BlackSquid Slithers Into Servers and Drives With 8 Notorious Exploits to Drop XMRig Miner

By Johnlery Triunfante

An unpatched security flaw that gets successfully exploited is one thing. But eight exploits that can stealthily and simultaneously get through your businesses’ assets and data and your customers’ information are quite another.

We found a new malware family that targets web servers, network drives, and removable drives using multiple web server exploits and brute-force attacks. This malware, which we named BlackSquid after the registries created and main component file names, is particularly dangerous for several reasons. It employs anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to continue with installation or not. It also has wormlike behavior for lateral propagation. And it uses some of the most notorious exploits today: EternalBlue; DoublePulsar; the exploits for CVE-2014-6287, CVE-2017-12615, and CVE-2017-8464; and three ThinkPHP exploits for multiple versions.

In addition, cybercriminals may be testing the viability of the techniques used in this malware’s routine for further development. The sample we acquired downloads and installs an XMRig Monero cryptocurrency miner as the final payload. But BlackSquid may be used with other payloads in the future.

Our telemetry observed the greatest number of attack attempts using BlackSquid in Thailand and the U.S. during the last week of May.

Evasion, routine, and exploits

BlackSquid can infect a system through three initial entry points: an infected webpage served by a known infected server, exploits (the main initial entry point for infecting web servers), or removable or network drives. To avoid detection and blocking, it immediately cancels the infection routine if at least one of the following conditions is met:

• The victim’s username is equal to one of the following common sandbox usernames:

  • Avira
  • CWSX
  • Kappa
  • VBOX
  • cuckoo
  • cwsx-
  • nmsdbox
  • qemu
  • sandbox
  • virtual
  • wilbert-sc
  • xpamast-sc
  • xxxx-ox

• The disk drive model is equal to one of the following:

  • Avira
  • Kappa
  • VBOX
  • Qemu
  • Sandbox
  • test
  • virtual
  • vitual
  • vmware
  • vware


• The device driver, process, and/or dynamic link library is one of the following:

  • exe
  • exe
  • exe
  • EXE
  • exe
  • dll
  • exe
  • sys
  • exe
  • sys
  • exe
  • dll
  • sys
  • sys
  • dll
  • dll
  • exe
  • exe
  • dll
  • sys
  • sys
  • exe

The malware also checks the breakpoint registers for hardware breakpoints, specifically the flags. The check is hard-coded: the malware skips the routine if the flag is at 0, while it seems to proceed with infection if the flag is at 1. As of this writing, the code is set at 0, implying that this aspect of the malware routine is still in development.

Figure 1. Hardware breakpoint flags hard-coded at 0

The malware routine continues with infection if the system meets none of the three conditions above. Like a number of cryptocurrency-mining malware routines in recent incidents, BlackSquid also uses the EternalBlue-DoublePulsar exploits (MS17-010 SMB RCE exploit) to propagate through the network.

Figure 2. Command line of EternalBlue-DoublePulsar exploit

Figure 3. Server Message Block (SMB) exploit attack on ports 445 and 139

It drops a copy of itself in network and removable drives, using the critical vulnerability CVE-2017-8464 to execute itself. This remote code execution (RCE) flaw can be used to gain the same user rights as the local system user.

Figure 4. Malware executed via CVE-2017-8464

Aside from network propagation, BlackSquid infects web servers via web application exploits. Using the GetTickCount API as its seed, it randomly selects the IP addresses to target and checks if the addresses are live. Having confirmed the live status of the addresses, it begins connecting to and attacking the targets through exploits and brute force.

Figure 5. Randomly generating and checking for live IP addresses to target

Among the vulnerabilities abused are three ThinkPHP exploits to support multiple versions of the said framework, using mshta.exe to download and execute the main component of the payload. However, we noticed that one of the exploits had been wrongly coded: The letter “l” was used where the number “1” was needed, thereby rendering the code useless.

Figure 6. ThinkPHP exploits used by BlackSquid

Figure 7. The cybercriminals might have made a mistake coding one of the ThinkPHP exploits, making the command useless.

By sending an HTTP request, it also targets IP addresses using CVE-2014-6287 to run mshta.exe via a %00 sequence in a search action. Once abused, this allows attackers to execute arbitrary programs remotely.

Figure 8. Specially crafted request to exploit CVE-2014-6287

BlackSquid also exploits CVE-2017-12615, an Apache Tomcat vulnerability, with a snippet that sends an HTTP PUT request. The exploit enables any code to be executed by the server by uploading a JavaServer Pages (JSP) file via a specially crafted HTTP PUT request.

Figure 9. Snippet of HTTP request method and URI

Figure 10. Snippet of HTTP message body

BlackSquid can also upload a JavaServer page to the targeted web server and use the page to execute mshta.exe, which in turn downloads and executes the malware’s main component.

Figure 11. Executing the main component of the payload via a JavaServer page
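The web-facing behaviors described above (a %00 sequence in a search action, a JSP file uploaded via HTTP PUT, and mshta.exe appearing in requests) leave traces in access logs. The following is an added detection example, not code from the original report; the rule names and sample log lines are constructed, and Common Log Format is assumed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: client, two ignored fields, [timestamp], "METHOD target PROTO", status
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not taken from the report); payloads are placeholders.
SAMPLE_LOG = '''\
198.51.100.7 - - [28/May/2019:10:00:01 +0000] "GET /shop?search=shoes HTTP/1.1" 200 812
203.0.113.9 - - [28/May/2019:10:00:05 +0000] "GET /?search=%00PLACEHOLDER HTTP/1.1" 200 0
203.0.113.9 - - [28/May/2019:10:00:06 +0000] "PUT /PLACEHOLDER.jsp HTTP/1.1" 201 0
198.51.100.7 - - [28/May/2019:10:00:09 +0000] "GET /app/report.jsp HTTP/1.1" 200 4096
203.0.113.9 - - [28/May/2019:10:00:11 +0000] "GET /index.php?x=MSHTA.exe%20PLACEHOLDER HTTP/1.1" 500 0
'''

def classify(method, target):
    """Return the (hypothetical) rule names that a request line triggers."""
    hits = []
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    # CVE-2014-6287: a decoded null byte inside the "search" parameter.
    if any("\x00" in value for value in params.get("search", [])):
        hits.append("hfs-search-null-byte")
    # CVE-2017-12615: PUT of a JSP file. Matching ".jsp" anywhere in the path
    # keeps the rule effective when the name carries extra suffix characters.
    if method == "PUT" and ".jsp" in path:
        hits.append("tomcat-jsp-put")
    # mshta.exe has no business in an inbound URL, encoded or not.
    if "mshta" in unquote(target).lower():
        hits.append("mshta-in-request")
    return hits

def scan(log_text):
    """Return (client, method, status, rules) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        match = CLF.match(line)
        if not match:
            continue  # not a CLF line; ignore rather than guess
        client, method, target, status = match.groups()
        hits = classify(method, target)
        if hits:
            findings.append((client, method, int(status), hits))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status code is kept in each finding because a 2xx response to one of these requests deserves faster triage than a 4xx or 5xx.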

BlackSquid can also infect HTML files in the following known web server path by prepending a malicious iframe to the target.


Table 1. Web server stacks and scripts reference for iframe insertion

Figure 12. Iframe tag used in HTML file infection
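Because the infection prepends the iframe, an affected HTML file starts with an iframe tag instead of a doctype or html element. The following is an added integrity-check example, not code from the original report; the web root is supplied by the caller, and the demo files and URL are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# First markup tag in a file, skipping a BOM, whitespace and HTML comments.
LEADING = re.compile(r'\A\ufeff?(?:\s|<!--.*?-->)*<\s*([a-zA-Z!][^\s>/]*)', re.S)
IFRAME_SRC = re.compile(r'<\s*iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def first_tag(html):
    """Lower-cased name of the first tag, or None if the file has no markup."""
    match = LEADING.match(html)
    return match.group(1).lower() if match else None

def find_prepended_iframes(root):
    """Map relative path -> iframe src for HTML files that begin with an iframe."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".html", ".htm"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if first_tag(text) == "iframe":
            src = IFRAME_SRC.search(text)
            findings[str(path.relative_to(root))] = src.group(1) if src else None
    return findings

def demo():
    """Build a constructed web root with one clean and one altered page."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        # Legitimate page: an iframe in the body is normal and must not be flagged.
        (base / "clean.html").write_text(
            "<!DOCTYPE html>\n<html><body><iframe src='/map'></iframe></body></html>")
        # Altered page: iframe sits in front of the doctype.
        (base / "index.html").write_text(
            '<iframe src="http://example.invalid/PLACEHOLDER" width=0 height=0></iframe>\n'
            "<!DOCTYPE html><html></html>")
        # Non-HTML file: out of scope for this check.
        (base / "notes.txt").write_text("<iframe src=x>")
        return find_prepended_iframes(base)

if __name__ == "__main__":
    print(demo())
```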

Simultaneous with its attacks, BlackSquid also downloads and executes two XMRig cryptocurrency-mining components. Both components are 64-bit Monero (XMR) miners, one in its resource and another downloaded into the system. The miner in resource is the primary miner used, but the malware also determines if the targeted system has a video card. It checks for Nvidia and AMD video cards using WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation); if one is found, the malware downloads the second component into the system to mine using graphics processing unit (GPU) resources.

Figure 13. XMRig miner


Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another).

But considering the erroneous code and purposely skipped routines, we also think that the cybercriminals behind this malware are likely in the development and testing stages; they may be studying how they can best profit from the attacks by having two components for mining regardless of the systems’ installed GPU resources. Further, they may still be trying to determine specific targets without putting up much capital. For one thing, the majority of the exploits and techniques they have chosen have been openly shared in the underground. And using random IP address scanning rather than a faster but possibly more expensive option such as a Shodan scan (which requires a subscription) presents advantages in lessening limitations for targets, as well as blocking and evading traffic to and from Shodan.

All of the exploited vulnerabilities have patches that have been available for years, so organizations following updated and proper patching procedures are unlikely to be affected. We recommend continued updating of systems with the released patches from legitimate vendors. Users of legacy software should also update with virtual patches from credible sources. Enterprises are advised to enable a multilayered protection system that can actively block threats and malicious URLs from the gateway to the endpoint.

Trend Micro solutions

Customers of the Trend Micro™ TippingPoint™ solution are protected from this threat via these MainlineDV filters:

  • 2383: CVE-2017-0144 – Remote Code Execution – SMB (Request)
  • 2390: EQUATED – SMB (Response)
  • 2498: CVE-2017-12615 – APACHE TOMCAT Remote Code Execution via JSP Upload – HTTP (Request)
  • 2722: CVE-2017-0146 – Remote Code Execution – SMB (Request)
  • 2786: ThinkPHP 5x Remote Code Execution – HTTP (Request)
  • 2922: CVE-2014-6287 Rejetto HttpFileServer RCE Exploit – HTTP (Request)
  • 2923: BLASQUI Webshell – HTTP (Request)
  • 3227: CVE-2014-6287 Rejetto HttpFileServer RCE Exploit – HTTP (Request)
  • 3228: BLASQUI Webshell – HTTP (Request)
  • 3229: ThinkPHP 5x Remote Code Execution – HTTP (Request)

Indicators of compromise (IOCs)

Trend Micro products with XGen™ security detect and block the following:




This post appeared first on Trend Micro Blog
Author: Trend Micro