Guardicore security researchers have uncovered a sophisticated malware attack that successfully destroyed more than 800 devices belonging to a company in the medical technology industry. The malware masquerades as a WAV file and contains a Monero mining software that exploits the infamous Eternal Blue vulnerability to compromise devices on the network.
The malware’s only bug, which ultimately led to the death of an infected computer blue screen (BSOD) and the display of an error code, ultimately aroused the victim’s suspicion and led to an in-depth investigation into the incident.
The researchers said BSOD first discovered on October 14th that the machine that had a fatal crash was trying to execute the command line (actually a PowerShell script based on base-64 encoding). After decoding the script, the researchers obtained a readable Powershell script that was used to deploy malware. The script first checks the system schema (based on pointer size). It then reads the value stored in the registry sub-key above and loads the value into memory using the Windows API function WriteProcess Memory. The researchers point out that the malware payload is performed by acquiring and calling function pointer delegates.
The malware attempted to spread to other devices on the network using an EternalBlue-based vulnerability that infected thousands of computers around the world, in the same vulnerability that WannaCry used in 2017. After reverse engineering the malware, the researchers found that the malware actually hid the Monero mining module disguised as a WAV file, using the CryptonightR algorithm to mine the Monero virtual currency. In addition, the malware exploits cryptography and hides its malicious modules in a clear-looking WAV file. “
The researchers found that the complete removal of malware, including terminating malicious processes, prevented BSOD from occurring on the compromised device.