Trend Micro: BlackSquid Malware Infects Servers to Install Monero Cryptojacking Software

Cybersecurity firm Trend Micro announced that it found a malware dubbed BlackSquid that infects web servers employing eight different security exploits and installs mining software. The findings were announced in a blog post published on June 3.

Per the report, the malware targets web servers, network drives and removable drives using eight different exploit and brute force attacks. More precisely, the software in question employs “EternalBlue; DoublePulsar; the exploits for CVE-2014-6287, CVE-2017-12615, and CVE-2017-8464; and three ThinkPHP exploits for multiple versions.”

While the sample acquired by Trend Micro installs the XMRig monero (XMR) Central Processing Unit-based mining software, BlackSquid could also deliver other payloads in the future. According to Trend Micro data, most of the instances of the malware in question have been detected in Thailand and the United States.

The malware can reportedly infect a system via three different routes: through a website hosted on an infected server, exploits, and removable or network drives. BlackSquid also cancels the infection protocol if it detects that the username, device driver or the disk drive model suggests that the software is running in a sandbox environment.

As Cointelegraph recently reported, as many as 50,000 servers worldwide have allegedly been infected with an advanced cryptojacking malware that mines the privacy-focused open source cryptocurrency turtlecoin (TRTL).

At the beginning of May, Trend Micro also noted that cybercriminals are now exploiting known vulnerability CVE-2019-3396 for crypto mining in the software Confluence, a workspace productivity tool made by Atlassian.