INFRA
A newly identified form of cryptomining malware that employs an exploit attributed to the U.S. National Security Agency and disclosed last year is causing concern among security experts because it may be a form of attack that could surge in the year ahead.
Dubbed PyRoMine by researchers at Fortinet Inc., the new Python-based malware uses EternalRomance, an exploit related to the EternalBlue exploit that was used in both the WannaCry and NotPetya attacks in 2017. The exploit takes advantage of unpatched vulnerabilities in Windows versions ranging from XP through to 10, as well as Windows Server from 2003 through to 2016.
Delivered through a distributed phishing campaign that exploits those vulnerabilities, PyRoMine, once installed, distinguishes itself by not only mining the Monero cryptocurrency in the background but also by disabling ports on a targeted personal computer, potentially allowing the hackers to install additional malware packages.
“This malware is a real threat as it not only uses the machine for cryptocurrency mining, but it also opens the machine for possible future attacks since it starts RDP services and disables security services,” Fortinet said. “FortiGuardLabs is expecting that commodity malware will continue to use the NSA exploits to accelerate its ability to target vulnerable systems and to earn more profit.”
Chris Morales, head of security analytics at Vectra Networks Inc., told SiliconANGLE that by combining cryptomining malware with an NSA exploit, “attackers can proactively generate revenue but still stay hidden to deploy new attack vectors.”
Morales added that “the good news is AI can find these new types of attacks without any prior knowledge of their existence by looking for attacker behaviors instead of looking for the malware used. The things an attacker must do to compromise, destroy or steal information on the network follow the same progression of attacker behaviors across the attack lifecycle, regardless of the ultimate intent of the attacker.”
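Fortinet’s description of PyRoMine (it starts RDP services and disables security services) and Morales’ point about detecting attacker behaviors rather than the malware itself suggest a simple defensive check. The script below is an added illustration written for this article, not Fortinet’s or Vectra’s code: it correlates Windows Service Control Manager events (event ID 7036, “service entered the running/stopped state”) per host and flags any host where Remote Desktop Services (TermService) starts within a short window of security-related services (WinDefend, wscsvc, MpsSvc) stopping. The log lines are constructed samples, the “ts key=value” format is an assumption standing in for whatever the collector emits, and the choice of which services count as security services is the example’s own.

```python
"""
Behaviour-based correlation over Windows Service Control Manager events.

Flags the combination described in the article: Remote Desktop (TermService)
entering the running state on a host around the same time that security
services are stopped, without any knowledge of the miner binary itself.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows service names; treating exactly these three as the
# "security services" worth watching is this example's own choice.
RDP_SERVICE = "TermService"
SECURITY_SERVICES = {"WinDefend", "wscsvc", "MpsSvc"}

# Constructed sample telemetry (not real logs): one SCM 7036 event per line,
# in an assumed "timestamp key=value ..." export format.
SAMPLE_LOGS = """\
2018-04-25T10:00:01Z host=ws-17 event=7036 service=Spooler state=running
2018-04-25T10:01:02Z host=ws-17 event=7036 service=TermService state=running
2018-04-25T10:01:05Z host=ws-17 event=7036 service=WinDefend state=stopped
2018-04-25T10:01:06Z host=ws-17 event=7036 service=MpsSvc state=stopped
2018-04-25T10:03:00Z host=ws-42 event=7036 service=TermService state=running
2018-04-25T11:30:00Z host=ws-42 event=7036 service=WinDefend state=stopped
2018-04-25T12:00:00Z host=ws-09 event=7036 service=WinDefend state=stopped
"""


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict; return None if malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    if not all(k in rec for k in ("host", "service", "state")):
        return None
    return rec


def find_suspicious_hosts(log_text, window=timedelta(minutes=10)):
    """Return {host: sorted security services stopped within `window` of RDP starting}."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_host[rec["host"]].append(rec)

    findings = {}
    for host, recs in by_host.items():
        rdp_starts = [r["ts"] for r in recs
                      if r["service"] == RDP_SERVICE and r["state"] == "running"]
        stopped = [r for r in recs
                   if r["service"] in SECURITY_SERVICES and r["state"] == "stopped"]
        # A stop counts only if it lands near an RDP start on the same host.
        hits = sorted({r["service"] for r in stopped
                       if any(abs(r["ts"] - t) <= window for t in rdp_starts)})
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, services in find_suspicious_hosts(SAMPLE_LOGS).items():
        print(f"{host}: RDP started while security services stopped: "
              f"{', '.join(services)}")
```

With the sample data only ws-17 is reported: ws-42 stopped WinDefend well outside the ten-minute window and ws-09 never started RDP at all. Widening the window trades fewer missed cases for more noise, which is the usual tuning knob for this kind of behavioral rule.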
Chris Roberts, chief security architect at Acalvio Technologies Inc., believes that attacks like PyRoMine are a sign of things to come, saying that it’s “something that we will see much more of in the future as the tools that are being deployed are multifaceted.”
In this case, he added, it’s not only about mining and disabling security services. “Several of the latest tool sets are coming armed with various payloads that simply have functionality to deploy attacks, harvest for data and also take advantage of lax security and processing time,” Roberts said. “And this all comes in a nice, neat package using the simple issue that we, the human, haven’t patched or don’t pay attention to what we are downloading and clicking. Once again, we are the attack vector and the computer suffers.”