
An aptly named piece of malware has been discovered that can wreak havoc on web servers, removable storage devices and network drives. BlackSquid has a number of arms that facilitate its nefarious activity, and its goal is to mine Monero on the machines it compromises. It gains a foothold by exploiting unpatched security flaws on the target devices. To date, most of the compromises have occurred in the US and Thailand.

“BlackSquid has eight components and utilizes anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to continue with installation or not,” according to a report by Trend Micro. It also includes “wormlike behavior for lateral propagation,” as well as several known exploits: DoublePulsar, EternalBlue, three ThinkPHP exploits and four different CVE exploits.
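The wormlike lateral propagation Trend Micro describes rides on exploits such as EternalBlue, which targets the SMB service on TCP port 445. From a defender's side, the tell-tale sign of that behaviour is one host suddenly fanning out to many distinct internal hosts on 445 in a short window. The detection below is an added example written for this page, not code from the article or from Trend Micro's report; the log format, the sample log lines, and the threshold of eight distinct targets within 60 seconds are all constructed assumptions for illustration.

```python
"""Flag worm-style SMB fan-out in connection logs (added example, not from the article).

Assumed log format (constructed for this example):
    <ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <allow|deny>
Lines are assumed to be in time order, as a firewall export normally is.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445
WINDOW = timedelta(seconds=60)   # assumed sliding window
FANOUT_THRESHOLD = 8             # assumed tuning value: distinct internal targets per window


def _build_sample_log():
    """Constructed sample data: one legitimate client and one worm-like scanner."""
    base = datetime(2019, 6, 3, 10, 0, 0)
    lines = []
    # 10.0.0.9 repeatedly talks to the same two file servers: normal SMB use.
    for i in range(6):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 -> 10.0.0.{20 + i % 2}:445 allow")
    # 10.0.0.5 sweeps 10.0.0.11 .. 10.0.0.30 on 445, one host per second.
    # A real sweep produces a mix of allows and denies, so both are counted.
    for i in range(20):
        ts = (base + timedelta(seconds=i)).isoformat()
        action = "allow" if i % 3 else "deny"
        lines.append(f"{ts} 10.0.0.5 -> 10.0.0.{11 + i}:445 {action}")
    # Unrelated internal HTTPS traffic that must be ignored.
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 10.0.0.7 -> 10.0.0.50:443 allow")
    lines.sort()  # ISO timestamps sort lexicographically in time order
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def is_internal(ip):
    return ipaddress.ip_address(ip).is_private


def find_smb_fanout(log_text, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: (window_start, distinct_targets)} for each source that
    reaches `threshold` distinct internal hosts on TCP 445 within `window`."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst_ip) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, dst_port, _action = parse_line(line)
        if dst_port != SMB_PORT or not is_internal(dst_ip):
            continue
        q = recent[src]
        q.append((ts, dst_ip))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], len(distinct))  # first alert only, per source
    return alerts


if __name__ == "__main__":
    for src, (start, count) in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} distinct SMB targets since {start.isoformat()}")
```

Run against the constructed log, only 10.0.0.5 trips the rule: it reaches its eighth distinct target seven seconds into the sweep, while the legitimate client never exceeds two. Tune the threshold to your environment; backup servers and vulnerability scanners legitimately fan out on 445 and belong on an allow-list rather than in a lowered threshold.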

That’s not all, though: Trend Micro believes that BlackSquid may only be a prelude to something more dastardly. The company explains, “… [C]ybercriminals may be testing the viability of the techniques used in this malware’s routine for further development. The sample we acquired downloads and installs an XMRig Monero cryptocurrency miner as the final payload. But BlackSquid may be used with other payloads in the future.”

BlackSquid attacks a target through one of three entry points: an infected webpage, infected removable or network drives, or an infected web server. If its anti-virtualization, anti-debugging or anti-sandboxing checks indicate it is being analyzed, it immediately aborts the infection routine to avoid detection.

Trend Micro further explains, “Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another).”

Adding to the assessment that the code may still be in development, the analysts note poor coding and skipped routines, which suggest more work on the malware is coming. The developers may simply be studying how to make their attacks more profitable and determining which targets to hit first.

The malware relies on known vulnerabilities, some of them identified years ago. Patches have long been available for all of them, and IT professionals who don’t properly maintain their systems are enabling the continued spread of attackers’ capabilities by not taking the necessary precautions. Trend Micro recommends that all systems be updated appropriately and that enterprises enable a “multilayered protection system” to block threats and malicious web links.
