
MadoMiner Cryptocurrency Worm


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

MadoMiner is a newly observed cryptocurrency mining worm that uses large portions of the ZombieBoy remote access trojan's code.

Affected platforms

The following platforms are known to be affected:

Threat details

MadoMiner uses the EternalBlue and DoublePulsar exploits, along with known RDP exploits, to compromise a device. The modules used for this are identical to those in ZombieBoy, even down to the comments within the exploit code. Once access to a vulnerable device has been gained, a dynamic-link library (DLL) is delivered which, when executed, downloads two UPX-packed (Ultimate Packer for eXecutables) modules referred to as Install.exe and Mask.exe.

Once installed, MadoMiner contacts a command and control server, which provides it with a list of mining pool URLs and a list of IP ranges to scan. It then connects to one of these pool URLs and begins mining, keeping CPU utilisation below 50% so as to be less noticeable. Install.exe then scans the supplied IP ranges with the WinEggDrop scanning tool and deploys the exploit modules against any vulnerable systems it identifies.


Remediation steps


MadoMiner exploits the Windows SMB vulnerability CVE-2017-0147. Organisations should apply Microsoft Security Bulletin MS17-010 immediately if they have not already done so.

If Remote Desktop Protocol (RDP) is not used, then ensure port 3389 (TCP/UDP) is blocked at your internet firewall. If RDP is used, then:

  • Only allow access for authorised RDP users.
  • Enforce strong password policies.
  • Enforce multi-factor authentication.
  • Don't allow RDP access for privileged user accounts.
  • Don't use generic accounts.
  • Set user accounts with an expiry date.
  • Audit user accounts periodically.
  • Only allow point-to-point connections from specific IP addresses where feasible.
  • Ensure Transport Layer Security (TLS) is up-to-date.
  • Log and monitor all RDP activity and investigate unusual behaviour.
  • Consider only allowing RDP for authorised virtual private network (VPN) connections.
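The "log and monitor" step above and the scanning behaviour described under Threat details are the basis of this added Python example, which is not part of the alert. It parses a constructed set of firewall-style log lines (the line format is an assumption) and flags any source that reaches an unusual number of distinct hosts on TCP 445 or 3389 within a short window, the fan-out pattern produced when a compromised host starts sweeping IP ranges for SMB and RDP targets.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall-style log lines (assumed format, not from the alert):
# <ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>
SAMPLE_LOG = """\
2020-02-17T09:00:01 10.0.5.23 10.0.5.40 445 ALLOW
2020-02-17T09:00:02 10.0.5.23 10.0.5.41 445 DROP
2020-02-17T09:00:02 10.0.5.23 10.0.5.42 445 DROP
2020-02-17T09:00:03 10.0.5.23 10.0.5.43 3389 DROP
2020-02-17T09:00:03 10.0.5.23 10.0.5.44 445 DROP
2020-02-17T09:00:04 10.0.5.23 10.0.5.45 3389 DROP
2020-02-17T09:00:05 10.0.5.23 10.0.5.46 445 ALLOW
2020-02-17T09:00:06 10.0.5.23 10.0.5.47 445 DROP
2020-02-17T09:00:07 10.0.5.23 10.0.5.48 445 DROP
2020-02-17T09:00:08 10.0.5.23 10.0.5.49 445 DROP
2020-02-17T09:00:09 10.0.5.23 10.0.5.50 445 DROP
2020-02-17T09:05:00 10.0.5.7  10.0.5.40 445 ALLOW
2020-02-17T09:06:00 10.0.5.7  10.0.5.40 445 ALLOW
2020-02-17T09:07:00 10.0.5.9  10.0.5.99 443 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<port>\d+)\s+(?P<action>\w+)$"
)
WORM_PORTS = {445, 3389}  # SMB (EternalBlue/DoublePulsar) and RDP, the ports the alert names

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return events

def find_scanners(events, window=timedelta(seconds=60), min_targets=10):
    """Return {src: distinct_targets} for sources that touch at least min_targets
    distinct hosts on SMB/RDP ports inside any sliding window of length `window`.
    Blocked (DROP) attempts count too: a sweep is visible even when it fails."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port in WORM_PORTS:
            by_src[src].append((ts, dst))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        start, best = 0, 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1  # slide the window forward past stale connections
            best = max(best, len({dst for _, dst in conns[start:end + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits
```

Tune `window` and `min_targets` to the normal east-west SMB traffic of the environment; a host that legitimately contacts many file servers will need a higher threshold or an allow-list.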


CVE Vulnerabilities

Last edited: 17 February 2020 12:47 pm