NSABuffMiner mining trojan occupied campus servers and made illegal profits of 1.15 million yuan

September brings the start of another school year. Universities, secondary schools and primary schools across the country are in the "back to school" rush, and as students return to campus, criminals are also on the move, eyeing the "back to school economy" and looking to make large profits by illegal means. Recently, the Tencent Smart Security Yujian Threat Intelligence Center received a report from a user that a school's intranet water-card management server was crashing frequently. The school's network administrators examined the system and found nothing obviously wrong; suspecting that the intranet had been attacked, they asked the Tencent Smart Security Yujian Threat Intelligence Center for help.

Tencent's security experts found that the server had been compromised by a mining Trojan running as rundllhost.exe: NSABuffMiner, a new variant of the NSASrvanyMiner family that uses the leaked NSA exploit tools to attack and spread across the intranet. The server had not been patched against MS17-010, so it was exploited and put to work mining. Checking the attacker's wallet showed that, at the time of writing, NSABuffMiner had mined 1,217 Monero (XMR), an illegal profit of up to 1.15 million yuan.

(Photo: NSABuffMiner mining trojan makes illegal profits)

The Tencent Smart Security Yujian Threat Intelligence Center now fully detects and removes this mining Trojan, and it reminds enterprise users to patch high-risk vulnerabilities promptly. Once attackers exploit such system vulnerabilities they can implant not only mining Trojans but also ransomware, or turn the machine into a tool for data theft, with far more serious consequences.

According to Tencent's security experts, when the new NSASrvanyMiner variant launches an attack it first shuts down the Windows firewall, then starts CPUInfo.exe to scan the intranet for machines with port 445 (SMB) open, and uses several of the NSA exploit tools against any machine it finds. At the same time, the Trojan uses the NSSM service manager to install and start the miner as a system service. NSSM automatically supervises the process it wraps and restarts it if it exits, which keeps the miner running even when it is killed and, in Tencent's analysis, helps it evade some antivirus software.

Notably, to keep the mining resources to itself, the Trojan plays dog-eat-dog and burns the bridge behind it: it blocks other mining Trojans from getting in, checks for and kills more than 30 processes belonging to rival miners, and once its own infection succeeds it closes dangerous ports such as 135, 137, 138, 139 and 445 so that other mining Trojans cannot compete with it for the machine's resources.

The new NSABuffMiner variant also bundles a full NSA exploit kit, which makes it easy to attack and propagate inside the intranet. It also watches for several task-manager processes: when a user notices that the system is behaving abnormally and opens Task Manager to check resource usage, the Trojan immediately tries to close Task Manager, and if that fails the Trojan exits instead, so that an ordinary user finds nothing amiss.

(Photo: Tencent Security Enterprise Product Yudian)

To prevent such attacks from recurring, Ma Jinsong, security expert at Tencent Computer Manager and head of Tencent Security Anti-Virus Laboratory, recommends that enterprise network administrators apply security patches to servers promptly; close unnecessary file shares, ports and services; use strong, unique account passwords on servers and rotate them regularly; and deploy security software such as the Yudian Terminal Security Management System, which centrally manages endpoint antivirus and patching and provides policy management and other security management functions, so that administrators have a complete picture of the intranet's security posture and can protect the enterprise.
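For an administrator who wants to check a Windows server for the behaviour described above (the rundllhost.exe and CPUInfo.exe processes, a miner kept alive by an NSSM-wrapped service, a disabled firewall or unexpected block rules on ports 135-139 and 445, and exposure to MS17-010), the following triage script is an added example; it is not Tencent's code or anything the article provides. It assumes Windows Server 2012 R2 or later with PowerShell 5.1, run from an elevated prompt. The process names and port list come from the article; the list of MS17-010 hotfix IDs is an assumption covering only the original March 2017 updates, which later cumulative updates supersede, so a miss there means "verify", not "vulnerable".

```powershell
# Added example (not from the article): triage checks for the indicators it describes.
# Assumes Windows Server 2012 R2+ / PowerShell 5.1, elevated. Review every finding by hand;
# NSSM and inbound block rules on SMB ports are also used legitimately.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Process names taken from the article: the miner and the port-445 scanner.
$suspectNames = @('rundllhost', 'CPUInfo')
Get-Process | Where-Object { $suspectNames -contains $_.ProcessName } | ForEach-Object {
    $findings.Add("Suspect process: $($_.ProcessName) (PID $($_.Id)) path=$($_.Path)")
}

# 2. Services whose binary is NSSM. NSSM restarts the child it wraps when it dies,
#    which is how the article says the miner is kept running.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' } | ForEach-Object {
    $findings.Add("NSSM-wrapped service: $($_.Name) state=$($_.State) path=$($_.PathName)")
}

# 3. Firewall profiles the Trojan is said to disable, and enabled inbound block rules on the
#    ports it is said to close after infection. Exact-port match only; rules written as a
#    range such as 135-139 will not match and need a manual look.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("Firewall profile disabled: $($_.Name)")
}
$lateralPorts = @('135', '137', '138', '139', '445')
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True | ForEach-Object {
    $rule  = $_
    $ports = @($rule | Get-NetFirewallPortFilter | Select-Object -ExpandProperty LocalPort)
    $hit   = $ports | Where-Object { $lateralPorts -contains $_ }
    if ($hit) {
        $findings.Add("Inbound block rule '$($rule.DisplayName)' on port(s) $($hit -join ','): confirm who created it")
    }
}

# 4. Exposure to MS17-010: SMBv1 still enabled, and none of the original patches present.
#    KB list is an assumption (March 2017 releases per OS); later cumulative updates supersede it.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add("SMBv1 is enabled; disable it unless something on the network still needs it")
}
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012214',
                'KB4012217', 'KB4012598', 'KB4012606', 'KB4013198', 'KB4013429')
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
if (-not ($ms17010Kbs | Where-Object { $installed -contains $_ })) {
    $findings.Add("None of the original MS17-010 KBs found; confirm a later cumulative update covers it")
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Run it on the suspect server and on a known-clean server of the same build; differences in the NSSM and firewall-rule sections are the interesting ones, since an administrator who deliberately blocked 445 or wrapped a service in NSSM will recognise their own rules. The script only reports; removal of the service, the miner binary and the attacker's firewall rules should follow a proper incident-response process after the evidence has been preserved.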

