Security researchers have detected the first mass-hacking campaign using the BlueKeep flaw in the Windows operating system to infect computers with a cryptocurrency miner. The good news is that the exploit is not being leveraged as a self-propagating worm, as Microsoft cautioned back in May when it issued a patch urging users to update their systems; rather, the attacks appear to be an opportunistic endeavor in pursuit of monetary gain.
Security researcher Kevin Beaumont detected a spike in attacks exploiting the BlueKeep vulnerability, but rather than taking remote control of the machines, the attackers were causing them to crash. According to Beaumont, the attacks began on October 23.
Beaumont’s discovery was confirmed by security expert Marcus "MalwareTech" Hutchins. According to the researcher’s blog post, the attackers were using a demo BlueKeep exploit released by the Metasploit team back in September to compromise Windows systems and install a Monero cryptocurrency miner.
"Finally, we confirm this segment [in crash dump] points to executable shellcode. At this point, we can assert valid BlueKeep exploit attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep Metasploit module!" Hutchins said.
The analyzed exploit contained encoded PowerShell commands as the initial payload, which downloaded the final malicious executable binary from a remote attacker-controlled server and executed it on the targeted systems.
Hutchins also confirmed that this hacking operation doesn’t include self-spreading, worm-like capabilities. Instead, it appears that the attackers are scanning the internet in search of vulnerable Windows machines with exposed RDP ports, deploying the BlueKeep exploit against them, and then installing a cryptocurrency miner.