NSABuffMiner
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The malware in question spreads over the SMB protocol using the EternalBlue vulnerability (MS17-010). The patch for it was released four years before the initial compromise. | ...the files in question are linked to a covert cryptocurrency-mining campaign named NSABuffMiner. The malware in question spreads over the SMB protocol using the EternalBlue vulnerability (MS17-010).
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
Persistence is then established by creating scheduled tasks to execute the propagation and infection scripts, and services are created to execute the crypto miner, with the names MicrosoftMysql, MicrosoftFonts, and MicrosoftMSSql. Other scheduled tasks were also observed with the names At1 and At2.
Persistence
4 techniques
Persistence is then established by creating scheduled tasks to execute the propagation and infection scripts, and services are created to execute the crypto miner, with the names MicrosoftMysql, MicrosoftFonts, and MicrosoftMSSql. Other scheduled tasks were also observed with the names At1 and At2.
This tool was launched via a scheduled task disguised as a legitimate Google Chrome update.
Privilege Escalation
6 techniques
Persistence is then established by creating scheduled tasks to execute the propagation and infection scripts, and services are created to execute the crypto miner, with the names MicrosoftMysql, MicrosoftFonts, and MicrosoftMSSql. Other scheduled tasks were also observed with the names At1 and At2.
This tool was launched via a scheduled task disguised as a legitimate Google Chrome update.
These components inject the malicious DLLs Eternalblue2.dll and Doublepulsar2.dll into the lsass.exe and explorer.exe processes...
...the malware spreads over the SMB protocol using the EternalBlue vulnerability (MS17-010)...
Stealth
3 techniques
It created the alias “Kaspersky” for “Invoke-Expression” in an attempt to blend in as legitimate activity in the hope that a quick glance at the script would not raise suspicion.
Discovery
1 technique
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A cryptocurrency miner that spreads over SMB by exploiting EternalBlue/MS17-010; it uses scripts and components for scanning, lateral movement, DLL injection, and persistence via scheduled tasks and services.
A crypto-mining campaign that spreads over SMB by exploiting EternalBlue/MS17-010, uses helper scripts and malware components to inject EternalBlue2.dll and Doublepulsar2.dll for lateral movement, and establishes persistence via scheduled tasks and services.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.