Hackers Infect PCs With Cryptocurrency Miners Using BlueKeep Remote Desktop Security Flaw

(Image credit: Shutterstock)

Hackers attempting to mass-infect PC users with cryptocurrency miners have started exploiting the Windows BlueKeep vulnerability, as recently reported by BleepingComputer. The security flaw can impact the Remote Desktop Protocol of Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008 operating systems.

Microsoft has been warning both individual users and businesses to update their machines with the BlueKeep patch for months, but some computers have remained vulnerable. Cyber attackers are now taking advantage of that. 

The somewhat good news is that the attack is not a worm, meaning it can’t spread from one computer to another in the same network.

BlueKeep Threat Persists

According to Beaumont, over 724,000 machines remained vulnerable to BlueKeep worldwide. Therefore, we may continue to see this sort of attack until those machines patch to a version of Windows that's newer than May 14, 2019, when Microsoft released its BlueKeep patch.

About two weeks afters Microsoft released the patch, almost 1 million machines remained vulnerable to BlueKeep. The quarter million or so machines that have been patched since include PCs that received the updates automatically. So chances are that months or even years will pass before the remaining computers at risk will enable the patch.

The BlueKeep bug exists before authentication into the Windows Remote Desktop Protcol (RDP), and an attacker can take advantage of it remotely. It's believed that the vulnerability could become equally or more dangerous than WannaCry or NotPetya, especially if wormable capability were enabled.  In that case, Microsoft says that Windows 8 and Windows 10 machines are protected worm transmission infections because they have Network Level Authentication, an anti-worm defense that requires users to authenticate before attempting to use RDP.

BlueKeep Malware in the Wild

The issue was discovered by security researcher Kevin Beaumont. He tweeted that he started noticing that some of his EternalPot RDP honeypots were crashing and rebooting for the first time since he set them up six months ago.

The crashes were analyzed by Marchus Hutchin, a security researcher known as MalwareTech famous for temporarily stopping some WannaCry attacks. Hutchin analyzed the crashes and found some “BlueKeep artifacts in memory and shellcode to drop a Monero Miner."

According to Hutchin's analysis, hackers were first sending an encoded PowerShell script to the vulnerable machines. Those machines would download a second encoded PowerShell script. The final payload is a cryptocurrency miner that installs on the infected machines and then generates Monero digital coins for the attackers using the computers’ local resources.

The researchers believe that the malware was created with publicly available code without the hackers putting much thought into it. This why it wasn’t created as a worm, even though the BlueKeep vulnerability makes the creation of worm exploitation. Hutchin noted that the attack likely used a predefined list of vulnerable machines. 

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.