PyRoMine Cryptocurrency Miner

A newly observed Python-based cryptocurrency miner, known as PyRoMine, has been seen using the EternalRomance SMB exploit to propagate. This exploit was released alongside the EternalBlue exploit by the Shadow Brokers in 2016.

In 2016 the Shadow Brokers leaked several hacking tools and zero-day exploits, including ETERNALBLUE and ETERNALROMANCE, that targeted Windows XP/Vista/7/8.1/10 and Windows Server 2003/2008/2012/2016 and took advantage of CVE-2017-0144 and CVE-2017-0145. These are the vulnerabilities covered by the MS17-010 security bulletin.

Delivery is facilitated using the EternalRomance exploit, which scans for internet-facing SMB ports in order to spread. Once on a device, PyRoMine downloads a Visual Basic script that opens traffic on port 3389, allowing it to propagate further over Remote Desktop Protocol (RDP). PyRoMine also disables Windows Update before installing the XMRig mining application.
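The behaviours just described (SMBv1 exposure, an opened RDP port, disabled updates, a running XMRig process) can each be checked from the host side. The following read-only PowerShell triage is an added example, not code from the original post; it assumes Windows 8 / Server 2012 or later with PowerShell 5.1, an elevated session, and the NoAutoUpdate policy value as one place where automatic updates are commonly switched off.

```powershell
# Added example (not from the original post): read-only host triage for the
# PyRoMine indicators described above. Run elevated on the host being checked.
$findings = @()

# 1. SMBv1 is what the EternalRomance/EternalBlue exploits target; it should be off.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smb -and $smb.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is enabled (exposed to MS17-010 exploits)"
}

# 2. Inbound allow rules for TCP 3389 (RDP), which the dropped VBS script opens.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        ($port.Protocol -eq 'TCP') -and ($port.LocalPort -contains '3389')
    }
foreach ($rule in $rdpRules) {
    $findings += "Inbound allow rule for TCP 3389: '$($rule.DisplayName)' (profile: $($rule.Profile))"
}

# 3. Windows Update state; PyRoMine disables updates before installing the miner.
#    The service is often idle, so only a 'Disabled' start type is treated as a finding.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.StartType -eq 'Disabled') {
    $findings += "Windows Update service (wuauserv) start type is Disabled"
}
# Assumed policy location for switched-off automatic updates (NoAutoUpdate = 1).
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name NoAutoUpdate -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    $findings += "Automatic updates disabled by policy (NoAutoUpdate = 1)"
}

# 4. Running processes named like the XMRig miner, with image path for follow-up.
$miners = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -match 'xmrig' }
foreach ($p in $miners) {
    $findings += "Miner-like process: $($p.ProcessName) (PID $($p.Id)) $($p.Path)"
}

# Report. Combine with the MS17-010 hotfix check further down for a full picture.
if ($findings.Count -eq 0) {
    "No PyRoMine-related indicators found on $($env:COMPUTERNAME)"
}
else {
    Write-Warning "$($findings.Count) finding(s) on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { "  - $_" }
}
```

A hit on any single item is not proof of infection (RDP may be legitimately exposed, updates may be managed by WSUS), but SMBv1 enabled together with a missing MS17-010 hotfix is the condition the worm actually needs, and that pair is what should drive remediation.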

The malware can be downloaded as an executable file compiled with PyInstaller, which is a program that packages code written in Python into stand-alone executables. This means that, conveniently, there is no need to install Python on the machine in order to execute the Python-based PyRoMine. Once installed, it sets about silently stealing CPU resources from unwitting victims to aim its proverbial drill bit at uncovering Monero profits.
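Because the sample ships as a PyInstaller bundle, a quick static check for that packaging is a useful first triage step before a full analysis. The following function is an added example, not the post's own code; it looks for PyInstaller's archive magic cookie (the bytes `MEI\x0c\x0b\x0a\x0b\x0e`) and for string markers its bootloader uses, which are taken as assumptions about PyInstaller's format rather than anything stated on this page. The file is only read, never executed.

```powershell
# Added example (not from the original post): static check for PyInstaller packaging.
function Test-PyInstallerBundle {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # Latin-1 maps every byte to exactly one char, so byte patterns can be searched as text.
    $latin1 = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
    $text = $latin1.GetString($bytes)

    # PE files start with 'MZ'.
    $isPe = ($bytes.Length -gt 2) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)

    # Assumed marker: the magic cookie PyInstaller writes into its embedded CArchive.
    $magic = $latin1.GetString([byte[]](0x4D, 0x45, 0x49, 0x0C, 0x0B, 0x0A, 0x0B, 0x0E))
    $hasMagic = $text.Contains($magic)

    # Assumed markers: strings referenced by PyInstaller's bootloader / runtime.
    $markers = @('_MEIPASS', 'pyi-windows-manifest-filename', 'pyi-runtime-tmpdir', 'PyInstaller')
    $foundMarkers = @($markers | Where-Object { $text.IndexOf($_, [System.StringComparison]::Ordinal) -ge 0 })

    [pscustomobject]@{
        Path              = $Path
        SHA256            = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        IsPE              = $isPe
        HasMEIMagic       = $hasMagic
        Markers           = $foundMarkers
        LikelyPyInstaller = $hasMagic -or ($foundMarkers.Count -ge 2)
    }
}

# Usage (path is a placeholder):
# Test-PyInstallerBundle -Path 'C:\quarantine\suspect.exe'
```

A positive result only says the file is a bundled Python program, which many legitimate tools also are; record the SHA256 and pass the file to a sandbox or extract the bundle for inspection rather than treating the packaging itself as the verdict.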

PowerShell Script To Check For MS17-010 Hotfixes

#list of all the MS17-010 hotfixes to check for
$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220", "KB4012598", "KB4012606", "KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438", "KB4015546", "KB4015547", "KB4015548", "KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019213", "KB4019214", "KB4019215", "KB4019216", "KB4019263", "KB4019264", "KB4019472", "KB4015221", "KB4019474", "KB4015219", "KB4019473"

#checks the computer it's run on for any of the listed hotfixes (the result is reused below)
$hotfix = Get-HotFix -ComputerName $env:COMPUTERNAME | Where-Object { $hotfixes -contains $_.HotFixID } | Select-Object -Property HotFixID

#confirms whether a hotfix was found or not; more than one may be installed, so join the IDs
if ($hotfix) {
    "Found HotFix: " + (@($hotfix.HotFixID) -join ", ")
}
else {
    Write-Warning "Didn't Find HotFix"
}

Note that the above check also covers WannaCry and other malware that spreads through the MS17-010 vulnerabilities, since they rely on the same missing hotfixes.

IPs / Hosts To Block

Affected Platforms

  • Microsoft Windows – All versions

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
