BlackSquid Backdoor Malware

BlackSquid is an advanced modular backdoor primarily targeting financial and governmental organisations globally. It makes use of at least eight well-known vulnerabilities, including EternalBlue, to compromise web servers.

At the time of publication, BlackSquid has three delivery vectors, namely: manual installation on vulnerable servers, via websites hosted by previously compromised servers, and via previously compromised network or removable drives. 

During installation, BlackSquid will check the system username, primary drive model and device driver to ensure it is not running in a virtualised environment. It will also check certain hardware registers using a hard-coded routine, although this is commented out in some variant, indicating it may still be in development.

Once installed, BlackSquid will attempt to enumerate the network and any removable media, before deploying exploits in order to propagate to any connected devices or drives it finds. Once this is done, it will connect to a command and control server before deploying its intended payload, currently an XMRig-based cryptocurrency miner.

According to Beeping Computer security researchers found exploits for different vulnerabilities. One of them is NSA’s EternalBlue, three are for multiple ThinkPHP versions; another three are for getting remote code execution via CVE-2014-6287 (affects Rejetto HFS), CVE-2017-12615 (affects Apache Tomcat), and CVE-2017-8464 (affects Windows Shell), research from Trend Micro reports.

Indicators of compromise (IOCs)

URLs
hxxp://m9f[.]oss-cn-beijing[.]aliyuncs[.]com/A[.]exe
hxxp[:]//m9f[.]oss-cn-beijing[.]aliyuncs[.]com/Black[.]hta