Indexsinas, an SMB worm, has been found to have hit organizations across several sectors, including telecommunications and healthcare. Once it takes over a machine, it puts that machine's hardware to work mining cryptocurrency for the attackers.
The worm has been active since 2019, spreading from one compromised network to the next. Its primary means of entry is the EternalBlue exploit against SMB (an exploit, not a scanner). Security researchers warned this week that the campaign is still ongoing.
How Does the Indexsinas SMB Worm Propagate?
In an analysis published on Wednesday, June 30, Guardicore Labs detailed how the worm propagates using three tools from the Equation Group leak: the EternalBlue and EternalRomance SMB exploits, and the DoublePulsar kernel backdoor. DoublePulsar gives the attackers a foothold in the kernel of the compromised machine, through which they load and run their own payloads.
The two Eternal exploits are not new: they were used in the WannaCry and NotPetya ransomware outbreaks. By the researchers' count, more than 1.2 million SMB servers reachable from the internet are at risk of infection by the worm.
The attacks observed so far came from more than 1,300 different source addresses, most of them in Vietnam, India and the US. The worm's payload consumes the infected machines' resources to mine Monero for the attackers. Guardicore has recorded roughly 2,000 attacks linked to the worm.
There is no firm attribution for the group behind the malware. The researchers noted that the operators have been "very careful" over the years. The miner pays out to a private mining pool run by the attackers, so outsiders cannot inspect the wallets or how much the campaign has earned.
How the Worm Infects Machines and Mines Cryptocurrency
"These exploits run code in the victim's kernel and are capable of injecting payloads to user-mode processes using asynchronous procedure calls (APCs). Indexsinas uses the exploits to inject code to either explorer.exe or lsass.exe," the researchers wrote of the worm.
From the main C2 server, the worm fetches the 64-bit DoublePulsar.dll and the 32-bit EternalBlue.dll as the payloads injected into the target, together with three other files. The attackers then install a dedicated remote access tool (RAT), Gh0stCringe, delivered as an executable.
Once the RAT is installed, its MainThread function starts handling commands from the C2 server. It also reports details about the machine, including the installation date, the computer name and the malware group ID.
The Monero miner runs under the name iexplore.exe, while a file named services.exe carries the cryptominer module.
A third component, c64.exe, drops ctfmon.exe and other files; c64.exe itself is the part responsible for propagating the Indexsinas SMB worm. All of these file names imitate legitimate Windows binaries (Internet Explorer, the Service Control Manager and the CTF loader), which is exactly why a copy running from an unexpected path is worth investigating.
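The worm's components borrow the names of Windows system binaries, so one practical hunt is to compare the path of every process with such a name against where that binary legitimately lives. The script below is an added example written for this page, not code from Guardicore or from the article; the expected paths are assumptions for a default 64-bit Windows install, and the sample process listing (with its ProgramData paths) is constructed for the illustration rather than taken from the report.

```powershell
# Added example (not from the Guardicore report or the Tech Times article):
# flag processes whose names match the Windows binaries Indexsinas imitates
# but which run from a path those binaries never use. The expected paths are
# assumptions for a default 64-bit Windows install; tune them for your fleet.
$ExpectedPaths = @{
    'lsass.exe'    = @("$env:SystemRoot\System32\lsass.exe")
    'services.exe' = @("$env:SystemRoot\System32\services.exe")
    'ctfmon.exe'   = @("$env:SystemRoot\System32\ctfmon.exe")
    'explorer.exe' = @("$env:SystemRoot\explorer.exe")
    'iexplore.exe' = @("$env:ProgramFiles\Internet Explorer\iexplore.exe",
                       "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe")
}
# Names the report ties to the worm itself; any hit is suspicious on its own.
$WormNames = @('c64.exe')

function Find-MasqueradedProcess {
    param(
        # Objects with Name and ExecutablePath, e.g. from Win32_Process.
        [Parameter(Mandatory)] [object[]] $Processes
    )
    foreach ($p in $Processes) {
        $name = $p.Name.ToLowerInvariant()
        if ($WormNames -contains $name) {
            [pscustomobject]@{ Name = $p.Name; Path = $p.ExecutablePath
                               Reason = 'known worm component name' }
            continue
        }
        if (-not $ExpectedPaths.ContainsKey($name)) { continue }
        # Protected processes hide their path from a non-elevated query; a null
        # path is not evidence by itself, so it is skipped rather than flagged.
        if (-not $p.ExecutablePath) { continue }
        $ok = $ExpectedPaths[$name] | Where-Object { $_ -ieq $p.ExecutablePath }
        if (-not $ok) {
            [pscustomobject]@{ Name = $p.Name; Path = $p.ExecutablePath
                               Reason = 'system binary name outside its expected path' }
        }
    }
}

# Constructed sample listing so the function can be exercised offline. The
# ProgramData paths are made up for the illustration, not taken from the report.
$Sample = @(
    [pscustomobject]@{ Name = 'lsass.exe';    ExecutablePath = "$env:SystemRoot\System32\lsass.exe" },
    [pscustomobject]@{ Name = 'services.exe'; ExecutablePath = 'C:\ProgramData\Tmp\services.exe' },
    [pscustomobject]@{ Name = 'iexplore.exe'; ExecutablePath = 'C:\ProgramData\Tmp\iexplore.exe' },
    [pscustomobject]@{ Name = 'c64.exe';      ExecutablePath = 'C:\ProgramData\Tmp\c64.exe' }
)
# The genuine lsass.exe passes; the other three rows are reported.
Find-MasqueradedProcess -Processes $Sample | Format-Table -AutoSize

# Live run on a host (elevate so the paths of protected processes are visible):
# Find-MasqueradedProcess -Processes (Get-CimInstance Win32_Process) | Format-Table -AutoSize
```

Run against a real host this only answers the narrow question the report raises (is a system-named binary running from somewhere it should not). A miner that keeps a legitimate name and path, or that injects into the real explorer.exe or lsass.exe as the quoted description says the exploits can, needs CPU, network and injection telemetry rather than a path check.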
How to Keep the Indexsinas Worm Off Your Systems
According to a report by Threatpost, enterprises should patch their SMB servers regularly (for the two Eternal exploits, that means the MS17-010 update), which closes the hole the worm uses to get in. Network segmentation and visibility into the environment are the other main defenses.
Production and corporate networks should be kept separate. Organizations should also find out which of their machines accept connections over SMB and restrict that access, and limit the IP addresses allowed to reach them: with a short allow list, any SMB connection from elsewhere immediately stands out as suspicious.
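The advice above (patch, restrict SMB, limit which addresses may reach it) translates into a handful of settings on each Windows host. The script below is an added example written for this page, not code from Threatpost, Guardicore or the article. It assumes an elevated PowerShell session on a domain-joined or standalone Windows host, and the management subnet 10.10.0.0/24 is a placeholder to replace with your own allow list.

```powershell
# Added example, not from the Tech Times article or Threatpost: report a host's
# SMB exposure, then turn off SMBv1 (the protocol EternalBlue targets) and scope
# inbound SMB to an allow list. The subnet below is an assumption; replace it.
# Run in an elevated PowerShell.
$AllowedSmbClients = @('10.10.0.0/24')

function Get-SmbExposure {
    # Is SMBv1 still on, and which enabled inbound rules currently allow TCP 445?
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $rules445 = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    [pscustomobject]@{
        SMB1Enabled      = $smb1
        InboundSmbAllows = @($rules445 | ForEach-Object { $_.DisplayName })
    }
}

function Set-SmbAllowList {
    param([Parameter(Mandatory)] [string[]] $RemoteAddress)

    # 1. Turn off SMBv1 so EternalBlue and EternalRomance have nothing to talk to.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 2. Deny unsolicited inbound traffic by default on every firewall profile.
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    # 3. Disable the built-in rules that open SMB (and the rest of the group) to any source.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Disable-NetFirewallRule

    # 4. Add one scoped allow rule for the listed clients only. A Block rule is
    #    deliberately not used: in Windows Firewall an explicit Block beats an
    #    Allow, so it would also shut out the management subnet.
    $name = 'SMB-In (allow list)'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $name
    }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort 445,139 -RemoteAddress $RemoteAddress -Action Allow -Profile Any | Out-Null
}

Get-SmbExposure                                   # before: SMB1Enabled may be True, broad allows listed
Set-SmbAllowList -RemoteAddress $AllowedSmbClients
Get-SmbExposure                                   # after: SMB1Enabled False, only the allow-list rule
```

Two caveats for a real rollout. Disabling the "File and Printer Sharing" group also disables its ICMP echo and NetBIOS rules, so re-enable whatever monitoring depends on; and the script changes the host firewall only, so the patch level still has to be verified separately (Get-HotFix lists installed updates, but the MS17-010 KB number differs per Windows version, so check the bulletin for your build rather than hard-coding one).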
This article is owned by Tech Times
Written by Joseph Henry