The latest version of the EternalBlue exploit is actively spreading, and according to the world’s security experts, this malware will also install the new version of the cryptocurrency-mining malware NRSMiner.
According to ISNA, EternalBlue is an exploit developed by the U.S. National Security Agency. It was leaked by the Shadow Brokers hacker group and was used as part of the worldwide WannaCry ransomware attack. EternalBlue exploits a vulnerability in the Server Message Block (SMB) protocol.
Starting in mid-November 2018, F-Secure’s telemetry reports indicate that the newest version of the NRSMiner crypto miner, which uses the EternalBlue exploit to propagate to vulnerable systems within a local network, is actively spreading in Asia. Most of the infected systems seen are in Vietnam (54%) and Iran (more than 16%).
NRSMiner can download updated modules, remove the files and services installed by its own previous versions, and install a cryptocurrency miner on an infected computer. It also uses XMRig to mine Monero.