Two years later, the NSABuffMiner botnet is still alive and kicking
A crypto-mining malware family named NSABuffMiner (or Indexsinas) is still active and infecting Windows systems using three leaked NSA tools, more than two years after it was first discovered, security firm Guardicore said today.
- The botnet has been active since 2019, when it was first documented by Chinese security firm Tencent. Tencent published a second NSABuffMiner report in 2020.
- The botnet works by scanning the internet for Windows systems that expose SMB (TCP port 445) directly to the internet.
- NSABuffMiner (Indexsinas) uses three exploits to gain a foothold on Windows systems.
- The tools are the EternalBlue and EternalRomance SMB exploits and the DoublePulsar kernel backdoor, which the exploits use to install and run the payload. All three are part of the cache of hacking tools stolen from the US National Security Agency and leaked publicly in 2016-2017.
- After gaining access to a Windows system, the attackers drop a version of the Gh0stCringe remote access trojan on infected hosts, along with the XMRig app to mine the Monero cryptocurrency.
- NSABuffMiner (Indexsinas) also uses infected hosts to propagate to other systems on internal networks, while continuing to scan the internet for new victims.
- Guardicore said it has recorded more than 2,000 attacks against its honeypots since it began tracking the botnet in March 2020, roughly 15 months ago.
- IOCs are available here. A diagram breaking down the botnet's infection process is available here.
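The infection chain described above (mass scanning for exposed port 445, then lateral spread from each infected host) leaves a distinctive fan-out pattern in flow or firewall logs: a single source connecting to many distinct hosts on TCP/445 in a short window. The following is an added detection example, not code from the Guardicore or Tencent reports. The flow-log format (`timestamp src dst dport`), the sample addresses and timestamps, and the threshold of 10 distinct targets in 60 seconds are all assumptions made up for the example.

```python
"""Flag sources that fan out to TCP/445 on many distinct hosts in a short window.

Added example (not part of the original article or the Guardicore report).
The log format, the sample addresses/times and the threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445


def parse_flow(line):
    """Parse one constructed 'timestamp src dst dport' record."""
    ts, src, dst, dport = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)


def find_smb_scanners(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_445_targets} for sources at or above threshold.

    For each source, slide a time window over its port-445 connections and
    track how many distinct destinations fall inside it. A client that
    repeatedly talks to one file server never exceeds a count of 1, whereas a
    worm sweeping a /24 reaches the threshold within seconds.
    """
    by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> occurrences inside the window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that have fallen out of the trailing window.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


def constructed_sample():
    """Constructed flow records (addresses and times invented for this example)."""
    base = datetime(2021, 6, 30, 10, 0, 0)
    rows = []
    # External scanner: 12 distinct targets on 445 within 12 seconds.
    for i in range(12):
        rows.append((base + timedelta(seconds=i), "203.0.113.7", f"192.0.2.{10 + i}", 445))
    # Benign client hammering one file server on 445 (distinct count stays 1).
    for i in range(30):
        rows.append((base + timedelta(seconds=2 * i), "192.0.2.50", "192.0.2.10", 445))
    # Infected internal host spreading laterally: 10 targets in 40 seconds.
    for i in range(10):
        rows.append((base + timedelta(minutes=5, seconds=4 * i), "192.0.2.33", f"10.0.0.{20 + i}", 445))
    # Slow source: 3 targets spread over hours, never 10 inside one window.
    for i in range(3):
        rows.append((base + timedelta(hours=i), "198.51.100.4", f"192.0.2.{100 + i}", 445))
    # Unrelated HTTPS traffic, ignored by the port filter.
    rows.append((base, "192.0.2.60", "198.51.100.9", 443))
    return [f"{ts:%Y-%m-%dT%H:%M:%SZ} {src} {dst} {port}" for ts, src, dst, port in rows]


if __name__ == "__main__":
    for src, peak in sorted(find_smb_scanners(constructed_sample()).items()):
        print(f"possible SMB scanner {src}: {peak} distinct targets on 445 within 60s")
```

Run against real flow or firewall logs, the internal-source hits are the more urgent ones: an internal host sweeping port 445 is the lateral-propagation stage described above and is worth isolating before it finishes the sweep. Tune the threshold and window to the size of the monitored network; on large flat networks, a compromised host may hit hundreds of targets per minute.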