EternalRed

EternalRed and SambaCry are the infosec designations given to the CVE-2017-7494 vulnerability, which affects *nix-based systems. More specifically, it was present in Samba from version 3.5.0, released in 2010, up to the releases 4.6.4/4.5.10/4.4.14 in which it was patched. Although the vulnerability was associated with the infamous EternalBlue exploit, EternalRed was first detected in the attack chain of hackers who were not delivering ransomware threats such as WannaCry but were instead dropping a cryptocurrency miner.
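
Two checks follow from the version range above: whether an installed Samba falls inside it, and whether the `nt pipe support = no` workaround that the Samba project published for CVE-2017-7494 is set in `smb.conf`. The script below is an added example, not code from the original article or from the Samba project. The version boundaries are the ones the article states (3.5.0 through the 4.6.4/4.5.10/4.4.14 fixes); it assumes that branches older than 4.4 never received the fix and that every release series after 4.6 shipped with it. The sample `smb.conf` is constructed for the demonstration.

```python
"""Check a Samba version string against the CVE-2017-7494 fix versions and
check smb.conf for the published workaround.

Added example; not code from the original article or from Samba.
Assumptions: branches older than 4.4 were never fixed, and every series
newer than 4.6 was released after the fix.
"""
import re

FIRST_AFFECTED = (3, 5, 0)
# Earliest fixed release on each branch that was maintained when the fix shipped.
FIXED_BY_BRANCH = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'Version 4.5.8-Debian',
    which is the shape `smbd --version` prints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable_version(text):
    """True when the version lies in the affected range reported for CVE-2017-7494."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    if branch < (4, 4):
        return True   # assumption: end-of-life branches never got the fix
    return False      # assumption: 4.7 and later shipped with the fix


def workaround_applied(conf_text):
    """True when the [global] section sets 'nt pipe support = no', the
    workaround Samba published: it disables the named-pipe handling the
    exploit abuses to get a shared object loaded."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "nt pipe support":
                return value.strip().lower() in ("no", "false", "0")
    return False


# Constructed sample configuration for the demonstration.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   # temporary mitigation until the package is upgraded
   nt pipe support = no
[public]
   path = /srv/samba/public
   writable = yes
"""

if __name__ == "__main__":
    for v in ("Version 4.5.8-Debian", "4.5.10", "3.4.9", "4.2.14", "4.7.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "not in affected range")
    print("workaround in sample smb.conf:", workaround_applied(SAMPLE_CONF))
```

Feed `parse_version` the output of `smbd --version` and `workaround_applied` the contents of the host's `smb.conf`; a version inside the range with no workaround set is the case to escalate. Distribution packages that backport the fix keep the old version number, so confirm against the package changelog before concluding a host is exposed.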

The vulnerability allowed a payload in the form of a Samba plug-in to be loaded with superuser privileges. However, the cybercriminals had to guess the full path to the dropped payload, starting from the root directory. If successful, the hackers then proceeded to load and execute the file as part of the Samba server process. The file was then deleted, leaving the payload to operate entirely in the compromised system's memory. The researchers observed two payloads being delivered through the EternalRed vulnerability.
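
Because the dropped shared object is deleted after it is loaded, the artifact a defender can still find is the mapping it leaves in the running `smbd` process: on Linux, `/proc/<pid>/maps` marks such mappings `(deleted)`. The script below is an added example, not code from the original article; it parses `maps` lines and flags executable mappings of deleted files or of files outside the library directories. The sample `maps` lines are constructed for the demonstration (the payload names are the ones the article reports, the share path is invented), and `TRUSTED_PREFIXES` is an assumption to tune per host.

```python
"""Flag executable mappings in smbd that point at deleted files or at files
outside the usual library locations.

Added example; not the original article's code. The sample maps lines are
constructed; TRUSTED_PREFIXES is an assumption for a typical Linux layout.
"""
import os
import re

TRUSTED_PREFIXES = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/", "/usr/libexec/")

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)
DELETED = " (deleted)"


def suspicious_mappings(maps_text):
    """Return [(path, reason)] for executable file-backed mappings worth a look."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or "x" not in m.group("perms"):
            continue
        path = m.group("path").strip()
        if not path.startswith("/"):
            continue  # anonymous memory, [stack], [vdso] and similar
        if path.endswith(DELETED):
            findings.append((path[: -len(DELETED)], "executable mapping of a deleted file"))
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append((path, "executable mapping outside library directories"))
    return findings


def smbd_pids():
    """PIDs whose comm name is 'smbd' (Linux /proc)."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                if fh.read().strip() == "smbd":
                    pids.append(int(entry))
        except OSError:
            continue
    return pids


def scan_live():
    """Map each live smbd PID to its suspicious mappings."""
    report = {}
    for pid in smbd_pids():
        try:
            with open(f"/proc/{pid}/maps") as fh:
                report[pid] = suspicious_mappings(fh.read())
        except OSError:
            continue
    return report


# Constructed sample: one legitimate library, one deleted payload mapped
# executable, a non-executable mapping of the same file, a payload that is
# still on disk, and a stack mapping.
SAMPLE_MAPS = """\
7f3c1a000000-7f3c1a021000 r-xp 00000000 08:01 1310720 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so
7f3c1b000000-7f3c1b001000 r-xp 00000000 08:01 2621440 /srv/samba/public/INAebsGB.so (deleted)
7f3c1b001000-7f3c1b002000 rw-p 00001000 08:01 2621440 /srv/samba/public/INAebsGB.so (deleted)
7f3c1c000000-7f3c1c003000 r-xp 00000000 08:01 2621441 /srv/samba/public/cblRWuoCc.so
7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for path, reason in suspicious_mappings(SAMPLE_MAPS):
        print(f"sample: {path}: {reason}")
    for pid, hits in scan_live().items():
        for path, reason in hits:
            print(f"pid {pid}: {path}: {reason}")
```

Run it as root so `/proc/<pid>/maps` of every `smbd` worker is readable. A library replaced by a package upgrade also shows as `(deleted)` until the service restarts, so a hit under a trusted library directory is usually an upgrade, whereas a deleted executable mapping under a share path is the pattern described above.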

The first one was named INAebsGB.so and carried a reverse shell that, once initiated, gave the attacker almost complete freedom to execute arbitrary shell commands remotely. In practice, the hackers could download additional applications from the Internet and run them on the compromised system or, if they so desired, simply delete all of the user's data.

The other payload that exploited EternalRed is cblRWuoCc.so. Its main purpose is the delivery of CpuMiner, an open-source cryptocurrency mining tool. The particular cpuminer version used in the attack was modified to run without any additional parameters. As a result, it delivered all of the generated cryptocurrency coins directly to the hackers' wallet. As for the specific currency, cblRWuoCc.so was created to mine Monero (XMR). By tracking the wallet address, the cybersecurity researchers discovered that the Monero coins delivered to it increased at a rapid rate, from a single coin on the first day of the campaign to around five per day during later periods. After a month of crypto-mining activity, the hackers had managed to amass 98 XMR, which was equal to approximately $5500 at that time.
