PyRoMineIoT malware use NSA Exploit to mine Monero

FortiGuard Labs released a report on June 12, 2018, revealing malware called “PyRoMineIoT.” The software not only uses “Eternal Romance” loopholes to spread encrypted mining software but also misuses infected devices to scan vulnerable Internet of Things (IoT) devices.

FortiGuard Labs previously analysed this Python-based malware called PyRoMine and predicted that the new version of the malware would appear, so it has been tracking it. This report analyses the upgraded version of PyRoMine malware and a PyRoMine-like malware PyRoMineIoT.

According to researchers, PyRoMine is still under development and has recently been updated with the addition of obfuscation techniques to circumvent detection of anti-virus software.

The upgraded version of PyRoMine malware is hosted on the same IP address (, but developers use PyInstaller to compile it into a separate executable and continue to use the “eternal romance” exploit code on the vulnerability database Exploit Database. After successful use, the upgraded version of PyRoMine will download the obfuscated VBScript.

The upgraded PyRoMine will also set a default account with a password of P@ssw0rdf0rme and add it to the local group (administrators, remote desktop users, and users), then enable RDP and add firewall rules to allow traffic on port 3389. Also, it also tries to remove the old version of PyRoMine from the system.

One of the address pools used by PyRoMine shows that the attacker earned about 5 Monroe coins. Since April 2018, this malware has also infected a large number of systems. The five most affected areas are Singapore, India, Taiwan, Côte d’Ivoire and Australia.

Image: fortinet

The report pointed out that PyRoMineIoT is similar to PyRoMine and is based on Python’s Monroe coin mining malware. Besides, both malware uses the “eternal romance” vulnerability to spread.

Researchers stated that the threat of PyRoMineIoT came from a malicious website disguised as a Web browser security update. The spurious update is downloaded as a .zip archive file containing the downloader agent written in C#. The agent obtains mining files and other malicious components, including a Python-based malware that uses “eternal romance” to spread the downloader to vulnerable devices on the network. The agent also obtains parts that steal user credentials from Chrome and scans IoT devices in Iran and Saudi Arabia that use an administrator account through another component.

This malware searches for vulnerable IoT devices, but it only targets such devices in Iran and Saudi Arabia. PyRoMineIoT will send the device’s IP information to the attacker’s server, which may be to prepare for further attacks.

PyRoMineIoT, like PyRoMine, also downloads mining software XMRig on infected systems. After examining one of the address pools, the researchers found that PyRoMineIoT has not yet received revenue. This is roughly because the malware began to spread on June 6 and was an unfinished project.

Fortinet stated that developers of PyRoMineIoT are interested in cryptocurrency mining and are also trying to use the Internet of Things to threaten the ecosystem. According to researchers’ predictions, this trend will not disappear in the short term. As long as there is a chance, lawbreakers will continue to use the vulnerable equipment to make money.