PyRoMineIoT cryptojacker uses NSA exploit to spread

The latest malware threat based on the EternalRomance NSA exploit is PyRoMineIoT, a cryptojacker infecting IoT devices. But experts said the NSA shouldn't be held responsible for the damages. A new malware variant reads like the greatest hits of cyberthreats: a cryptojacker using an NSA exploit to scan for IoT devices with hardcoded passwords to spread and distribute the miner. And according to experts, there's blame to be had on all sides. Researchers at Fortinet's FortiGuard Labs have been tracking Python-based malware that uses the EternalRomance National Security Agency (NSA) exploit to spread and install a cryptominer -- hence, PyRoMine. And, now, the researchers found a variant that directly targets IoT devices, which they call PyRoMineIoT. Jasper Manuel, a malware researcher at Fortinet, based in Sunnyvale, Calif., wrote in a blog post that PyRoMine and PyRoMineIoT malware don't need Python to be installed on the target systems, and PyRoMineIoT uses the EternalRomance NSA exploit to scan for IoT devices that are vulnerable due to using hardcoded passwords. Once PyRoMineIoT infects a device, the malware downloads components, including a Monero cryptominer. "This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem," Manuel wrote. "We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices."