New PyRoMine Malware Variant Used Obfuscation and Incorporates IoT Device Scanner

A new variant of the PyRoMine cryptocurrency mining malware has been discovered by security researchers at Fortinet. The Pythod-based malware variant has been named PyRoMineIoT.

The malware bears a number of similarities to the PyRoMine malware discovered by FortiGuard Labs in April, although this variant has enhanced capabilities helping it to evade detection by AV software.

The new version of the malware is hosted on the same IP address as its predecessor, and also uses the NSA exploit ETERNALROMANCE to propagate. The purpose of the malware is to mine the Monero and to recruit as many vulnerable computers and IoT devices as possible to maximize the processing power that can be devoted to the task.

PyRoMineIoT has been packaged into a standalone executable file using Pyinstaller, so devices do not need to have Python installed to be vulnerable.

The infection process requires a user to visit a malicious website where a fake browser security update is displayed, tailored to the browser the visitor is using. Visitors who respond to the download request will receive an file that contains a C# downloader that installs the miner and various other components, one of which uses the ETERNALROMANCE exploit to spread to all vulnerable devices on the network.

An additional component included in the zip – ChromePass – steals credentials in Chrome, which are saved to an XML file. ChromePass attempts to send the XML file to a DriveHQ account, although the account has now been disabled. An IoT device scanner component searches for vulnerable IoT devices in Iran and Saudi Arabia – devices that have admin set as the username and password. That information is then passed back to the malware developers for use in future attacks.

The ETERNALROMANCE exploit requires authentication, although system privileges can be gained on Guest accounts. PyRoMineIoT attempts to login as Anonymous with an empty username and password, although it is also capable of setting up an account with the username ‘Default’ and the password ‘P@ssw0rdf0rme.”

Once access is gained, an obfuscated VBScript is downloaded, in contrast to the previous version which had no obfuscation. This helps the malware evade detection by AV software. The VBScript then downloads various other components including the XMRig Monero miner. If older versions of PyRoMine malware are already installed, the new malware variant deletes those copies.

The malware enables RDP, adds a firewall Rule on RDP port 3389, stops the Windows Update Service, and starts the Remote Access Connection Manager service, enabling basic authentication on that service to permit the transfer of unencrypted data.

It has only been two months since the malware was first detected, but in those two months the number of infected devices has increased considerably, with Singapore, India, and Taiwan seeing the most infections, followed by Ivory Coast and Australia.

This latest malware variant shows that the authors of the malware are actively developing their malware and have put considerable effort into mining Monero. FortiGuard Labs warns that this malware threat will continue to pose a threat for some time to come.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of