Malware. Exploits 1 CVE.

NSABuffMiner


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2017-0144: EternalBlue SMBv1 Remote Code Execution (exploited in the wild)

The corresponding malware spreads over the SMB protocol using the EternalBlue vulnerability (MS17-010). The patch for it was released four years before the initial compromise. | ...the files in question are linked to a covert cryptocurrency mining campaign named NSABuffMiner. The corresponding malware spreads over the SMB protocol using the EternalBlue vulnerability (MS17-010).

via securelist.ru
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1053 Scheduled Task/Job (evidence: 1)

Persistence is then established by creating scheduled tasks to execute the propagation and infection scripts, and services are created to execute the crypto miner, with the names MicrosoftMysql, MicrosoftFonts, and MicrosoftMSSql. Other scheduled tasks were also observed with the names At1 and At2.

T1053.005 Scheduled Task (evidence: 1)

The launch of this tool was set up through a scheduler task disguised as a legitimate Google Chrome update.

Persistence

4 techniques
T1053 Scheduled Task/Job (evidence: 1)

Persistence is then established by creating scheduled tasks to execute the propagation and infection scripts, and services are created to execute the crypto miner, with the names MicrosoftMysql, MicrosoftFonts, and MicrosoftMSSql. Other scheduled tasks were also observed with the names At1 and At2.

T1053.005 Scheduled Task (evidence: 1)

The launch of this tool was set up through a scheduler task disguised as a legitimate Google Chrome update.

T1543 Create or Modify System Process (evidence: 1)

...services are created that launch the cryptominer. These tasks and services are named MicrosoftMysql, MicrosoftFonts and MicrosoftMSSql.

T1543.003 Windows Service (evidence: 1)

services are created to execute the crypto miner, with the names MicrosoftMysql, MicrosoftFonts, and MicrosoftMSSql

Privilege Escalation

6 techniques
T1053 Scheduled Task/Job (evidence: 1)

Persistence is then established by creating scheduled tasks to execute the propagation and infection scripts, and services are created to execute the crypto miner, with the names MicrosoftMysql, MicrosoftFonts, and MicrosoftMSSql. Other scheduled tasks were also observed with the names At1 and At2.

T1053.005 Scheduled Task (evidence: 1)

The launch of this tool was set up through a scheduler task disguised as a legitimate Google Chrome update.

T1055 Process Injection (evidence: 2)

These components inject the malicious DLL libraries Eternalblue2.dll and Doublepulsar2.dll into the lsass.exe and explorer.exe processes...

T1068 Exploitation for Privilege Escalation (evidence: 1)

...the malware spreads over the SMB protocol using the EternalBlue vulnerability (MS17-010)...

T1543 Create or Modify System Process (evidence: 1)

...services are created that launch the cryptominer. These tasks and services are named MicrosoftMysql, MicrosoftFonts and MicrosoftMSSql.

T1543.003 Windows Service (evidence: 1)

services are created to execute the crypto miner, with the names MicrosoftMysql, MicrosoftFonts, and MicrosoftMSSql

Stealth

3 techniques
T1036 Masquerading (evidence: 1)

It created the alias “Kaspersky” for “Invoke-Expression” in an attempt to blend in as legitimate activity in the hope that a quick glance at the script would not raise suspicion.

T1055 Process Injection (evidence: 2)

These components inject the malicious DLL libraries Eternalblue2.dll and Doublepulsar2.dll into the lsass.exe and explorer.exe processes...

T1564.001 Hidden Files and Directories (evidence: 1)

This was done after adding the malware’s folder to Windows Defender exclusions and applying hidden and system attributes to the file to hide it from regular users.

Discovery

1 technique
T1046 Network Service Discovery (evidence: 2)

The files bat.bat and cmd.bat generate random IP addresses and scan them... to identify active and vulnerable hosts with SMB port 445 and NetBIOS port 139 open.

Lateral Movement

2 techniques
T1021.002 SMB/Windows Admin Shares (evidence: 2)

...the malware spreads over the SMB protocol...

T1210 Exploitation of Remote Services (evidence: 2)

...the malware spreads over the SMB protocol using the EternalBlue vulnerability (MS17-010)...
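As an added defender's example, not code from the Mallory page or from the cited reports: Python detection logic that flags the host artifacts quoted in the evidence above (the task and service names, the custom alias for Invoke-Expression, the Defender exclusion and the hidden/system attributes) over constructed event records. The event IDs are the standard Windows Security, System, PowerShell and Sysmon ones, but the record field names and the exact exclusion and attrib command forms are assumptions, since the page names neither command.

```python
import re

# Task/service names quoted in the evidence above (T1053.005 / T1543.003).
NSABUFFMINER_NAMES = {"MicrosoftMysql", "MicrosoftFonts", "MicrosoftMSSql", "At1", "At2"}

# New-Alias/Set-Alias pointing a custom name at Invoke-Expression (T1036; the report cites "Kaspersky").
ALIAS_RE = re.compile(r"(?i)\b(?:new|set)-alias\s+(?:-name\s+)?(\S+)\s+(?:-value\s+)?invoke-expression\b")
# Assumed command forms for the Defender exclusion and the hidden+system attributes (not quoted on the page).
EXCLUSION_RE = re.compile(r"(?i)\badd-mppreference\b.*-exclusionpath")
ATTRIB_RE = re.compile(r"(?i)\battrib\b.*\+[hs]\b.*\+[hs]\b")


def classify(rec: dict) -> list[str]:
    """Return findings for one event record; field names are our own, not a real log schema."""
    hits = []
    eid = rec.get("event_id")
    if eid == 4698:  # Security 4698: scheduled task created (TaskName carries a leading backslash)
        name = rec.get("task_name", "").lstrip("\\")
        if name in NSABUFFMINER_NAMES:
            hits.append(f"T1053.005 scheduled task {name}")
    elif eid == 7045:  # System 7045: a service was installed
        if rec.get("service_name") in NSABUFFMINER_NAMES:
            hits.append(f"T1543.003 service {rec['service_name']}")
    elif eid == 4104:  # PowerShell script block logging
        script = rec.get("script", "")
        m = ALIAS_RE.search(script)
        if m and m.group(1).lower() != "iex":  # iex is the built-in alias; any other name is odd
            hits.append(f"T1036 alias {m.group(1)} -> Invoke-Expression")
        if EXCLUSION_RE.search(script):
            hits.append("Defender exclusion added (reported alongside T1564.001)")
    elif eid == 1:  # Sysmon 1: process creation
        if ATTRIB_RE.search(rec.get("command_line", "")):
            hits.append("T1564.001 hidden/system attributes applied")
    return hits


# Constructed sample telemetry, not from the report; the last record is a benign control.
SAMPLE_EVENTS = [
    {"event_id": 4698, "task_name": "\\MicrosoftMysql"},
    {"event_id": 7045, "service_name": "MicrosoftFonts"},
    {"event_id": 4104, "script": "Set-Alias Kaspersky Invoke-Expression"},
    {"event_id": 4104, "script": "Add-MpPreference -ExclusionPath C:\\ProgramData\\Sys"},
    {"event_id": 1, "command_line": "attrib +h +s C:\\ProgramData\\Sys\\svchost.exe"},
    {"event_id": 7045, "service_name": "Spooler"},
]


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only the events that matched."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}
```

Running `scan(SAMPLE_EVENTS)` flags the first five records and leaves the Spooler control untouched; in practice the name set is the fragile part, since the operators can rename tasks, so pair it with the behavioural rules.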
