On March 24, 2014 Kaseya wrote a letter to all customers notifying them that several Kaseya customers had been targeted in attacks in which attempts were made to deploy ‘Litecoin’ mining malware in their environments, in some cases successfully. While the malware may have allowed the unknown attacker to access endpoint systems that may contain sensitive data, we have seen nothing to suggest that this malware was harvesting personal, financial, or any other kind of sensitive information, or that any individual’s information has been misused as a result of this attack. The actions taken by the attacker appear to be a Litecoin mining operation only, aimed at generating this digital currency. A copy of this email has been posted as a Knowledge Base article.
We have developed and published a patch for both the 6.3 (Patch 6.3.6, Hotfix #8813) and 6.5 (patch 220.127.116.11) releases of Kaseya Virtual System Administrator (VSA) to address this vulnerability, and our SaaS systems have been patched. The patch release notes and installation instructions for the 6.5 and 6.3 patch releases are available here: http://help.kaseya.com/WebHelp/EN/RN/index.asp#PatchReleaseNotes.htm
This article includes instructions for running an audit to identify whether Litecoin mining malware is running in a customer environment, followed by instructions for running a script to remediate the issue where it is found.
Please note that:
- Only MS-Windows computers are affected (Mac OS X, Linux and mobile devices are not affected).
- The Litecoin mining malware runs as a process named ‘SoftwareUpdate.exe’, version 18.104.22.168, with the file description 'Apple Software Update’. In order to avoid false positives, it is important that you note the affected version is 22.214.171.124. Apple's legitimate Software Update uses the same executable name and description but other version numbers, so the version number, not the name or description, is the deciding indicator.
- You must run an audit across your Windows endpoints for this executable name and version number to determine whether this malware is present.
- The view described below relies on software audit data in the Kaseya database. An agent that has not completed an audit since the malware was installed will not appear in the view, so make sure your audits are current before relying on the result.
INSTRUCTIONS TO DETERMINE WHICH MACHINES ARE AFFECTED
1) Ensure you are viewing all machines under management. Click Reset to clear any view or filter currently applied.
2) Create a new Kaseya View by selecting ‘Edit’ in the Navigation Bar.
3) Expand ‘Applications’. Check the boxes next to ‘Contains’ and ‘Version String Is’. Enter ‘softwareupdate.exe’ for the application title. Select the radio button next to ‘=‘ for the operator and enter ‘126.96.36.199’ for the version.
In order to avoid false positives, it is important that you note the affected version is 188.8.131.52. There is legitimate software from Apple using other version numbers.
4) Click ‘Save As’ and in the pop-up dialog that follows, enter ‘Litecoin Miner Explorer’ as view name and press OK.
5) Select your new Litecoin Miner Explorer view from the views drop-down.
6) If no machines are listed, none of your audited Windows agents is running the rogue Litecoin Miner. Remember that this is only as current as your last software audit.
7) If agents are listed, follow the removal section below or contact support to obtain a fix. The quickest way to obtain support is by opening a ticket with Kaseya Support at https://helpdesk.kaseya.com. Make sure you use the keyword LCCLEAN in the description.
INSTRUCTIONS TO REMOVE MALWARE FROM AFFECTED MACHINES
Please use the instructions below only on agents you have found to be affected; it is not recommended that you run the script on non-affected machines.
The agent procedure attempts to detect and remove the rogue Litecoin mining software from an MS-Windows agent. On 64-bit machines the Litecoin Miner installs itself under c:\program files\, so it can be removed without damaging the legitimate Apple Software Update, which is installed under c:\program files (x86).
On a 32-bit machine there is only one Program Files directory, and the Litecoin Miner overwrites Apple's SoftwareUpdate.exe. Once the miner has been removed, iTunes/Apple Software Update must be completely re-installed on that machine.
On a 64-bit machine the scheduled task has to be deleted and re-created within the procedure, because schtasks.exe only supports deleting a task by name and the Litecoin Miner's task uses the same name as Apple's official task.
1) Download the file “Procedure LCClean.xml” attached to this article.
2) Import the file into your Kaseya Server (System > Server Management > Import Center). See http://help.kaseya.com/WebHelp/EN/VSA/6050000/index.asp#6963.htm for instructions.
3) A new Agent Procedure called “LCClean” will be available in your VSA. Go to Agent Procedures. See http://help.kaseya.com/WebHelp/EN/VSA/6050000/index.asp#10718.htm for more information.
4) Schedule the execution of the “LCClean” agent procedure on the affected machines. If you have a small number of affected machines, you can use the Run Now option. Otherwise, in order to spread network traffic and server load, select a suitable Distribution Window, as described here: http://help.kaseya.com/WebHelp/EN/VSA/6050000/index.asp#10720.htm
5) If you have trouble running the agent procedure, or if the script is unable to clean the rogue software (you will see the message "Warning: Unable to remove SoftwareUpdate.exe. Please reboot and run this procedure again" in the Agent Procedure log, which typically means the file was locked by a running process), please contact Kaseya support.
The quickest way to obtain support is by opening a ticket with Kaseya Support at https://helpdesk.kaseya.com. Make sure you use the keyword LCCLEAN in the description, state clearly that you have run the script, and list the number and names of the machines on which you have confirmed the malware was installed.
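For administrators who want to confirm the audit result on a single host, or who need to check a machine that has not reported a recent software audit, the following PowerShell script is an added example. It is not Kaseya's LCClean agent procedure and is not taken from the original advisory. It applies the same indicators the audit view uses (the executable name SoftwareUpdate.exe and an exact file-version match) and the same 32-bit/64-bit distinction described in the removal section. The affected version string is passed in as a parameter rather than hard-coded, so it must be supplied exactly as published in the advisory; the search roots, the output fields, and the -Remove switch are assumptions of this example. It requires PowerShell 4.0 or later (for Get-FileHash) and must be run elevated. Removal is opt-in and does not touch the scheduled task, which on 64-bit hosts shares Apple's task name and should be handled as the removal section describes.

```powershell
<#
Added example (not Kaseya's LCClean procedure): find, report and optionally
remove a SoftwareUpdate.exe whose file version exactly matches the rogue
version from the advisory. Assumed interface: -RogueVersion (mandatory) and
-Remove (opt-in). Requires PowerShell 4.0+ and an elevated session.
#>
param(
    [Parameter(Mandatory = $true)][string]$RogueVersion,  # version string from the advisory
    [switch]$Remove
)

$ErrorActionPreference = 'Continue'
$Is64BitOS = [Environment]::Is64BitOperatingSystem

# Search roots (assumed). On 64-bit Windows the miner was reported under
# C:\Program Files\ while Apple's legitimate updater lives under
# C:\Program Files (x86)\. ProgramW6432 is included so the 64-bit location is
# searched even from a 32-bit PowerShell host (e.g. an agent running under WOW64).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432, $env:ProgramData) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

function Find-SoftwareUpdateExe {
    param([string[]]$Roots, [string]$Version)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Filter 'SoftwareUpdate.exe' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                [pscustomobject]@{
                    Path            = $_.FullName
                    FileVersion     = $vi.FileVersion
                    FileDescription = $vi.FileDescription
                    # Hash captured before any deletion so the sample can be referenced in a ticket.
                    SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    # Decide on the exact version only: the name and the 'Apple Software Update'
                    # description are shared with the legitimate updater.
                    IsRogue         = ($vi.FileVersion -eq $Version)
                }
            }
    }
}

function Get-SoftwareUpdateProcesses {
    # Running instances, with the version of the image actually loaded.
    Get-Process -Name 'SoftwareUpdate' -ErrorAction SilentlyContinue |
        Select-Object Id, Path, @{ n = 'FileVersion'; e = {
            try { (Get-Item -LiteralPath $_.Path).VersionInfo.FileVersion } catch { $null } } }
}

function Get-SoftwareUpdateTasks {
    # schtasks can only delete by name and the miner reuses Apple's task name,
    # so list every task whose command line points at SoftwareUpdate.exe instead.
    $lines = & schtasks.exe /Query /FO CSV /V 2>$null
    if (-not $lines) { return }
    $lines | Select-Object -Unique | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match 'softwareupdate\.exe' } |
        Select-Object TaskName, 'Task To Run', 'Next Run Time'
}

$files = @(Find-SoftwareUpdateExe -Roots $roots -Version $RogueVersion)
$rogue = @($files | Where-Object { $_.IsRogue })

"--- SoftwareUpdate.exe files found ---"; $files | Format-Table -AutoSize
"--- Running SoftwareUpdate processes ---"; Get-SoftwareUpdateProcesses | Format-Table -AutoSize
"--- Scheduled tasks referencing SoftwareUpdate.exe ---"; Get-SoftwareUpdateTasks | Format-Table -AutoSize

if ($rogue.Count -eq 0) {
    Write-Host "No SoftwareUpdate.exe with version $RogueVersion found on this host."
    return
}
Write-Warning ("{0} copy/copies of SoftwareUpdate.exe match the affected version." -f $rogue.Count)
if (-not $Is64BitOS) {
    # 32-bit edge case from the advisory: the miner overwrote Apple's own file,
    # so removing it leaves no legitimate updater behind.
    Write-Warning "32-bit Windows: Apple Software Update/iTunes must be re-installed after removal."
}

if ($Remove) {
    foreach ($r in $rogue) {
        # Stop only processes loaded from this exact path, then delete the file.
        Get-Process -Name 'SoftwareUpdate' -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -eq $r.Path } |
            Stop-Process -Force -ErrorAction SilentlyContinue
        try {
            Remove-Item -LiteralPath $r.Path -Force -ErrorAction Stop
            Write-Host "Removed $($r.Path) (SHA256 $($r.SHA256))"
        } catch {
            # Same failure mode LCClean reports: the file is still locked.
            Write-Warning "Unable to remove $($r.Path). Please reboot and run this script again."
        }
    }
}
```

Run it as `.\Check-LitecoinMiner.ps1 -RogueVersion '<version from the advisory>'` to report only, and add `-Remove` once you have confirmed the match. The report section is safe to run on any Windows host; the removal section should be used only on machines the Kaseya view has already identified, in keeping with the advice above not to run the cleanup on unaffected machines.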