Cryptocurrency Malware Uses Leaked NSA Exploits To Infect China’s Enterprises To Mine Monero

24/04/2019

A cryptocurrency-mining malware has infected thousands of machines at high-value enterprises across Asia, most of them in China, to mine the Monero cryptocurrency.

Known as 'Beapy', the malware makes use of two leaked NSA tools and harvests victims' credentials as it moves through a network, spreading as quickly as it can. Making things worse, because it also spreads with stolen and hardcoded credentials, it can reach systems that are already patched against the NSA exploit.

According to cybersecurity research firm Symantec, which has been tracking the threat since January 2019, Beapy is a file-based coinminer that uses email as an initial infection vector.

“This campaign demonstrates that while crypto-jacking has declined in popularity with cyber criminals since its peak at the start of 2018, it is still a focus for some of them, with enterprises now their primary target,” explained the company.

Beapy's initial infection vector is email, and according to Symantec the activity has increased sharply since March.

Beapy malware infections

Beapy works by first spreading itself to potential victims through malicious Excel spreadsheet files that are distributed via emails.

If the recipient opens the attachment, the malicious file downloads 'DoublePulsar', an NSA-built backdoor from the same leak. DoublePulsar opens a backdoor on the infected machine that lets the attackers execute commands on the victim's computer remotely.

"Once DoublePulsar is installed, a PowerShell command is executed, and contact is made with the Beapy command and control server, before a coinminer is downloaded onto the target computer,” continued Symantec.

After that, the malware uses another leaked NSA tool, the 'EternalBlue' exploit, to spread throughout the victim's network. This is where Beapy stands out: because it does not rely on the exploit alone to move laterally, it can also infect systems that are already patched against EternalBlue.

DoublePulsar and EternalBlue are the same exploits that helped spread the WannaCry ransomware in 2017.
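The article says DoublePulsar opens a backdoor on infected machines. The following is an added example, not code from the article or from Symantec, showing how that backdoor is commonly fingerprinted: the implant answers an SMB1 Trans2 SESSION_SETUP probe sent with Multiplex ID 0x41 by replying with Multiplex ID 0x51, while a clean host echoes 0x41 back. The packets here are constructed by hand so the check runs without a network; only the header fields matter for the fingerprint.

```python
"""Offline check for the DoublePulsar SMB "ping" fingerprint.

Added example; this is not code from the article or from Symantec. It
encodes the widely used DoublePulsar detection heuristic: a Trans2
SESSION_SETUP probe is sent with Multiplex ID 0x41, an implanted host
answers with Multiplex ID 0x51, a clean host echoes 0x41. The sample
packets below are constructed for illustration.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
MID_PROBE = 0x41          # what the probe sends and a clean host echoes back
MID_DOUBLEPULSAR = 0x51   # what the implant answers with

# 32-byte SMB1 header, little-endian, preceded on the wire by a 4-byte
# NetBIOS session header (1 byte type, 3 byte length).
_SMB1_HDR = "<4sBIBHH8sHHHHH"
_SMB1_FIELDS = ("magic", "command", "status", "flags", "flags2", "pid_high",
                "signature", "reserved", "tid", "pid", "uid", "mid")


def parse_smb1_header(packet: bytes) -> dict:
    """Parse the NetBIOS framing and SMB1 header at the start of a packet."""
    if len(packet) < 36:
        raise ValueError("packet too short for NetBIOS + SMB1 header")
    if packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    fields = dict(zip(_SMB1_FIELDS, struct.unpack(_SMB1_HDR, packet[4:36])))
    if fields["magic"] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    return fields


def is_doublepulsar_reply(packet: bytes) -> bool:
    """True if a Trans2 reply carries the implant's telltale Multiplex ID."""
    hdr = parse_smb1_header(packet)
    return hdr["command"] == SMB_COM_TRANSACTION2 and hdr["mid"] == MID_DOUBLEPULSAR


def build_trans2_reply(mid: int, status: int = 0) -> bytes:
    """Build a minimal, header-only Trans2 reply (used to construct samples)."""
    hdr = struct.pack(_SMB1_HDR, SMB1_MAGIC, SMB_COM_TRANSACTION2, status,
                      0x98, 0xC807, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)
    body = b"\x00\x00\x00"  # WordCount = 0, ByteCount = 0
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


# Constructed samples: one clean echo, one implant answer.
CLEAN_REPLY = build_trans2_reply(MID_PROBE)
INFECTED_REPLY = build_trans2_reply(MID_DOUBLEPULSAR)

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN_REPLY), ("infected", INFECTED_REPLY)):
        print(f"{name}: DoublePulsar={is_doublepulsar_reply(pkt)}")
```

The Multiplex ID check is only meaningful on the reply to that specific probe, so in practice it is paired with sending the probe over TCP/445 (the nmap script smb-double-pulsar-backdoor does exactly this). A host that answers the probe at all is also one that still has SMBv1 reachable, which is itself worth fixing.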

"Beapy also uses a hardcoded list of usernames and passwords to attempt to spread across networks. This is similar to how the Bluwimps worm operated," further explained Symantec. "Bluwimps infected thousands of enterprise machines with coinminers in 2017 and 2018."

Not only does Beapy use the NSA's exploits to spread, it also uses 'Mimikatz', an open-source credential-dumping tool, to collect passwords from infected computers and reuse them to move across the victim's network.
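A worm that works through a hardcoded username/password list, or replays credentials harvested with Mimikatz, leaves a recognisable trace in Windows Security logs: one source host failing network logons against many different accounts in a short window, sometimes followed by a success once a credential matches. The following detection sketch is an added example, not code from the article or from Symantec; the event records are constructed for the demo (field names follow the Windows event schema, the values are made up), and the window and account threshold are assumptions to tune per environment.

```python
"""Spot credential-driven lateral movement in Windows logon events.

Added example; not code from the article or from Symantec. Event 4625 is a
failed logon, 4624 a successful one, LogonType 3 a network logon (SMB, RPC).
The sample records are constructed; thresholds are assumptions.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

LogonEvent = namedtuple("LogonEvent", "ts event_id account src_ip logon_type")

# Constructed sample: (TimeCreated, EventID, TargetUserName, IpAddress, LogonType)
SAMPLE_EVENTS = [
    ("2019-03-12T09:00:01", 4625, "administrator", "10.0.5.21", 3),
    ("2019-03-12T09:00:02", 4625, "admin",         "10.0.5.21", 3),
    ("2019-03-12T09:00:04", 4625, "backup",        "10.0.5.21", 3),
    ("2019-03-12T09:00:05", 4625, "sqlsvc",        "10.0.5.21", 3),
    ("2019-03-12T09:00:07", 4625, "test",          "10.0.5.21", 3),
    ("2019-03-12T09:00:09", 4624, "backup",        "10.0.5.21", 3),  # a hit
    # one user mistyping their own password: same account, not a spray
    ("2019-03-12T09:03:00", 4625, "jsmith",        "10.0.5.40", 3),
    ("2019-03-12T09:03:20", 4625, "jsmith",        "10.0.5.40", 3),
    ("2019-03-12T09:03:41", 4624, "jsmith",        "10.0.5.40", 3),
    # three accounts from one host: below the threshold used here
    ("2019-03-12T09:10:00", 4625, "alice",         "10.0.5.77", 3),
    ("2019-03-12T09:10:30", 4625, "bob",           "10.0.5.77", 3),
    ("2019-03-12T09:11:00", 4625, "carol",         "10.0.5.77", 3),
]


def load_events(rows):
    """Turn the raw tuples into LogonEvent records with parsed timestamps."""
    return [LogonEvent(datetime.fromisoformat(ts), eid, acct.lower(), src, lt)
            for ts, eid, acct, src, lt in rows]


def find_credential_sprays(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {src_ip: {accounts, first, last, succeeded}} for every source
    whose failed network logons hit >= min_accounts distinct accounts inside
    one sliding window; 'succeeded' lists accounts that then logged on."""
    failures = defaultdict(list)
    for e in events:
        if e.event_id == 4625 and e.logon_type == 3:
            failures[e.src_ip].append(e)

    findings = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e.ts)
        hits, first, last, start = set(), None, None, 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:   # slide the window
                start += 1
            accounts = {f.account for f in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits |= accounts
                first = fails[start].ts if first is None else first
                last = fails[end].ts
        if hits:
            findings[src] = {"accounts": sorted(hits), "first": first,
                             "last": last, "succeeded": []}

    # A success from a flagged source shortly after the spray is the credential
    # that worked, and the account to reset first.
    for e in events:
        f = findings.get(e.src_ip)
        if (f and e.event_id == 4624 and e.logon_type == 3
                and f["first"] <= e.ts <= f["first"] + window
                and e.account not in f["succeeded"]):
            f["succeeded"].append(e.account)
    return findings


if __name__ == "__main__":
    for src, f in find_credential_sprays(load_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {len(f['accounts'])} accounts tried "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}, succeeded={f['succeeded']}")
```

The same logic applies to domain controller logs (where the source field identifies the spraying workstation) and, with the event IDs swapped for the equivalent Kerberos failures, to 4771/4768 records; the threshold should sit above the number of accounts a single misconfigured service host legitimately retries.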

Chart showing the increase in Beapy malware infections

Before the email-borne campaign took off, Symantec found an earlier version of the same malware on a public-facing web server. That version looked for further victims by generating a list of IP addresses to scan.

"The version of Beapy seen on the web server is an early version of the malware, coded in C rather than Python, like later versions," Symantec revealed. "However, the activity is similar, with the downloaded malware also containing Mimikatz modules for credential harvesting, as well as EternalBlue exploit capabilities."

Symantec also discovered that Beapy's victims are mostly enterprises.

"While we have no evidence these attacks are targeted, Beapy’s wormlike capabilities indicate that it was probably always intended to spread throughout enterprise networks," said Symantec.

"This mirrors a trend we saw in ransomware in 2018 too when, despite a drop in overall ransomware infections of 20 percent, ransomware infections in enterprises increased by 12 percent,” Symantec continued. “Enterprises appear to be an increasing focus for cyber criminals."

There have been more than 12,000 unique infections across 732 organizations since March. Some 98 percent of recorded Beapy infections were on enterprise machines, and 83 percent of the infected machines were located in China.

Beapy is a file-based miner, and file-based coinminers mine Monero far faster than browser-based ones such as the notorious, now-defunct Coinhive.

"The Monero cryptocurrency, which is the cryptocurrency most commonly mined during crypto-jacking attacks, dropped in value by 90 percent in 2018, so it may make sense that miners that can create more cryptocurrency faster are now more popular with cyber criminals," said Symantec.

Symantec recorded just under 3 million crypto-jacking attempts in March 2019, a big drop from the peak of 8 million attempts in February 2018. It is still a significant figure, however, showing that crypto-jacking remains popular.