New crypto mining malware spreads across enterprises via NSA exploits

Getting your Trinity Audio player ready...

A new form of cryptocurrency mining malware has been identified, which relies on exploits leaked from the National Security Agency (NSA) to spread rapidly throughout corporate networks, TechCrunch reported.

Researchers at security firm Symantec said it had uncovered a surge in the so-called Beapy malware, which uses exploits leaked from the NSA two years ago, with scammers relying on the leaked tools to identify systemic weaknesses in enterprise networks.

The result is a malicious script that harvests processing power for crypto mining, effectively turning corporate machines into crypto mining units.

According to researchers, Beapy was first spotted in January of this year. By March, the malware had been reported across some 12,000 instances spanning 732 different companies and organizations.

Alan Neville, lead researcher on Beapy at Symantec, told the news outlet the attack specifically focuses on commercial networks due to the large number of networked machines, providing more processing power that can be monetized through mining.

The malware is activated when someone on the network clicks on a malicious link within an email. Once clicked, the malware plants DoublePulsar malware to create a permanent backdoor exploit, before relying on the EternalBlue exploit to move throughout the network.

Both DoublePulsar and EternalBlue were developed by the NSA, and leaked following a hack of NSA systems in 2017. The same exploits were responsible in part for the explosion of WannaCry ransomware which began to proliferate in the same year.

Researchers have said that Beapy also harvests and uses password information from infected computers in order to move throughout networked systems. Some 80% of the attacks identified to date are said to be linked to China, continuing the pattern seen in a number of similar crypto hacks.

The process of hacking computers to mine cryptocurrency, known as “cryptojacking,” reached epidemic levels towards the end of 2018 and into the early part of this year, before slightly falling back after the closure of mining tool Coinhive.

With the latest revelations about Beapy, cryptojacking appears to have returned with a vengeance. While SegWit prices continue their long-term decline, the rewards for scammers nevertheless continue to incentivise large-scale cryptojacking attacks of this kind.