Sat. Jun 6th, 2020

Hackers Use Stolen NSA Exploits in New Crypto Mining Malware

Security research firm Symantec has seen a spike in a new crypto mining malware that mainly targets enterprises.


The new malware, dubbed Beapy, spreads across corporate networks, particularly ones with many computers, and then runs mining code to generate cryptocurrency. What is most interesting about the new cryptojacking malware, however, is that it uses highly classified tools that were stolen from the National Security Agency (NSA) two years ago, TechCrunch reports.


Beapy was first spotted in January 2019. But since March, the total number of unique infections has surged to over 12,000 across 732 organizations, with more than 80% located in China.


According to Symantec researchers, Beapy is spread through malicious emails. Once opened, the malware uses the NSA-developed DoublePulsar backdoor to establish persistence on the infected computer. Then, it uses the NSA's EternalBlue exploit to move laterally throughout the network. These are the same exploits that helped spread WannaCry ransomware in 2017.


Worse still, Beapy uses Mimikatz, an open-source credential stealer, to harvest passwords from infected computers and reuse them to navigate its way across the network.


Although there has been a decrease in cryptojacking overall, especially in the months since the shutdown of Coinhive, a popular browser mining tool, file-based cryptojacking is increasing. Additionally, cryptojacking malware such as Beapy is reportedly more efficient and faster, so attackers can make more money from it.


Symantec researchers say that file-based cryptojacking can generate up to $750,000, compared with the $30,000 generated by browser-based cryptojacking.


To date, crypto mining is one of the most commonly observed methods attackers use against a business's infrastructure. And even though it may seem like a victimless crime, since no data is stolen and no files are encrypted, Symantec says that mining campaigns can degrade devices, reduce their performance and drive up power costs.