EternalBlue and DoublePulsar hacking tools are back in action.
Symantec security researchers have found that cybercriminals are still using the classified exploits and hacking tools of the National Security Agency (NSA) that were stolen about two years ago. The researchers have dubbed the new malware Beapy.
Beapy uses the leaked hacking tools to spread rapidly across corporate networks and turn the infected computers into cryptocurrency mining machines. The compromised machines are mainly used to mine Monero (XMR), and the primary targets of this new campaign are enterprises in Asia.
Monero is emerging as the preferred cryptocurrency in such campaigns, and enterprises are the primary targets of cryptojacking because their large networks of computers promise higher revenue for the attacker.
In a blog post published on Wednesday, Symantec researchers wrote that more than 80% of the victims of this cryptomining campaign are located in China, while Japan, Vietnam, and South Korea are also among the targets.
Beapy differs from most cryptojacking in that it is not browser-based but a file-based miner: it arrives as a malicious Excel file sent to the target as an email attachment. If the recipient opens the file, the DoublePulsar backdoor, which was developed by the NSA, is downloaded onto the system.
Once the backdoor is installed, the next phase is to download the miner, which is done using EternalBlue, another leaked NSA tool. EternalBlue spreads the infection across the network, looking for unpatched computers from which to steal credentials and spread the malware further. Beapy also uses the open-source credential stealer Mimikatz to collect passwords from unpatched computers and use them to reach other vulnerable devices.
Info: NSA hacking tools were leaked by the infamous Shadow Brokers hacking group!
Symantec researchers say Beapy was first identified in January, but its activity spiked in March, with over 12,000 unique devices infected across more than 700 enterprises. It is worth noting that the backdoor was part of the hacking tools leaked by Shadow Brokers.
Both EternalBlue and DoublePulsar were previously used in several destructive hacking campaigns such as the WannaCry ransomware attack back in 2017.
The impact of cryptojacking campaigns can be devastating: mining slows down the infected device, which degrades performance, reduces employee productivity, and increases the time and cost of day-to-day operations. However, Symantec has witnessed a considerable drop in cryptojacking campaigns this year. As the Symantec researchers noted in their blog:
“Looking at the overall figures for cryptojacking, we can see that there were just under 3 million cryptojacking attempts in March 2019. While a big drop from the peak of February 2018, when there were 8 million cryptojacking attempts, it is still a significant figure.”
“Crypto-mining operations could be running within your organization’s network – draining vast amounts of energy – without your knowledge. IT teams need to be vigilant. The best thing to do is look for anomalies in your electricity bill. You should also measure changes in your HVAC usage for heat dissipation, although this will be more difficult. Beyond that, look for sudden changes in capacity or usage, as well as significant deviations in pattern and velocity,” said Barry Shteiman, VP of Research and Innovation at Exabeam.
“The best approach to detecting irregular network behavior is using an emerging technology called entity analytics. This automates detection by baselining normal machine behavior and highlighting the anomalies. Deviation from these benchmarks may be an indicator of capacity abuse, and will be the best marker of malicious cryptomining activity on your network,” Shteiman advised.
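The baselining approach Shteiman describes, as an added example that is not from the article or from Exabeam: a per-host, per-hour-of-day CPU baseline is learned from constructed telemetry, then a day of observations is checked for sustained deviation from that pattern. The host names, thresholds and usage figures are all constructed for illustration.

```python
"""Hourly-baseline anomaly check for sustained CPU usage, in the spirit of the
entity-analytics advice quoted above. All telemetry here is constructed."""
import random
from collections import defaultdict
from statistics import mean, pstdev

def build_baseline(samples):
    """Learn mean and stddev of CPU usage per (host, hour-of-day) bucket."""
    buckets = defaultdict(list)
    for host, hour, cpu in samples:
        buckets[(host, hour)].append(cpu)
    return {k: (mean(v), pstdev(v)) for k, v in buckets.items()}

def flag_sustained_deviation(baseline, observed, z_threshold=3.0,
                             min_hours=6, sigma_floor=5.0):
    """Return {host: longest run} for hosts whose CPU sits far above their own
    hourly baseline for at least min_hours consecutive samples. A miner burns
    CPU around the clock, so off-hours usage far above the learned pattern is
    the tell; a single busy hour is not. sigma_floor keeps a very flat baseline
    from turning tiny wobbles into huge z-scores."""
    flagged, streak = {}, defaultdict(int)
    for host, hour, cpu in observed:  # observed is in time order per host
        mu, sigma = baseline.get((host, hour), (0.0, 0.0))
        z = (cpu - mu) / max(sigma, sigma_floor)
        streak[host] = streak[host] + 1 if z > z_threshold else 0
        if streak[host] >= min_hours:
            flagged[host] = max(flagged.get(host, 0), streak[host])
    return flagged

# Constructed two-week learning window: three workstations, busy by day, idle at night.
_rng = random.Random(7)
def _normal_usage(hour):
    return 55.0 if 9 <= hour <= 17 else 5.0
BASELINE_SAMPLES = [(host, h, _normal_usage(h) + _rng.uniform(-4, 4))
                    for host in ("ws-01", "ws-02", "ws-03")
                    for _ in range(14) for h in range(24)]

# Constructed observation day: ws-01 is clean, ws-02 runs a miner flat out,
# ws-03 runs a miner throttled to 40% (unremarkable on a daily average, but far
# above its own overnight baseline).
OBSERVED_DAY = ([("ws-01", h, _normal_usage(h) + _rng.uniform(-4, 4)) for h in range(24)]
                + [("ws-02", h, 95.0) for h in range(24)]
                + [("ws-03", h, 40.0) for h in range(24)])

def run_check():
    return flag_sustained_deviation(build_baseline(BASELINE_SAMPLES), OBSERVED_DAY)

if __name__ == "__main__":
    print(run_check())  # ws-02 and ws-03 are flagged, ws-01 is not
```

The throttled host is caught only because the baseline is per hour of day: its 40% overnight is far above the learned idle level even though its daily average looks ordinary.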