Two years after highly classified exploits built by the National Security Agency were stolen and published, hackers are still using the tools for nefarious reasons.
Security researchers at Symantec say they’ve seen a recent spike in a brand-new malware, dubbed Beapy, which uses the leaked hacking tools to spread like wildfire across corporate networks to enslave computers into running mining code to generate cryptocurrency.
Beapy was first spotted in January but rocketed to more than 12,000 unique infections across 732 organizations since March, said Alan Neville, Symantec’s lead researcher on Beapy, in an email to TechCrunch. The malware almost exclusively targets enterprises, home to large numbers of computers, which when infected with cryptocurrency mining malware can generate sizable sums of money.
The malware relies on someone in the company opening a malicious email. Once opened, the malware drops the NSA-developed DoublePulsar malware to create a persistent backdoor on the infected computer, and uses the NSA’s EternalBlue exploit to spread laterally throughout the network. These are the same exploits that helped spread the WannaCry ransomware in 2017. Once the computers on the network are backdoored, the Beapy malware is pulled from the hacker’s command and control server to infect each computer with the mining app.
Not only does Beapy use the NSA’s exploits to spread, it also uses Mimikatz, an open-source credential stealer, to gather and use passwords from infected computers to navigate its way across the network.
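The two propagation behaviours described above, worm-style spreading over SMB and reuse of harvested credentials, both leave a distinctive "fan-out" pattern in ordinary telemetry: one host or one account reaching many peers in a short window. The script below is an added example written for this article, not Symantec's tooling or any published detection rule. It runs two hunting heuristics over constructed flow and authentication records in a simple key=value format defined here; the five-minute window and the thresholds (10 SMB peers, 5 network logons) are illustrative assumptions that a real deployment would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Each line is:
#   <ISO timestamp> <kind> key=value ...
# where kind is "flow" (src, dst, dport) or "auth" (user, host, type).
_BASE = datetime(2019, 3, 12, 9, 14, 0)


def _t(sec):
    return (_BASE + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")


SAMPLE_LOG = [
    f"{_t(0)} flow src=10.0.1.7 dst=10.0.2.40 dport=445",   # normal: two file servers
    f"{_t(5)} flow src=10.0.1.7 dst=10.0.2.41 dport=445",
    f"{_t(6)} flow src=10.0.1.50 dst=10.0.9.9 dport=443",   # unrelated HTTPS traffic
]
# One workstation reaching a dozen peers on TCP/445 within about two minutes.
SAMPLE_LOG += [f"{_t(10 + 9 * i)} flow src=10.0.1.50 dst=10.0.2.{i + 1} dport=445"
               for i in range(12)]
# One service account's credentials used for network logons to eight hosts.
SAMPLE_LOG += [f"{_t(30 + 20 * i)} auth user=svc_backup host=WS-{i:02d} type=network"
               for i in range(8)]
SAMPLE_LOG += [f"{_t(40)} auth user=alice host=WS-00 type=interactive"]


def parse(line):
    """Parse one record into (timestamp, kind, {field: value})."""
    ts, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, fields


def fanout(events, window, threshold):
    """Generic fan-out detector.

    events: iterable of (timestamp, actor, target). For every actor, find the
    largest number of distinct targets it reached inside any span of length
    `window`; return {actor: count} for actors at or above `threshold`.
    """
    by_actor = defaultdict(list)
    for ts, actor, target in events:
        by_actor[actor].append((ts, target))
    flagged = {}
    for actor, evs in by_actor.items():
        evs.sort()  # sliding window needs chronological order
        best = 0
        for i, (start, _) in enumerate(evs):
            targets = {tgt for ts, tgt in evs[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= threshold:
            flagged[actor] = best
    return flagged


def smb_fanout(lines, window=timedelta(minutes=5), threshold=10):
    """Hosts that opened SMB (445) connections to many distinct peers quickly,
    the footprint of EternalBlue-style lateral movement."""
    events = [(ts, f["src"], f["dst"]) for ts, kind, f in map(parse, lines)
              if kind == "flow" and f.get("dport") == "445"]
    return fanout(events, window, threshold)


def account_spread(lines, window=timedelta(minutes=5), threshold=5):
    """Accounts used for network logons to many distinct hosts quickly,
    the footprint of credentials harvested with a tool like Mimikatz."""
    events = [(ts, f["user"], f["host"]) for ts, kind, f in map(parse, lines)
              if kind == "auth" and f.get("type") == "network"]
    return fanout(events, window, threshold)


if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_LOG).items():
        print(f"SMB fan-out: {src} reached {n} distinct hosts on 445 within 5 min")
    for user, n in account_spread(SAMPLE_LOG).items():
        print(f"credential spread: {user} logged on to {n} hosts within 5 min")
```

On the constructed data the first heuristic flags only 10.0.1.50 (12 peers; the host talking to two file servers stays under threshold) and the second flags only svc_backup (8 hosts; the interactive logon is ignored). Both heuristics are deliberately content-agnostic: they do not need to recognise the exploit or the miner, only the rate at which one actor touches new machines, which is why they still apply when the payload changes.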
According to the researchers, more than 80 percent of Beapy’s infections are in China.
Hijacking computers to mine for cryptocurrency — known as cryptojacking — has been on the decline in recent months, partially following the shutdown of Coinhive, a well-known mining tool. Hackers are finding the rewards fluctuate greatly depending on the value of the cryptocurrency. But cryptojacking remains a more stable source of revenue than the hit-and-miss results of ransomware.
Typically cryptojackers exploit vulnerabilities in websites, which, when opened in a user’s browser, use the computer’s processing power to generate cryptocurrency. But file-based cryptojacking is far more efficient and faster, allowing the hackers to make more money.
In a single month, file-based mining can generate up to $750,000, Symantec researchers estimate, compared to just $30,000 from a browser-based mining operation.
Cryptojacking might seem like a victimless crime — no data is stolen and files aren’t encrypted — but Symantec says the mining campaigns can slow down computers and cause device degradation.