UPDATED 22:02 EDT / APRIL 28 2019


Rapidly spreading cryptomining malware uses NSA hacking code

A new form of cryptomining malware that utilizes U.S. National Security Agency hacking code has been detected rapidly spreading across Asia.

Dubbed “Beapy” by security researchers at Symantec Corp., who identified it last week, the malware primarily targets enterprise networks. The majority of infections have been detected in China, with others elsewhere in Asia and a small number in the U.S.

Beapy spreads via emails carrying a malicious Excel attachment. Once the attachment is opened, Beapy uses the NSA’s DoublePulsar code to plant a backdoor on the infected machine, and that foothold is then used to reach further into the corporate network and install cryptomining scripts.

“Beapy is particularly effective for hackers because it targets corporations and leverages NSA technology to spread throughout employees’ devices and perform large-scale, clandestine cryptojacking,” Anurag Kahol, chief technology officer and founder of Bitglass Inc., told SiliconANGLE. “This practice mines cryptocurrency at an extremely accelerated rate and wastes enterprises’ processing and storage power, costing thousands of additional dollars in electricity bills.”

A report in September found a massive increase in illicit cryptomining driven by NSA exploits, but that referred specifically to EternalBlue, the SMB exploit leaked alongside DoublePulsar by the Shadow Brokers group in April 2017.

Beapy is said to be more insidious because it does not stop at the backdoor access DoublePulsar provides: it also tries a hardcoded list of usernames and passwords against other machines on the infected network, digging deeper into it and giving it wormlike characteristics.
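Because DoublePulsar is an implant rather than an exploit, a host that has it can be found with a harmless SMB probe. The implant watches for a Trans2 SESSION_SETUP request sent with multiplex ID (MID) 0x41 and answers with MID 0x51, where a clean Windows SMB stack simply echoes 0x41 back. The following Python is an added example written for this page, not code from the article, Symantec or any scanner: it decodes the SMB1 header of such a reply and reports the implant marker. The response bytes are constructed to illustrate the header layout, not captured traffic.

```python
"""Decode an SMB1 Trans2 response and check for the DoublePulsar implant marker.

Added example, not code from the article or from Symantec. DoublePulsar's
covert "ping" is a Trans2 SESSION_SETUP request sent with multiplex ID (MID)
0x41. A clean Windows SMB stack echoes MID 0x41 back; a host running the
implant answers with MID 0x51. The response bytes below are constructed to
show the header layout, not captured from real hosts.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
PING_MID = 0x41      # MID the prober puts in its Trans2 ping
IMPLANT_MID = 0x51   # MID DoublePulsar returns instead of echoing 0x41

# 32-byte SMB1 header after the 4-byte magic: command, NT status, flags,
# flags2, PID high, 8-byte signature, reserved, TID, PID low, UID, MID.
_SMB1_HDR = struct.Struct("<BIBHH8sHHHHH")


def parse_smb1_header(payload: bytes) -> dict:
    """Parse a NetBIOS session header plus SMB1 header from a TCP/445 payload."""
    if len(payload) < 4 + 32:
        raise ValueError("payload too short for NetBIOS + SMB1 header")
    nb_type = payload[0]
    nb_length = int.from_bytes(payload[1:4], "big")
    smb = payload[4:36]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    (command, status, flags, flags2, pid_high, signature,
     _reserved, tid, pid_low, uid, mid) = _SMB1_HDR.unpack(smb[4:32])
    return {
        "nb_type": nb_type, "nb_length": nb_length, "command": command,
        "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low, "signature": signature,
        "tid": tid, "uid": uid, "mid": mid,
    }


def doublepulsar_indicator(response: bytes) -> bool:
    """True if a Trans2 response carries MID 0x51, DoublePulsar's ping reply."""
    hdr = parse_smb1_header(response)
    return hdr["command"] == SMB_COM_TRANSACTION2 and hdr["mid"] == IMPLANT_MID


def build_smb1_header(command: int, mid: int, *, status: int = 0,
                      flags: int = 0x98, flags2: int = 0xC807,
                      pid: int = 0xFEFF, tid: int = 0x0800, uid: int = 0x0800,
                      signature: bytes = b"\x00" * 8) -> bytes:
    """Build a NetBIOS-framed SMB1 header (constructed test data only)."""
    body = SMB_MAGIC + _SMB1_HDR.pack(command, status, flags, flags2,
                                      (pid >> 16) & 0xFFFF, signature, 0,
                                      tid, pid & 0xFFFF, uid, mid)
    return bytes([0x00]) + len(body).to_bytes(3, "big") + body


# Constructed responses to the same Trans2 ping, header only.
CLEAN_RESPONSE = build_smb1_header(SMB_COM_TRANSACTION2, PING_MID)
INFECTED_RESPONSE = build_smb1_header(SMB_COM_TRANSACTION2, IMPLANT_MID)


if __name__ == "__main__":
    for name, resp in (("clean", CLEAN_RESPONSE), ("infected", INFECTED_RESPONSE)):
        hdr = parse_smb1_header(resp)
        print(f"{name}: cmd=0x{hdr['command']:02x} mid=0x{hdr['mid']:02x} "
              f"doublepulsar={doublepulsar_indicator(resp)}")
```

A live probe has to complete the SMB negotiate, session setup and tree connect to IPC$ before it can send the Trans2 ping; the code above only decodes the reply to that ping, so it can be dropped into a packet-capture or network-scanner pipeline. Real replies carry a word and byte block after the 32-byte header, which the parser ignores since only the MID matters. The check is read-only and does not trigger the implant's command handlers.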

Jonathan Bensen, chief information security officer and senior director of product management at Balbix Inc., noted that cryptojacking should not be viewed as a victimless crime.

“Besides drastically slowing down computers and causing device degradation, Beapy in particular leverages credential stealing capabilities to aid in its spread throughout an enterprise’s network,” Bensen explained. “If these credentials make their way back to a command-and-control center, a malicious third party could gain unauthorized access into a corporation’s network and compromise intellectual property, employee, customer or partner data.”

Barry Shteiman, vice president of research and innovation at Exabeam Inc., said information technology teams need to be vigilant against these sorts of attacks.

“The best thing to do is look for anomalies in your electricity bill,” Shteiman said. “You should also measure changes in your HVAC usage for heat dissipation, although this will be more difficult. Beyond that, look for sudden changes in capacity or usage, as well as significant deviations in pattern and velocity.”

One helpful approach to detecting irregular network behavior, he added, is an emerging technology called “entity analytics,” which automates detection by baselining normal machine behavior and highlighting anomalies. Deviations from these baselines could be an indicator of capacity abuse and a “marker of malicious cryptomining activity on your network,” he said.
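The baselining idea above can be shown in its simplest form. The following Python is an added example written for this page, not code from the article or from Exabeam: each host's normal CPU load is learned from its own training window, recent samples are z-scored against that baseline, and a host is flagged only when most of its recent samples sit far above its baseline. A single spike is ignored, and a build server that is always busy is judged against its own history rather than a fleet-wide average, which is what makes the approach usable on a mixed enterprise network. All hostnames and telemetry are constructed.

```python
"""Baseline normal per-host CPU load and flag sustained deviations.

Added example, not code from the article or from Exabeam. It implements the
idea described above in its simplest form: learn each host's own baseline
from a training window, z-score the recent samples against it, and flag a
host only when most of its recent samples sit far above its baseline. A
single spike is ignored; a build server that is always busy is judged
against its own history, not a fleet-wide average. All telemetry is
constructed.
"""
from statistics import mean, pstdev

# Constructed hourly CPU utilization (%) per host: 24 baseline samples.
BASELINE = {
    "ws-finance-03": [12, 15, 9, 11, 14, 13, 10, 12, 16, 11, 9, 13,
                      12, 14, 10, 11, 15, 13, 12, 9, 11, 14, 13, 12],
    "ws-hr-11":      [20, 22, 18, 25, 21, 19, 24, 23, 20, 22, 21, 19,
                      20, 24, 22, 23, 18, 21, 25, 20, 22, 19, 21, 23],
    "srv-build-01":  [70, 85, 60, 90, 75, 65, 95, 80, 72, 88, 66, 92,
                      78, 84, 61, 89, 73, 67, 93, 81, 70, 86, 64, 91],
}
# Constructed recent window: 6 hourly samples per host.
RECENT = {
    "ws-finance-03": [96, 97, 95, 98, 96, 97],   # pinned near 100% for hours
    "ws-hr-11":      [21, 60, 23, 20, 22, 19],   # one spike, then normal
    "srv-build-01":  [92, 88, 95, 90, 93, 89],   # busy, but within its history
}


def baseline_stats(samples, floor_stdev=2.0):
    """Mean and (floored) population stdev of a host's baseline window."""
    mu = mean(samples)
    # A near-idle host has a tiny stdev; flooring it stops noise from scoring high.
    sigma = max(pstdev(samples), floor_stdev)
    return mu, sigma


def score_host(baseline, recent, z_threshold=3.0, min_fraction=0.8):
    """Return (fraction of recent samples above threshold, flagged?)."""
    mu, sigma = baseline_stats(baseline)
    over = sum(1 for x in recent if (x - mu) / sigma > z_threshold)
    fraction = over / len(recent)
    return fraction, fraction >= min_fraction


def flag_hosts(baseline_by_host, recent_by_host, **kwargs):
    """Hosts whose recent load deviates persistently from their own baseline."""
    return sorted(
        host for host, base in baseline_by_host.items()
        if host in recent_by_host
        and score_host(base, recent_by_host[host], **kwargs)[1]
    )


if __name__ == "__main__":
    for host in BASELINE:
        frac, flagged = score_host(BASELINE[host], RECENT[host])
        print(f"{host}: {frac:.0%} of recent samples over baseline, flagged={flagged}")
    print("flagged:", flag_hosts(BASELINE, RECENT))
```

Two knobs carry the false-positive trade-off: `z_threshold` sets how far above baseline a sample must be, and `min_fraction` sets how persistent the deviation must be before a host is flagged. A miner that throttles itself to stay under the threshold, or that only runs outside business hours, would need a time-of-day-aware baseline, which this minimal version does not attempt.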

Image: 30478819@N08/Flickr
