The internet is currently facing a dangerous new wave of crypto-mining malware, and the malware may already have infected many high-value enterprises in Asia. This malware, dubbed Beapy, uses leaked NSA exploits and stolen credentials to spread rapidly through exposed networks. Moreover, because it harvests credentials, it can also reach machines that have been patched against those exploits.
Symantec has tracked the threat for a while and reports that Beapy is a file-based coinminer that uses email as its primary infection vector. Although crypto-jacking has declined in popularity among cybercriminals, it still entices some of them, and enterprises have now become their primary targets. Symantec first observed Beapy in January 2019.
Since the beginning of March, the malware’s activity has seemingly increased.
How Beapy Attacks
The malware’s initial attack vector is a malicious Excel spreadsheet distributed by email. When a recipient opens the infected attachment, a secondary payload is downloaded: the NSA-built DoublePulsar backdoor. DoublePulsar is not an exploit but an implant; it is the same backdoor that the infamous WannaCry ransomware, which battered the world in 2017, dropped on the machines it compromised.
DoublePulsar opens a backdoor on the infected machine that lets the attackers execute commands remotely. Once it is installed, a PowerShell command is executed to contact the Beapy command and control server, and only then is the coinminer downloaded onto the target computer.
The malware then uses another leaked NSA tool, the EternalBlue exploit for SMBv1 (the flaw Microsoft patched in MS17-010), to infect other hosts and spread throughout the network. That is not the only propagation technique Beapy uses, however. It also carries the credential-stealing tool Hacktool.Mimikatz to harvest credentials from infected machines, which lets Beapy spread to computers that are already patched against EternalBlue.
Beapy also employs a hardcoded list of usernames and passwords to spread across networks, a strategy similar to the one the Bluwimps worm used. Symantec also discovered an earlier version of Beapy concealed on a public-facing web server. That early version was written in C rather than Python, the language of the later versions, and it attempted to spread by generating the IP addresses of other machines and attacking them.
Otherwise, that early version behaved much like the malware now being downloaded, and it also contained Mimikatz modules for credential harvesting.
Beapy’s Wormlike Capabilities
The researchers found that almost all of Beapy’s victims are enterprises, which makes the malware a continuation of an earlier trend of crypto-jacking criminals focusing on enterprise networks. Enterprises appear to be an increasingly attractive hunting ground for cybercriminals. In fact, 98% of the recorded Beapy infections were on enterprise machines, and 83% of them were located in China.
The file-based coinminer also suggests that attackers are changing tack. In the past, attackers preferred browser-based coinminers because of their lower barrier to entry and because they work in the browser, which let them target even fully patched machines.
Beapy Mines Monero Faster than CoinHive
Alan Neville, a Symantec threat intelligence analyst, explained that they had seen infected machines downloading the crypto miner XMRig from the attackers’ own infrastructure. He thinks that the attackers are using Beapy to mine Monero with XMRig. This software has featured in previously reported malware infections.
Researchers and analysts note that file-based coinminers like XMRig mine coins faster than browser-based miners. Monero lost 90% of its value in 2018 amid the wave of crypto-jacking attacks, so it makes sense that miners which produce coins faster are popular with cybercriminals: they return a profit to the attackers within a much shorter period.
The Beapy Threat on Asian Enterprises
Symantec warned businesses against complacency, reminding them of the impact the malware can have on their operations. Beapy slows down infected devices, which frustrates workers and reduces productivity, and the sustained load can degrade hardware and drive up IT maintenance and repair costs.
Businesses with cloud workloads may also face large bills, particularly where the services in question are billed by CPU usage. Symantec recorded around 3 million crypto-jacking attempts in March 2019. Although that is a considerable drop from the February 2018 peak of almost 8 million attempts, the figure is still high.
To reduce the risk of a Beapy attack, enterprises should protect their networks with overlapping and mutually supportive defences, for example a combination of endpoint, email and web gateway protection. Employees should also be taught to recognise the signs of crypto-jacking, such as unexplained slowdowns and CPU load, so that infections are caught early.