Symantec Finds New Beapy Crypto Mining Malware Is Hijacking Chinese Companies for Monero
Beapy, a new cryptocurrency-mining malware, is spreading quickly around the world, especially in Asia. It has been used to infect several thousand machines at high-value companies. It relies on leaked U.S. National Security Agency (NSA) exploits and stolen credentials to operate, and can infect many machines quickly.
This latest infection spike was discovered by Symantec. The program is built on hacking tools that belonged to the NSA and were leaked, so it is a powerful program that can be used to mine Monero on company machines and earn a fairly large sum from them.
Beapy was first spotted in January and has since infected 12,000 computers at more than 700 companies. Most of those companies (80%) are based in China, the country most heavily affected. Activity has increased sharply since March.
According to researchers, the malware is distributed by email, and as soon as the attachment is opened, the malware uses the NSA-developed DoublePulsar backdoor, which relies on the EternalBlue exploit. This was the same technology that helped spread the WannaCry ransomware in 2017.
Not only does this program use NSA tooling, it also uses Mimikatz, an open-source credential-stealing program, to harvest passwords from the infected computer.
A New Threat
While cryptojacking activity has declined recently, mostly due to the shutdown of Coinhive, a Monero mining service often used by attackers, programs like Beapy may be considered far larger threats.
They use file-based cryptojacking, which is faster and considerably more efficient than other methods and makes the whole operation considerably more profitable for attackers. File-based miners can earn up to $750,000 USD in a single month, while Coinhive-based operations were only able to make $30,000 USD.
Another important change is that while individual users were the primary targets before, companies are now being targeted by this kind of malware. This trend has become more prominent lately and is essentially what happened with ransomware some time ago, after attackers discovered it was considerably more lucrative to attack companies rather than individuals.
This shows that cryptojacking malware is following the same trend ransomware criminals set some time ago: 98% of the computers infected by Beapy are enterprise machines. Cryptojacking may have fallen 52% since January 2018, but it is still a very big threat.
How Does Beapy Work?
Initially, the malware is distributed via Excel spreadsheets sent out in emails. If the attachment is opened, DoublePulsar is downloaded together with the file and opens a backdoor on the machine, allowing the attackers to execute commands remotely.
After that, PowerShell is used to contact the attackers' server and download the crypto miner. The program also uses a leaked list of usernames and passwords to access the victim's networks.
At the moment there is more than one version of the program, which means it is evolving fast. The early versions are written in C, while the newer ones are written in Python. However, both versions work in a very similar way.
To mine Monero, the XMRig software is used. This is a fairly new development, as it was not being used before. However, since Coinhive is now defunct, the surprise should not be so big. Also, Monero has lost 90% of its value since 2018, which means criminals now need to mine it even faster to keep the operation profitable.
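The infection chain described in the two passages above (an Excel attachment that leads to PowerShell, a downloaded miner, and Mimikatz-style credential theft) is exactly the kind of sequence a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from Symantec: a small Python triage script that scans constructed process-creation events (hypothetical hostnames, paths and command lines, not real indicators) for an Office application spawning a shell, PowerShell pulling down or running encoded content, XMRig-style miner arguments, and Mimikatz module names, then rates a host "high" when it shows the full chain. The cue strings are illustrative choices for this example, not an indicator list from the page.

```python
"""Toy triage for a Beapy-style infection chain over process-creation events.

All events below are constructed for this example; they are not real telemetry
and contain no indicators taken from the article.
"""
from collections import defaultdict
import ntpath

# Rule inputs (illustrative, chosen for this example).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PS_DOWNLOAD_CUES = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "-encodedcommand", "-enc ")
MINER_CUES = ("xmrig", "stratum+tcp://", "--donate-level")
MIMIKATZ_CUES = ("mimikatz", "sekurlsa::", "lsadump::")


def _base(path):
    """Lower-cased basename of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the set of rule names a single process-creation event matches."""
    hits = set()
    parent = _base(event.get("parent_image", ""))
    image = _base(event.get("image", ""))
    cmd = event.get("command_line", "").lower()

    # Stage 1: the malicious spreadsheet launches a shell from Excel.
    if parent in OFFICE_APPS and image in SHELLS:
        hits.add("office_spawned_shell")
    # Stage 2: PowerShell fetches the miner or runs an encoded command.
    if image in POWERSHELL and any(c in cmd for c in PS_DOWNLOAD_CUES):
        hits.add("powershell_download")
    # Stage 3: an XMRig-style miner with pool arguments.
    if any(c in image or c in cmd for c in MINER_CUES):
        hits.add("miner_activity")
    # Lateral movement support: Mimikatz module names on the command line.
    if any(c in cmd for c in MIMIKATZ_CUES):
        hits.add("credential_dumping")
    return hits


def triage(events):
    """Group hits per host; a host showing the whole chain is rated high."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    result = {}
    for host, hits in per_host.items():
        if not hits:
            continue
        full_chain = ({"office_spawned_shell", "powershell_download"} <= hits
                      and "miner_activity" in hits)
        result[host] = {"hits": sorted(hits),
                        "severity": "high" if full_chain else "medium"}
    return result


# Constructed sample events (hypothetical hosts, paths and command lines).
SAMPLE_EVENTS = [
    {"host": "fin-ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."},
    {"host": "fin-ws01",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\svchost.exe",
     "command_line": "svchost.exe -o stratum+tcp://pool.example.invalid:3333 --donate-level 1"},
    {"host": "fin-ws01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\m.exe",
     "command_line": "m.exe sekurlsa::logonpasswords"},
    {"host": "hr-ws07",  # Excel -> PowerShell, but a local script and no download
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Users\alice\macro_helper.ps1"},
    {"host": "dev-ws03",  # benign activity
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict['severity']} {verdict['hits']}")
```

In this run, fin-ws01 is rated high because it shows all three stages plus credential dumping, hr-ws07 is rated medium on the Office-to-PowerShell rule alone, and dev-ws03 produces no verdict. In practice the same rules would be fed from Sysmon or EDR process-creation events, and the "medium" tier is where analysts would expect most false positives from legitimate macros.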
Beapy can slow down company systems and even damage equipment, so Symantec urged organizations to act and to look for ways to protect themselves from this kind of threat.
Another problem the malware can cause is higher IT costs, or even large bills if it uses cloud services to mine cryptocurrency.