The EternalBlue exploit, the infamous Windows bug that the U.S. National Security Agency weaponized, that was eventually leaked by the Shadow Brokers hacking group, and that was later used in the successful WannaCry ransomware campaign of 2017, is re-emerging. WannaCry brought ransomware to public prominence and made an estimated $4 billion profit for its authors in 2017 before its eventual shutdown. Now, in the age of cryptocurrency-mining malware, a little-known variant named “Beapy” has recycled the EternalBlue exploit to spread its infection.
As of this writing, Beapy has infiltrated around 732 corporate networks; 80% of these victims are headquartered in mainland China. The infection mechanism is not complicated: it arrives in an email message containing another NSA-made malware, DoublePulsar, as its dropper. Beapy reuses third-party tools to scan the network instead of building such functionality into the malware itself. We discussed Mimikatz, an advanced open-source tool for network sniffing, in an article last year; this tool is used extensively by Beapy to map the network it resides in.
Beapy is seen as the saving grace of the cryptocurrency-mining malware family, given that mainstream cryptojacking malware fell by the wayside after Coinhive, a web-based mining service (used by both legitimate users and cryptojacking malware), was permanently shut down. The new malware operates on a completely different level: it could theoretically mine $750,000 worth of cryptocurrency per month, compared to the measly $30,000 worth per month for contemporary cryptojacking malware.
Aside from the EternalBlue exploit, Beapy also features exploits for the vulnerabilities documented under CVE-2017-10271 (Oracle WebLogic), CVE-2017-12615 (Apache Tomcat) and CVE-2017-5638 (Apache Struts). “The Monero cryptocurrency, which is the cryptocurrency most commonly mined during cryptojacking attacks, dropped in value by 90 percent in 2018, so it may make sense that miners that can create more cryptocurrency faster are now more popular with cyber criminals,” explained Symantec.
Security researchers are convinced that we are in the age of cryptojacking malware: although ransomware infections continue to cause problems for many networked computers, more cryptojacking variants are expected to be developed.
“What we’ve seen is that there is the ability to tie some of those cryptocurrency transactions either to the pharmacies in China or to the services that people are using to distribute fentanyl. Homeland Security and the DEA have actually become really good at apprehending those people,” emphasized Jonathan Levin, Co-Founder and Chief Operating Officer of ChainAnalysis.
Cryptocurrencies earned through cryptojacking are usually spent on the dark web by the hacker groups. Mr. Levin highlighted that 95% of all purchases on the dark web are made not with real-world currencies but with their crypto counterparts.