Beapy Cryptojacking campaign leverages EternalBlue exploit to spread

Pierluigi Paganini April 26, 2019

Security experts uncovered a new cryptojacking campaign tracked as Beapy that leverages the NSA’s DoublePulsar backdoor and the EternalBlue exploit.

Security experts at Symantec have uncovered a new cryptojacking campaign tracked as Beapy that leverages the NSA’s DoublePulsar backdoor and the EternalBlue exploit to spread a cryptocurrency malware on enterprise networks in Asia.

“Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks.” reads the analysis published Symantec.

Beapy (W32.Beapy) is a file-based coinminer that uses email as an initial infection vector.”

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system, it is installed by leveraging the ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploitthat could trigger an RCE in older versions of Windows (Windows XP to Server 2008 R2).

Every Window machine running an old vulnerable version that exposes an SMB service is at risk of hack. The DOUBLEPULSAR and ETERNALBLUE are now available for anyone after the archive of NSA tools was leaked online by ShadowBrokers hacker group.

Most of the victims are located in China (80%), remaining in South Korea, Japan, and Vietnam.

The experts first observed the campaign in January, almost any victim is an enterprise (98%).

The attack chain starts with phishing email using as an attachment the Excel document that downloads the DoublePulsar backdoor used to deliver the EternalBlue exploit.

Once the backdoor is installed, a PowerShell command will allow the malware to connect the command and control server. The malicious code executes more PowerShell scripts before the crypto currency miner is downloaded.

Experts reported that the Beapy malware also uses the popular post-exploitation tool Mimikatz to steal passwords from Windows systems.

Experts at Symantec also discovered an earlier version of Beapy malware that hit a public-facing web server and that was attempting to spread to connected systems.

It was coded in C rather than Python, this version also includes both
EternalBlue and Mimikatz.
The malicious code also leverages other exploits for known vulnerabilities in Apache Struts, Apache Tomcat, and Oracle WebLogic Server.

“In the web server compromise, Beapy also attempted to exploit an Apache Struts vulnerability (CVE-2017-5638). This vulnerability was patched in 2017, but if successfully exploited it can allow for remote code execution.” continues the analysis. “Beapy also tried to exploit known vulnerabilities in Apache Tomcat (CVE-2017-12615) and the Oracle WebLogic Server (CVE-2017-10271). In the case of this web server compromise observed by Symantec, exploit attempts began in early February, with connections to Beapy’s C&C server first observed on March 13. Activity targeting this web server continued until early April.”

Experts observed a spike in the activity of Beapy in March:

Beapy malware

Since Coinhive cryptocurrency mining service shut down in March, experts observed a drop in cryptojacking attacks.

Unlike Coinhive, Beapy is a file-based miner that must be installed by attackers on the victims’ machines in order to mine cryptocurrency.

“As well as these factors, file-based coinminers also have a significant advantage over browser-based coinminers because they can mine cryptocurrency faster.” states Symantec, “The Monero cryptocurrency, which is the cryptocurrency most commonly mined during cryptojacking attacks, dropped in value by 90 percent in 2018, so it may make sense that miners that can create more cryptocurrency faster are now more popular with cyber criminals.”

Beapy-malware-

The Beapy campaign was also spotted by other security firms, including Qihoo 360’s research team and a Trend Micro.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Beapy miner, hakcing)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment