Researchers have discovered a previously unknown, file-based cryptominer worm that has been heavily targeting enterprises based in Asia.
The researchers, from Symantec Corporation’s Security Response Attack Investigation Team, believe this latest threat perpetuates what they describe as a recent trend in cryptojacking: focusing on large business and organizations rather than consumers.
Dubbed Beapy, the Python-based malware leverages the “EternalBlue” Windows Server Message Block protocol exploit to spread across a victim’s network, and the DoublePulsar backdoor to enable remote code execution on infected devices. Both malicious tools are widely believed to have originated with U.S. National Security Agency, and were publicly leaked by the Shadow Brokers hacker group in 2017.
In an April 24 blog post, Symantec reports that Beapy activity first surfaced in its telemetry last January, but has increased since early March and was even been observed on web servers.
A Symantec analysis of known victims showed that 98 percent of them are enterprises, while only two percent are consumers. “While we have no evidence these attacks are targeted, Beapy’s wormlike capabilities indicate that it was probably always intended to spread throughout enterprise networks,” the report states.
Indeed, “while cryptojacking has declined in popularity with cybercriminals since its peak at the start of 2018, it is still a focus for some of them, with enterprises now their primary target,” the report continues. (Symantec observed a 52 percent decrease in cryptojacking in 2018, compared to the previous year.)
China has been the country most heavily affected by Beapy, with 83 percent of victims, followed by Japan, South Korea, Hong Kong and Taiwan. The malware has also targeted the Philippines, Vietnam and Bangladesh, while the U.S. and Jamaica are the only countries outside Asia to make the report.
Victims are infected via emails containing a malicious Excel spreadsheet. Opening this document results in the downloading of the DoublePulsar backdoor, after which a PowerShell command is executed to establish communication with Beapy’s command-and-control server. It’s at this point that a Monero-based cryptomining program is downloaded.
Because properly patched machines are already protected against EternalBlue, the malware also tries to spread to networked computers using a hard-coded list of usernames and passwords, as well as credentials harvested from already infected machines via the open-source Mimikatz tool.
Symantec says it also found an earlier version of Beapy, written in the C programming language, on a public-facing server. The worm attempted to spread to connected computers by generating a list of target IP addresses. This version of the malware also attempted to exploit vulnerabilities for Apache Struts, Apache Tomcat and the Oracle WebLogic Server.
Symantec believes the demise of Coinhive last month may have influenced the attackers’ decision to opt for a file-based cryptominer over a browser-based cryptominer. Another possible reason is that file-based miners generate profits faster than browser-based ones. According to Symantec, a file-based coin-mining botnet composed of 100,000 devices can generate roughly $750,000 over 30 days, while an equally sized browser-based mining botnet can generate only about $30,000 over that same span of time.
To defend against Beapy and other cryptomining threats, Symantec recommends investing in endpoint, email and web gateway protection technologies, deploying firewalls, conducting vulnerability assessments, promoting awareness of phishing and cryptomining threats across one’s enterprise, monitoring battery usage, and regularly installing security patches.