Leaked NSA exploit EternalBlue and the DoublePulsar backdoor used to spread the Python-based Beapy malware in Asia
A cryptominer worm called Beapy has been targeting enterprises in Asia using the EternalBlue exploit and the DoublePulsar backdoor. Both tools are believed to have been developed by the U.S. National Security Agency and were leaked by the Shadow Brokers hacker group in 2017.
As researchers at Symantec report, the Python-based malware has mainly been attacking enterprises in China. To spread across their networks it uses the EternalBlue SMBv1 exploit (the flaw Microsoft patched in MS17-010), and the DoublePulsar kernel-mode backdoor then gives the attackers remote code execution on the compromised host.
China is the country most affected by Beapy, with more than 83 percent of reported victims located there. Other affected countries include:
- South Korea
- Hong Kong
Two countries outside Asia, the U.S. and Jamaica, also appear on the victim list.
Beapy was first spotted in January 2018
Beapy activity was first spotted in January 2018 and has increased significantly since. As the researchers wrote in their blog post, the cryptominer was seen running on web servers in March, and the more recent campaigns are clearly aimed at enterprises:
While we have no evidence these attacks are targeted, Beapy’s wormlike capabilities indicate that it was probably always intended to spread throughout enterprise networks.
Beapy's initial infection vector appears to be email with a malicious Excel attachment. Once the spreadsheet is opened, it installs the DoublePulsar backdoor; a PowerShell command is then executed to contact the command-and-control (C&C) server, which delivers the Monero cryptocurrency miner. File-based mining is far more profitable than browser-based mining: by the researchers' estimate, a file-based cryptominer can earn more than $700,000 in 30 days from 100,000 infected devices, while a browser-based miner makes only about $30,000 over the same period.
Because most enterprises have patched against EternalBlue, Beapy does not rely on the exploit alone. It carries a hard-coded list of usernames and passwords to move onto patched machines, and supplements that list with credentials harvested from already-infected hosts using the open-source Mimikatz tool.
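Patching is the page's main mitigation, and the precondition EternalBlue needs is a host that still speaks the SMBv1 "NT LM 0.12" dialect on port 445. The following is an added example, not Symantec's research code or anything from Beapy, that builds an SMB1 NEGOTIATE request, classifies the server's first reply, and reports whether SMBv1 was accepted and whether SMB signing is required. The `probe()` function, the port and timeout defaults, and the `sample_smb1_response()` bytes are assumptions made for this example; the sample response is constructed so the parser can be exercised offline.

```python
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"   # the SMB1 dialect EternalBlue needs the server to negotiate


def build_smb1_negotiate(dialects=(NT_LM_012,)):
    """SMB1 NEGOTIATE request: NetBIOS session header + 32-byte SMB header + dialect list."""
    header = struct.pack("<4sBIBHHQHHHHH",
                         b"\xffSMB", SMB_COM_NEGOTIATE, 0,   # protocol id, command, NT status
                         0x18, 0xC843,                       # flags; flags2 (unicode, NT status, ext. security, long names)
                         0, 0, 0,                            # PID high, security signature, reserved
                         0, 0xFEFF, 0, 0)                    # TID, PID low, UID, MID
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_bytes)) + dialect_bytes   # WordCount=0, ByteCount, dialects
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_negotiate_response(data):
    """Classify the server's first reply (raw TCP bytes including the 4-byte NetBIOS header)."""
    smb = data[4:]
    if len(smb) < 32:
        return {"result": "no-smb-response"}
    if smb[:4] == b"\xfeSMB":
        return {"result": "smb2-only"}   # server answered in SMB2; our SMB1 dialect was not selected
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE:
        return {"result": "unexpected"}
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32] if len(smb) > 32 else 0
    if status != 0 or word_count < 2 or len(smb) < 36:
        return {"result": "smb1-refused", "status": status}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:   # 0xFFFF means none of the offered dialects was accepted
        return {"result": "smb1-refused", "status": status}
    security_mode = smb[35]       # bit 3 (0x08) = signing required, bit 2 (0x04) = signing enabled
    return {"result": "smb1-enabled",
            "dialect_index": dialect_index,
            "signing_required": bool(security_mode & 0x08)}


def probe(host, port=445, timeout=3.0):
    """Live check (assumed usage, not run offline): a reset or timeout is reported as no-smb-response,
    which means either SMBv1 is disabled or the port is filtered; it does not prove the host is patched."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            data = s.recv(4096)
    except OSError as exc:
        return {"result": "no-smb-response", "error": str(exc)}
    return classify_negotiate_response(data)


def sample_smb1_response(signing_required=False):
    """Constructed NT LM 0.12 NEGOTIATE response (17 parameter words) for offline testing; not a capture."""
    header = struct.pack("<4sBIBHHQHHHHH", b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0x98, 0xC843,
                         0, 0, 0, 0, 0xFEFF, 0, 0)
    security_mode = 0x03 | (0x0C if signing_required else 0x00)
    params = struct.pack("<HB", 0, security_mode) + b"\x00" * 31   # DialectIndex=0, SecurityMode, rest zeroed
    body = bytes([17]) + params + struct.pack("<H", 0)             # WordCount=17, params, ByteCount=0
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    print(classify_negotiate_response(sample_smb1_response()))
    print(classify_negotiate_response(sample_smb1_response(signing_required=True)))
```

Run `probe("<host>")` only against systems you are authorised to test. A result of `smb1-enabled` on an internal host means the EternalBlue precondition is still present and the host's MS17-010 status needs checking; `signing_required: False` additionally leaves the host open to the SMB relay tricks that credential-reuse worms like this one benefit from.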
Hacking tools used to target web servers
According to the researchers, an earlier Beapy campaign targeted public-facing web servers and then tried to infect computers connected to those servers. One of the spreading methods involved generating a list of IP addresses for the malware to attack.
This earlier version was not written in Python like the later variant, but its functionality is otherwise similar: after the initial download, Mimikatz modules are used to harvest credentials, and the EternalBlue exploit is then employed to spread.
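The two campaigns described above share a detectable shape on an endpoint: an Office document spawning PowerShell that reaches out for a payload, credential access against LSASS or Mimikatz-style command lines, and then one host opening SMB connections to many peers as it works through a generated target list. The following is an added detection example, not Symantec's code and not based on Beapy's actual commands; the JSON-lines telemetry format, the field names, the process-name lists, the regexes and the fan-out threshold are all assumptions, and the sample events are constructed rather than captured.

```python
import json
import re
from collections import defaultdict

# Parent/child names for the maldoc-to-shell stage (assumption: generic Office apps and common LOLBins).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
CHILD_SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Encoded-command switches and download cradles typical of a PowerShell C&C stage (assumption, not Beapy's literal command line).
PS_CRADLE = re.compile(r"(?:\s-e(?:nc|ncodedcommand)?\b|downloadstring|downloadfile|invoke-webrequest|\biex\b|net\.webclient)", re.I)
CREDDUMP = re.compile(r"sekurlsa|lsadump|logonpasswords|mimikatz", re.I)
SMB_FANOUT_THRESHOLD = 8   # distinct peers on port 445 from one host in the reviewed window (tuning assumption)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return {host: [finding, ...]} over the constructed JSON-lines telemetry format used below."""
    findings = defaultdict(list)
    smb_targets = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        host, kind = ev["host"], ev["event"]
        if kind == "process_create":
            image = basename(ev["image"])
            parent = basename(ev.get("parent", ""))
            cmdline = ev.get("cmdline", "")
            if parent in OFFICE_APPS and image in CHILD_SHELLS:
                findings[host].append(f"office-spawn:{parent}->{image}")
            if image == "powershell.exe" and PS_CRADLE.search(cmdline):
                findings[host].append("ps-download-cradle")
            if image == "mimikatz.exe" or CREDDUMP.search(cmdline):
                findings[host].append("credential-dump")
        elif kind == "process_access" and basename(ev["target"]) == "lsass.exe":
            findings[host].append(f"lsass-access:{basename(ev['source'])}")
        elif kind == "net_connect" and ev.get("dst_port") == 445:
            smb_targets[host].add(ev["dst_ip"])
    for host, ips in smb_targets.items():
        if len(ips) >= SMB_FANOUT_THRESHOLD:
            findings[host].append(f"smb-fanout:{len(ips)}")
    return dict(findings)


def worm_suspects(findings):
    """Hosts that show a staging/credential finding AND SMB fan-out, i.e. the chain the article describes."""
    suspects = []
    for host, items in findings.items():
        tags = {item.split(":")[0] for item in items}
        staged = tags & {"office-spawn", "ps-download-cradle", "credential-dump", "lsass-access"}
        if staged and "smb-fanout" in tags:
            suspects.append(host)
    return sorted(suspects)


# Constructed sample telemetry (not real logs): WS01 follows the described chain, WS02 is benign admin activity.
SAMPLE_LINES = [
    json.dumps({"host": "WS01", "event": "process_create",
                "parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe -NoP -W Hidden -Enc QQBBAEEA"}),   # base64 payload is a placeholder
    json.dumps({"host": "WS01", "event": "process_access",
                "source": r"C:\Users\Public\svc.exe", "target": r"C:\Windows\System32\lsass.exe"}),
    json.dumps({"host": "WS02", "event": "process_create",
                "parent": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}),
]
# Twelve SMB connections from WS01 to distinct internal hosts, as when a generated IP list is worked through.
SAMPLE_LINES += [json.dumps({"host": "WS01", "event": "net_connect", "dst_ip": f"10.0.0.{i}", "dst_port": 445})
                 for i in range(1, 13)]
SAMPLE_LINES.append(json.dumps({"host": "WS02", "event": "net_connect", "dst_ip": "10.0.0.5", "dst_port": 445}))

if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for host, items in result.items():
        print(host, items)
    print("suspects:", worm_suspects(result))
```

Each rule on its own is noisy in a real estate (administrators run encoded PowerShell, backup agents touch LSASS, file servers see many 445 connections), which is why `worm_suspects()` only raises a host that shows both a staging or credential-access finding and SMB fan-out; the threshold and the list of tags treated as "staging" are the first things to tune against your own baseline.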
Beapy also exploits a previously patched Apache Struts vulnerability, as well as known vulnerabilities in Apache Tomcat and Oracle WebLogic Server. These attempts to exploit web servers began in February.
According to the researchers, the web server campaign began in February, while the first connections to the C&C server of the current campaign were observed on March 13th. Since then, the activity has only been increasing.