A group of cyber criminals has created a piece of malware, which security researchers have called “Beapy,” (opens in new tab) using NSA’s previously leaked DoublePulsar persistent backdoor code and EternalBlue exploit, to target enterprises. The Beapy malware installs cryptojacking code that uses the enterprise networks of computers to mine cryptocurrency.
Beapy Cryptojacking Malware
Despite a decline in cryptojacking activity since its peak in 2017 due to lower valuations for cryptocurrencies, malicious actors can still find ways to make significant amounts of money by installing cryptomining software on unpatched computers in enterprises. Enterprises often take many months, if not years, to patch their software, so they are the perfect target for cryptojacking malware campaigns.
Beapy is a new cryptojacking malware that has recently hit thousands of high-value enterprise organizations mostly in China, but also in other Asian countries. The infection happens when enterprise users open infected Excel files they receive via email.
The group uses NSA’s DoublePulsar backdoor to make Beapy difficult to remove from computers and to enable a connection to the criminals’ command and control (C2) server.
It then uses NSA’s EternalBlue exploit to spread the infection laterally across the entire organization. After which, the Monero cryptomining client that comes with Beapy will start using the network’s CPU resources to generate new coins for the cybercriminals.
On machines that were patched against EternalBlue, the criminals also use a credential-stealing software called Hacktool.Mimikatz.
NSA’s Hacking Tools Made Cyber Criminals' Jobs Easier
The Windows-based hacking tools that the NSA has created for its espionage operations have been used for devastating global ransomware attacks against millions of devices and thousands of organizations.
These tools were stolen and then leaked by the “ShadowBrokers” group in 2017, and the NSA may not have intended for them to leak, but the fact that they existed at all has put everyone at risk. Similarly, previously-leaked NSA-created Flame and Stuxnet malware were also used by the “bad guys” to cause further harm than NSA intended.
When DoublePulsar and EternalBlue leaked, Microsoft made the unusual move of publicly calling out NSA over its recklessness in creating such tools, as well as the agency’s irresponsible “stockpiling of vulnerabilities.”
Microsoft seems to have understood very well from day one the potential for harm and the fact these tools will be used to cause damage to its customers (as well as its public image) for years to come, even if the company immediately patches them.
The EternalBlue exploit also caused the company to make two additional unusual moves, such as skipping a whole month of Windows updates before announcing the patch for the Server Message Block (SMB) vulnerability that EternalBlue was exploiting, as well as updating the unsupported Windows XP and Windows Server 2003 operating systems.
As soon as the two NSA tools leaked, the WannaCry ransomware spread globally in over 150 countries and caused at least $8 billion in damage, with their help, according to an IBM X-Force report.
Other dangerous malware that was created with the help of NSA’s hacking tools includes GoldenEye, EternalRocks, NotPetya, Bad Rabbit, Yatron, and more. NSA’s EternalBlue and DoublePulsar malware are expected to live on at least another few years until unpatched systems either go offline or are patched.