June 22, 2017 By Douglas Bonderud 2 min read

It’s been a tough year for the National Security Agency (NSA), and hacking group Shadow Brokers is responsible for much of the trouble. Over the past few months, they’ve leaked more than a few implants — the NSA term for malware code — developed by the agency.

Recently, the agency’s DOUBLEPULSAR tool was used to help spread the massive malware attack WannaCry. Bleeping Computer noted that it’s now on the hunt again, this time digging in with a Monero cryptocurrency miner on PCs running unsecured Server Message Block (SMB) devices.

Fraudsters Dig Deeper With Cryptocurrency Miner

According to the International Business Times, the new malware strain goes by the unassuming name Trojan.BtcMine.1259. First detected by Russian antivirus firm Dr. Web, the attack targets computers running unsecured SMB protocols and downloads a malware loader onto the machine. It then scans for minimal kernel threads. If PCs have enough resource room to spare, the download grabs the cryptocurrency miner and goes to work.

Based on current infection data, according to the International Business Times, researchers believe the new malware strain leverages DOUBLEPULSAR to gain access, parts of the Ghost RAT library to communicate with its command-and-control (C&C) server and other malware variants to carry out its attack. Once compromised, victim PCs mine Monero currency in the background and send the proceeds back to cybercriminals.

Why Monero? As Live Bitcoin News explained, this cryptocurrency is among the fastest-growing in the digital money market. It presents an ideal opportunity for fraudsters looking to avoid the scrutiny that comes with more traditional bitcoin transactions.

Updating to the latest Windows version should protect corporate devices from this newest attack. While DOUBLEPULSAR infections peaked at 100,000 in early April, the number fell to just 16,000 this month thanks to the MS17-010 patch, Bleeping Computer reported.

Long-Term Larceny?

DOUBLEPULSAR isn’t the first NSA tool leaked by the Shadow Brokers. In April, the group also released the EternalBlue exploit, which was used to carry out surveillance activities, according to ZDNet. It was subsequently adopted by fraudsters to attack targets in Singapore using the Ghost RAT Trojan and other parts of South Asia using Backdoor.Nitol.

This exploit also leveraged SMB vulnerabilities and is rendered useless by proper Windows patching. Since many PCs aren’t regularly updated or run older versions of the OS no longer covered by Windows support, however, CyberScoop argued that the tool will be used for years to come by both sophisticated cybercriminals and amateurs.

As Bob Wandell, former information assurance chief of the U.S. Department of Defense (DoD), explained to CyberScoop, “The payloads that can be loaded onto EtnernalBlue are boundless and uniformly malicious.”

The Latest Malware Bandwagon

Even government-built malware isn’t safe from theft and compromise. Exploits such as EternalBlue give cybercriminals long-term access options, while backdoors such as DOUBLEPULSAR provide ways for attackers to jump on the newest malware bandwagon: background cryptocurrency mining.

Fraudsters will take what they can get. They’ll innovate if needed, but they prefer to leverage tools from other sources that can quickly compromise thousands of machines.

It’s another case study for regular security updates and continual monitoring of network services. Supposed IT safety only lasts until attackers discover how to break down the door, steal the key or dig a tunnel.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today