June 22, 2017 By Douglas Bonderud 2 min read

It’s been a tough year for the National Security Agency (NSA), and hacking group Shadow Brokers is responsible for much of the trouble. Over the past few months, they’ve leaked more than a few implants — the NSA term for malware code — developed by the agency.

Recently, the agency’s DOUBLEPULSAR tool was used to help spread the massive malware attack WannaCry. Bleeping Computer noted that it’s now on the hunt again, this time digging in with a Monero cryptocurrency miner on PCs running unsecured Server Message Block (SMB) devices.

Fraudsters Dig Deeper With Cryptocurrency Miner

According to the International Business Times, the new malware strain goes by the unassuming name Trojan.BtcMine.1259. First detected by Russian antivirus firm Dr. Web, the attack targets computers running unsecured SMB protocols and downloads a malware loader onto the machine. It then scans for minimal kernel threads. If PCs have enough resource room to spare, the download grabs the cryptocurrency miner and goes to work.

Based on current infection data, according to the International Business Times, researchers believe the new malware strain leverages DOUBLEPULSAR to gain access, parts of the Ghost RAT library to communicate with its command-and-control (C&C) server and other malware variants to carry out its attack. Once compromised, victim PCs mine Monero currency in the background and send the proceeds back to cybercriminals.

Why Monero? As Live Bitcoin News explained, this cryptocurrency is among the fastest-growing in the digital money market. It presents an ideal opportunity for fraudsters looking to avoid the scrutiny that comes with more traditional bitcoin transactions.

Updating to the latest Windows version should protect corporate devices from this newest attack. While DOUBLEPULSAR infections peaked at 100,000 in early April, the number fell to just 16,000 this month thanks to the MS17-010 patch, Bleeping Computer reported.

Long-Term Larceny?

DOUBLEPULSAR isn’t the first NSA tool leaked by the Shadow Brokers. In April, the group also released the EternalBlue exploit, which was used to carry out surveillance activities, according to ZDNet. It was subsequently adopted by fraudsters to attack targets in Singapore using the Ghost RAT Trojan and other parts of South Asia using Backdoor.Nitol.

This exploit also leveraged SMB vulnerabilities and is rendered useless by proper Windows patching. Since many PCs aren’t regularly updated or run older versions of the OS no longer covered by Windows support, however, CyberScoop argued that the tool will be used for years to come by both sophisticated cybercriminals and amateurs.

As Bob Wandell, former information assurance chief of the U.S. Department of Defense (DoD), explained to CyberScoop, “The payloads that can be loaded onto EtnernalBlue are boundless and uniformly malicious.”

The Latest Malware Bandwagon

Even government-built malware isn’t safe from theft and compromise. Exploits such as EternalBlue give cybercriminals long-term access options, while backdoors such as DOUBLEPULSAR provide ways for attackers to jump on the newest malware bandwagon: background cryptocurrency mining.

Fraudsters will take what they can get. They’ll innovate if needed, but they prefer to leverage tools from other sources that can quickly compromise thousands of machines.

It’s another case study for regular security updates and continual monitoring of network services. Supposed IT safety only lasts until attackers discover how to break down the door, steal the key or dig a tunnel.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today