It’s been a tough year for the National Security Agency (NSA), and hacking group Shadow Brokers is responsible for much of the trouble. Over the past few months, they’ve leaked more than a few implants — the NSA term for malware code — developed by the agency.
Recently, the agency’s DOUBLEPULSAR tool was used to help spread the massive WannaCry malware attack. Bleeping Computer noted that it’s now on the hunt again, this time digging in with a Monero cryptocurrency miner on PCs running unsecured Server Message Block (SMB) services.
Fraudsters Dig Deeper With Cryptocurrency Miner
According to the International Business Times, the new malware strain goes by the unassuming name Trojan.BtcMine.1259. First detected by Russian antivirus firm Dr. Web, the attack targets computers running unsecured SMB protocols and downloads a malware loader onto the machine. The loader then scans for minimal kernel threads. If the PC has enough spare resources, the loader grabs the cryptocurrency miner and goes to work.
Based on current infection data, according to the International Business Times, researchers believe the new malware strain leverages DOUBLEPULSAR to gain access, parts of the Ghost RAT library to communicate with its command-and-control (C&C) server and other malware variants to carry out its attack. Once compromised, victim PCs mine Monero currency in the background and send the proceeds back to cybercriminals.
Why Monero? As Live Bitcoin News explained, this cryptocurrency is among the fastest-growing in the digital money market. It presents an ideal opportunity for fraudsters looking to avoid the scrutiny that comes with more traditional bitcoin transactions.
Updating to the latest Windows version should protect corporate devices from this newest attack. While DOUBLEPULSAR infections peaked at 100,000 in early April, the number fell to just 16,000 this month thanks to the MS17-010 patch, Bleeping Computer reported.
DOUBLEPULSAR isn’t the first NSA tool leaked by the Shadow Brokers. In April, the group also released the EternalBlue exploit, which was used to carry out surveillance activities, according to ZDNet. It was subsequently adopted by fraudsters to attack targets in Singapore with the Ghost RAT Trojan and targets elsewhere in South Asia with Backdoor.Nitol.
This exploit also leveraged SMB vulnerabilities and is rendered useless by proper Windows patching. Since many PCs aren’t regularly updated or run older versions of the OS no longer covered by Windows support, however, CyberScoop argued that the tool will be used for years to come by both sophisticated cybercriminals and amateurs.
As Bob Wandell, former information assurance chief of the U.S. Department of Defense (DoD), explained to CyberScoop, “The payloads that can be loaded onto EternalBlue are boundless and uniformly malicious.”
The Latest Malware Bandwagon
Even government-built malware isn’t safe from theft and compromise. Exploits such as EternalBlue give cybercriminals long-term access options, while backdoors such as DOUBLEPULSAR provide ways for attackers to jump on the newest malware bandwagon: background cryptocurrency mining.
Fraudsters will take what they can get. They’ll innovate if needed, but they prefer to leverage tools from other sources that can quickly compromise thousands of machines.
It’s another case study for regular security updates and continual monitoring of network services. Supposed IT safety only lasts until attackers discover how to break down the door, steal the key or dig a tunnel.