Beapy, a new crypto mining malware, is successfully using the stolen NSA exploits from two years ago – and the infection is spreading.

It was two years ago that Shadow Brokers, a hacking group, released malware it had supposedly stolen from hackers associated with the National Security Agency of the USA. This malware featured NSA-developed exploits that proved to be rather effective. These exploits helped fuel the rampant spread of the notorious WannaCry ransomware back in 2017. Researchers at Symantec are saying a new malware is still effectively using these exploits, and it is spreading.

Beapy – your cryptojacking friend

The new malware is dubbed Beapy, and hackers are using it to attack corporate networks in order to mine cryptocurrency. Spotted back in January, Beapy has now spread across 732 different organizations since March, representing 12,000 unique infections. Most of the infected systems are located in China.

Hackers are using Beapy to target major entities that feature a large number of computers. The reasoning for this scenario is that the cryptojacking of so many systems at once results in a tremendous revenue stream for the hackers. An infected website could generate up to $30,000 a month. By comparison, file-based cryptojacking of a corporation or government agency could reward hackers with up to $750,000 a month.

How does Beapy work?

The malware needs someone in the targeted company to open a malicious email. When that occurs, Beapy releases the DoublePulsar malware created by the NSA in order to create a persistent backdoor. Beapy also unleashes EternalBlue, another NSA exploit, which spreads laterally across the entire network.

The cryptojacking software is introduced from the hacker’s server once the backdoors have been created on the victim’s computers. Adding insult to injury, the malware then uses an open-source credential thief called Mimikatz to gather and use passwords in order to further its infection across the victim’s network.

The spread of Beapy is interesting in that the rate of cryptojacking had been going down due to Coinhive shutting down back in March. That particular project shut down due to the drop in price for Monero (XRM). In the official announcement, the development team said:

“The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the ‘crash’ of the cryptocurrency market with the value of XMR depreciating over 85% within a year. This and the announced hard fork and algorithm update of the Monero network on March 9 has lead us to the conclusion that we need to discontinue Coinhive.”

Lots of malware out there

It does feel that every few weeks sees another malware threat rising. Back in January, cybersecurity experts illuminated the spread of Anatova, a type of ransomware that demanded Dash from its victims. The following month saw the discovery of a clipping malware in the Google Play Store that stole wallet addresses when Android users copied and pasted cryptocurrency wallet addresses. The malware would change the address to where the coins were going, thus putting the funds in the hackers’ coffers.

Android was targeted again last month with the Gustuff malware. This particular mischief-maker targeted over 130 apps associated with banks, cryptocurrency exchanges, and instant messaging platforms. Gustuff would target the Android Accessibility feature (which automates certain UI interactions on behalf of users who have disabilities) to open the apps, fill out the required data, and then start making transactions without the user aware of what is going on.

However, it’s not all doom-and-gloom on the malware front. Symantec did find eight malicious cryptojacking apps in the Microsoft Store back in February, leading to those apps getting deleted. As always, remember to be sure of any email that you’re opening lest you unleash some form of virtual nasty.