A new form of cryptomining malware uses exploit code from the US National Security Agency (NSA). The malware is spreading rapidly throughout Asia, writes Silicon Angle.

Symantec security researchers discovered the malware last week and named it Beapy. Beapy mainly targets enterprise networks. Most infections have been detected in China, but also in other Asian countries; a small proportion of the infections occur in the United States.


Beapy is distributed via emails with a malicious Excel document attached. As soon as the attachment is opened, Beapy uses the NSA's DoublePulsar code to create a backdoor on the infected machine. That backdoor is then used to gain access to the business network and install cryptomining scripts.

DoublePulsar abuses a legitimate mechanism, asynchronous procedure calls (APCs), which lets a thread be temporarily redirected: it pauses its current function, first executes another function, and only then continues with the original one. In an attack, the code is copied into the memory of a running privileged process, and the system is instructed via an APC to execute that code directly.

Although each of these steps is innocent on its own, together they can indicate a DoublePulsar attack.


Barry Schteiman, vice president of research and innovation at Exabeam, urges IT teams to be alert to such attacks. “The best thing you can do is look for anomalies in your electricity bill. You can also measure changes in your HVAC use for heat dissipation, although this is more difficult. In addition, you can search for sudden changes in capacity or use, as well as significant deviations in pattern and speed.”

To detect deviant network behaviour, companies can use an emerging technique called “entity analytics”. This automates detection by establishing a baseline of normal machine behaviour and highlighting deviations from it. Deviations from that baseline may be an indicator of misuse of capacity.
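As an added illustration of the baseline-and-deviation idea behind Schteiman's advice and the “entity analytics” approach (this is example code, not from the article, Symantec or Exabeam), the script below learns a per-host CPU utilisation baseline from a constructed learning window and flags hosts whose live utilisation stays far above it for several consecutive samples, the sustained pattern a cryptominer produces. Host names, sample values, the z-score threshold and the run length are all assumptions chosen for the example.

```python
"""Per-host baseline of CPU utilisation, with sustained-deviation alerts."""
from statistics import mean, pstdev

# Constructed telemetry: host -> hourly CPU utilisation (%) during a
# learning window (BASELINE) and a later live window (LIVE). Made-up values.
BASELINE = {
    "fileserver-01": [12, 15, 14, 11, 13, 16, 12, 14, 15, 13, 12, 14],
    "workstation-07": [35, 40, 30, 45, 38, 42, 33, 37, 41, 36, 39, 34],
}
LIVE = {
    "fileserver-01": [13, 12, 94, 96, 97, 95, 93, 96],   # sustained spike
    "workstation-07": [38, 90, 36, 40, 37, 41, 39, 35],  # one-off burst
}


def build_baseline(samples, floor=1.0):
    """Return host -> (mean, std dev) of the learning window.
    A floor on the std dev stops very stable hosts from alerting on jitter."""
    return {h: (mean(v), max(pstdev(v), floor)) for h, v in samples.items()}


def flag_deviations(baseline, live, z_threshold=3.0, min_run=3):
    """Return host -> alert for hosts whose live samples exceed the baseline
    by z_threshold standard deviations for min_run consecutive samples.
    Requiring a run filters out single bursts such as a build or a backup."""
    alerts = {}
    for host, values in live.items():
        if host not in baseline:
            continue  # unknown entity: no baseline learned yet
        mu, sigma = baseline[host]
        run = 0
        for i, v in enumerate(values):
            z = (v - mu) / sigma
            run = run + 1 if z > z_threshold else 0
            if run == min_run:  # first sample at which the run qualifies
                alerts[host] = {"first_sample": i - min_run + 1,
                                "z": round(z, 1)}
    return alerts


if __name__ == "__main__":
    for host, alert in flag_deviations(build_baseline(BASELINE), LIVE).items():
        print(f"{host}: sustained deviation from sample {alert['first_sample']}"
              f" (z = {alert['z']})")
```

In a real deployment the baseline would be rebuilt on a rolling window and per time-of-day, and the same logic applies to other per-entity signals such as power draw or network throughput.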

