EternalBlue Exploit Serves Beapy Cryptojacking Campaign
(Apr 25, 2019)
A file-based cryptojacking campaign, dubbed "Beapy," has been discovered by Symantec researchers. It utilises the "EternalBlue" exploit and the "DoublePulsar" backdoor, both attributed to the US National Security Agency (NSA) and leaked publicly in 2017. The campaign has mainly impacted enterprises in China, Japan, South Korea, and Vietnam. Infection begins with a phishing email carrying a malicious Microsoft Excel spreadsheet. If the spreadsheet is opened, it downloads the DoublePulsar backdoor, which gives the threat actors arbitrary code execution on the host; from there they use EternalBlue, an exploit for the SMBv1 vulnerability patched in MS17-010, to spread laterally across the network. Once the backdoor is installed, the malware contacts its Command and Control (C2) server and runs a PowerShell script that installs the coinminer. Beapy also uses the open-source credential-stealing tool "Mimikatz" to harvest Windows passwords, which lets the actors reach machines that are already patched against EternalBlue.
Recommendation: It is critical that the latest security patches be applied as soon as possible to all devices used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install security patches promptly because vulnerability details are often published to open sources, where any malicious actor can attempt to mimic the techniques described. For EternalBlue specifically, confirm that MS17-010 is installed and disable SMBv1 wherever it is not required. Because Beapy also spreads with credentials stolen by Mimikatz, patching alone is not sufficient: avoid reusing local administrator passwords across machines and limit which accounts hold administrative rights. This story also serves as a reminder of the risks of opening attachments from unknown senders. Cryptocurrency miners cause high CPU usage; if a machine's fans seem to be always running, check the activity/task manager to see whether a miner is running unknowingly.
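The following PowerShell script is an added example written for this brief; it is not code from Symantec's report or from the Beapy malware. It checks the three conditions the recommendation above turns on: whether SMBv1 is still enabled, whether an MS17-010 hotfix is present, and whether any process is burning sustained CPU or was launched by Excel (the Excel-to-PowerShell chain described above). It assumes Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration) and an elevated session; the KB list is the March 2017 MS17-010 set and must be verified against Microsoft's bulletin for each OS build, because Windows 10 ships the fix inside cumulative updates that Get-HotFix reports under later KB numbers.

```powershell
# Added example, not part of the original brief. Run from an elevated PowerShell
# prompt on the host being checked.
#
# Assumption: these are the March 2017 MS17-010 KB numbers. Confirm against the
# Microsoft bulletin for your OS build; Windows 10 reports the fix under later
# cumulative-update KBs, so an empty result there is not proof the host is
# unpatched.
$ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215',
                'KB4012216','KB4012217','KB4012598')

function Test-EternalBlueExposure {
    # EternalBlue targets SMBv1. If SMBv1 is off, the exploit has nothing to hit,
    # regardless of patch state.
    $cfg = Get-SmbServerConfiguration
    $found = Get-HotFix |
        Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Smb1Enabled    = $cfg.EnableSMB1Protocol
        Ms17010Hotfix  = if ($found) { $found -join ',' } else { '(none listed)' }
    }
}

function Get-SustainedCpuProcesses {
    param([int]$SampleSeconds = 10, [double]$MinCpuPercent = 50)
    # Get-Process exposes CPU as cumulative seconds, so a single snapshot cannot
    # tell a miner from a process that was busy an hour ago. Sample twice and
    # convert the delta into percent of total machine capacity.
    $cores = [Environment]::ProcessorCount
    $first = @{}
    Get-Process | ForEach-Object { $first[$_.Id] = $_.CPU }
    Start-Sleep -Seconds $SampleSeconds
    Get-Process | ForEach-Object {
        # CPU is $null for processes we cannot open (protected/system); skip them.
        if ($first.ContainsKey($_.Id) -and $null -ne $_.CPU -and $null -ne $first[$_.Id]) {
            $pct = ($_.CPU - $first[$_.Id]) / $SampleSeconds / $cores * 100
            if ($pct -ge $MinCpuPercent) {
                $info = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)"
                [pscustomobject]@{
                    Pid         = $_.Id
                    Name        = $_.Name
                    CpuPercent  = [math]::Round($pct, 1)
                    ParentPid   = $info.ParentProcessId
                    CommandLine = $info.CommandLine
                }
            }
        }
    }
}

function Get-OfficeSpawnedShells {
    # The kill chain starts with a malicious spreadsheet, so a shell whose parent
    # is an Office application is worth a look even before the miner starts.
    $shells  = @('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe')
    $office  = @('excel.exe','winword.exe','powerpnt.exe','outlook.exe')
    $all     = Get-CimInstance Win32_Process
    $byPid   = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        if ($shells -contains $p.Name.ToLower()) {
            $parent = $byPid[[int]$p.ParentProcessId]
            if ($parent -and ($office -contains $parent.Name.ToLower())) {
                [pscustomobject]@{
                    Pid         = $p.ProcessId
                    Name        = $p.Name
                    Parent      = $parent.Name
                    CommandLine = $p.CommandLine
                }
            }
        }
    }
}

Test-EternalBlueExposure | Format-List
Get-OfficeSpawnedShells | Format-Table -AutoSize
Get-SustainedCpuProcesses | Format-Table -AutoSize
```

A machine showing Smb1Enabled = True with no MS17-010 hotfix listed should be treated as exposed to EternalBlue until proven otherwise. Any shell with an Office parent, or any unfamiliar process holding 50% or more of total CPU for the sample window, is a lead, not a verdict: capture its command line and parent before terminating it, since the miner's PowerShell installer is what ties the host back to the C2.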
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.