Beapy, Monero Mining Malware
According to a report by the security firm Symantec, malware that mines the cryptocurrency Monero is spreading across Asia.
According to this report, 80 percent of its victims have been observed in China. Activity has also been observed in other Asian countries, including South Korea, Japan, and Vietnam. The malware, called Beapy, runs on the victim's system as a file (what is technically termed file-based); unlike many crypto-mining malware families, it is not added to the browser as a plugin (those are termed browser-based). According to Symantec, Beapy was first observed in January 2019, and its activity peaked in March.
The malware spreads by sending an Excel file containing the malicious code via email. If the user downloads and runs the email attachment without regard to security precautions, a backdoor is downloaded and run on their system. This backdoor, called DoublePulsar, is one of the spying tools of the U.S. National Security Agency (NSA) that was stolen in 2017 by a group called The Shadow Brokers and released publicly on the internet. DoublePulsar was previously used in the well-known WannaCry ransomware attack.
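As an added example (not code from the article or from Symantec's report), the following email-gateway style check holds Excel attachments that carry a VBA macro project. The article does not say what kind of malicious code the attachment contained, so treating it as a VBA macro is an assumption of this example; the sample attachments are constructed in memory.

```python
# Added example (not from the article or Symantec's report): an email-gateway
# style check for Excel attachments that carry a VBA macro project. The article
# does not say what kind of malicious code the attachment held, so treating it
# as a VBA macro is an assumption of this example. Office Open XML files
# (.xlsx/.xlsm) are ZIP archives; a VBA project is stored as "xl/vbaProject.bin".
# Legacy OLE2 .xls files use a different container and are not parsed here.
import io
import zipfile

OOXML_MAGIC = b"PK\x03\x04"
MACRO_ENTRY = "xl/vbaProject.bin"
MACRO_FREE_EXTENSIONS = (".xlsx",)  # a .xlsx should never contain a VBA project


def build_sample_workbook(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped archive in memory.

    This is a constructed stand-in for an attachment, not a real workbook.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Real VBA projects are OLE2 streams; a placeholder suffices for the container check.
            zf.writestr(MACRO_ENTRY, b"placeholder VBA project")
    return buf.getvalue()


def attachment_verdict(filename: str, data: bytes) -> dict:
    """Return a verdict dict; 'quarantine' is True when the attachment should be held."""
    verdict = {"filename": filename, "has_macro": False, "quarantine": False, "reason": "clean"}
    if not data.startswith(OOXML_MAGIC):
        verdict["reason"] = "not an OOXML container"
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # A container that claims to be a zip but does not parse is held for review.
        verdict.update(quarantine=True, reason="corrupt zip container")
        return verdict
    if MACRO_ENTRY in names:
        verdict["has_macro"] = True
        verdict["quarantine"] = True
        if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
            verdict["reason"] = "VBA project inside an extension that should not carry one"
        else:
            verdict["reason"] = "VBA project present"
    return verdict


if __name__ == "__main__":
    for name, macro in (("report.xlsx", False), ("invoice.xlsm", True), ("invoice.xlsx", True)):
        print(attachment_verdict(name, build_sample_workbook(macro)))
```

The check looks only at the container, so it cannot tell a benign macro from a malicious one; the point is that a macro-bearing spreadsheet from an external sender is held before it reaches a user who might run it.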
After DoublePulsar is installed on the victim's system, it gives the attacker access and then downloads and runs the Monero-mining code. To spread itself, Beapy uses another leaked NSA tool, EternalBlue, which exploits a vulnerability in the SMB protocol on Microsoft systems to run malicious code remotely. Microsoft has released a security patch that closes the vulnerability EternalBlue relies on, but many devices that have not been updated remain vulnerable to it.
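The two stages described above leave network traces a defender can look for: a host spreading over SMB opens sessions to many peers in a short time, and a host running the miner talks to a mining pool. The following detector, an added example and not code from the article or Symantec, runs over constructed firewall log lines and flags both patterns. The log format, the addresses, the internal address range and the list of pool ports are assumptions made for this example.

```python
# Added example, not from the article or Symantec's report: a detector run over
# constructed firewall log lines that flags two network-visible stages of the
# chain described above. (1) One internal host opening SMB (TCP/445) sessions
# to many peers within a short window, the fan-out pattern of EternalBlue-style
# worm spread. (2) An internal host connecting to an external host on ports
# commonly used by Monero mining pools ("stratum" ports). The log format, the
# addresses, the internal range and the port list are assumptions; tune locally.
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
SMB_PORT = 445
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}   # assumed common pool ports
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range
FANOUT_THRESHOLD = 10                                   # distinct SMB peers per source inside WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample: 10.0.0.5 sweeps twelve neighbours on 445 within twelve
# seconds, then reaches an external host on a pool port; 10.0.0.7 does ordinary
# file-share and HTTPS traffic.
SAMPLE_LOG = [
    f"2019-03-12T09:00:{i:02d} src=10.0.0.5 dst=10.0.0.{10 + i} dport=445 proto=tcp"
    for i in range(12)
] + [
    "2019-03-12T09:00:30 src=10.0.0.7 dst=10.0.0.8 dport=445 proto=tcp",
    "2019-03-12T09:01:00 src=10.0.0.7 dst=203.0.113.10 dport=443 proto=tcp",
    "2019-03-12T09:05:30 src=10.0.0.5 dst=198.51.100.23 dport=14444 proto=tcp",
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
    }


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_smb_fanout(events: List[dict]) -> Dict[str, int]:
    """Map each source that reached >= FANOUT_THRESHOLD distinct SMB peers within WINDOW to its peak count."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == SMB_PORT:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    flagged: Dict[str, int] = {}
    for src, conns in per_src.items():
        conns.sort()
        in_window: Counter = Counter()   # distinct peers currently inside the window
        left, peak = 0, 0
        for ts, dst in conns:            # sliding window over time-ordered connections
            in_window[dst] += 1
            while ts - conns[left][0] > WINDOW:
                old_dst = conns[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= FANOUT_THRESHOLD:
            flagged[src] = peak
    return flagged


def detect_pool_connections(events: List[dict]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for internal hosts reaching external hosts on assumed pool ports."""
    return [
        (e["src"], e["dst"], e["dport"])
        for e in events
        if e["dport"] in STRATUM_PORTS and is_internal(e["src"]) and not is_internal(e["dst"])
    ]


def analyze(lines: List[str]) -> dict:
    events = [e for e in map(parse_line, lines) if e is not None]
    return {"smb_fanout": detect_smb_fanout(events), "pool_connections": detect_pool_connections(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A port-based pool check is a weak signal on its own (pools can run on any port, and encrypted traffic hides the stratum protocol), so it is best paired with the SMB fan-out rule and with the host-side symptom the article describes, sustained high CPU use on the affected machine.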
Cryptocurrency-mining malware, known as cryptojacking malware, uses the victim's system resources to mine cryptocurrency and reduces the device's performance and speed. The rise in the value of cryptocurrencies in recent years has enticed hackers to develop and release a variety of cryptojacking malware.
Monero was released in 2014. One of its important features is protecting users' privacy: it hides the source, destination and amount of a transaction from others. Because of this feature, Monero has attracted attention as a way to evade surveillance by legal authorities and is widely used for buying and selling on the dark web. According to academic research, Monero has been the most popular cryptocurrency mined by cryptojacking malware, and the reason is Monero's privacy protection, which helps the attacker stay hidden. The same research estimates that cryptojacking malware has mined at least 4.32 percent of the Monero issued.