What Is It?
Symantec first detected the Beapy cryptominer malware in January 2019 and has seen increasing activity since March 2019, with 98% of infections found in corporate networks. Approximately 80% of infections were detected in China, with the remainder in Japan, South Korea, Hong Kong, Taiwan, the Philippines, Vietnam and Bangladesh. A small percentage of infections occurred outside Asia, in the U.S. and Jamaica.
The infection vector is a spam email containing a malicious Microsoft Excel attachment, unsurprising as this is currently the most common infection vector for malware attacks. If a user opens the attachment, the leaked NSA DoublePulsar backdoor is installed on the system, followed by the coinminer itself, using PowerShell commands. Beapy uses multiple methods to propagate through an infected corporate network: first a hardcoded list of usernames and passwords, then the Mimikatz tool to extract credentials from infected systems, and finally the leaked NSA EternalBlue exploit.
Beapy is an example of attackers returning to file-based cryptominers after previously focusing on browser-based miners. Browser-based miners had been the most popular because even fully patched systems could be targeted; the only prerequisite was an internet-connected browser.
The Coinhive coin mining service, which shut down in early March 2019 after being active for 18 months, made it much simpler to perpetrate browser-based coin mining. The advantage to attackers of file-based mining is the significantly greater return compared to browser-based mining, since a file-based attack can access all the resources of an infected system at all times. As detailed by Symantec, a browser-based mining botnet of 100,000 bots running for 30 days could be expected to return a profit of US$30,000, whereas a file-based botnet of the same size, over the same timeframe, could return $750,000.
The recently released Malwarebytes Labs Cybercrime Tactics and Techniques report for Q1 2019 found that cryptomining attacks against home users have nearly ceased. As we predicted in Threat Report Q4 2018, the decline in the value of cryptocurrencies and the lack of stability in the cryptocurrency market have greatly reduced the profit potential and incentive for attackers to target home users' systems. However, attackers seemingly still find that corporate networks offer a sufficient return on investment for cryptomining.
How Does It Propagate?
Beapy utilizes the leaked NSA exploit, EternalBlue, to propagate. The infection vector for this attack is a spam email containing a malicious Microsoft Excel attachment.
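Two detections that cover the chain described in the sections above (an Office process spawning PowerShell after the Excel attachment is opened, and a single host fanning out over SMB to many internal peers as it propagates), written as an added example over constructed Sysmon-style events; this is not code or telemetry from Symantec, BluVector or the report, and the field names, thresholds, host names and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report), shaped like Sysmon
# process-creation (type "process") and network-connection (type "network") events.
EVENTS = [
    {"type": "process", "host": "ws01", "time": "2019-03-04T09:01:05",
     "parent": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "process", "host": "ws02", "time": "2019-03-04T09:02:00",
     "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\notepad.exe"},
    {"type": "network", "host": "ws02", "time": "2019-03-04T09:06:00",
     "dst": "10.0.0.5", "dport": 445},
] + [  # ws01 touching 25 internal hosts on TCP/445 within half a minute
    {"type": "network", "host": "ws01", "time": f"2019-03-04T09:05:{i:02d}",
     "dst": f"10.0.0.{10 + i}", "dport": 445} for i in range(25)
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def office_spawning_script_host(events):
    """Flag an Office application that is the parent of a script host (the
    document-to-PowerShell chain a malicious Excel attachment produces)."""
    hits = []
    for e in (e for e in events if e["type"] == "process"):
        parent = e["parent"].rsplit("\\", 1)[-1].lower()
        child = e["image"].rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.append((e["host"], parent, child))
    return hits

def smb_fanout(events, window=timedelta(minutes=5), threshold=20):
    """Flag a host that connects to >= threshold distinct peers on TCP/445 within
    `window`; SMB worming (EternalBlue, credential reuse) leaves this pattern."""
    by_host = defaultdict(list)
    for e in (e for e in events if e["type"] == "network" and e["dport"] == 445):
        by_host[e["host"]].append((datetime.fromisoformat(e["time"]), e["dst"]))
    alerts = {}
    for host, conns in by_host.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):  # sliding time window over sorted connections
            while conns[end][0] - conns[start][0] > window:
                start += 1
            peers = {dst for _, dst in conns[start:end + 1]}
            if len(peers) >= threshold:
                alerts[host] = max(alerts.get(host, 0), len(peers))
    return alerts
```

The fan-out threshold and window should be tuned against a baseline of normal SMB activity (file servers and administrative hosts legitimately reach many peers) before the rule is used for alerting.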
When/How Did BluVector Detect It?
Five samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected for an average of 11 months prior to their release.