1 min read

Worm-Cryptominer Combo Lets You Game While Using NSA Exploits to Move Laterally

Liviu ARSENE

August 20, 2019

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Worm-Cryptominer Combo Lets You Game While Using NSA Exploits to Move Laterally

Bitdefender researchers recently found and analyzed a worm-cryptominer combo that uses a series of exploits to move laterally and compromise victims. What makes it interesting is that it pauses the resource-intensive cryptomining process if it finds popular games running on the victim’s machine. The investigation revealed that the worm-cryptominer has been constantly updated by its developers. Some of its modules were updated to make it difficult for security researchers to analyze it, as well as improve lateral movement and other capabilities.

Dubbed Beapy/PCASTLE by previous security researchers, Bitdefender takes a deeper dive into the behavior of the worm-cryptominer combo, offering a detailed changelog into how its modules and components have been updated over time. The Bitdefender investigation reveals how the worm and malware components have been used in conjunction to spread and mine cryptocurrency.

A new attack vector, not previously associated with delivering cryptocurrency miners or covered in past research, was also revealed during the investigation. A supply chain attack broke out against users of DriveTheLife, a potentially unwanted application (PUA), and against users of other similar apps that seem to run on the same infrastructure. It was found that a component of DriveTheLife that normally downloads and executes files from a legitimate domain, was apparently being manipulated and used to download a malicious payload on the victim’s machine from a domain operated by attackers.

Key findings:

  • Delivered via supply chain attack on PUA application
  • Moves laterally using advanced tools and unpatched vulnerabilities
  • Stays stealthy by pausing crypto mining if performance-intensive tasks, such as popular games, are running
  • Features both CPU and GPU mining components
  • Full timeline and changelog on how modules were updated
  • Private RSA key used for signing C&C communication publicly available
  • First detailed analysis on how both Beapy and PCASTLE work together

For a more detailed technical analysis, please check out the technical paper below:

Download the whitepaper

tags


Author



Right now

Top posts

BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign

BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign

December 06, 2022

1 min read
Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

October 05, 2022

1 min read
A Red Team Perspective on the Device42 Asset Management Appliance

A Red Team Perspective on the Device42 Asset Management Appliance

August 10, 2022

1 min read
Vulnerabilities Identified in Wyze Cam IoT Device

Vulnerabilities Identified in Wyze Cam IoT Device

March 29, 2022

1 min read
New FluBot and TeaBot Global Malware Campaigns Discovered

New FluBot and TeaBot Global Malware Campaigns Discovered

January 26, 2022

10 min read
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

December 10, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

EyeSpy - Iranian Spyware Delivered in VPN Installers EyeSpy - Iranian Spyware Delivered in VPN Installers
Janos Gergo SZELESBogdan BOTEZATU
2 min read
Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor
Bitdefender

January 05, 2023

1 min read
BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign
Adrian SCHIPORVictor VRABIE
1 min read