Malware Warning! NSA’s DOUBLEPULSAR Exploit Used to Distribute New Monero Mining Malware

in #monero, 7 years ago (edited)

It has been a while since cybercriminals leveraged one of the many NSA exploits in circulation. It now turns out a new type of malware is making the rounds. This particular tool infects Windows computers with a cryptocurrency mining Trojan. The distribution of the malware is made possible by the DOUBLEPULSAR exploit, which targets unsecured SMB services. It is a very simple backdoor, yet one that could cause a lot of damage.

Leveraging Another NSA Exploit for Cryptocurrency Mining

Over the past few years, we have seen multiple types of cryptocurrency mining malware. Most of these tools are distributed through email spam campaigns and infect a computer with a malicious tool that hijacks computing resources to mine Bitcoin or other cryptocurrencies. Even though regular computer hardware will not net a lot of earnings, that doesn’t matter much if you neither own the computer nor pay for the electricity being consumed.

The new cryptocurrency mining malware is called Trojan.BtcMine.1259. It has been in circulation for at least one full week, although this is merely an estimated period of time. As we would somewhat expect, this particular Trojan uses a well-known NSA exploit, which goes by the name of DOUBLEPULSAR. This particular exploit is one of the many backdoors used by the NSA in recent years. For now, it seems to mainly target Windows computers, even though the code can be modified to infect Linux servers as well.

It appears this new cryptocurrency mining Trojan combines various existing malware libraries. It shows similarities to the Ghost RAT, among other things. Even though it has “Btc” in the name, this malware is not designed to mine Bitcoin whatsoever. Instead, it will try to mine Monero, a cryptocurrency which is quickly becoming popular among cybercriminals. This is mainly due to the anonymity and privacy traits Monero has to offer. Bitcoin lacks such features, to say the least.

Even though this is a rather troublesome type of malware, there is some good news as well. The number of Windows machines vulnerable to the DOUBLEPULSAR exploit is on the decline. In fact, there are still 16000 vulnerable Windows machines to be found around the world. However, the number is a lot smaller compared to the number of victims claimed by the WannaCry ransomware. That particular attack leveraged the DOUBLEPULSAR exploit as well.

What is rather remarkable is how this Monero-mining malware performs a check to determine whether the target computer has enough CPU resources. If this is not the case, the malware will go dormant again and never resurface. If the computer is powerful enough to conduct mining operations, however, the cryptocurrency mining payload will be downloaded. One would expect criminals distributing cryptocurrency mining malware to just infect as many computers as possible. That does not appear to be the case where this particular Trojan is concerned.

It is evident cybercriminals are not done with cryptocurrency mining malware just yet. Using a well-known NSA exploit to distribute this Trojan is quite interesting, although it remains to be seen how successful this venture will be. A lot of computers do not have enough CPU resources to even mine Monero. Even if they do, the total earnings will be minimal, at best. It remains to be seen if we will see more advanced versions of cryptocurrency mining malware in the future.
