Symantec has released new research on a new cryptojacking campaign, dubbed Beapy, which is primarily impacting enterprises in China.

Beapy is a cryptojacking campaign that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. Beapy activity was first tracked by Symantec in January 2019. This activity has also been seen on web servers and has been increasing since the beginning of March. This campaign demonstrates that while cryptojacking has declined in popularity with cyber criminals since its peak at the start of 2018, it is still a focus for some, with enterprises now their primary target.

Beapy is most heavily affecting enterprises in Asia, with more than 80 percent of its victims located in China, with other victims in South Korea, Japan, and Vietnam.Whilst Australia is not among the targeted countries, the findings act as a warning to Australian enterprises to implement multiple mutually supportive defensive systems to guard against single point failures in any specific technology or protection method.

Beapy is a file-based coinminer, which is interesting as most of the cryptojacking activity at the height of its popularity was carried out using browser-based coinminers. While browser-based coinminers were popular due to lower barriers to entry, file-based coinminers have a significant advantage because they can mine cryptocurrency faster.

Infection chain

Malicious emails are the initial vector for at least some Beapy infections. A malicious Excel document is delivered to victims as an email attachment. If the email recipient opens the malicious attachment, the DoublePulsar backdoor (Backdoor.Doublepulsar) is downloaded onto the target machine. DoublePulsar, like EternalBlue, was leaked in the Shadow Brokers dump and was also used in the destructive WannaCry ransomware attack in 2017. DoublePulsar opens a backdoor on infected machines and allows for remote code execution on compromised computers. EternalBlue exploits a vulnerability in the Windows SMB protocol to allow files to spread laterally across networks