NSA Double Pulsar malware found mining monero for malicious miscreants

News by Max Metzger

Yet another case of cyber-criminals using NSA hacking tools has emerged, this time leveraged to mine crypto-currency.

Another NSA exploit is being employed by cyber-criminals. This time they are combining the implant with a Monero crypto-currency miner.

Discovered by Russian researcher, Dr Web, the Trojan leverages an NSA malware, dubbed DoublePulsar, released by the Shadow Brokers last year.

DoublePulsar, a backdoor which exploits unsecured SMBs, is used to download a malware loader, from which the virus then infects the targeted system. Crypto-currency mining often requires a lot of resources and the malware will only start if the affected computer has the power to pull it off.

Though it might not be the household name that Bitcoin is, Monero has greatly increased in popularity to rival even its better known crypto-currency predecessor in certain areas.

Recent valuations of Monero puts its market cap at nearly US $700 million (£552 million).

Double Pulsar was released along with a variety of other NSA-linked exploits and hacking tools last year when a group calling itself “The Shadow Brokers” offered them as just a sample of a larger tranche of earth shattering information from the Equation Group, an APT associated with the NSA.

Since then, all manner of cyber-criminal and hacker has been using them to further their schemes. Perhaps the most notable case of this were the WannaCry attacks which, last month, successfully attacked the Russian interior ministry, car factories, a Spanish telecoms giant and 48 NHS trusts as well as a great variety of other targets. In total it has been predicted that 200,000 endpoints across 150 countries were caught in its grasp.

The ransomware/worm hybrid used the Eternal Blue vulnerability, also stolen from the NSA, to propagate so far, fast and wide. While a patch that would have fixed the vulnerability was released in March, hundreds of thousands had clearly not taken advantage of it. Even after the attacks rocked global cyber-space, many did not pay heed. WannaCry is still claiming victims including Honda Motors manufacturing plants and, according to reports, speeding cameras in Australia.

In the case of DoublePulsar, which was patched the month before the Shadow Brokers ever released it. This, said Morey J. Haber vice president of technology, Beyond Trust, “is a traditional story and mainstream business problem.”

Many, added Haber, “have not mastered security basics from regular vulnerability assessments to efficient patch management. They are aware of the problems but the cost, effort, and change control maturity still allude their information technology departments to implement across all assets within the organisation.” The WannaCry outage at Fedex is a perfect example. A combination of EOL operating systems, unpatched hosts, and poor security practices lead to them being a victim of this massive outbreak. Patches were available back in March for all non-EOL systems yet the worm based ransomware still impacted the business in a significant way.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews