Hackers Use NSA Exploit to Mine Monero Using Victims’ Computers

Reports have surfaced detailing a malware trojan that uses an NSA hacking tool to infect Windows computers with a cryptocurrency mining bug. The virus identifies available resources on a victim’s PC that can be used to initiate the mining of XMR (Monero).

The Trojan Was First Reported by Russian Antivirus Dr.Web

Bleeping Computer has reported that malware authors are utilizing an NSA hacking exploit to infect Windows computers with a trojan that identifies available resources to divert toward mining Monero (XMR), a privacy-oriented alternative cryptocurrency.

The trojan was first reported by Russian antivirus Dr.Web, who discovered the virus under the generic name of Trojan.BTCMine.1259. The trojan has been identified as utilizing an NSA hacking tool named Doublepulsar that is used to infect computers running unsecure Server Message Block (SMB) services – a network protocol predominantly used for providing shared access to files, printers, and serial ports.

Once infected, the malware creates a simple backdoor that allows the hackers to execute code on a machine. The hackers then use the NSA’s Doublepulsar exploit to download a generic malware loader onto the infected machine. The virus will then scan the computer to determine if it has enough resources available to execute its payload. If said resources are available, a generic malware loader will download a cryptocurrency miner, begin mining XMR, and divert the XMR to the hacker’s wallet. Experts also note that the trojan is able to shut itself down when a PC owner launches the Task Manager utility, allowing the malware to remain undetected whilst in operation.

Recent Cryptocurrency-Oriented Viruses Have Adopted the NSA’s Doublepulsar Exploit

Trojan.BtcMine.1259 is not the first cryptocurrency associated virus that has been built using the Doublepulsar exploit. A similar virus called Eternalminer was detected last week, which targets Linux servers for XMR mining. Wannacry, the ransomware program that recently wreaked havoc on businesses and institutions across the globe, also incorporated Doublepulsar into its protocol, using the exploit as the basis for the malware’s self-spreading SMD worm.

Doublepulsar was made available in April 2017 by Shadow Brokers, leading to reports that over 36,000 computers had been infected by various viruses utilizing the exploit on April 21st, with experts suggesting that the number of infected machines may have peaked at nearly 100,000 Windows machines by the end of April. The number of infected computers is estimated to now be closer to 16,000, owing to Windows system update MS17-010.

H2
H3
H4
3 columns
2 columns
1 column
Join the conversation now
Logo
Center