Security News Hackers Use NSA Exploit to Mine Monero Using Victims’ Computers

Parsh

Thread author

Bleeping Computer has reported that malware authors are utilizing an NSA hacking exploit to infect Windows computers with a trojan that identifies available resources to divert toward mining Monero (XMR), a privacy-oriented alternative cryptocurrency.

The trojan was first reported by Russian antivirus Dr.Web, who discovered the virus under the generic name of Trojan.BTCMine.1259. The trojan has been identified as utilizing an NSA hacking tool named Doublepulsar that is used to infect computers running unsecure Server Message Block (SMB) services – a network protocol predominantly used for providing shared access to files, printers, and serial ports.
Once infected, the malware creates a simple backdoor that allows the hackers to execute code on a machine. The hackers then use the NSA’s Doublepulsar exploit to download a generic malware loader onto the infected machine. The virus will then scan the computer to determine if it has enough resources available to execute its payload. If said resources are available, a generic malware loader will download a cryptocurrency miner, begin mining XMR, and divert the XMR to the hacker’s wallet.
Experts also note that the trojan is able to shut itself down when a PC owner launches the Task Manager utility, allowing the malware to remain undetected whilst in operation.

Trojan.BtcMine.1259 is not the first cryptocurrency-associated virus that has been built using the Doublepulsar exploit. A similar virus called Eternalminer was detected last week, which targets Linux servers for XMR mining. Wannacry, the ransomware program that recently wreaked havoc on businesses and institutions across the globe, also incorporated Doublepulsar into its protocol, using the exploit as the basis for the malware’s self-spreading SMB worm.

Doublepulsar was made available in April 2017 by Shadow Brokers, leading to reports that over 36,000 computers had been infected by various viruses utilizing the exploit on April 21st, with experts suggesting that the number of infected machines may have peaked at nearly 100,000 Windows machines by the end of April. The number of infected computers is estimated to now be closer to 16,000, owing to Windows system update MS17-010.
 