Cryptojacking Campaign on Enterprises Ensues Amid Decline in Popularity

Technology > Security

Cyber criminals are still doing cryptojacking in some cryptocurrencies despite the decline in popularity of the cryptocurrencies like Bitcoin and Ethereum / Photo by: WorldSpectrum via Pixabay


Cybercriminals continue to focus cryptojacking attacks on enterprises despite the shutdown of campaign facilitator CoinHive and declines in cryptocurrency valuation, according to a Symantec report released on Thursday.

File-based coin miner Beapy was initially discovered in January of this year and its attacks have been escalating since March. Its victims are mostly enterprises (98 percent) with businesses in Asia as Beapy's common target. Over 80 percent of its victims are based in China while the rest are located in South Korea, Japan, and Vietnam, TechRepublic reports.

It adds that attacks could be partly due to the exploits employed to infect systems. In April 2017, an organization called The Shadow Brokers released exploits called the EternalBlue and DoublePulsar. Although the said exploits were originally built by the NSA Office of Tailored Access Operations and CIA Information Operations Center.

EternalBlue has been greatly exploited by Lazarus Group, an actor with sponsorship from the North Korean government and is the group behind for both the WannaCry attacks and 2014 hacking of Sony Pictures.

According to TechRepublic, the attacks employ a maliciously developed Excel file sent as an email attachment. This document installs the DoublePulsar backdoor onto the enterprise's system and then disperses to other systems on the network with the help of EternalBlue.

"EternalBlue isn't Beapy's only propagation technique, and it also uses the credential-stealing tool Hacktool.Mimikatz to attempt to collect credentials from infected computers. It can use those to spread to even patched machines on the network," the Symantec report stated.

It added that the coin miner also utilizes a hardcoded roster of usernames and passwords to try to reach across networks, which is similar to the operational method of Bluwimps, a worm that infected thousands of business machines in 2017 to 2018 with file-based coin miners.

Moreover, the tech news site said Beapy was found to exploit weak links in Apache Struts, Apache Tomcat, and Oracle WebLogic Server.

Cryptojacking has a negative influence on the performance of workstations and mobile devices since the estimated time is appropriated to mining activity instead of its intended functions. Such attacks have led to overheating of phones, which causes physical damage to the device.