NSA’s DOUBLEPULSAR Exploit Aids in Distributing New Monero Mining Malware

It has been a while since cybercirminals leveraged one of the many NSA exploits in circulation. It now turns out a new type of malware is making the rounds. This particular tool infects Windows computers with a cryptocurrency mining Trojan. The distribution of the malware is made possible thanks to the DOUBLEPULSAR exploit, which targets unsecured SMB services. It is a very simple backdoor, yet one that could cause a lot of damage.

Leveraging Another NSA Exploit for Cryptocurrency Mining

Over the past few years, we have seen multiple cryptocurrency mining malware types. Most of these tools are distributed through email spam campaigns and infect a computer with a malicious tool which will hijack computing resources to mine Bitcoin or other cryptocurrencies. Even though regular computer hardware will not net a lot of earnings, it doesn’t matter much if you don’t own the computer nor pay for the electricity being consumed.

The new cryptocurrency mining malware is called Trojan.BtcMine.1259. It has been in circulation for at least one full week, although this is merely an estimated period of time. As we would somewhat expect, this particular Trojan uses a well-known NSA exploit, which goes by the name of DOUBLEPULSAR. This particular exploit is one of the many backdoors used by the NSA in recent years. For now, it seems to mainly target Windows computers, even though the code can be modified to infect Linux servers as well.

It appears this new cryptocurrency mining trojan combines various existing malware libraries. It shows similarities to the Ghost RAT, among other things. Even though it has “Btc” in the name, this malware is not designed to mine Bitcoin whatsoever. Instead, it will try to mine Monero, a cryptocurrency which is quickly becoming popular among cybercriminals. This is mainly due to the anonymity and privacy traits Monero has to offer. Bitcoin lacks such features, to say the least.

Even though this is a rather troublesome type of malware, there is some good news as well. The number of Windows machines vulnerable to the DOUBLEPULSAR exploit is on the decline. In fact, there are still 16000 vulnerable Windows machines to be found around the world. However, the number is a lot smaller compared to the number of victims made by the WannaCry ransomware. That particular attack leveraged the DOUBLEPULSAR exploit as well.

What is rather remarkable is how this Monero-mining malware performs a check to determine if the target computer has enough CPU resources. If this is not the case, the malware will go dormant again, and never resurface. If the computer is powerful enough to conduct mining operations however, the cryptocurrency mining payload will be downloaded as a result. One would expect criminals distributing cryptocurrency mining malware to just infect as many computers as possible. That does not appear to be the case where this particular Trojan is concerned.

It is evident cybercriminals are not done with cryptocurrency mining malware just yet. Using a well-known NSA exploit to distribute this Trojan is quite interesting, albeit it remains to be seen how successful this venture will be. A lot of computers do not have enough CPU resources to even mine Monero. Even if they do, the total earnings will be minimal, at best. It remains to be seen if we will see more advanced versions of cryptocurrency mining malware in the future.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.