Ever since the NSA hacking tools were released, there have been multiple reported uses of them. The most likely suspects are various hacking groups, and they are using these tools to infect Windows computers with a cryptocurrency miner.
The newest use of these tools was noticed in a Trojan named ‘Trojan.BtcMine.1259’, discovered by the Russian antivirus vendor Dr.Web.
The Trojan works by attacking computers that have unsecured SMB services. It uses an implant by the name of DOUBLEPULSAR, which was stolen from the NSA. This is itself another piece of malware: it creates a backdoor on infected computers. Nothing big or fancy, but enough for attackers to slip in and execute further malicious code.
Their main goal is to download a generic malware loader onto the infected devices, which then checks each device for a minimum number of kernel threads. If enough CPU resources are found on the computer, the cryptocurrency miner is the next thing that gets downloaded.
Experts say the Trojan was assembled from several libraries, with different components supplying different features. For example, parts of Ghost RAT are used for communication with the C&C server, but also for monitoring the local system.
These features come in handy when the Trojan needs to hide: it can detect when a user launches Task Manager and shuts itself down for the occasion. There are both 32-bit and 64-bit versions of the Trojan, and depending on the hardware it uses several different configurations.
The targeted currency is Monero, which has almost completely replaced Bitcoin among cryptocurrency miners of this kind. Another example of malware that mines cryptocurrency is EternalMiner, which mines Monero on Linux.
It too was detected as recently as last week, when it was found infecting servers via the vulnerability called SambaCry.
DOUBLEPULSAR is mostly associated with the infamous ransomware WannaCry, the same ransomware that infected thousands of computers worldwide in April, during the biggest malware outbreak ever.
That was its first noticed use after the Shadow Brokers stole it from the NSA and dumped it online. The number of infected computers exceeded 100,000 at the time; by last week, that number had dropped to 16,000. This is a direct consequence of system updates on Windows machines, and had they been applied in time, the impact might not have been so great.