Beapy/PCASTLE cryptocurrency miner can pause and spread laterally while you play intensive games

• The worm-cryptominer combo possess advanced cryptomining capabilities and can spread laterally to compromise multiple victims’.
• The cryptominer keeps itself stealthy by halting its operations if performance-intensive tasks such as popular games are running on the victims' computer.

Security researchers have recently analyzed a worm-cryptominer combo that possesses advanced cryptomining capabilities in addition to worm-like methods to move laterally and compromise victims. The cryptominer is found to have a new attack vector, not previously associated with delivering cryptocurrency miners or analyzed in any past research. One of the interesting characteristics the cryptominer own is the ability to pause its mining operations when the victims' machine is running intensive processes, including popular games.

The cryptominer was dubbed as Beapy/PCASTLE by security researchers who discovered it initially.

When was it first identified?

According to the information posted on Chinese websites, the cryptominer was identified in December 2018 in a supply chain attack that targeted “DriveTheLife” users. DriveTheLife was a potentially unwanted application that apparently provided driver updates. Security researchers found that the domain from which DriveTheLife and other similar apps download driver updates were being manipulated by an unknown threat actor, to download the malicious payload on the victims' computer.

Deep analysis

On May 27th, the BitDefender cryptominer research team started a deeper analysis on the different characteristic of the worm-cryptominer, which was updated multiple times by the threat actors to improve its lateral movement and stealth capabilities. Interestingly, the researchers were able to trace down the attack vector back to the famous driver downloading the application.

Researchers also discovered a complex worm-cryptominer based ecosystem that was developed to install Monero (XMR) miners on victim machines. They also did a deeper dive into the cryptominer components to understand how the worm-cryptominer combo operates, and recently published the details in a whitepaper named, “Worm-Cryptominer Combo Lets You Game While Using NSA Exploits to Move Laterally”.

A Worm-Cryptominer combo

The Beapy/PCASTLE cryptominer comprises of both Python and Powershell components as a combination to deliver a powerful cryptocurrency miner and a worm that can spread laterally and infect victims by using popular vulnerabilities. The cryptominer infects victims by using vulnerabilities such as the NSA-linked EternalBlue. “The malicious code combination spells a recipe for creating a very profitable piece of cryptominer as it is built in a complex ecosystem,'' said the researchers.

The researchers also published detailed information about the updates the cryptominer has received from the time of its initial discovery. The technical analysis also revealed important details relating to how the worm-cryptominer combo is used together to spread and mine cryptocurrency.

Key features

• The worm-cryptominer is delivered on to a victims' computer via supply chain attacks via potentially unwanted applications.
• The cryptominer spreads laterally to multiple victims' machines using advanced tools and unpatched vulnerabilities.
• It stays stealthy by halting cryptomining operations if performance-intensive tasks such as popular games are running on the victims' computer.
• The cryptominer can perform mining operation on both CPU and GPU operations.