Worm-Cryptominer Combo Lets You Game While Using NSA Exploits to Move Laterally

Bitdefender researchers recently found and analyzed a
worm-cryptominer combo that uses a series of exploits to move laterally and
compromise victims. What makes it interesting is that it pauses the
resource-intensive cryptomining process if it finds popular games running on
the victim’s machine. The investigation revealed that the worm-cryptominer has
been constantly updated by its developers. Some of its modules were updated to
make analysis harder for security researchers, as well as to improve
lateral movement and other capabilities.

The worm-cryptominer combo was dubbed Beapy/PCASTLE by previous security
researchers. Bitdefender takes a deeper dive into its behavior, offering a
detailed changelog of how its modules and components have been updated over time.
The Bitdefender investigation reveals how the worm and malware components have
been used in conjunction to spread and mine cryptocurrency.

A new attack vector, not previously associated with
delivering cryptocurrency miners or covered in past research, was also revealed
during the investigation. A supply chain attack broke out against users of
DriveTheLife, a potentially unwanted application (PUA), and against users of
other similar apps that seem to run on the same infrastructure. It was found
that a component of DriveTheLife that normally downloads and executes files
from a legitimate domain was apparently being manipulated and used to download
a malicious payload on the victim’s machine from a domain operated by


  • Delivered via supply chain attack on PUA
  • Moves laterally using advanced tools and
    unpatched vulnerabilities
  • Stays stealthy by pausing crypto mining if
    performance-intensive tasks, such as popular games, are running
  • Features both CPU and GPU mining components
  • Full timeline and changelog on how modules were
  • Private RSA key used for signing C&C
    communication publicly available
  • First detailed analysis on how both Beapy and
    PCASTLE work together

For a more detailed technical analysis, please check out the technical paper below:

*** This is a Security Bloggers Network syndicated blog from Bitdefender Labs authored by Liviu Arsene. Read the original post at: