WannaMine Malware That Uses NSA Exploit To Mine Cryptocurrencies Is On The Rise
The recent months have seen an increase in cyberattacks using cryptocurrency-mining tools, which has now become one of the main security threats.
In April last year, the ‘EternalBlue’ exploit, formerly owned by the US National Security Agency (NSA), was leaked to the public by hacking group Shadow Brokers. This exploit was then used as a base in the WannaCry virus that infected more than 230,000 computers running the Microsoft Windows operating system in 150 countries in May 2017.
Now, researchers at CrowdStrike, a cybersecurity company, have discovered a new strain of malware that uses the ‘EternalBlue’ exploit to hijack victims’ computers and CPU processing power to secretly mine cryptocurrency, in a new attack dubbed WannaMine.
“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors,” the researchers said in a blog post published on January 25.
“WannaMine employs ‘living off the land’ techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It also propagates via the EternalBlue exploit popularized by WannaCry.”
This WannaMine malware is quite similar to the one detected by Panda Security in October last year, which was also based on the EternalBlue exploit and, in that case, used the infected computer to mine Monero.
According to the new report, WannaMine can infect a computer in several ways, such as clicking a malicious link in an email or on a website, or through a remote access attack on the victim. In most cases, the victim will not notice anything, except that the computer runs slower.
This malware is difficult for companies to defend against, as it does not need to download any type of file to infect the computer. Since WannaMine is a fileless operation and uses legitimate system software such as WMI and PowerShell to run, it is nearly impossible for organizations to detect and block it without some form of next-generation antivirus. However, WannaMine does not immediately resort to the EternalBlue exploit.
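As an added example (not from the article or from CrowdStrike's report), the following read-only PowerShell check lists the WMI permanent event subscriptions described above and flags the consumer types that can execute command lines or script text, which is where fileless persistence of this kind lives. The namespace and class names are standard WMI; the "Review" flag is this example's own heuristic, not an indicator published for WannaMine.

```powershell
# Added example: enumerate WMI permanent event subscriptions and flag consumers
# able to run arbitrary commands/scripts. Run from an elevated PowerShell session.
# Nothing is modified or removed; findings still need analyst review.
$ns = 'root/subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Binding reference properties stringify with Name="<value>"; extract the key.
function Get-RefName([object]$ref) {
    if ([string]$ref -match 'Name\s*=\s*"([^"]+)"') { return $Matches[1] }
    return [string]$ref
}

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # CommandLineEventConsumer and ActiveScriptEventConsumer execute content
    # chosen by whoever created the subscription; other consumer classes
    # (e.g. NTEventLogEventConsumer) only log or notify.
    $cls = $c.CimClass.CimClassName
    $payload = switch ($cls) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }
    $review = if ($cls -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') { 'YES' } else { 'no' }

    [pscustomobject]@{
        Filter   = $fName
        Query    = $f.Query        # the WQL trigger, e.g. a timer or process-start event
        Consumer = $cName
        Type     = $cls
        Payload  = $payload        # command line or script the consumer would run
        Review   = $review
    }
}
```

Entries marked YES whose payload invokes PowerShell, encoded commands or scripts from unusual locations deserve the closest look; confirm ownership before removing a binding, since some management tools legitimately register their own.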
It first uses a tool called “Mimikatz” to recover logins and passwords from system memory and tries to infiltrate the system with those credentials. If that fails, WannaMine turns to the EternalBlue exploit to complete the task and break in.
Once the attack is successful, WannaMine quietly uses the CPU processing power to generate Monero coins in the background. “The WannaMine worm uses advanced techniques to maintain persistence within an infected network and move laterally from system to system,” the researchers said. “In one case, a client informed CrowdStrike that nearly 100% of its environment was rendered unusable due to overutilisation of systems’ CPUs.”
According to CrowdStrike specialists, the number of attacks has increased sharply since the beginning of 2018, and one can expect to see much more cryptomining activity in the coming months, resulting in business disruptions and downtime.