WannaMine worm spreads via the EternalBlue exploit and mines Monero

Do you remember WannaCry? Certainly. A few months ago this ransomware, spreading through a vulnerability in SMB on port 445, paralysed computer systems across Europe. The NSA exploit EternalBlue was used (and still is) not only to distribute ransomware: it has also been weaponised in backdoors, banking Trojans and other file-encrypting malware such as NotPetya. So far, several hundred thousand computers in more than 150 countries around the world have fallen victim to WannaCry attacks.

Figure: WannaCry infection map

In recent months CrowdStrike has noted an increase in the number of cyber-attacks built around cryptocurrency-mining tools, which consume the available CPU cycles without authorisation. While mining was typically seen as merely a nuisance, something that only slows down the computer and heats up its components, CrowdStrike observed several cases in which the mining affected business continuity. In some companies the malware caused systems and applications to fail because of high CPU usage on the server. In the long term, such malware can even damage computer hardware, in particular laptops, which are sensitive to sustained high temperatures.

The WannaMine worm

WannaMine is a cryptomining worm that spreads using the EternalBlue exploit in the same way as WannaCry (it abuses a vulnerability in SMB on port 445). Cybercriminals see Monero as a new way to monetise such a campaign, because its mining algorithm is designed for ordinary desktop computers, unlike Bitcoin, which requires specialised hardware such as application-specific integrated circuits (ASICs) or high-end graphics processors. Moreover, Monero, through so-called stealth addresses combined with transaction mixing, provides 100% anonymity (unlike Bitcoin), which makes it impossible to trace a transaction back to a wallet.

Figure: WannaMine detections

In the last 30 days CrowdStrike's products have begun blocking far more of these scripts than before.

The exact operation of the WannaMine worm is shown in the diagram:

Figure: diagram of how the WannaMine worm operates

The researchers add that, as if that were not enough, WannaMine is fileless. Fileless threats share several features with rootkits: they can store data in the registry, which is the settings database of the operating system and of certain applications, and they can even hook and modify low-level API functions. In addition, like rootkits, they can hide the presence of processes, folders, files and registry keys, including by installing their own drivers and services on the system. Fileless malware can obtain "ring 0" privileges; a process running at this level executes code with kernel privileges and can gain unlimited access to all processes, drivers and services.

Can antivirus software cope with fileless viruses? We encourage you to read our test of protection against fileless viruses, in which we explain exactly what fileless viruses are and how to protect against them.

WannaMine and other fileless malware use PowerShell to download and install malicious code. In addition, this malware is equipped with the tool Mimikatz, used to steal information and data; in this case Mimikatz is used to steal Windows login credentials. The stolen credentials help copy the worm to other systems on the network. If such a login fails, however, WannaMine tries to use the EternalBlue exploit to jump to the next computer.

In addition, one of the worm's malicious components is a task that the PowerShell script creates in Task Scheduler, which every 90 minutes attempts to re-infect other computers.

WannaMine attacks all versions of Windows starting from Windows 2000, including 64-bit editions and Windows Server 2003.

One symptom of a WannaMine infection is the taskservice.exe process:

File: taskservice.exe
Size: 180736
Compiled: Thu, Aug 31 2017, 13:31:24
Type: 32-bit EXE

VirusTotal returns unambiguous results for this sample:

Figure: WannaMine VirusTotal results

The WannaMine threat is not new. Last year a Microsoft user reported excessive CPU usage on three company servers in the Amazon cloud. A suspicious scheduled task ran the following PowerShell command every 90 minutes (quoted here only in part; it reads its payload out of the custom WMI class and executes it with iex):

powershell -NoP -NonI -W Hidden "$mon = ([WmiClass] 'root\default:Win32_TaskService').Properties['mon'].Value; $funs = ([WmiClass] 'root\default:Win32_TaskService').Properties['funs'].Value; iex ([System.Text.Encoding]::ASCII.GetString([Convert]::FromBa
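A defender-side check for the artefacts named above (the custom WMI class, the 90-minute hidden-PowerShell task and the taskservice.exe process), as an added PowerShell example that is not part of the original article; the class name, interval and process name come from the text, and only standard Windows cmdlets are used.

```powershell
# Added example (not from the article): look for the WannaMine persistence
# artefacts described above on one Windows host. Run in an elevated session.
# The class name root\default:Win32_TaskService, the 90-minute interval and
# the process name taskservice.exe are taken from the article; everything
# else uses standard Windows cmdlets.

$findings = @()

# 1. A custom WMI class used as a fileless store for the payload properties
#    ("mon", "funs"). Win32_TaskService is not a built-in class, so finding
#    it at all is suspicious.
$cls = Get-CimClass -Namespace 'root\default' -ClassName 'Win32_TaskService' -ErrorAction SilentlyContinue
if ($cls) {
    $props = ($cls.CimClassProperties | Select-Object -ExpandProperty Name) -join ', '
    $findings += "WMI class root\default:Win32_TaskService present (properties: $props)"
}

# 2. Scheduled tasks that start a hidden PowerShell and repeat every 90 minutes
#    (ISO 8601 duration PT90M in the trigger's repetition pattern).
foreach ($task in Get-ScheduledTask) {
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $every90 = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT90M' }
    if ($cmd -match 'powershell' -and $cmd -match 'hidden' -and $every90) {
        $findings += "Task '$($task.TaskName)' runs hidden PowerShell every 90 min: $cmd"
    }
}

# 3. The process the article names as a symptom of infection.
foreach ($p in Get-Process -Name 'taskservice' -ErrorAction SilentlyContinue) {
    $findings += "Process taskservice.exe running (PID $($p.Id), path: $($p.Path))"
}

if ($findings.Count -eq 0) { 'No WannaMine indicators found.' } else { $findings }
```

A hit on check 1 or 2 alone is worth investigating even without the process, since the fileless stage lives in WMI and Task Scheduler rather than on disk.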

How to protect against WannaMine?

Exactly the same as against the WannaCry ransomware, namely:

  • Install security updates on Windows servers and desktops.
  • Disable the SMBv1 protocol in Control Panel by unticking "SMB 1.0/CIFS File Sharing Support" under "Turn Windows features on or off".
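The SMBv1 step above done from PowerShell rather than the Control Panel dialog, with a verification afterwards, as an added example that is not from the original article; the cmdlets are standard on Windows 8.1 / Server 2012 R2 and later, and the registry fallback is Microsoft's documented method for older systems.

```powershell
# Added example (not from the article): disable SMBv1 from PowerShell and
# verify the result. Run in an elevated PowerShell session.
# Set-SmbServerConfiguration and *-WindowsOptionalFeature exist on Windows 8.1,
# Server 2012 R2 and later; the registry fallback is Microsoft's documented
# method for Windows 7 / Server 2008 R2 and needs a reboot to take effect.

if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Stop the SMB server from accepting SMBv1 sessions (takes effect immediately).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the SMB1 client and server components altogether.
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

    # Verify: the first line should read False, the second Disabled.
    "SMB1 server protocol enabled : $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
    "SMB1Protocol feature state    : $((Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol').State)"
} else {
    # Older systems: SMB1 = 0 under LanmanServer\Parameters disables the server side.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name 'SMB1' -Type DWord -Value 0 -Force
    "SMB1 registry value : $((Get-ItemProperty -Path $key -Name 'SMB1').SMB1) (reboot required)"
}
```

Disabling SMBv1 only closes the EternalBlue path; the credential-reuse path via Mimikatz still needs patched systems and sound credential hygiene.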

Disabling protective software is not a good idea. Most reputable vendors of network and endpoint protection products can block fileless viruses by preventing scripts from being launched through CMD and PowerShell.

Administrators should carefully review their security policy settings and approach them comprehensively: from scanning of Internet resources, through proactive protection, to a firewall with intrusion detection (IDS/IPS). The signatures of the NSA exploits are already widely known, so a good security product (antivirus, firewall or UTM) should have no problem detecting and stopping these attacks.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.