Hundreds of thousands of computers still vulnerable

Sep 14, 2018 16:12 GMT  ·  By

Security researcher Amit Serper of Cybereason reports that Wannamine, a cryptominer that spreads with the NSA-developed EternalBlue exploit, is still circulating on the Internet and that a new outbreak is under way.

Cryptominers are malicious programs designed to run in the background on infected computers, mining a variety of cryptocurrencies without the owners' knowledge.

This new variant of the persistent Wannamine cryptominer still uses the well-known EternalBlue SMB exploit, developed by the NSA and leaked by the Shadow Brokers in April 2017, to break into a target computer. Once inside, it mines cryptocurrency for the threat actor who deployed it and uses the same exploit to spread across the entire network.

Although the EternalBlue exploit was widely publicized by both security experts and the media, and Microsoft patched the underlying vulnerability (MS17-010) on March 14, 2017, the Shodan search engine for Internet-connected devices still shows around 1 million vulnerable Internet-facing machines.

Wannamine gains entry by exploiting unpatched SMB servers with EternalBlue, just as the NotPetya and WannaCry malware did in 2017.

Once in, it launches a PowerShell instance to download platform-specific payloads and the PingCastle Active Directory scanner, which it uses to quickly find other exploitable targets on the network.

This Wannamine hybrid mines coins and hunts down its brothers for more processing power

While this is happening in the background, Wannamine also changes the power-management settings to make maximum power available and spawns hundreds of new processes that use PowerShell scripts to connect to mining-pool servers and start earning money for the attacker.

This Wannamine variant also shows an unusual behavior not seen in previous versions: once connected to its predefined mining pool(s), it hunts down earlier infections planted by other attackers and kills every process connected to TCP ports 3333, 5555 and 7777, the standard ports on which Wannamine, like most miners, talks to its pools.
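As an added example (not code from the article or from Cybereason's research), the following PowerShell hunts for the host-side indicators described above on a single Windows machine: established connections to the pool ports the article names, a surge of powershell.exe processes with encoded or hidden-window command lines, and the active power scheme. It assumes an elevated session on Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available; the function names and the threshold of 20 PowerShell processes are illustrative choices, not values from the report.

```powershell
# Added hunting example; not from the article or Cybereason's report.
# Assumes an elevated session on Windows 8 / Server 2012 or later.

# Pool ports named in the article; extend the list for other pools you track.
$PoolPorts = 3333, 5555, 7777

function Find-PoolConnections {
    # Map every established connection to a pool port back to its owning process.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $PoolPorts -contains $_.RemotePort } |
        ForEach-Object {
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            [PSCustomObject]@{
                Pid         = $_.OwningProcess
                Name        = $proc.Name
                Remote      = "{0}:{1}" -f $_.RemoteAddress, $_.RemotePort
                CommandLine = $proc.CommandLine
            }
        }
}

function Find-SuspiciousPowerShell {
    param([int]$Threshold = 20)   # illustrative threshold, not a value from the report
    $ps = @(Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'")
    if ($ps.Count -ge $Threshold) {
        Write-Warning "$($ps.Count) powershell.exe processes running (threshold $Threshold)"
    }
    # Encoded (-e/-enc/-EncodedCommand) or hidden-window command lines are typical of miner droppers.
    $ps | Where-Object { $_.CommandLine -match '(?i)\s-(e|enc|encodedcommand|w(indowstyle)?\s+hidden)\b' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Get-ActivePowerScheme {
    # A sudden switch to the High performance scheme is one of the indicators described above.
    (powercfg /getactivescheme) -join ' '
}

Find-PoolConnections | Format-Table -AutoSize
Find-SuspiciousPowerShell | Format-Table -Wrap
Get-ActivePowerScheme
```

A hit on a pool port is not proof by itself (a legitimate service may use those ports), so treat the output as a triage list and pivot on the command line and parent process of each flagged PID.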

The problem is that, although the EternalBlue vulnerability is widely known, there are still companies and home users who have not patched their computers, so threat actors keep reusing the same attack vector to gain access to exposed devices.

Keeping personal and company machines patched is therefore the single most important step against EternalBlue, a highly dangerous hole that gives malicious tools code execution with kernel privileges on compromised devices, along with easy network propagation and boot persistence.
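To make the patching advice concrete, here is an added PowerShell example (not from the article) that reports whether a Windows host still exposes the attack surface EternalBlue needs and then removes it by disabling SMBv1 and blocking inbound port 445 on public networks. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later. The MS17-010 fix itself arrives through Windows Update, so the script reports the srv.sys driver version for comparison with Microsoft's MS17-010 advisory rather than hard-coding version numbers; the function names and the firewall rule name are illustrative choices.

```powershell
# Added hardening example; not from the article.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
#Requires -RunAsAdministrator

function Get-EternalBlueExposure {
    # Report the three things that matter: is SMBv1 on, which srv.sys is installed,
    # and is inbound TCP 445 blocked by any enabled firewall rule.
    $smb = Get-SmbServerConfiguration
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    if ($srv) { $version = $srv.VersionInfo.FileVersion } else { $version = 'srv.sys not present' }
    # Compare $version with the fixed file versions listed in MS17-010 for this OS build.
    $blocked = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
    [PSCustomObject]@{
        Smb1Enabled     = $smb.EnableSMB1Protocol
        SrvSysVersion   = $version
        Port445Blocked  = [bool]$blocked
    }
}

function Disable-Smb1 {
    # Turn off the SMBv1 server, the protocol EternalBlue targets; takes effect immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the component as well so it cannot be switched back on by accident
    # (completes after a reboot). Workstations and servers ship it as different features.
    if ((Get-CimInstance Win32_OperatingSystem).ProductType -eq 1) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    } else {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
    }
}

function Block-PublicSmb {
    param([string]$RuleName = 'Block inbound SMB from public networks')  # illustrative name
    # Idempotent: only create the rule if it is not already there.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

Get-EternalBlueExposure   # before
Disable-Smb1
Block-PublicSmb
Get-EternalBlueExposure   # after: Smb1Enabled should be False, Port445Blocked True
```

Disabling SMBv1 stops EternalBlue outright regardless of patch level, but it is a complement to MS17-010, not a substitute: old scanners, printers and NAS boxes may still depend on SMBv1, so test the change on a pilot group before rolling it out fleet-wide.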