We all remember that in May of 2017, the WannaCry attack—a file-encrypting North Korean ransomware—raised the urgency of patching vulnerabilities in the Windows operating system that had been exposed by a leak of National Security Agency exploits.
WannaCry used an exploit called EternalBlue, which abuses a flaw in Windows’ Server Message Block (SMB) network file sharing protocol to spread from machine to machine across a network.
Since then the same core exploit used by WannaCry has been employed by other malware authors: it was seen in the NotPetya attack that hit companies worldwide a month later, and in Adylkuzz, a cryptocurrency-mining worm. Adylkuzz was the first but not the last; other cryptocurrency-mining worms followed, including WannaMine—a fileless, all-PowerShell, Monero-mining malware.
A year after its first appearance, WannaMine is still spreading, affecting dozens of domain controllers and about 2,000 endpoints after gaining access through an unpatched SMB server.
Companies and individuals must take precautions against this growing wave of malware attacks. At a minimum they should run a security product such as an antivirus, keep their operating systems regularly updated, and use an antivirus for Windows or an antivirus for Mac, depending on which OS the device is running.
Companies should also hire a professional cybersecurity firm to check their internal network a couple of times per year. These checkups must always include a penetration test and various ethical hacking tests.
During malware analysis, cybersecurity researchers found that WannaMine is “fileless”: it uses PowerShell scripts pulled from remote servers to establish a foothold on computers and to run all of its components. The PowerShell code includes a PowerShell version of the Mimikatz credential-stealing tool copied directly from a GitHub repository. It also carries a huge binary blob—a Windows .NET compiler—which the malware uses to compile a dynamic-link library version of the PingCastle network scanning tool, used to locate potentially vulnerable targets elsewhere on the network.

It uses Windows Management Instrumentation to detect whether it has landed on a 32-bit or 64-bit system and picks the matching version of its payload to download. It then changes the infected computer’s power management settings so the machine does not go to sleep and mining continues uninterrupted, and shuts down any process using the network ports associated with cryptocurrency-mining pools (3333, 5555, and 7777); then it runs its own PowerShell-based miners, connecting to mining pools on port 14444.
The malware’s command-and-control servers are:
• 184.108.40.206, hosted by Shanghai Anchnet Network Technology Stock Co., Ltd in Shanghai.
• 220.127.116.11 and 18.104.22.168, both hosted by the DDoS mitigation hosting company Global Frag Servers in Los Angeles.
• 22.214.171.124 and 126.96.36.199, both hosted by CloudRadium L.L.C., a company with a disconnected phone number and a Los Angeles address shared with a number of other hosting and co-location service providers.
• 188.8.131.52, hosted in the US by CloudInnovation, which claims to be based in South Africa but gives a Seychelles address in its network registration.
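The behaviour described above gives a defender two concrete things to look for in network telemetry: a script host such as PowerShell talking to a mining-pool port (14444, or the 3333/5555/7777 ports the malware clears for itself), and any connection to the command-and-control addresses listed. The following is an added detection sketch written for this article; it is not code from the researchers or from the malware. It assumes a flattened Sysmon-style network-connection log line (constructed here), treats `powershell.exe` and `wmiprvse.exe` as script hosts that should never reach a mining pool (an assumption), and runs over a handful of constructed sample records.

```python
"""Flag network-connection records consistent with the WannaMine activity
described in the article: PowerShell reaching mining-pool ports, or any
process reaching the listed command-and-control addresses.

Added example; log format, SCRIPT_HOSTS and the sample records are
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List

# Indicators taken from the article: pool ports the miner uses or clears,
# and the command-and-control addresses it lists.
MINING_POOL_PORTS = {3333, 5555, 7777, 14444}
C2_ADDRESSES = {
    "184.108.40.206", "220.127.116.11", "18.104.22.168",
    "22.214.171.124", "126.96.36.199", "188.8.131.52",
}
# Assumption: script hosts that have no legitimate reason to talk to a mining pool.
SCRIPT_HOSTS = {"powershell.exe", "wmiprvse.exe"}

# Constructed log shape: a flattened Sysmon-style network-connection record.
# Image paths may contain spaces, so the path is matched lazily up to the next field.
LINE_RE = re.compile(
    r"Image=(?P<image>.+?)\s+DestinationIp=(?P<ip>[\d.]+)\s+DestinationPort=(?P<port>\d+)"
)


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str
    image: str
    destination: str


def analyze(lines: List[str]) -> List[Finding]:
    """Return one Finding per suspicious record, in log order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue  # not a network-connection record; ignore it
        image = m.group("image").rsplit("\\", 1)[-1].lower()  # basename of the process
        ip, port = m.group("ip"), int(m.group("port"))
        dest = f"{ip}:{port}"
        if ip in C2_ADDRESSES:
            findings.append(Finding(n, "high", "connection to listed C2 address", image, dest))
        elif port in MINING_POOL_PORTS and image in SCRIPT_HOSTS:
            findings.append(Finding(n, "high", "script host connecting to mining-pool port", image, dest))
        elif port in MINING_POOL_PORTS:
            # Pool ports are also used by ordinary software; report, but at low severity.
            findings.append(Finding(n, "low", "mining-pool port in use; verify the process", image, dest))
    return findings


# Constructed sample records; non-C2 hosts use documentation/private address ranges.
SAMPLE_LOG = [
    r"UtcTime=2018-02-01 10:00:01 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationIp=203.0.113.10 DestinationPort=14444",
    r"UtcTime=2018-02-01 10:00:02 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=198.51.100.7 DestinationPort=443",
    r"UtcTime=2018-02-01 10:00:03 Image=C:\Windows\System32\svchost.exe DestinationIp=184.108.40.206 DestinationPort=80",
    r"UtcTime=2018-02-01 10:00:04 Image=C:\Tools\dev-server.exe DestinationIp=10.0.0.5 DestinationPort=3333",
    r"UtcTime=2018-02-01 10:00:05 EventId=1 Image=C:\Windows\notepad.exe CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.image} -> {f.destination}: {f.reason}")
```

The severity split matters in practice: ports such as 3333 are used by plenty of legitimate software, so a bare port match is only a lead to verify, whereas PowerShell itself opening a connection to a pool port, or any process contacting one of the listed C2 addresses, is worth an immediate look. Records without the expected fields (the fifth sample, a process-creation event) are skipped rather than mis-parsed.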
We will continue to monitor this malware’s evolution. Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS the machine is running. If you are a company, we recommend hiring a specialized cybersecurity firm every year to run tests on your company’s network; such tests include penetration testing and ethical hacking.