Wanna-Cry Based Mining Malware Spreads Online
February 2, 2018
Hackers have found a new way to use EternalBlue exploit, that was stolen from the US National Security Agency. They developed a new mining malware called WannaMine, which is being used to secretly mine cryptocurrency with victims' computers. This malware was first detected in October 2017 by an antivirus company Panda Security, however it has entered the stage of active distribution just now.
In April 2017, a malware called WannaCry, which was created with the use of EternalBlue, infected a massive amount of Windows computers. This malware was breaking in through already-eliminated system vulnerability, that was related to SMB protocol, and not only blocked it, but also encrypted all data on a computer. Attackers demanded a ransom in bitcoin. If a victim failed to pay the ransom, then the virus deleted all the stolen data. Overall, more than 230 thousand computers in 150 countries was affected by WannaCry.
Bryan York, director of services at CrowdStrike, told in an interview with Motherboard:
"EternalBlue, which was previously only used by nation state actors, is now becoming much more commonplace in malware leveraged by your average cybercriminal."
It is safe to assume, that the new malware is less dangerous than WannaCry. At least because it does not block the access to a computer. According to a message from the official blog of CrowdStrike, the company was monitoring the malware and found that it practically does not affect the performance of a computer, but it is very difficult to detect.
York says that there are a lot of ways to let this malware infect your computer: from clicking on a suspicious link from an email sent by a stranger, to a targeted attack on a one particular computer.
How does this virus work: it use two standard Windows applications, PowerShell and Windows Management Instrumentation. This malware does not use an exploit immediately. Initially, WannaMine use Mimikatz, a toll that tries to steal logins and passwords from an infected computer. If it fails, then it is a turn for EternalBlue. It is worthy to note that if an infected computer is a part of a local network, then the malware infects all the other computers in this network too. After the data is stolen, the malware reaches computer's processor and begins to mine
"This is important, because many legacy antivirus products have trouble blocking malware that doesn’t write files to disk, making WannaMine more difficult to remediate from a system. Ransomware gives the victim an option to pay or not pay. With WannaMine, so long as the attackers are able to maintain persistence on the system, they’re making money off of it. The increasing sophistication of cryptocurrency miners is something that I think we’ll continue to see in the future."
A CrowdStrike representative said that if WannaMine infects a vast majority of some company's computers, then its operations may be freezed for an indefinite period.