Now, when cryptocurrency is on the rise and mining the same can leave even the most powerful systems gasping for air. So, it won’t be surprising to hear about a cryptojacking malware intended to suck CPU power out of others’ machines. In fact, we already have seen many.
The cybersecurity firm Panda Security discovered a cryptojacking malware in October last year that’s also fueled by NSA’s EternalBlue exploit. It was found hijacking victim’s CPU cycles to mine Monero.
But another security company called CrowdStrike said last week that they observed an increase in the number of WannaMine infections in the last couple of months. The cryptocurrency mining worm managed to cripple the operations of some companies for days and even weeks while utilizing their system resource to mine Monero.
The working of the malware makes it hard for the companies to take any action as the malware performs fileless operation, i.e., it doesn’t download or use any file to infect a system. WannaMine script takes the help of built-in Windows components such as Windows Management Instrumentation (WMI) and PowerShell to do its work, making it very difficult to detect and stop the malware.
WannaMine uses advanced techniques to move from one system to another within a network. First, it uses the Mimiktaz tool extract the login credentials of a system. In case it fails, it uses the EternalBlue exploit to attack the remote system.
A machine can get infected by WannaMine when the user clicks a malicious link in an email or website. The attacker can also initiate a remote access attack on the target.
CrowdStrike says the persistence mechanisms and propagation techniques used by WannaMine are similar to those leveraged by nation-state actors and the attacks seem to demonstrate trends that blur the lines between nation-state and common cybercrime tactics. But it’s different from WannaCry ransomware, it doesn’t lock people out of their computers as it’s already producing digital money by mining cryptocoins.
WannaMine isn’t the first of its kind but its fileless operation makes it more sophisticated than other cryptojacking malware like Adyllkuzz which downloads an application called cpuminer. AV software fall short of capabilities while acting against such threats that don’t write files on the disk.
Source: Crowd Strike via Motherboard
