Saturday, January 18, 2025
HomeComputer SecurityWannamine Malware Still Penetrate the Unpatched SMB Computers using NSA's EternalBlue Exploit

Wannamine Malware Still Penetrate the Unpatched SMB Computers using NSA’s EternalBlue Exploit

Published on

SIEM as a Service

Follow Us on Google News

Cryptomining based Wannamine malware outbreak still actively attacking the windows users around the globe that using NSA exploit Eternalblue to penetrate the unpatched SMB enabled computers to gain high privileged access.

Eternalblue Exploit leaked from NSA last year that made a huge impact around the world by exploiting the SMB flow and that leads to massive WannaCry and NotPetya attacks.

Many organization still not applying the patch for Eternalblue Exploit that released by Microsoft in 2017 and the vulnerable systems are continuously targetted by cybercriminals to inject Wannamine crypto mining malware.

Few months before Wannamine malware attack Open Redis servers using another remote code execution exploit to inject the crypto miner.

How Does Wannamine Malware Works

An initial stage of attack begins with the Eternalblue Exploitation against the unpatched SMB server and once it will be executed then new malicious process powershell.exe will starts its execution.

Here we can see the PowerShell script in the bottom of the image that indicates that Get-WmiObject cmdlet which means that an attacker using WMI to enumerate both 32bit or 64bit machine to ensure the correct payload will be downloaded and executed.

Attackers using various powerful obfustication techniques within the downloaded payload with base64 encoded and some text encoding.

The downloaded payload is very large one and it is quite impossible to load all into an interactive ipython session because it makes hanging the most of the editors.

Researcher deobfuscated the payload they find the more PowerShell code which is used by wannamine malware to move laterally across a network.

It also contains some binary blob some more obfuscated text with more code that intended to run .NET compiler in order to compile a .NET DLL file.

Later researchers found the PingCastle scanner when they load that DLL into a .NET disassembler.

PingCastle is a defence Tool  whose the vulnerability scanner module has been stolen and its job is to map the network and find the shortest path to the next exploitable machine by grabbing SMB information through the response packets sent by the SMB servers.

In this case, attacker copied PowerShell script from various GitHub repositories. for example, PowerShell Mimikatz implementation is straight from the invoke-mimikatz repository and the Mimikatz was implemented While PingCastle is running.

According to cybereason research, “Before dropping the crypto miner, PowerShell script will also change the power management settings on the infected machine which helps to prevent the machine from going to sleep and maximize mining power availability.”

Once the vicitms machine power settings on the machine were reconfigured, then there are hundreds of powershell.exe processes using a lot of CPU cycles and connecting to mining pool servers.

The script will then try to list all the processes that are connecting to IP address ports 3333, 5555 and 7777 and, if there are any active processes, the script will terminate them.

“This Wannamine variant connects to mining pools on port 14444 while other variants of this attack are connecting to mining pools on more standardized ports like 3333, 5555 and 7777. If any other processes on this machine are connected to mining pools on the standard ports, they will be terminated.”

In this case, wannamine malware is keep leveraging the unpatched system in many  organization around the world, so Organizations need to install security patches and update machines.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's...

Thousands of PHP-based Web Applications Exploited to Deploy Malware

A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...