Wednesday, December 6, 2023

Wannamine Malware Still Penetrate the Unpatched SMB Computers using NSA’s EternalBlue Exploit

Cryptomining based Wannamine malware outbreak still actively attacking the windows users around the globe that using NSA exploit Eternalblue to penetrate the unpatched SMB enabled computers to gain high privileged access.

Eternalblue Exploit leaked from NSA last year that made a huge impact around the world by exploiting the SMB flow and that leads to massive WannaCry and NotPetya attacks.

Many organization still not applying the patch for Eternalblue Exploit that released by Microsoft in 2017 and the vulnerable systems are continuously targetted by cybercriminals to inject Wannamine crypto mining malware.

Few months before Wannamine malware attack Open Redis servers using another remote code execution exploit to inject the crypto miner.

How Does Wannamine Malware Works

An initial stage of attack begins with the Eternalblue Exploitation against the unpatched SMB server and once it will be executed then new malicious process powershell.exe will starts its execution.

Here we can see the PowerShell script in the bottom of the image that indicates that Get-WmiObject cmdlet which means that an attacker using WMI to enumerate both 32bit or 64bit machine to ensure the correct payload will be downloaded and executed.

Attackers using various powerful obfustication techniques within the downloaded payload with base64 encoded and some text encoding.

The downloaded payload is very large one and it is quite impossible to load all into an interactive ipython session because it makes hanging the most of the editors.

Researcher deobfuscated the payload they find the more PowerShell code which is used by wannamine malware to move laterally across a network.

It also contains some binary blob some more obfuscated text with more code that intended to run .NET compiler in order to compile a .NET DLL file.

Later researchers found the PingCastle scanner when they load that DLL into a .NET disassembler.

PingCastle is a defence Tool  whose the vulnerability scanner module has been stolen and its job is to map the network and find the shortest path to the next exploitable machine by grabbing SMB information through the response packets sent by the SMB servers.

In this case, attacker copied PowerShell script from various GitHub repositories. for example, PowerShell Mimikatz implementation is straight from the invoke-mimikatz repository and the Mimikatz was implemented While PingCastle is running.

According to cybereason research, “Before dropping the crypto miner, PowerShell script will also change the power management settings on the infected machine which helps to prevent the machine from going to sleep and maximize mining power availability.”

Once the vicitms machine power settings on the machine were reconfigured, then there are hundreds of powershell.exe processes using a lot of CPU cycles and connecting to mining pool servers.

The script will then try to list all the processes that are connecting to IP address ports 3333, 5555 and 7777 and, if there are any active processes, the script will terminate them.

“This Wannamine variant connects to mining pools on port 14444 while other variants of this attack are connecting to mining pools on more standardized ports like 3333, 5555 and 7777. If any other processes on this machine are connected to mining pools on the standard ports, they will be terminated.”

In this case, wannamine malware is keep leveraging the unpatched system in many  organization around the world, so Organizations need to install security patches and update machines.


Latest articles

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles