Friday, October 4, 2024
HomeComputer SecurityWannamine Malware Still Penetrate the Unpatched SMB Computers using NSA's EternalBlue Exploit

Wannamine Malware Still Penetrate the Unpatched SMB Computers using NSA’s EternalBlue Exploit

Published on

Cryptomining based Wannamine malware outbreak still actively attacking the windows users around the globe that using NSA exploit Eternalblue to penetrate the unpatched SMB enabled computers to gain high privileged access.

Eternalblue Exploit leaked from NSA last year that made a huge impact around the world by exploiting the SMB flow and that leads to massive WannaCry and NotPetya attacks.

Many organization still not applying the patch for Eternalblue Exploit that released by Microsoft in 2017 and the vulnerable systems are continuously targetted by cybercriminals to inject Wannamine crypto mining malware.

- Advertisement - EHA

Few months before Wannamine malware attack Open Redis servers using another remote code execution exploit to inject the crypto miner.

How Does Wannamine Malware Works

An initial stage of attack begins with the Eternalblue Exploitation against the unpatched SMB server and once it will be executed then new malicious process powershell.exe will starts its execution.

Here we can see the PowerShell script in the bottom of the image that indicates that Get-WmiObject cmdlet which means that an attacker using WMI to enumerate both 32bit or 64bit machine to ensure the correct payload will be downloaded and executed.

Attackers using various powerful obfustication techniques within the downloaded payload with base64 encoded and some text encoding.

The downloaded payload is very large one and it is quite impossible to load all into an interactive ipython session because it makes hanging the most of the editors.

Researcher deobfuscated the payload they find the more PowerShell code which is used by wannamine malware to move laterally across a network.

It also contains some binary blob some more obfuscated text with more code that intended to run .NET compiler in order to compile a .NET DLL file.

Later researchers found the PingCastle scanner when they load that DLL into a .NET disassembler.

PingCastle is a defence Tool  whose the vulnerability scanner module has been stolen and its job is to map the network and find the shortest path to the next exploitable machine by grabbing SMB information through the response packets sent by the SMB servers.

In this case, attacker copied PowerShell script from various GitHub repositories. for example, PowerShell Mimikatz implementation is straight from the invoke-mimikatz repository and the Mimikatz was implemented While PingCastle is running.

According to cybereason research, “Before dropping the crypto miner, PowerShell script will also change the power management settings on the infected machine which helps to prevent the machine from going to sleep and maximize mining power availability.”

Once the vicitms machine power settings on the machine were reconfigured, then there are hundreds of powershell.exe processes using a lot of CPU cycles and connecting to mining pool servers.

The script will then try to list all the processes that are connecting to IP address ports 3333, 5555 and 7777 and, if there are any active processes, the script will terminate them.

“This Wannamine variant connects to mining pools on port 14444 while other variants of this attack are connecting to mining pools on more standardized ports like 3333, 5555 and 7777. If any other processes on this machine are connected to mining pools on the standard ports, they will be terminated.”

In this case, wannamine malware is keep leveraging the unpatched system in many  organization around the world, so Organizations need to install security patches and update machines.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

Doppler, the leading platform in secrets management, today announces the launch of Change Requests,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant,...