Friday, March 29, 2024

Wannamine Malware Still Penetrate the Unpatched SMB Computers using NSA’s EternalBlue Exploit

Cryptomining based Wannamine malware outbreak still actively attacking the windows users around the globe that using NSA exploit Eternalblue to penetrate the unpatched SMB enabled computers to gain high privileged access.

Eternalblue Exploit leaked from NSA last year that made a huge impact around the world by exploiting the SMB flow and that leads to massive WannaCry and NotPetya attacks.

Many organization still not applying the patch for Eternalblue Exploit that released by Microsoft in 2017 and the vulnerable systems are continuously targetted by cybercriminals to inject Wannamine crypto mining malware.

Few months before Wannamine malware attack Open Redis servers using another remote code execution exploit to inject the crypto miner.

How Does Wannamine Malware Works

An initial stage of attack begins with the Eternalblue Exploitation against the unpatched SMB server and once it will be executed then new malicious process powershell.exe will starts its execution.

Here we can see the PowerShell script in the bottom of the image that indicates that Get-WmiObject cmdlet which means that an attacker using WMI to enumerate both 32bit or 64bit machine to ensure the correct payload will be downloaded and executed.

Attackers using various powerful obfustication techniques within the downloaded payload with base64 encoded and some text encoding.

The downloaded payload is very large one and it is quite impossible to load all into an interactive ipython session because it makes hanging the most of the editors.

Researcher deobfuscated the payload they find the more PowerShell code which is used by wannamine malware to move laterally across a network.

It also contains some binary blob some more obfuscated text with more code that intended to run .NET compiler in order to compile a .NET DLL file.

Later researchers found the PingCastle scanner when they load that DLL into a .NET disassembler.

PingCastle is a defence Tool  whose the vulnerability scanner module has been stolen and its job is to map the network and find the shortest path to the next exploitable machine by grabbing SMB information through the response packets sent by the SMB servers.

In this case, attacker copied PowerShell script from various GitHub repositories. for example, PowerShell Mimikatz implementation is straight from the invoke-mimikatz repository and the Mimikatz was implemented While PingCastle is running.

According to cybereason research, “Before dropping the crypto miner, PowerShell script will also change the power management settings on the infected machine which helps to prevent the machine from going to sleep and maximize mining power availability.”

Once the vicitms machine power settings on the machine were reconfigured, then there are hundreds of powershell.exe processes using a lot of CPU cycles and connecting to mining pool servers.

The script will then try to list all the processes that are connecting to IP address ports 3333, 5555 and 7777 and, if there are any active processes, the script will terminate them.

“This Wannamine variant connects to mining pools on port 14444 while other variants of this attack are connecting to mining pools on more standardized ports like 3333, 5555 and 7777. If any other processes on this machine are connected to mining pools on the standard ports, they will be terminated.”

In this case, wannamine malware is keep leveraging the unpatched system in many  organization around the world, so Organizations need to install security patches and update machines.

Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles