Wannamine Malware Still Penetrate the Unpatched SMB Computers using NSA’s EternalBlue Exploit

Cryptomining based Wannamine malware outbreak still actively attacking the windows users around the globe that using NSA exploit Eternalblue to penetrate the unpatched SMB enabled computers to gain high privileged access.

Eternalblue Exploit leaked from NSA last year that made a huge impact around the world by exploiting the SMB flow and that leads to massive WannaCry and NotPetya attacks.

Many organization still not applying the patch for Eternalblue Exploit that released by Microsoft in 2017 and the vulnerable systems are continuously targetted by cybercriminals to inject Wannamine crypto mining malware.

Few months before Wannamine malware attack Open Redis servers using another remote code execution exploit to inject the crypto miner.

How Does Wannamine Malware Works

An initial stage of attack begins with the Eternalblue Exploitation against the unpatched SMB server and once it will be executed then new malicious process powershell.exe will starts its execution.

Here we can see the PowerShell script in the bottom of the image that indicates that Get-WmiObject cmdlet which means that an attacker using WMI to enumerate both 32bit or 64bit machine to ensure the correct payload will be downloaded and executed.

Attackers using various powerful obfustication techniques within the downloaded payload with base64 encoded and some text encoding.

The downloaded payload is very large one and it is quite impossible to load all into an interactive ipython session because it makes hanging the most of the editors.

Researcher deobfuscated the payload they find the more PowerShell code which is used by wannamine malware to move laterally across a network.

It also contains some binary blob some more obfuscated text with more code that intended to run .NET compiler in order to compile a .NET DLL file.

Later researchers found the PingCastle scanner when they load that DLL into a .NET disassembler.

PingCastle is a defence Tool  whose the vulnerability scanner module has been stolen and its job is to map the network and find the shortest path to the next exploitable machine by grabbing SMB information through the response packets sent by the SMB servers.

In this case, attacker copied PowerShell script from various GitHub repositories. for example, PowerShell Mimikatz implementation is straight from the invoke-mimikatz repository and the Mimikatz was implemented While PingCastle is running.

According to cybereason research, “Before dropping the crypto miner, PowerShell script will also change the power management settings on the infected machine which helps to prevent the machine from going to sleep and maximize mining power availability.”

Once the vicitms machine power settings on the machine were reconfigured, then there are hundreds of powershell.exe processes using a lot of CPU cycles and connecting to mining pool servers.

The script will then try to list all the processes that are connecting to IP address ports 3333, 5555 and 7777 and, if there are any active processes, the script will terminate them.

“This Wannamine variant connects to mining pools on port 14444 while other variants of this attack are connecting to mining pools on more standardized ports like 3333, 5555 and 7777. If any other processes on this machine are connected to mining pools on the standard ports, they will be terminated.”

In this case, wannamine malware is keep leveraging the unpatched system in many  organization around the world, so Organizations need to install security patches and update machines.