Fileless WannaMine Cryptojacking Malware Using NSA Exploit

Forget WannaCry and welcome WannaMine, a fileless cryptojacking malware using leaked NSA exploit called EternalBlue.

We cannot ignore the fact that cryptocurrencies are much in demand and monetary worth of digital currencies like Bitcoin, Ethereum, Litecoin, and Monero have soared tremendously, thereby, increasing the purchasing power and liquidity of cryptocurrency wallets.

In such a time, cybercriminals were expected to make use of the utterly profitable nature of cryptocurrencies and to do this, they have come up with an extremely productive process known as mining. Through cryptocurrency mining, they can drain energies from even the most powerful computer systems.

Whats more disturbing is that now cybercriminals have come up with cryptojacking malware that is solely created to suck the CPU power from computers. One such cryptojacking malware is WannaMine. It uses leaked hacking tools of the NSA (National Security Agency) to gain access to computers and drain off processor power to carry out mining.

Here, we must recall the NSA’s Windows exploit known as EternalBlue that was leaked in April 2017 by hacking group Shadow Brokers and was later used to launch the disastrous WannaCry ransomware that caused havoc worldwide and locked down NHS systems. WannaCry ransomware managed to infect around 230,000 computers in nearly 150 countries only to pave the way for another highly dangerous ransomware NotPetya. The same exploit is being used again to carry out Bitcoin and Monero mining using cryptojacking malware WanaMine.

WannaMine was identified by cybersecurity firm Panda in October 2017 while the malware was mining Monero after hijacking CPU cycles on the targeted computer. Another cybersecurity firm CrowdStrike stated that they have observed an increment in the distribution rate of WannaMine malware as infections caused by this malicious software have doubled in last few months. In fact, it crippled the operations of various companies for days and weeks and used the resources of their CPUs for Monero mining.

WannaMine is a fileless malware that utilizes advanced tactics and techniques to “maintain persistence within a network and move laterally from system to system. WannaMine uses credentials acquired with the credential harvester Mimikatz to attempt to propagate and move laterally with legitimate credentials.” wrote CrowdStrike security researchers.

Hackers are using a wide range of techniques to infect computers from email phishing attacks to remote access hack. Using Mimikatz means that the machines patched against the notorious EternalBlue exploit previously won’t be able to tolerate this malware too. “If unsuccessful, WannaMine attempts to exploit the remote system with the EternalBlue exploit,” read the blog post by CrowdStrike researchers.

WannaMine uses built-in Windows components like Windows Management Instrumentation (WMI) and PowerShell to perform its malicious tasks. Since it is a fileless malware, hence, it becomes quite difficult to detect it or stop it from harming the computers. Although it isn’t the first ever fileless malware it is indeed quite sophisticated in comparison to other malware like Adyllkuzz that require downloading of an application called CPUMiner to operate.

It is worth noting that WannaMine malware isn’t as dangerous as NotPetya or WannaCry were because it does not lock the computers but it does drain off 100% of the IT environment capability of a client by excessively using the CPUs, which is concerning for firms running data centers or server farms.

While for individual users it would mean that their PCs or laptops’ performance will deteriorate considerably. To protect your computers, it is important to enhance anti-virus security and install cybersecurity tools to ensure endpoint protection and mitigate WannaMine threat.