Security firms have recently seen numerous attacks whose main objective is to infect systems with crypto-mining software in an effort to profit off the rise of cryptocurrencies, such as Bitcoin, Ethereum and Monero.
Cryptocurrency mining is the process of validating or authenticating transactions in return for earning a new cryptocurrency reward. The process is resource intensive and can cause systems to crash.
Crowdstrike has observed more sophisticated capabilities built into a cryptomining malware dubbed WannaMine that uses “living off the land” techniques to include using Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism.
WannaMine uses the NSA-linked EternalBlue tool to propagate and target unpatched Windows systems and remotely exploit unpatched vulnerabilities (such as the SMB vulnerability MS17-010 fixed in early 2017).
The malware also leverages a credential harvester Mimikatz to steal legitimate credentials and move laterally to other infected systems.
These attacks follow similar exploits from other malware families such as WannaCry and NotPetya.
WannaMine is a fileless malware that uses WMI and PowerShell to make it more difficult to discover and block using monitoring and antivirus tools. WannaMine was originally discovered by PandaSecurity.
As researchers from Sophos also warned, systems vulnerable to WannaMine are also vulnerable to other ransomware if left unpatched.