The WannaCry Attack, May 2017 – a file-encrypting ransomware blamed by the United States to North Korea – elevated the resolve of patching weaknesses in the Windows OS that had been uncovered by a leak of NSA (National Security Agency) “exploits”. The WannaCry Ransomware knock-off leveraged an exploit called EternalBlue, software that leveraged Windows’ Server Message Block (SMB) network file sharing protocol to crawl across networks, wreaking chaos as it spread quickly across affected networks.
Other cryptocurrency-mining worms followed, including WannaMine – a fileless, PowerShell-based, Monero-mining malware attack that cybersecurity experts have been tracking since last October. But only a year later, WannaMine is still spreading. Cybereason’s head of security research, Amit Serper has just released a research of a recent attack on one of his company’s clients – a Fortune 500 company that was heavily hit by WannaMine. The malware infected and almost destroyed “dozens of domain controllers and about 3,000 endpoints,” Serper said. All of this happened through an unpatched SMB server.
WannaMine isn’t purely fileless by any means – the PowerShell script that launches its position downloads a huge file full of base64-encoded text. “In fact, the acquired payload is so large that it makes most of the text editors lag in performance and it’s quite impossible to load the entire base64’d string into an interactive ipython session,” Serper said in his research.
WannaMine’s PowerShell code does a number of things to make itself at home in its infected environment. It uses the Windows Management Instrumentation to discover whether it has landed on a 32-bit or 64-bit system in order to choose which version of its payload to download. It configures itself as a scheduled process to ensure it persists after a system shutdown, and it changes the power management settings of the infected computer to make sure the machine doesn’t go to sleep and its mining activities go uninterrupted.
The thing that is perhaps the most annoying about the continued spread of WannaMine is that the malware continues to use some of the same servers that were originally reported to be associated with it. Serper tried to get in touch with all of the hosting providers he could identify based on their addresses.
The command and control servers based on their IPs are:
188.8.131.52, hosted by Anchnet Network Technology Stock Co., Ltd in Shanghai, China.
184.108.40.206 and 220.127.116.11, hosted by Global Frag Servers in Los Angeles
18.104.22.168 and 22.214.171.124, hosted by CloudRadium L.L.C., a company also located in LA.
126.96.36.199, hosted in the US by CloudInnovation, which claims to be based in South Africa but has a Seychelles address in its network registration.
As of this writing, none of these companies gave any response when reached out for comments.