Since October 2017, researchers have been noting the spread of cryptocurrency-mining malware WannaMine, a loose knockoff of the early 2017 WannaCry file-encrypting ransomware.
Large organizations running Windows-based networks have been attacked by the WannaMine worm and, according to industry watchers, no end is in sight.
The core exploit used in WannaCry is a potent US National Security Agency (NSA) software tool released online called EternalBlue. Originally created to make use of vulnerabilities within the Windows environment for the purpose of widespread surveillance, the NSA code is now being leveraged by the WannaMine worm, although with some enhancements.
Cryptocurrency-mining malware acts to take over the resources of a computer or a network for the purpose of generating cryptocurrency, rendering the machines useless for any other task.
Other malware attacks over the past year that made use of the NSA’s EternalBlue tool include NotPetya and Adylkuzz.
Although many servers around the world spreading WannaMine were quickly taken down, the malware continues to replicate.
Recently published research by Cybereason security chief Amit Serper noted an earlier attack on a Fortune 500 company — a Cybereason client — that was devastated by WannaMine.
According to Serper, the malware infected “dozens of domain controllers and about 2,000 endpoints,” after entering a network through a Windows Server Message Block (SMB) network file sharing protocol server that — despite a massive WannaCry malware alert campaign — had not been patched.
WannaMine, another in a long series of parasitic malware, uses multiple tricks to ensure its continued existence.
The cryptocurrency-mining worm first establishes a foothold in a computer by downloading itself as an enormous file of base64-encoded text, according to Serper.
“In fact, the downloaded payload is so large […] that it makes most text editors hang and it’s quite impossible to load the entire base64’d string into an interactive ipython session,” he noted, cited by Ars Technica.
Contained within the enormous downloaded malware file is more discrete code, including a credential-stealing tool and an unwieldy Windows .NET compiler used by WannaMine to put together a scanning tool for locating other vulnerable targets within a network.
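An analyst who receives a payload like the one Serper describes cannot open it in an editor or decode it in one call. The following is an added example, not code from the article or from Cybereason, of how to handle such a blob: it decodes the base64 text in fixed-size chunks so only a small window is ever in memory, hashes the result as it goes, and records which embedded markers (here a PE header and a reference to the .NET compiler) appear. The sample payload is constructed and tiny so the example runs offline; the marker strings and the triage record layout are the example's own choices.

```python
import base64
import hashlib
import io
import re

# Constructed stand-in for the oversized WannaMine download. The real string
# is far too large for an editor; this one is small so the example runs here.
SAMPLE_PLAINTEXT = (
    b"[stub loader]\x00" * 200
    + b"credential-stealing module placeholder\x00"
    + b"csc.exe /target:exe scanner.cs\x00"
    + b"MZ\x90\x00embedded PE placeholder"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAINTEXT).decode("ascii")


def decode_base64_stream(src, chunk_chars=4096):
    """Yield decoded bytes from a file-like object holding base64 text.

    The text is read in chunks rather than loaded whole, so a payload of
    hundreds of megabytes never sits in memory at once. Whitespace and line
    breaks inside the encoding are dropped, and each chunk is trimmed to a
    multiple of four characters so it decodes independently; the leftover
    characters are carried into the next chunk.
    """
    carry = ""
    while True:
        chunk = src.read(chunk_chars)
        if not chunk:
            break
        buf = carry + re.sub(r"\s+", "", chunk)
        usable = len(buf) - (len(buf) % 4)
        if usable:
            yield base64.b64decode(buf[:usable])
        carry = buf[usable:]
    if carry:
        yield base64.b64decode(carry)


def triage_blob(src, chunk_chars=4096):
    """Stream-decode a base64 payload and return a small triage record:
    decoded size, SHA-256 of the decoded bytes, and which markers were seen.
    The marker list is an assumption chosen for this example."""
    markers = {
        "pe_header": b"MZ",          # start of a Windows executable
        "dotnet_compiler": b"csc.exe",  # the .NET compiler the article mentions
    }
    seen = set()
    size = 0
    digest = hashlib.sha256()
    tail = b""
    for piece in decode_base64_stream(src, chunk_chars):
        size += len(piece)
        digest.update(piece)
        # Keep a short tail from the previous piece so a marker split across
        # two chunks is still found.
        window = tail + piece
        for name, pattern in markers.items():
            if pattern in window:
                seen.add(name)
        tail = window[-16:]
    return {"size": size, "sha256": digest.hexdigest(), "markers": sorted(seen)}


if __name__ == "__main__":
    # Decode the constructed sample with a deliberately small chunk size to
    # exercise the carry logic; a real blob would be opened as a text file.
    print(triage_blob(io.StringIO(SAMPLE_B64), chunk_chars=64))
```

The same function works on a file handle opened in text mode, so the analyst can triage a multi-gigabyte download from disk without ever holding the decoded or encoded form in memory.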
Any credentials and network data harvested by the scan are quickly used to continue the process by attempting to gain access to other computers and installing additional copies of the worm.
Each time the file successfully infects a new device, it randomly renames itself, making it challenging to identify, much less mitigate.
Once installed on a computer, WannaMine does some interior design manipulation to make its environment homey, first using the Windows Management Instrumentation tool to identify its host as a 32-bit or 64-bit system. Then the software parasite reconfigures itself to be a scheduled process so that a system shutdown does not take it out.
WannaMine even modifies the power settings of its hardware host to ensure that the computer does not go into sleep mode, thereby guaranteeing uninterrupted cryptocurrency mining. If the unwitting host computer is already mining cryptocurrency, WannaMine shuts off access to various Internet Protocol ports and simply runs its own miners instead.
Particularly frustrating is the continued use of servers disseminating the worm, including some that were identified a year ago as being sources for WannaMine but remain up and running, according to Ars Technica.
Cybereason security head Serper reported that although he attempted to make contact with every hosting provider that he could identify, he has received no response.
Ars Technica provided a list of known WannaMine command and control servers, which we take the liberty of reproducing below so as to safeguard networks from inadvertent download and infection.
22.214.171.124, hosted by Shanghai Anchnet Network Technology Stock Co., Ltd in Shanghai.
126.96.36.199 and 188.8.131.52, both hosted by the DDoS mitigation hosting company Global Frag Servers in Los Angeles (this company also appears to be a Chinese network operator).
184.108.40.206 and 220.127.116.11, both hosted by CloudRadium LLC, a company with a disconnected phone number and a Los Angeles address shared with a number of other hosting and colocation service providers.
18.104.22.168, hosted in the US by CloudInnovation, which claims to be based in South Africa but gives a Seychelles islands address in its network registration.
In its report, Ars Technica noted that none of the organizations listed above responded to its requests for comment.
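The addresses above are useful only if something checks for them, and the behaviours described earlier (a scheduled task that re-launches an encoded PowerShell payload, and power settings altered so the host never sleeps) leave traces in process telemetry. The following is an added example, not code from Ars Technica, Cybereason or the article, of a small triage pass over such records: it matches outbound connections against the listed command-and-control addresses and flags the two host-side behaviours. The key=value event format, the sample events and the rule names are constructed for this example; the encoded command in the sample is a harmless "Write-Host hi" encoded the way PowerShell expects.

```python
import base64
import re

# Command-and-control addresses exactly as listed in the article.
WANNAMINE_C2 = {
    "22.214.171.124", "126.96.36.199", "188.8.131.52",
    "184.108.40.206", "220.127.116.11", "18.104.22.168",
}

# Constructed, harmless encoded command (UTF-16LE base64, as -enc expects).
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode("ascii")

# Constructed sample telemetry (not real logs): connection records and
# process-creation records in a simple key=value form with quoted values.
SAMPLE_EVENTS = [
    "type=conn src=10.0.4.17 dst=22.214.171.124 dport=80 proto=tcp",
    "type=conn src=10.0.4.17 dst=203.0.113.5 dport=443 proto=tcp",
    "type=proc host=WS-0412 image=C:\\Windows\\System32\\schtasks.exe "
    f'cmdline="schtasks /create /tn Updater /sc onstart /tr powershell -w hidden -enc {ENCODED}"',
    "type=proc host=WS-0412 image=C:\\Windows\\System32\\powercfg.exe "
    'cmdline="powercfg /change standby-timeout-ac 0"',
    "type=proc host=WS-0099 image=C:\\Windows\\System32\\notepad.exe "
    'cmdline="notepad.exe report.txt"',
]

# key=value pairs; a value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# PowerShell accepts -e, -ec, -enc and -encodedcommand for an encoded script.
ENCODED_FLAG_RE = re.compile(r"-e(c|nc|ncodedcommand)?\b")

# powercfg invocations that set a sleep/monitor/hibernate timeout to zero.
NO_SLEEP_RE = re.compile(r"(standby|monitor|hibernate)-timeout-(ac|dc)\s+0\b")


def parse_event(line):
    """Turn one key=value record into a dict, unquoting quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def classify(event):
    """Return the list of rule names an event triggers (empty if none)."""
    hits = []
    if event.get("type") == "conn" and event.get("dst") in WANNAMINE_C2:
        hits.append("c2_contact")
    if event.get("type") == "proc":
        image = event.get("image", "").lower()
        cmd = event.get("cmdline", "").lower()
        # Persistence: a scheduled task whose action is encoded PowerShell.
        if image.endswith("schtasks.exe") and "/create" in cmd and ENCODED_FLAG_RE.search(cmd):
            hits.append("encoded_ps_scheduled_task")
        # Keeping the host awake so mining is never interrupted.
        if image.endswith("powercfg.exe") and NO_SLEEP_RE.search(cmd):
            hits.append("sleep_disabled")
    return hits


def triage(lines):
    """Run every record through the rules; return (rule, subject) findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        subject = event.get("dst") or event.get("host")
        for rule in classify(event):
            findings.append((rule, subject))
    return findings


if __name__ == "__main__":
    for rule, subject in triage(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

A single hit on any of the three rules is worth a look; a host that trips the scheduled-task and power-setting rules and then connects to one of the listed addresses matches the sequence the article describes end to end.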