In May of 2017, the WannaCry attack—a file-encrypting ransomware knock-off attributed by the US to North Korea—raised the urgency of patching vulnerabilities in the Windows operating system that had been exposed by a leak of National Security Agency exploits. WannaCry leveraged an exploit called EternalBlue, software that leveraged Windows’ Server Message Block (SMB) network file sharing protocol to move across networks, wreaking havoc as it spread quickly across affected networks.
The core exploit used by WannaCry has been leveraged by other malware authors, including the NotPetya attack that affected companies worldwide a month later, and Adylkuzz, a cryptocurrency-mining worm that began to spread even before WannaCry. Other cryptocurrency-mining worms followed, including WannaMine—a fileless, all-PowerShell based, Monero-mining malware attack that threat researchers have been tracking since at least last October. The servers behind the attack were widely published, and some of them went away.
But a year later, WannaMine is still spreading. Amit Serper, head of security research at Cybereason, has just published research into a recent attack on one of his company’s clients—a Fortune 500 company that Serper told Ars was heavily hit by WannaMine. The malware affected “dozens of domain controllers and about 2,000 endpoints,” Serper said, after gaining access through an unpatched SMB server.
WannaMine is “fileless,” sort of. It uses PowerShell scripts pulled from remote servers to establish a foothold on computers and run all of its components. But WannaMine isn’t purely fileless by any means—the PowerShell script that establishes its foothold downloads a huge file full of base64-encoded text. “In fact, the downloaded payload is so large (thanks to all of the obfuscation) that it makes most of the text editors hang and it’s quite impossible to load the entire base64’d string into an interactive ipython session,” Serper wrote in his post.
Inside that file is more PowerShell code, including a PowerShell version of the Mimikatz credential-stealing tool copied directly from a GitHub repository. There’s also a huge binary blob—a Windows .NET compiler—which the malware uses to compile a dynamic-link library version of the PingCastle network scanning tool for locating potentially vulnerable targets elsewhere on the network. The harvested credentials and network data are then used to attempt to connect to other computers and install more copies of the malware. The DLL is given a random name, so it’s different on every infected system.
WannaMine’s PowerShell code does a number of things to make itself at home. It uses the Windows Management Instrumentation to detect whether it has landed on a 32-bit or 64-bit system to pick which version of its payload to download. It configures itself as a scheduled process to ensure it persists after a system shutdown, and it changes the power management settings of the infected computer to make sure the machine doesn’t go to sleep and its mining activities go uninterrupted. This code shuts down any process using Internet Protocol ports associated with cryptocurrency-mining pools (3333, 5555, and 7777). And then it runs PowerShell-based miners of its own, connecting to mining pools on port 14444.
The thing that is perhaps the most aggravating about the continued spread of WannaMine is that the malware continues to use some of the same servers that were originally reported to be associated with it. Serper reached out to all of the hosting providers he could identify from the addresses and got no response. The command and control servers are:
- 126.96.36.199, hosted by Shanghai Anchnet Network Technology Stock Co., Ltd in Shanghai.
- 188.8.131.52 and 184.108.40.206, both hosted by the DDoS mitigation hosting company Global Frag Servers in Los Angeles (though the company also appears to be a Chinese network operator).
- 220.127.116.11 and 18.104.22.168, both hosted by CloudRadium L.L.C., a company with a disconnected phone number and a Los Angeles address shared with a number of other hosting and co-location service providers.
- 22.214.171.124, hosted in the US by CloudInnovation, which claims to be based in South Africa but gives a Seychelles address in its network registration.
None of these organizations responded to requests for comment from Ars.