| Name | Wannamine |
| Type of Malware | Cryptominer |
| Date of Initial Activity | 2017 |
| Motivation | Cryptojacking |
| Attack Vectors | Exploitation of EternalBlue via an unpatched SMB server |
| Targeted System | Windows |
Overview
WannaMine is a sophisticated Monero crypto-mining worm that spreads the EternalBlue exploit. WannaMine implements a spreading mechanism and persistence techniques by leveraging the Windows Management Instrumentation (WMI) permanent event subscriptions.
Targets
Regular and corporate users.
Tools/ Techniques Used
WannaMine leverages the EternalBlue exploit to spread and compromise vulnerable hosts. It stores the EternalBlue exploit binaries in a directory located in C:\Windows renamed as “NetworkDistribution.” WannaMine will randomly generate a .dll and service name based on a list of hard-coded strings. It does this in order to maintain persistence on the host. An important behavior to note is that WannaMine doesn’t immediately look to force the EternalBlue exploit.
It first uses a tool called MimiKatz to recover logins and passwords from system memory and infiltrate the system once. If that fails, WannaMine turns to the EternalBlue exploit to complete the task and break in.
Due to the file-less nature of this malware, the following modules never touch the disk so traditional antvirus software cannot detect and clean the infection: Malicious WMI scripts, EternalBlue exploitation module, Mimikatz credential harvesting tool.
