What's Yours is Cryptomine: How Endgame Stops WannaMine

Cryptomining malware has garnered significant attention in light of a range of disconnected and impactful incidents, including attacks on water utilities, hospitals, Android devices and government websites. With the cryptocurrency market anticipated to hit $1 trillion in 2018, the recent surge in cryptomining malware is not surprising. In cryptomining attacks, attackers often hijack a computer through unauthorized access, consuming CPU cycles from its victims to inject scripts enabling the pooled mining of cryptocurrencies. Similar to other attacks, cryptomining malware often gains a foothold through legitimate software, altering widely used website software to insert a malicious script. This causes the computer of a visitor to an affected site to mine cryptocurrencies, slowing down the system to the point of unusability in some cases.

One of the most impactful cryptomining malware to date is WannaMine, which integrates the self-propagating capabilities and ETERNALBLUE exploit found in the WannaCry ransomware. Unlike some instances of cryptomining malware where the attack takes place in the browser, WannaMine has characteristics similar to other forms of malware. This has some advantages from the attacker point of view.  An in-browser script-based attack only runs when the browser window is open.  A malware-based miner can run whenever the computer is on. WannaMine employs a range of behaviors, including credential theft, lateral movement, persistence, and the malicious use of Powershell. The Endgame platform catches the various TTPs at numerous stages throughout our layered defenses. We’ll describe this latest cryptomining attack, demonstrate how the Endgame platform stops the cryptomining malware, and discuss the potential evolution of cryptomining attacks in the years ahead.

 

WannaMine Overview

The WannaMine family of cryptominers is one of the most widespread in the wild. The name reflects the shared ETERNALBLUE heritage of WannaCry, the self-propagating ransomware that struck over 150 countries and caused hundreds of millions of dollars in damage last year. WannaMine achieves broad lateral movement through credential harvesting, and then relies on the ETERNALBLUE SMB exploit for additional lateral movement and living off the land to gain persistence and evade detection.

During the earliest stages of infection, WannaMine uses the native PowerShell framework to download and execute a series of PowerShell scripts onto the victim computer. Depending on the architecture of the system, additional scripts corresponding to that architecture are downloaded and executed in a chain of behavior that eventually creates and launches a malicious WannaMine cryptominer application.

 

Stopping WannaMine

Endgame successfully blocked the execution of WannaMine (038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309) before it computed a single hash. MalwareScore® identified the nature of the malicious file and prevented execution as depicted in Figure 1. Organizations with access to VirusTotal Intelligence can confirm MalwareScore® detection of numerous WannaMine samples as well as other cryptominer variants.

Figure 1: Endgame’s MalwareScore®  prevents execution of WannaMine


This malware family doesn’t deploy a WannaMine payload until several other unauthorized actions occur, including the execution of PowerShell to download and run a number of scripts to the victim computer. Figure 2 shows a timeline view from Endgame Resolver™, which depicts the suspicious command line arguments passed to PowerShell and is caught by our tradecraft analytics. These arguments launch PowerShell in a hidden window that a user wouldn’t see and execute a script, “info6.ps1”, which corresponds to the 64-bit test system we used. WannaMine uses a number of heavily-obfuscated PowerShell scripts to perform system profiling and download operations during the early stages of infection, behaviors Endgame quickly prioritizes for analysts so action can be taken before a WannaMine outbreak.

 

Figure 2: Tradecraft analytics alert on the initial execution of malicious PowerShell scripts

 

Conclusion

Cryptomining malware hijacks machines to consume their CPU cycles and use them as vehicles for mining cryptocurrencies. This can cause networks to slow down and has the potential for widespread business disruption, especially if it impacts business-critical applications. WannaMine is one of the more prominent variants of crytpomining malware. It contains several of the key characteristics exhibited by other forms of malware, such as a self-propagating nature, integration of an open source exploit, and access via legitimate third-party software, as well as common tactics such as credential harvesting, lateral movement, and persistence. Like other forms of malware, cryptomining malware is likely to innovate and potentially limit the CPU usage to help evade detection. Fortunately, even as these attacks evolve, Endgame’s multi-layer protections will continue to protect against cryptomining malware and the broad range of attacker techniques before they can cause damage to enterprise networks.