- Sputnik International
Asia
Find top stories and features from Asia and the Pacific region. Keep updated on major political stories and analyses from Asia and the Pacific. All you want to know about China, Japan, North and South Korea, India and Pakistan, Southeast Asia and Oceania.

WannaCry Copycat WannaMine Spreads as Corporate, Gov’t Server Networks Hit

© REUTERS / Bobby YipHigh-end graphic cards are installed in a cryptocurrency mining computer
High-end graphic cards are installed in a cryptocurrency mining computer - Sputnik International
Subscribe
Since October 2017, researchers have been noting the spread of cryptocurrency-mining malware WannaMine, a loose knockoff of the early 2017 WannaCry file-encrypting ransomware.

Large organizations running Windows-based networks have been attacked by the WannaMine worm and, according to industry watchers, no end is in sight.

Ransomware attacks global IT systems - Sputnik International
Mainstream Media Warns of 'Russian Malware', Ignores CIA's Own Virus Development

The core exploit used in WannaCry is a potent US National Security Agency (NSA) software tool released online called EternalBlue. Originally created to make use of vulnerabilities within the Windows environment for the purpose of widespread surveillance, the NSA code is now being leveraged by the WannaMine worm, although with some enhancements.

Cryptocurrency-mining malware acts to take over the resources of a computer or a network for the purpose of generating cryptocurrency, rendering the machines useless for any other task.

Other malware attacks over the past year that made use of the NSA's EternalBlue tool include NotPetya and Adylkuzz.

Although many servers around the world spreading WannaMine were quickly taken down, the malware continues to replicate.

Recently-published research by Cybereason security chief Amit Serper noted an earlier attack on a Fortune 500 company — a Cybereason client — that was devastated by WannaMine.

According to Serper, the malware infected "dozens of domain controllers and about 2,000 endpoints," after entering a network through a Windows Server Message Block (SMB) network file sharing protocol server that — despite a massive WannaCry malware alert campaign — had not been patched.

a French solider watches code lines on his computer at the French Defense ministry stand during an International Cybersecurity forum in Lille, northern France - Sputnik International
Up to Their Old Tricks: New DPRK Malware Release Detected

WannaMine, another in a long series of parasitic malware, uses multiple tricks to ensure its continued existence.

The cryptocurrency-mining worm first establishes a foothold in a computer by downloading itself as an enormous file of base64-encoded text, according to Serper.

"In fact, the downloaded payload is so large […] that it makes most text editors hang and it's quite impossible to load the entire base64'd string into an interactive ipython session," he noted, cited by Ars Technica.

Contained within the enormous downloaded malware file is more discrete code, including a credential-stealing tool and an unwieldy Windows.NET compiler used by WannaMine to put together a scanning tool for locating other vulnerable targets within a network.

Any credentials and network data harvested by the scan are quickly used to continue the process by attempting to gain access to other computers and installing additional copies of the worm.

Each time the file successfully infects a new device, it randomly renames itself, making it challenging to identify, much less mitigate.

Once installed on a computer, WannaMine does some interior design manipulation to make its environment homey, first using the Windows Management Instrumentation tool to identify its host as a 32-bit or 64-bit system. Then the software parasite reconfigures itself to be a scheduled process so that a system shutdown does not take it out.

WannaMIne even modifies the power settings of its hardware host to ensure that the computer does not go into sleep mode, thereby guaranteeing uninterrupted cryptocurrency mining. If the unwitting host computer is already rnining cryptocurrency, WannaMine shuts off access to various Internet Protocol ports and simply runs its own miners instead.

In this July 18, 2012, file photo, a pedestrian walks past credit card logos posted on a downtown storefront in Atlanta. After a stint of frugality, Americans have returned to their borrowing ways. But are they getting into the kinds of debt trouble that lead to recessions? In 2017, U.S. consumers now owe roughly $12.73 trillion to banks and other lenders for mortgages, car loans and credit card spending, according to the New York Federal Reserve. That exceeds even the total before the last financial crisis. - Sputnik International
Massive Cyberattack on US Retail Sees Data From 5Mln Bank Cards Stolen - Reports

Particularly frustrating is the continued use of servers disseminating the worm, including some that were identified a year ago as being sources for WannaMine but remain up and running, according to Ars Technica.

Cybereason security head Serper reported that although he attempted to make contact with every hosting provider that he could identify he has received no response.

Ars Technica provided a list of known WannaMine command and control servers, which we take the liberty of reproducing below so as to safeguard networks from inadvertent download and infection.

118.184.48.95, hosted by Shanghai Anchnet Network Technology Stock Co., Ltd in Shanghai.

104.148.42.153 and 107.179.67.243, both hosted by the DDoS mitigation hosting company Global Frag Servers in Los Angeles (this company also appears to be a Chinese network operator).

172.247.116.8 and 172.247.166.87, both hosted by CloudRadium LLC, a company with a disconnected phone number and a Los Angeles address shared with a number of other hosting and colocation service providers.

45.199.154.141, hosted in the US by CloudInnovation, which claims to be based in South Africa but gives a Seychelles islands address in its network registration.

In its report, Ars Technica noted that none of the organizations listed above responded to its requests for comment.

Newsfeed
0
To participate in the discussion
log in or register
loader
Chats
Заголовок открываемого материала