WannaMine worm: analysis and intervention

Our team recently detected, analysed and managed a compromise attempt by WannaMine malware.
WannaMine is a Worm-type malware (known since 2017) whose purpose is to propagate within corporate networks and perform cryptocurrency mining (Monero) on all compromised systems.
Its propagation capabilities via valid credentials (Mimikatz and Empire modules) and exploitation of SMB protocol vulnerabilities (EternalBlue CVE-2017-0144) render Incident Response activities more complex. Furthermore, the almost entirely fileless structure of the malware enables it to bypass classic Endpoint protections.
Analysis of the sample enabled our analysts to obtain information on the Worm’s compromise and propagation methods as well as the Monero Wallet address associated with this criminal group: 46gVfDm99aq9JqESFxXFp5AyFCZPHsbTn48dWAtVASddf4TmhQMkxvQadhKPvAjszJV8cQKVHHLQ7WpNrh33ogkGUPHhpVP
Some of the Tactics and Techniques associated with WannaMine Worm compromise:
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1189 | Drive-by Compromise |
| Initial Access | T1566.001 | Spearphishing Attachment |
| Persistence | T1546.003 | Windows Management Instrumentation Event Subscription |
| Credential Access | T1003.001 | OS Credential Dumping |
| Lateral Movement | T1210 | Exploitation of Remote Services |
| Lateral Movement | T1021.002 | Remote Services |
The malware, known since 2017, has undergone several modifications and is present in the wild with different variants and functionalities.
Compromise Chain Analysis
Compromise Initiation
The attack vector used by the Worm is, with high probability, a Drive-by Compromise. Execution of the dropper (a PowerShell script, in6.ps1) on the system triggers a long chain of events responsible for installing the malware.
The first part of the code is used to bypass the Windows Anti-Malware Scan Interface (AMSI).

Within the dropper is a list of server URLs used for malware download during Lateral Movement activities:

The remaining code contains instructions for cryptominer installation on the system:

Persistence
The malware establishes persistence through the registration of Windows Management Instrumentation (WMI) events. WMI can be used to execute code when a specific event occurs.
For example, it is possible to trigger a command at a certain time of day, at user logon, or after a certain period of system inactivity. In this way, an event can be registered and arbitrary code executed when that event occurs, providing a perfect persistence mechanism.

- SCM Event8 Log Consumer executes approximately every 4 hours to resume the infection process in case a previous attempt failed;
- SCM Event8 Log Consumer2 executes 4 to 5 minutes after system startup.
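A hunting snippet for the persistence mechanism described above. This is an added example, not code from the original analysis; it assumes the consumer names quoted in the article and treats the trigger-query patterns it looks for as an assumption, since the article does not reproduce the worm's WQL.

```powershell
# Added hunting snippet (not from the original analysis): enumerate permanent WMI
# event subscriptions and flag consumers matching the WannaMine pattern described
# above. Run in an elevated PowerShell session on the host being examined.
$ns = 'root/subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Consumer name taken from the article; command-line hints are generic signs of a
# fileless PowerShell payload (assumption, not taken from the sample).
$nameHint = 'SCM Event8 Log Consumer'
$cmdHints = 'powershell', '-enc', 'FromBase64String', 'IEX', 'Invoke-Expression'

foreach ($b in $bindings) {
    # Filter/Consumer are CIM references; .Name resolves the referenced object's key
    $f = $filters   | Where-Object Name -eq $b.Filter.Name
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name
    if (-not $c) { continue }   # not a CommandLineEventConsumer (e.g. ActiveScript); skip

    $reasons = @()
    if ($c.Name -like "$nameHint*") { $reasons += "consumer name matches '$nameHint'" }
    foreach ($h in $cmdHints) {
        if ($c.CommandLineTemplate -and
            $c.CommandLineTemplate.IndexOf($h, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "command line contains '$h'"; break
        }
    }
    # Timer- or uptime-keyed queries are the usual way a "every 4 hours" / "minutes after
    # boot" schedule is expressed in WQL (assumption; the article shows no query text)
    if ($f.Query -match 'TimerEvent|Win32_LocalTime|SystemUpTime') {
        $reasons += 'timer/uptime-driven filter'
    }

    [pscustomobject]@{
        Consumer   = $c.Name
        Filter     = $f.Name
        Query      = $f.Query
        Command    = $c.CommandLineTemplate
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}
```

Any binding reported with Suspicious = True should be reviewed together with the script the command line launches; removing the binding alone leaves the filter and consumer in place.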

Lateral Movement
Lateral movement is executed through the funs, mimi, and sc artefacts extracted from the $fa variable.
Funs is a PowerShell file containing all the functions necessary to infect other systems on the network.
Much of the funs code originates from the Empire framework.
Through Get-creds, it uses the mimi artefact, containing Mimikatz code, to extract usernames and passwords from the system. Subsequently, it uses test-net, to which an array with Class B and C IPs identified on the network is passed.
This function initiates propagation activity across internal corporate networks, a pattern we observed through Managed Detection and Response telemetry showing WMI-based lateral movement across multiple subnets:

The script contains a series of propagation mechanisms (in order of execution):
- Remote execution with WMI
- Remote execution with Samba
- Exploitation of the EternalBlue vulnerability, in which it uses the sc artefact as shellcode.
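Detection logic for the first two propagation paths listed above, reading the telemetry that lands on a target host. This is an added example, not from the original analysis; it assumes Sysmon is installed with process-creation logging and uses the standard Sysmon (Event ID 1) and System log (Event ID 7045) field names.

```powershell
# Added detection snippet (not from the original analysis): look for the traces that
# remote WMI execution and SMB admin-share execution leave on the receiving host.
function Get-EventFields($Event) {
    # EventData is a list of <Data Name="...">; turn it into an object keyed by Name
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return [pscustomobject]$h
}

# 1) Sysmon process creation (ID 1) whose parent is the WMI provider host:
#    remote WMI execution appears as WmiPrvSE.exe -> powershell.exe / cmd.exe
$wmiSpawned = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object {
        $_.ParentImage -like '*\WmiPrvSE.exe' -and
        $_.Image -match '\\(powershell|pwsh|cmd)\.exe$'
    } |
    Select-Object @{ n = 'Time'; e = { $_.UtcTime } }, Image, CommandLine, User

# 2) Service installs (System log ID 7045): execution over the SMB admin shares
#    typically registers a short-lived service whose ImagePath is a command line
$svcInstalls = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_.ImagePath -match 'powershell|cmd\.exe|\.ps1|-enc' } |
    Select-Object ServiceName, ImagePath, AccountName

$wmiSpawned
$svcInstalls
```

Hits in either list give the source account and command line, which is the starting point for identifying the host the credentials were harvested from.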
Cryptocurrency mining
To execute Monero mining activity, the malware uses two artefacts: mon and mue.
First method – MON
As a first attempt, the worm executes the mon artefact in fileless mode; the code is embedded in the systemcore_Updater8 class, which is invoked via PowerShell.
The code is a copy of the open-source miner XMRig.
XMRig software configuration:
- Cryptocurrency: Monero
- Wallet: 46gVfDm99aq9JqESFxXFp5AyFCZPHsbTn48dWAtVASddf4TmhQMkxvQadhKPvAjszJV8cQKVHHLQ7WpNrh33ogkGUPHhpVP
- Pool addresses:
- xmr-eu1.nanopool.org:14444
- xmr-asia1.nanopool.org:14444
- xmr-eu2.nanopool.org:14444
- xmr-us-east1.nanopool.org:14444
- xmr-us-west1.nanopool.org:14444
- pool.minexmr.com:80
- sg.minexmr.com:80
- ca.minexmr.com:80

The artifact ring is then installed on the system under the name WinRing0x64.sys.
This is a Microsoft driver used by mon to optimise the RandomX Monero mining algorithm.
The driver, although legitimate, contains several vulnerabilities that if exploited would allow an attacker to obtain SYSTEM privileges.
Second method – MUE
If the first execution does not succeed, WannaMine executes a different artifact, placing the file on disk via WMI, naming it mue.exe (system path C:\Windows\system32).
The executable is an obsolete version of XMRig that does not leverage the WinRing0x64.sys driver.
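A check for the mining-stage artefacts described in the two methods above: the WinRing0x64.sys driver, the on-disk mue.exe, and DNS lookups of the pool hosts from the XMRig configuration. This is an added example, not code from the original analysis; the DNS log lines are constructed for illustration, and the sha256 compared against is the mue.exe hash reported in the Static Analysis section below.

```powershell
# Added checks (not from the original analysis) for the mining stage described above.
# Part 1: host artefacts (driver and on-disk miner). Part 2: pool hostnames in DNS logs.

# Part 1 - driver loaded or registered, and mue.exe present in System32
$driverHits = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*WinRing0*' -or $_.Name -like '*WinRing0*' } |
    Select-Object Name, State, StartMode, PathName

$muePath = Join-Path $env:SystemRoot 'System32\mue.exe'
$mueHit = $null
if (Test-Path $muePath) {
    $hash = (Get-FileHash -Path $muePath -Algorithm SHA256).Hash
    $mueHit = [pscustomobject]@{
        Path        = $muePath
        SHA256      = $hash
        # sha256 of the mue.exe sample from this article's Static Analysis table
        KnownSample = ($hash -eq '0A1CDC92BBB77C897723F21A376213480FD3484E45BDA05AA5958E84A7C2EDFF')
    }
}

# Part 2 - pool hosts from the miner configuration quoted in the article
$pools = @(
    'xmr-eu1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-eu2.nanopool.org',
    'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org',
    'pool.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com'
)
$poolRegex = '(' + (($pools | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'

# Constructed sample lines (timestamp, client, query); replace with a real DNS log export
$dnsLog = @(
    '2024-01-01 03:12:44 10.0.5.21 Q xmr-eu1.nanopool.org',
    '2024-01-01 03:12:45 10.0.5.21 Q www.microsoft.com',
    '2024-01-01 03:13:01 10.0.7.88 Q pool.minexmr.com',
    '2024-01-01 03:13:02 10.0.7.88 Q ca.minexmr.com'
)
$dnsHits = foreach ($line in $dnsLog) {
    if ($line -match $poolRegex) {   # -match is case-insensitive by default
        [pscustomobject]@{ Client = ($line -split '\s+')[2]; Pool = $Matches[1]; Line = $line }
    }
}

$driverHits
$mueHit
$dnsHits | Group-Object Client | Select-Object Name, Count
```

Note that a loaded WinRing0x64.sys is itself a finding even when mining has stopped, because the driver's privilege-escalation weaknesses remain available to any local user.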

Static Analysis
Script: in6.ps1
Description
PowerShell file acting as a dropper.
It contains a variable $fa holding code encoded in Base64 used to extract all artifacts required for compromise.
A second code section is present with multiple obfuscation layers inserted to evade detection by AntiVirus endpoint protection solutions.
Details
| Field | Value |
| --- | --- |
| md5 | B73E5BF7274478FB8FA6CE94AF3F6921 |
| sha1 | 98BFD0AC4EE3469A331B4C99436B532E7D18B4D6 |
| sha256 | 3562E13CF2C2B0416B22286217602632A421AC6560FC3E4F9EBF8D13A19CA97E |
| file-size | 13 946 596 bytes |
| entropy | 4.000 |
Script: Funs
Description
File containing PowerShell script with auxiliary functions including those for Lateral Movement. Many of these functions are derived from frameworks such as Empire.
Details
| Field | Value |
| --- | --- |
| md5 | 03A5E1B8680B44A07DAAE5D5517FB38F |
| sha1 | 903AE5A3895D58FFAA384E926B581DCAD1C8CAB3 |
| sha256 | 809FE2FCCDDF5C788812F1CB18B76F0F1BA4BB8AD1CF24F55A5B95E6225E891C |
| file-size | 450 722 bytes |
| entropy | 5.181 |
Executable: mimi
Description
A binary containing Mimikatz, executed via reflective injection so that it is never written to disk. It is used to extract the credentials present on the system.
Details
| Field | Value |
| --- | --- |
| md5 | 1A89B3DEBD2B8F45B04A12116893BC9C |
| sha1 | 3147D48F8AEC7615CC803E449F3FF688663395F8 |
| sha256 | EE8275A57D7A80427131D126A19862D6889AB409F7EC4293721E3BD15AA11C9E |
| file-size | 1 293 314 bytes |
| entropy | 4.536 |
Executable: mon
Description
Contains a version of the open-source XMRig software, which is a cryptocurrency miner. It is executed in memory via PowerShell without being written to disk.
Details
| Field | Value |
| --- | --- |
| md5 | AE8A82C77FD56390B76F6B756DAD101C |
| sha1 | DA0CC3211B27616BFE3F9618658C14B65AAB97E2 |
| sha256 | 6DFCE5506FFBECE1CC1DD6AE05D7D4022AC6A73E0EC247A100FA32B04EDFFCF7 |
| file-size | 2 715 138 bytes |
| entropy | 4.800 |
Executable: WinRing0x64.sys
Description
Legitimate driver used by mon to optimise mining performance. Despite being a legitimate driver, it contains Privilege Escalation vulnerabilities; its installation renders the system less secure.
Details
| Field | Value |
| --- | --- |
| md5 | 0C0195C48B6B8582FA6F6373032118DA |
| sha1 | D25340AE8E92A6D29F599FEF426A2BC1B5217299 |
| sha256 | 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5 |
| file-size | 14 544 bytes |
| entropy | 6.266 |
Executable: mue.exe
Description
Designed to inject the payload into a legitimate process via process hollowing. The injected payload is a version of XMRig.
Details
| Field | Value |
| --- | --- |
| md5 | D1AED5A1726D278D521D320D082C3E1E |
| sha1 | EFDB3916C2A21F75F1AD53B6C0CCDF90FDE52E44 |
| sha256 | 0A1CDC92BBB77C897723F21A376213480FD3484E45BDA05AA5958E84A7C2EDFF |
| file-size | 2 863 616 bytes |
| entropy | 7.952 |
Executable: sc
Description
Shellcode for exploiting the EternalBlue vulnerability. Used for Lateral Movement operations.
Details
| Field | Value |
| --- | --- |
| md5 | 777D2A050AB7FACE761C1A6449913BAA |
| sha1 | 061C3DF042325F69BB966ADAEC6D78742DDE2036 |
| sha256 | 9CDB5020DF269828480D77FE03758EF70046A71B11D4C8182BA5465C877715D0 |
| file-size | 2 413 bytes |
| entropy | 5.260 |