Monero Cryptocurrency Miner Leverages NSA Exploit

In a growing development, attackers have leveraged an exploit found in almost all generations of Microsoft Windows. EternalBlue is a security vulnerability that allowed WannaCry to run rampant in over 150 different countries and took down parts of the National Health Service (NHS), as well as Petya/NonPetya (a strain of ransomware that inspired NATO to assemble an entire cyber operation to combat it).

The newest malware continues to capitalize on the vulnerability and in many cases can take over nearly 100 percent of users CPU.

Mimikatz and Fileless Malware

While WannaMine was discovered by Pandalabs and reported on October 30, 2017, the growing popularity in cryptocurrencies has exposed more attack vectors since then.

In this attempt, victims’ CPU are hijacked by WannaMine and used to harvest the privacy-centric cryptocurrency Monero. Identifying an infection is equally tricky as minor symptoms simply slow down processing speeds. In more extreme cases, and if gone unchecked, whole businesses can be shut down.

In a related blog post, the cybersecurity firm CrowdStrike explained that a client reported that “nearly 100 percent of [their] environment was rendered unusable due to overutilization of systems’ CPU.”

An ideal attack vector thus sees WannaMine move from one individual computer all the way through corporate networks. From here, industrial servers can be taken over to mine Monero and slow whole companies down to a standstill.

This initial infection often occurs through phishing attempts via email or a remote access attack. The malware then gains a foothold by lancing Mimikatz, which is a package of tools that principally gives an individual access to passwords and a system’s memory.

The consequent takeover is then incredibly difficult to trace and eliminate as WannaMine qualifies as fileless malware. PandaLabs defines this malware as a type of Advanced Volatile Threat (AVT) because it uses “malicious code that is designed to not write itself onto the hard drive and work from the RAM.”

Current generation anti-virus software and defense systems are thus useless against attacks of this nature. Because WannaMine doesn’t inscribe any foreign data onto a computer’s hard drive, a software program like McAfee Security, for instance, cannot detect any foul play.

And so the code is able to move through systems deploying Mimikatz, leveraging EternalBlue, and taking hold of your precious CPU. While initially disconcerting, the complexity of new attacks on the crypto sector could spell developments in cybersecurity. In any case, keeping up to date with software patches for users’ operating is critical no matter your digital holdings.