
The NSA exploit is used to infect systems with a cryptominer


dEEpEst


To infect systems, the WannaMine miner uses the EternalBlue exploit and the Mimikatz utility.

The exploit, developed by the US National Security Agency and leaked last year, is now being used by hackers to spread a cryptocurrency miner.

The exploit in question is EternalBlue for Windows, published by the Shadow Brokers group in April 2017. Less than a month after publication, it was used to spread the global WannaCry infection, and at the end of June EternalBlue helped spread the NotPetya malware. Now, information security experts report new attacks using the exploit, called WannaMine.

The WannaMine attacks are not as large as WannaCry; however, according to CrowdStrike experts, in some cases the affected companies could not work for several days and even weeks. In addition, the infection is difficult to detect because the malware does not download any applications to the infected device.

The WannaMine malware, designed to secretly mine the Monero cryptocurrency using the capacity of infected computers, was first discovered by Panda Security specialists in October 2017. Last week, CrowdStrike experts reported that the number of WannaMine infections has increased significantly over the past few months.

The malware enters the system in several ways, including when the user clicks on a malicious link in an email or on a web page. Once on the system, the malicious script uses two legitimate Windows applications: PowerShell and Windows Management Instrumentation. The EternalBlue exploit is not the main tool of WannaMine. First, the malware uses the Mimikatz utility to get logins and passwords from the computer's memory, and only if it does not succeed does it resort to EternalBlue.

Against malware armed with Mimikatz and EternalBlue, even the most up-to-date system will not hold. If it is not affected by the EternalBlue vulnerability, it can still be compromised with Mimikatz.
