Information security researchers at CrowdStrike have reported a sharp rise in attacks by WannaMine, a worm that covertly mines the Monero cryptocurrency on infected machines. To spread, its operators use the EternalBlue exploit that was stolen from the US National Security Agency and later leaked publicly.
According to the researchers, in some cases the operations of companies hit by WannaMine were disrupted for several days or even weeks. Confirming an infection is not easy, because the malware does not drop any new executable onto the victim's disk: it runs from memory using tools already present on the system.
CrowdStrike describes WannaMine as relying on "living off the land" techniques, in particular Windows Management Instrumentation (WMI) permanent event subscriptions as its persistence mechanism, while propagating through the same EternalBlue exploit that WannaCry made infamous. Because it is fileless and abuses legitimate system components such as WMI and PowerShell, signature-based blocking is of little use; CrowdStrike argues that organizations need some form of behavioural, next-generation antivirus to stop it.
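A WMI permanent event subscription consists of three objects in the root/subscription namespace: an __EventFilter (a WQL query that fires on some condition, such as a timer or a process start), an __EventConsumer (what to do when it fires, for example CommandLineEventConsumer runs a command line) and a __FilterToConsumerBinding that ties the two together. Because all three live in the WMI repository rather than on disk, a conventional file scan never sees them. The PowerShell script below is an added example for defenders, not code from the article or from CrowdStrike: it enumerates every binding on the local host, resolves the filter query and the consumer payload, and flags consumers of the command-line or script type whose payload looks like an encoded or hidden PowerShell/script launch. The keyword list in the regular expression is an assumption chosen for illustration, not a published indicator.

```powershell
# Enumerate WMI permanent event subscriptions and flag suspicious ones.
# Added example; run in an elevated PowerShell session.
$ns = 'root/subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Consumer classes that can execute arbitrary commands or script. These are
# what fileless persistence abuses; legitimate use on endpoints is rare.
$riskyConsumerClasses = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

# Illustrative (assumed) patterns for a payload that launches PowerShell or a
# script host in a hidden or encoded form. Tune to your environment.
$suspiciousPayload = 'powershell|-enc|-e |FromBase64String|-w(indowstyle)? hidden|wscript|cscript|mshta|regsvr32'

$report = foreach ($b in $bindings) {
    # With the CIM cmdlets, Filter and Consumer are reference properties that
    # surface as CimInstance objects carrying the key property Name.
    $filterName   = $b.Filter.Name
    $consumerName = $b.Consumer.Name

    $f = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1

    $consumerClass = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }

    # CommandLineEventConsumer exposes CommandLineTemplate; ActiveScriptEventConsumer
    # exposes ScriptText or ScriptFileName. Other consumer classes have neither.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               elseif ($c.ScriptFileName)  { $c.ScriptFileName }
               else { '' }

    $suspicious = ($riskyConsumerClasses -contains $consumerClass) -and
                  ($payload -match $suspiciousPayload)

    [pscustomobject]@{
        Filter        = $filterName
        Query         = if ($f) { $f.Query } else { '<missing>' }
        Consumer      = $consumerName
        ConsumerClass = $consumerClass
        Payload       = $payload
        Suspicious    = $suspicious
    }
}

$report | Format-List

# To remove a confirmed malicious subscription, delete the binding first, then
# the consumer and the filter (uncomment and substitute the flagged names):
# $report | Where-Object Suspicious | ForEach-Object {
#     Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
#         Where-Object { $_.Filter.Name -eq $_.Filter } | Remove-CimInstance
# }
```

Many Windows Server installations carry one legitimate binding out of the box, "SCM Event Log Filter" bound to "SCM Event Log Consumer" of class NTEventLogEventConsumer; the class check above keeps it from being flagged, since it can only write an event log entry, not run code. Anything that binds a timer or process-creation filter to a CommandLineEventConsumer that spawns PowerShell deserves a close look, and collecting this output centrally from every host lets you spot the same binding name recurring across the fleet, which is how a worm's persistence tends to show up.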
It is worth noting that EternalBlue is not WannaMine's primary means of spreading. It first runs the Mimikatz utility to harvest logons and passwords from the memory of the infected computer and reuses those credentials to move to other hosts. Only if that fails does it fall back to EternalBlue. Because of this ordering, WannaMine can reach systems that are fully patched against the SMB vulnerability, so long as it has already captured valid credentials for them.
WannaMine was first observed by Panda Security researchers in October of the previous year.