The EternalBlue exploit, originally stolen from the US National Security Agency, continues to be used by attackers as a component of malicious software. The new WannaMine virus, built on EternalBlue, secretly mines cryptocurrency on victims' computers.
WannaMine can infect a computer in many ways, from a click on a malicious link to targeted remote penetration into the system. First, the virus uses the Mimikatz tool to extract logins and passwords from the computer's memory. If Mimikatz fails, the virus falls back on EternalBlue.
If the computer is part of a corporate network, for example in an office, WannaMine will use the stolen data to infect other computers, which can paralyze the company for a few days or even weeks.
Bryan York, director of the security agency CrowdStrike:
Whereas EternalBlue was earlier used only by state-level hackers, it is now becoming more common and appears in the viruses of ordinary cybercriminals.
Recall that in 2017 the EternalBlue exploit formed the basis of the global WannaCry virus, which hit 150 countries around the world. During this time, its creators earned a total of about $140,000 in bitcoins, and the total damage from the attack was estimated at $1 billion.
At first glance WannaMine seems a less aggressive version of its older brother WannaCry, as it does not lock users' computers and demand a ransom. However, hidden mining overloads the processor and can cause the user's equipment to fail.
Observations by experts at Recorded Future, conducted since May 2017, point to a trend: attackers are moving from high-impact ransomware attacks to long-term hidden mining.
Hidden miners became most popular among cybercriminals only in the second half of 2017. Most often they mine Monero and Zcash, which can be mined with the power of a central processor rather than a graphics processor. As a result, the owner of virtually any computer can become a victim of the intruders.
Information Source: WannaMine