Urgent Alert: WannaMine Ransomware v3.0 Break Out !
  

Sangfor Elsa Posted 22 Nov 2018 16:53

Last edited by Sangfor Elsa 22 Nov 2018 16:56.

Recently, several customers turned to Sangfor for help, as a great many of their hosts and servers encountered system lags and blue screen. Through a full scan of endpoints with Sangfor Endpoint Detection and Response (EDR) clients, Sangfor discovered that the hosts and servers were infected by the same previously undiscovered WannaMine ransomware virus.

The Sangfor security team found that the virus, WannaMine 3.0, was the latest variant to evolve from WannaMine 1.0 and WannaMine 2.0.

As its name indicates, this ransomware variant applies a similar propagation scheme (rapid lateral movement over SMB on local area network) as WannaCry and can evade antivirus detection. As of writing, Sangfor Technologies was the first to find this particular variant and no other security vendor has reported this event.

Sangfor acquired and analyzed the sample and found that the source site was codidled.com, a domain registered on Nov. 11, 2018, making it clear that the virus was re-encoded from WannaMine to WannaMine 3.0 on or after Nov. 11, 2018.

1.png

The propagation speed of this variant is shockingly fast, having infiltrated the networks of several hospitals just in days. The scope of the infection may be as wide as seen with WannaMine 1.0 and WannaMine 2.0.

1. Attack Scenario
Sangfor has determined that this attack event was carefully designed like WannaMine 1.0 and WannaMine 2.0, in that the involved modules are varied, scope of infection is wide and relations are sophisticated.

2.png

One of the differences this variant employs is that the original compressed package has been changed to MarsTraceDiagnostics.xml, an exploit kit that contains all the components to perform attacks. The original versions’ compressed files could be decompressed directly, however this virus can only be decompressed by the virus itself, enabling it to evade antivirus detection. The decompressed components include spoolsv.exe, snmpstorsrv.dll and the EternalBlue exploit kit (svchost.exe, spoolsv.exe, x86.dll/x64.dll), stored in the following directories:

C:\Windows\System32\MarsTraceDiagnostics.xml
C:\Windows\AppDiagnostics\
C:\Windows\System32\TrustedHostex.exe

3.png


Attack Procedure:
The DLL file snmpstorsrv.dll corresponds to the service snmpstorsrv and is loaded through the executable svchost.exe. Every time it starts during system startup, another executable file named spoolsv.exe is loaded.
Next, spoolsv.exe scans the local area network on port 445 for target hosts and starts the vulnerability exploit programs svchost.exe and spoolsv.exe.

Svchost.exe performs EternalBlue buffer overflow attacks against the hosts targeted in Step 2. Upon successful intrusion, spoolsv.exe (a NSA-linked exploit kit - DoublePulsar) installs a backdoor and malicious payload (x86.dll/x64.dll).

The payload (x86.dll/x64.dll) is executed to duplicate MarsTraceDiagnostics.xml from the local host to target host, decompress the file, register snmpstorsrv service and start spoolsv to perform attacks.

Each host is infected in the above-mentioned ways, step by step.

4.png

2. Removing Earlier Version of WannaMine
WannaMine 3.0 purposely removes earlier versions of WannaMine, including deleting or disabling files, services and tasks of WannaMine 1.0 and WannaMine 2.0.

The WannaMine virus sample before removal is shown as follows:

5.png

1. Service wmassrv is stopped.

6.png

2. UPnPHostServices task is deleted:

7.png

3. EnrollCertXaml.dll is deleted:

8.png

4. EternalBlue and mining programs are terminated and files deleted:

9.png

The process files are:

C:\Windows\SpeechsTracing\spoolsv.exe
C:\Windows\System32\TasksHostServices.exe
C:\Windows\SpeechsTracing\Microsoft\svchost.exe
C:\Windows\SpeechsTracing\Microsoft\spoolsv.exe

5. The original wmassrv.dll file is deleted:

10.png

6. The file directories of earlier versions are traversed and deleted:

11.png

The corresponding directories are:

C:\Windows\SpeechsTracing\Microsoft\
C:\Windows\SpeechsTracing\Microsoft\

7.Uninstall previous mining module HalPluginsServices.dll:

12.png

Process rundll32.exe is terminated:

13.png

Then the mining file is deleted.

3. Mining
Similar to WannaMine 1.0 and 2.0, WannaMine 3.0 aims to mine cryptocurrency collectively on a large scale (taking advantage of the EternalBlue vulnerability to spread on the local area network rapidly). The mining file is TrustedHostex.exe.

14.png

The connection is initiated by codidled.com.

15.png

4. Solution

a. Isolate the virus-infected host as soon as possible and disable all its connections and network adapters.
b. Disable the SMB port 445 and cut communication between the host and any external network.
c. Fix the vulnerability by installing the patch ms17-010 from Microsoft for Eternal Blue.
d. Sangfor NGAF customers can enable IPS and ATP detection to block attacks. Sangfor Engine Zero, with the latest engine and database, and Neural-X with cloud security capability, are both able to detect and prevent WannaMine.
e. Scan for and remove the viruses with Sangfor EDR tool: http://go.sangfor.com/edr-tool-20181122

Like this topic? Like it or reward the author.

Creating a topic earns you 5 coins. A featured or excellent topic earns you more coins. What is Coin?

Enter your mobile phone number and company name for better service. Go

Faisal Lv8Posted 16 Jul 2020 18:46
  
WannaMine Ransomware v3.0 Break Out ... good
Faisal Lv8Posted 16 Jul 2020 22:03
  
Thank for this information ...
Muhammad Bilal Lv4Posted 06 Aug 2020 16:31
  
Great sharing.
jetjetd Lv5Posted 08 Aug 2020 20:26
  
worth reading.
Faisal Lv8Posted 04 Sep 2020 11:57
  
Thank you very much for the information ...
Faisal Lv8Posted 28 Dec 2020 08:24
  
Nice article ...
Faisal Lv8Posted 07 May 2021 09:00
  
Very informative
Newbie259600 Lv2Posted 26 Oct 2021 10:51
  


Thank you very much for the information ...

Trending Topics

Board Leaders