Security researchers have discovered a new strain of malware that uses the National Security Agency's EternalBlue exploit to hijack computers and secretly mine cryptocurrency. In April last year, the exploit was leaked as part of a cache of alleged NSA hacking tools released by the hacker group Shadow Brokers.
Cybersecurity experts had warned that the exploit would soon be leveraged by other threat actors to power their own sophisticated and likely frequent cyberattacks. Shortly after, the Windows exploit was used to launch the massive global WannaCry and NotPetya ransomware attacks in May and June.
Now, researchers at CrowdStrike have observed hackers leveraging the exploit to hijack victims' computers and CPU processing power to mine cryptocurrency in a new attack dubbed WannaMine.
In recent months, CrowdStrike observed a rise in cyberattacks focusing on cryptomining tools that covertly hijack CPU cycles to generate digital currencies. In some cases, the heavy mining and high CPU utilisation speeds even affected business operations and caused systems to crash, "rendering some companies unable to operate for days and weeks at a time".
"CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors," the researchers said in a blog post published on 25 January.
"WannaMine employs 'living off the land' techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It also propagates via the EternalBlue exploit popularized by WannaCry."
Since it is fileless and uses legitimate system software such as WMI and PowerShell, the researchers say it is "difficult, if not impossible" for companies to detect and block it without some form of next-generation antivirus software.
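As an added, defender-side example that is not from the article or CrowdStrike's report, the following PowerShell enumerates the WMI permanent event subscriptions the researchers name as WannaMine's persistence mechanism, so that filter-to-consumer bindings capable of running commands or scripts can be reviewed. It assumes Windows PowerShell 3.0 or later with the CIM cmdlets; the function name Get-WmiPersistence is my own.

```powershell
# Added example (not from the article or CrowdStrike): enumerate WMI permanent
# event subscriptions in root/subscription and flag bindings whose consumer
# executes commands or scripts. Function name is the author's own.
function Get-WmiPersistence {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cimArgs = @{ Namespace = 'root/subscription'; ComputerName = $ComputerName }

    # Filters hold the WQL trigger (e.g. a timer or process-start event).
    $filters   = Get-CimInstance @cimArgs -ClassName __EventFilter
    # Consumers hold the action; CommandLine/ActiveScript consumers run code.
    $consumers = Get-CimInstance @cimArgs -ClassName __EventConsumer
    # Bindings tie a filter to a consumer; only bound pairs actually fire.
    $bindings  = Get-CimInstance @cimArgs -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $filter   = $filters   | Where-Object Name -eq $b.Filter.Name
        $consumer = $consumers | Where-Object Name -eq $b.Consumer.Name
        $type = if ($consumer) { $consumer.CimClass.CimClassName } else { 'missing' }

        # What would execute if the filter's event fires.
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' {
                if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName }
            }
            default                     { $null }
        }

        [pscustomobject]@{
            Computer     = $ComputerName
            FilterName   = $b.Filter.Name
            Query        = $filter.Query
            ConsumerName = $b.Consumer.Name
            ConsumerType = $type
            Payload      = $payload
            # Code-executing consumers are rare outside management tooling; review each one.
            Suspicious   = $type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

# Usage: list only bindings that can execute code, e.g. for triage or a scheduled sweep.
Get-WmiPersistence | Where-Object Suspicious | Format-List
```

A clean host typically shows only the built-in SCM Event Log binding with an NTEventLogEventConsumer; anything with a command-line or script consumer warrants checking its Query and Payload against known management tooling.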
However, WannaMine doesn't immediately look to leverage the EternalBlue exploit.
First, it uses the credential-harvesting tool Mimikatz to obtain legitimate credentials and uses those to get into the system. If that doesn't work, it falls back to EternalBlue to break in. Once the system is infected, it quietly uses the CPU processing power to generate Monero coins in the background.
"The WannaMine worm uses advanced techniques to maintain persistence within an infected network and move laterally from system to system," the researchers said. "In one case, a client informed CrowdStrike that nearly 100% of its environment was rendered unusable due to overutilisation of systems' CPUs."
Given the rise in infections over the past few months, the researchers anticipate the threat actors behind WannaMine will likely continue to evolve their capabilities to go undetected.
This isn't the first time the EternalBlue exploit has been used by hackers to generate cryptocurrency. Last year, Trend Micro researchers found the exploit was used to boost the spread of the cryptocurrency-mining malware CoinMiner.
"While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors," the researchers said. "Whatever these threat actors may lack in sophistication, they made up for in resourcefulness.
"Improved defences will become even more critical in 2018 as we expect to see continued convergence of sophisticated statecraft and tradecraft."