Delaware, USA – January 29, 2018 – CrowdStrike reported on its blog a new round of WannaMine fileless malware activity. The operations of several companies were almost completely paralyzed by infection with this malware. WannaMine was first discovered at the end of October 2017 by researchers from PandaLabs, but shortly after detection its C&C servers were disabled.
This advanced malware uses the Mimikatz utility and the EternalBlue exploit for lateral movement. To maintain persistence on the infected system, it uses Windows Management Instrumentation and scheduled PowerShell commands. After gaining a foothold on the targeted system, the malware attempts to obtain administrator credentials with Mimikatz for lateral movement and installs a Monero cryptocurrency miner. The attackers make no attempt to hide the result of the infection: they use the CPU of compromised systems for mining without any restriction.
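As an added defensive example, not part of the article or of CrowdStrike's report, the following PowerShell enumerates the two persistence mechanisms described above, permanent WMI event subscriptions and scheduled tasks that launch PowerShell, on the local host. The keyword heuristic behind the Suspicious column is an assumption meant as a triage aid, not a signature.

```powershell
# Added hunting script (not from the CrowdStrike or PandaLabs write-ups).
# Run from an elevated PowerShell session on the host being examined.

function Get-WmiSubscriptionPersistence {
    $ns = 'root\subscription'
    # __EventConsumer is the base class, so this returns CommandLine, ActiveScript and other consumer types.
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | ForEach-Object {
        # Filter and Consumer are reference strings such as __EventFilter.Name="X"
        $filterName   = ($_.Filter   -split '"')[1]
        $consumerName = ($_.Consumer -split '"')[1]
        $filter   = $filters   | Where-Object Name -eq $filterName
        $consumer = $consumers | Where-Object Name -eq $consumerName
        # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer carries ScriptText
        $payload  = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ScriptText }
        [pscustomobject]@{
            Type       = 'WMI'
            Name       = "$filterName -> $consumerName"
            Trigger    = $filter.Query
            Payload    = $payload
            # Heuristic only (assumption): PowerShell launched from a WMI consumer deserves a closer look
            Suspicious = [bool]($payload -match 'powershell|encodedcommand|downloadstring|invoke-expression')
        }
    }
}

function Get-PowerShellScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'powershell') {
                [pscustomobject]@{
                    Type       = 'Task'
                    Name       = "$($task.TaskPath)$($task.TaskName)"
                    Trigger    = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                    Payload    = "$($action.Execute) $($action.Arguments)"
                    # Same heuristic (assumption): encoded or hidden PowerShell in a task is worth triage
                    Suspicious = [bool]($action.Arguments -match 'encodedcommand|-enc|downloadstring|invoke-expression|hidden')
                }
            }
        }
    }
}

# Combine both views and show flagged entries first
@(Get-WmiSubscriptionPersistence) + @(Get-PowerShellScheduledTasks) |
    Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Legitimate software (management agents, some Windows components) also registers WMI subscriptions and PowerShell tasks, so compare the listing against a known-good baseline from a clean host before acting on it.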
The initial infection vector is not known, but to reduce the possible damage from cryptominer infections you can use the Mimikatz Defense Framework use case for ArcSight, QRadar and Splunk. With it, your SIEM can notify the administrator about malicious use of the Mimikatz tool in your organization.