Cryptocurrencies have hit the headlines again this week, but this time it is not for good reasons. Nicknamed “WannaMine”, a new malware variant has been taking over computers around the world, hijacking them to mine a cryptocurrency called Monero.
WannaMine was first discovered by Panda Security in October last year, but the malware is only just coming to the attention of the general public, thanks to a number of high profile infections. But unlike other malware variants, WannaMine is proving particularly hard to detect and block.
What does WannaMine do?
At the most basic level, WannaMine has been designed to mine a cryptocurrency called Monero. The malware silently infects a victim’s computer, and then uses it to run complex decryption routines that create new Monero. The currency is then added to a digital wallet belonging to the hackers, ready to be spent whenever they choose.
This may sound relatively harmless, but the mining process takes priority over legitimate activities. An infected computer begins to slow down – a particularly frustrating experience for users.
What is the problem?
There are several serious problems with WannaMine. First, the way in which it tries to make maximum use of the processor and RAM places the computer under great strain. Eventually the computer will begin to fail, requiring costly repairs – or even complete replacement.
The second major problem is to do with the way in which WannaMine spreads itself. Initially there is nothing unusual about the malware – users are tricked into downloading the malware via email attachments or infected websites. Once installed however, WannaMine uses some very clever tricks to spread across the network.
By using two (important) built-in Windows tools – PowerShell and Windows Management Instrumentation – WannaMine tries to capture login details that allow it to connect to other computers remotely. If that technique fails, WannaMine then falls back on the same security exploit (EternalBlue) used by the WannaCry ransomware to spread itself.
Because it uses built-in Windows tools WannaMine is being described as “fileless”, making it incredibly hard to detect and block. In fact, some reports suggest that many traditional anti-virus applications cannot detect WannaMine, or protect users against it.
Protecting against WannaMine
The only way to spot a WannaMine infection is by carefully monitoring the applications and services running on a computer, using a technique that Panda Security call “Adaptive Defense”. Panda Security scans all incoming files and prevents infection before WannaMine can compromise a computer.
As well as having a robust, modern anti-virus application installed on all your computers, it is vital that they are all routinely updated and patched to close the loopholes used by malware. The EternalBlue exploit used by WannaMine and WannaCry was patched by Microsoft in March 2017 – but many Windows users have not applied the update, leaving themselves vulnerable.
Keeping your computer up-to-date and installing security tools like Panda Antivirus will help to block cryptocurrency malware before it can take over your computer. And as WannaMine shows – if your computer is infected, it may soon spread to other computers and devices on your network.
11 comments
Not right now its not, its fell $10,000 in a matter of weeks.
Lend a thought for those that bought at or near the top just before Christmas after they said it would go to $100,000.
Wouldn’t disabling SMB1.0/CIFS File Sharing Support be a workaround?
And could you not build functionality into your AV software that monitors and warns the user when high CPU/RAM usage is detected (which users could turn off by activating the game/multimedia mode to prevent false positives)?
These are all derivatives of the EnteralBlue zero day’s developed by the NSA. Microsoft has issued patches, however this exploit appears to use a different vulnerability.
It is a little dissapointing however that you would panic users now about something you’ve known for several months, and not offer a definitive fix/patch.
Sono d’accordo con Bob Shafer che cosa avete fatto per fermarli?
Ciao Gianluca, non appena i tecnici di PandaLabs lo hanno scoperto lo hanno reso pubblico: Non è alarmismo è piuttosto informazione. Non ti preoccupare, con qualsiasi dei nostri prodotti Panda sarai al sicuro. Ti raccomandiamo, inoltre, di attualizzare il sistema operativo del tuo dispositivo.
Ti ringraziamo di aver lasciato il commento.
Panda Security.
Hi Bob,
As soon as PandaLabs discovered it we made it public: https://www.pandasecurity.com/en/mediacenter/pandalabs/threat-hunting-fileless-attacks/
It is not a matter of alarming our users, but informing them. You don’t have to worry about it, with any of Panda products you are protected, we do recommend however to always keep your OS updated.
Thanks for your comment.
Since I subscribe with you aren’t you suppose to be protecting my computer.
Hi Linda,
Our malware laboratory, PandaLabs, was the first discovering it: https://www.pandasecurity.com/en/mediacenter/pandalabs/threat-hunting-fileless-attacks/
You don’t have to worry about it, with any of our Panda products you are protected, we do recommend however to always keep your OS updated.
Thanks for your comment!
Kind Regards,
Panda Security.
You say that you’re not trying to panic people, yet say that a malware infection could require you to replace your computer. Indeed this is amazing malware if it is that self-embedding that it requires a computer to be replaced due to software!
At the most basic level, WannaMine has been designed to mine a cryptocurrency called Monero.
This is good
We are glad you enjoy our content!
Keep visiting us for more updated news about technology and cybersecurity.
Best regards,
Panda Security.