WannaMine is an advanced cryptocurrency mining malware campaign. Its aim is to use the CPU resources of infected systems to mine Monero and achieves this goal by leveraging advanced tactics characteristic of advanced persistent threat (APT) or state actors.
The first phase of the campaign initially spreads via email and other social engineering campaigns to get a user to download and execute a malicious .bat file.
The second phase downloads and executes a heavily obfuscated PowerShell script which drops three internal resources:
Mimikatz.dll. An administration credential harvesting module developed by Benjamin Delpy.
A utility module used to scan internal networks in order to propagate the infection, download and run additional scripts to maintain persistence, and drop the Monero CPU miner.
The NSA-attributed EternalBlue exploit along with a PowerShell script to deploy it against the network.
The third phase of the infection downloads and runs the Monero CPU miner and then sets out to harvest the credentials of other connected machines. As a backup, it will deploy the EternalBlue exploit to move laterally within the network.
Products sold by OpenVault are for entertainment and educational purposes only. Customer’s are purchasing a physical copy of digital artwork (Software box).