Technical Analysis: Newly Observed Cryptominer

Pondurance’s Threat Hunting and Response (TH+R) team has encountered a variety of cryptocurrency miner outbreaks throughout the first quarter of 2018, led by the prevalent and crippling WannaMine cryptominer, which drives CPU usage to 100% and renders affected systems virtually unusable. WannaMine is particularly notable because it incorporates a credential-harvesting module and the EternalBlue SMBv1 exploit to perform lateral movement and privilege escalation on a victim network. On March 22, 2018, when Pondurance’s TH+R team observed a large number of systems downloading PowerShell .ps1 scripts combined with connections to cryptomining pools, their initial fear was another WannaMine outbreak. However, upon closer observation, they realized the outbreak was caused by a newly observed cryptominer.
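The observation that triggered the investigation, a host fetching a PowerShell .ps1 script and shortly afterwards talking to a mining pool, is itself a useful hunting correlation. The following is an added example, not code from Pondurance or from the original report: it parses constructed proxy/firewall log lines and flags source hosts where a script download is followed within a time window by a pool connection. The log format, the pool hostname fragments and ports, the trusted internal script host, and the 30-minute window are all assumptions chosen for the example and would be replaced with the analyst’s own indicators and log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines for this example (not from the original report).
# Format: <ISO timestamp> <src_host> <dest_host>:<dest_port> <url_or_dash>
SAMPLE_LOGS = """\
2018-03-22T09:14:02 WS-0412 203.0.113.10:80 http://203.0.113.10/update.ps1
2018-03-22T09:14:09 WS-0412 pool.example-mining.invalid:3333 -
2018-03-22T09:20:31 WS-0198 203.0.113.10:80 http://203.0.113.10/update.ps1
2018-03-22T11:45:00 WS-0198 pool.example-mining.invalid:3333 -
2018-03-22T09:30:15 WS-0077 intranet.corp.invalid:443 https://intranet.corp.invalid/deploy/install.ps1
2018-03-22T09:31:00 WS-0303 pool.example-mining.invalid:3333 -
"""

# Analyst-supplied indicators (assumptions for this example): hostname fragments
# and destination ports the analyst associates with stratum mining pools.
POOL_HOST_FRAGMENTS = ("pool.", "mining")
POOL_PORTS = {3333, 4444, 5555, 14444}
# Scripts fetched from an approved internal distribution point are not suspicious.
TRUSTED_SCRIPT_HOSTS = {"intranet.corp.invalid"}
# Maximum gap between the script download and the first pool connection.
WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "url": url}


def is_ps1_download(ev):
    """A .ps1 fetch from anywhere other than a trusted internal host."""
    return ev["url"].lower().endswith(".ps1") and ev["dst"] not in TRUSTED_SCRIPT_HOSTS


def is_pool_connection(ev):
    """Destination matches a pool port or a pool-like hostname fragment."""
    host = ev["dst"].lower()
    return ev["port"] in POOL_PORTS or any(f in host for f in POOL_HOST_FRAGMENTS)


def _collect(log_text):
    downloads, pools = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if is_ps1_download(ev):
            downloads[ev["src"]].append(ev["ts"])
        if is_pool_connection(ev):
            pools[ev["src"]].append(ev["ts"])
    return downloads, pools


def find_suspect_hosts(log_text, window=WINDOW):
    """Return {src_host: [(download_time, pool_time), ...]} for hosts that fetched
    a .ps1 script and then reached a mining pool within `window`."""
    downloads, pools = _collect(log_text)
    hits = {}
    for src, dl_times in downloads.items():
        pairs = [(d, p) for d in dl_times for p in pools.get(src, [])
                 if timedelta(0) <= p - d <= window]
        if pairs:
            hits[src] = sorted(pairs)
    return hits


def pool_only_hosts(log_text, window=WINDOW):
    """Hosts with pool traffic but no correlated script download; worth a second
    look because the download may have happened outside the log window."""
    _, pools = _collect(log_text)
    return sorted(set(pools) - set(find_suspect_hosts(log_text, window)))


if __name__ == "__main__":
    for host, pairs in find_suspect_hosts(SAMPLE_LOGS).items():
        for dl, pool in pairs:
            print(f"{host}: .ps1 download at {dl} followed by pool connection at {pool}")
    print("pool traffic without a correlated script download:", pool_only_hosts(SAMPLE_LOGS))
```

In the constructed sample, only WS-0412 is correlated; WS-0198 reached a pool more than two hours after its download, WS-0077 pulled its script from the trusted internal host, and WS-0303 shows pool traffic with no download at all, so the last two pool-talking hosts are surfaced separately for triage rather than silently dropped.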

About the author: Max Henderson has been a Security Analyst with Pondurance for over three years, focusing primarily on Threat Hunting and Response as well as Digital Forensics and Incident Response. Max excels at network-based and host-based forensics, having responded to a variety of advanced scenarios involving potential nation-state sponsored attackers, financially motivated attackers, and destructive self-propagating malware. Max has also helped shape, and build the platform for, all current network-based and host-based threat hunting tactics used by the Pondurance Threat Hunting and Response team. Max specializes in working through large quantities of raw data to identify and extract suspicious activity that did not trigger any signatures or match any known Indicators of Compromise. Max holds a Bachelor of Science (BS) degree in Computer Criminology with a focus on Digital Forensics.