{
	"id": "b260aeaf-b08a-4f1b-9b7e-b6210e61796d",
	"created_at": "2026-04-06T00:12:59.671552Z",
	"updated_at": "2026-04-10T13:12:43.256639Z",
	"deleted_at": null,
	"sha1_hash": "7e87348095fa0b186002e885cf6adac51138079a",
	"title": "WannaMine Cryptominer that uses EternalBlue still active",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1317800,
	"plain_text": "WannaMine Cryptominer that uses EternalBlue still active\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 22:39:22 UTC\r\nResearch by Amit Serper\r\nA few days ago the Nocturnus team investigated a new outbreak of Wannamine. Wannamine is an attack based on the EternalBlue exploits that were leaked from the NSA last year. You probably remember those exploits since they were used in last year’s WannaCry and NotPetya attacks.\r\nWannamine penetrates computer systems through an unpatched SMB service and gains code execution with high privileges to then propagate across the network, gaining persistence and arbitrary code execution abilities on as many machines as possible.\r\nFirst off, WannaMine isn’t a new attack. Other researchers have written about it and news articles have covered it. And that’s part of the problem (and why I’m publishing this research): the EternalBlue exploits are well known. And how to prevent attacks that use these exploits is also well known: apply a patch that Microsoft issued in March 2017. Yet companies are still facing threats that use the EternalBlue exploits. And until organizations patch and update their computers, they’ll continue to see attackers use these exploits for a simple reason: they lead to successful campaigns. Part of giving the defenders an advantage means making the attacker’s job more difficult by taking steps to boost an organization’s security. Patching vulnerabilities, especially the ones associated with EternalBlue, falls into this category.\r\nNow that I’ve made the case for patching, let’s look into the technical details of this latest Wannamine outbreak. The initial attack vector was exploitation of EternalBlue via an unpatched SMB server, like we saw with the WannaCry attack last May. Once code execution was gained, a PowerShell instance was spawned:\r\nhttps://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry\r\nPage 1 of 10\n\nNotice the Get-WmiObject cmdlet: The attackers are using WMI to enumerate the bitness of the victim machine - 32-bit or 64-bit. Once the bitness is enumerated, the correct payload will be downloaded and executed - in3.ps1 for 32-bit machines and in6.ps1 for 64-bit machines.\r\nThe downloaded payload is a very large text file. Most of it is base64 encoded along with some other text encoding and obfuscation tricks. In fact, the downloaded payload is so large (thanks to all of the obfuscation) that it makes most text editors hang and it’s quite impossible to load the entire base64’d string into an interactive ipython session.\r\nOnce deobfuscated we can see more PowerShell code. Reading through the PowerShell code, it is very easy to understand its purpose: WannaMine uses WMI and PowerShell extensively to move laterally across a network. In addition to the PowerShell code, which is written in plain ASCII strings, there are also other unidentified strings and some binary blobs inside that huge heap of text (since I simply de-base64’d everything in that file).\r\nThat binary blob, along with some more obfuscated text, is actually more code and a command to run the .NET compiler in order to compile a .NET DLL file.\r\nImportant note: the DLL will be compiled to a different, random, file name each time.\r\nWhen we load that DLL into a .NET disassembler, we can clearly see that this is the PingCastle scanner, which was also mentioned in past reports about WannaMine. PingCastle’s job is to map the network and find the shortest path to the next exploitable machine by grabbing SMB information through the response packets sent by the SMB servers.\r\nWhile PingCastle is running, there are other parts from the main PowerShell script still in motion, including a PowerShell implementation of Mimikatz. The interesting thing is that this made me realize that most of the code in that PowerShell script was copied verbatim from various GitHub repositories. For example, the PowerShell Mimikatz implementation is straight from the invoke-mimikatz repository:\r\nPowerShell Mimikatz code from the dropped PowerShell script\r\nPowerShell Mimikatz code from the original GitHub repository\r\nThe PowerShell script will also change the power management settings on the infected machine just before the miners are dropped to prevent the machine from going to sleep and maximize mining power availability:\r\nAfter the power settings on the machine were reconfigured, we started seeing hundreds of powershell.exe processes using a lot of CPU cycles and connecting to mining pool servers:\r\nThat tells us that the cryptominers are actually running within PowerShell. However, when looking at the command line in these PowerShell executions, we don’t really see anything indicative of that behavior.\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoP -NonI -W Hidden \"$mon = ([WmiClass] 'root\\default:systemcore_Updater').Properties['mon'].Value;$funs = ([WmiClass] 'root\\default:systemcore_Updater').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')\"\r\nWhen examining the command line, we can see that a WMI class, root\\default:systemcore_Updater, is being accessed. This class holds the version of the currently installed Wannamine malware.\r\nAs for persistence, we can see that the malware installed a WMI filter, consumer and binder to gain persistent execution through WMI intrinsic events.\r\nQuerying for WMI persistent objects across the entire organization\r\nWhen looking at WMI persistent objects across the entire organization, we can see that many machines have a WMI autorun associated with them. When we look at the consumer action (which defines which action to take once the intrinsic WMI event is consumed and handled) we see, yet again, a blob of base64 encoded data. When decoded, we get about 120 lines of PowerShell code. Here are some of its highlights:\r\nThis block extracts the functions from the root\\default:Office_Updater WMI class in their base64 form and then decodes them. Once decoded, the script will execute those commands by invoking them (iex $defun).\r\nThe script then looks for other FilterToConsumerBinders and removes them.\r\nImportant note: The script will then try to list all the processes that are connecting to remote IP addresses on ports 3333, 5555 and 7777 and, if there are any active processes, the script will terminate them. This Wannamine variant connects to mining pools on port 14444 while other variants of this attack are connecting to mining pools on more standardized ports like 3333, 5555 and 7777. If any other processes on this machine are connected to mining pools on the standard ports, they will be terminated.\r\nOnce that process is finished, it’s time to extract more values from the data that is stored within the WMI classes:\r\nThe long (and truncated since it’s too big to fit in that screenshot) command will execute the cryptominer by invoking all of the commands that are stored in the $funs variable. Then, additional functionality will be extracted from other values in the Office_Updater class.\r\nThese are the most notable variables:\r\n$mimi = PowerShell Mimikatz\r\n$NTLM = Extracted NTLM hashes for lateral movement\r\n$scba = Scheduled task information for persistence\r\n$i17 = A list of IP addresses to be targeted. The IP addresses in $i17 are vulnerable to EternalBlue as gathered by the PingCastle scanner:\r\nAs I mentioned earlier, Wannamine isn’t a new attack. It leverages the EternalBlue vulnerabilities that were used to wreak havoc around the world almost a year and a half ago. But more than a year later, we’re still seeing organizations severely impacted by attacks based on these exploits. There’s no reason for security analysts to still be handling incidents that involve attackers leveraging EternalBlue. And there’s no reason why these vulnerabilities should remain unpatched. Organizations need to install security patches and update machines.\r\nBut that’s not all. Some of the IP addresses associated with Wannamine servers are still active although they were disclosed in security reports more than a year ago. We emailed the providers hosting those servers and haven’t heard back yet. In the meantime, we strongly recommend blocking these IPs:\r\n118.184.48.95\r\n104.148.42.153\r\n107.179.67.243\r\n172.247.116.8\r\n172.247.116.87\r\n45.199.154.141\r\nThe code and mechanisms behind the Wannamine attack aren’t sophisticated: they are the product of hacking third party code (like the PingCastle scanner) and copying and pasting massive amounts of code, sometimes verbatim, from GitHub repositories.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry"
	],
	"report_names": [
		"wannamine-cryptominer-eternalblue-wannacry"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434379,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e87348095fa0b186002e885cf6adac51138079a.pdf",
		"text": "https://archive.orkl.eu/7e87348095fa0b186002e885cf6adac51138079a.txt",
		"img": "https://archive.orkl.eu/7e87348095fa0b186002e885cf6adac51138079a.jpg"
	}
}