[Alert] WannaMine v4.0 Ransomware Outbreak

21/03/2019 14:07:20

In recent days, the Sangfor security team received reports from several customers that a great many of their hosts and servers were experiencing lag and blue screens. We found that the cause is the latest variant of WannaMine, WannaMine4.0, which evolved from WannaMine1.0, WannaMine2.0 and WannaMine3.0.

As its name indicates, this ransomware variant uses a propagation scheme similar to WannaCry's (rapid lateral movement over SMB on the local area network) but can evade antivirus detection. As of the time of writing, WannaMine4.0 has only been found by Sangfor; no other security vendor has reported this event.

We acquired and analyzed the sample and found that the source site had changed to totonm.com, a new domain registered on March 17, 2019.

The virus was built the day after registration, on March 18, 2019, and immediately started to spread. On March 20, 2019, the Sangfor security team first found this new variant in China.
We are surprised by its propagation speed: this variant intruded into the networks of several hospitals within days. The scope of infection may be as wide as that of WannaMine1.0, WannaMine2.0 and WannaMine3.0.

0x01 Attack Scenario
This attack is carefully designed like WannaMine3.0: the modules involved are varied, the scope of infection is wide and the relations between components are sophisticated.
One of the differences is that the original compressed package has been replaced by rdpkax.xsl, an exploit kit that contains all the components needed to perform attacks. As in the previous version 3.0, this variant also adopts antivirus evasion techniques. rdpkax.xsl is a special data packet that the variant must decrypt and unpack into its components, including the EternalBlue exploit kit (svchost.exe, spoolsv.exe, x86.dll/x64.dll, etc.), which are stored in the following directories:
Attack Procedure:
  1. The DLL file ApplicationNetBIOSClient.dll corresponds to the service ApplicationNetBIOSClient and is loaded through the executable svchost.exe. Every time it starts at system startup, it launches another executable, spoolsv.exe.
  2. spoolsv.exe then scans the local area network on port 445 to find target hosts and launches the vulnerability exploit programs svchost.exe and spoolsv.exe. svchost.exe performs EternalBlue buffer overflow attacks against the hosts found by the scan.
  3. Upon successful intrusion, spoolsv.exe (the NSA-linked DoublePulsar exploit kit) installs the backdoor and the malicious payload (x86.dll/x64.dll).
  4. The payload (x86.dll/x64.dll) runs to copy rdpkax.xsl from the local host to the target host, decompress the file, register the ApplicationNetBIOSClient service and start spoolsv.exe to perform further attacks. Each host is infected in this way, step by step.
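As an added defender's example (not part of this alert and not Sangfor's code), the port 445 sweep in step 2 can be hunted in firewall or NetFlow-style connection logs: one internal source opening connections to many distinct hosts on port 445 within a short window. The log format, the threshold of 10 distinct targets per minute and the sample lines below are constructed assumptions for this illustration, not captured traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed sample connection log: "timestamp src_ip dst_ip dst_port" per line.
SAMPLE_LOG = "\n".join(
    # one host sweeping 12 neighbours on 445 within 12 seconds
    [f"2019-03-20T10:00:{i:02d} 10.0.5.23 10.0.5.{100 + i} 445" for i in range(12)]
    # an ordinary client talking to two file servers
    + ["2019-03-20T10:00:05 10.0.5.50 10.0.5.200 445",
       "2019-03-20T10:00:35 10.0.5.50 10.0.5.201 445",
       "2019-03-20T10:01:05 10.0.5.50 10.0.5.200 445",
       # non-SMB traffic is ignored by the detector
       "2019-03-20T10:00:07 10.0.5.60 10.0.5.200 80"]
)


def parse_line(line):
    """Split one constructed log line into (datetime, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_smb_fan_out(log_text, min_targets=10, window=timedelta(seconds=60)):
    """Return {src: max distinct port-445 targets seen in any `window`} for every
    source whose maximum reaches `min_targets`. A worm sweeping a /24 produces a
    far higher fan-out than a client using a handful of file servers."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == SMB_PORT:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        # Start a window at each event and count distinct destinations inside it.
        for i, (start, _) in enumerate(events):
            targets = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                targets.add(dst)
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    # Expected: {'10.0.5.23': 12}
    print(detect_smb_fan_out(SAMPLE_LOG))
```

The threshold should be tuned per network; vulnerability scanners and backup servers legitimately fan out on 445 and belong on an allow list rather than in the alert queue.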

0x02 Combination Shift and Antivirus Evasion

Compared with earlier versions, WannaMine4.0 stands out for its combination shift (randomized naming) and antivirus evasion.

The virus generates different main service module DLLs and data packets, as shown below:

The generated main service module DLL is named by combining the following character strings randomly:

The main service module name is generated randomly from the following three character string lists:
String list 1: Windows, Microsoft, Network, Remote, Function, Secure, Application
String list 2: Update, Time, NetBIOS, RPC, Protocol, SSDP, UPnP
String list 3: Service, Host, Client, Event, Manager, Helper, System
The encrypted data packets are given one of the following extensions: xml, log, dat, xsl, ini, tlb, msc

That is to say, ApplicationNetBIOSClient is a combination of one string from each list, concatenated in the order string list 1 + string list 2 + string list 3 (Application + NetBIOS + Client).

The name of the main service ApplicationNetBIOSClient and its DLL change as above every time the virus starts, owing to the large number of possible combinations. What is more, the randomly combined character strings are hardcoded into the file when the dropper generates the main service module DLL, so the generated hash value differs every time.
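As an added example (not part of this alert and not Sangfor's code), the naming scheme above is small enough to enumerate completely, so a defender can check a service inventory against every name it can produce rather than relying on a file hash that changes with each build. The sample inventory below is constructed; the DLL check assumes, as this alert reports for ApplicationNetBIOSClient.dll, that the service DLL's basename repeats the service name, and it treats the service name alone as a lower-confidence hit.

```python
import itertools
import re

# Word lists and data-packet extensions as reported in this alert.
LIST1 = ["Windows", "Microsoft", "Network", "Remote", "Function", "Secure", "Application"]
LIST2 = ["Update", "Time", "NetBIOS", "RPC", "Protocol", "SSDP", "UPnP"]
LIST3 = ["Service", "Host", "Client", "Event", "Manager", "Helper", "System"]
DATA_EXTENSIONS = {"xml", "log", "dat", "xsl", "ini", "tlb", "msc"}

# Exact match of <list1><list2><list3> with nothing before or after.
NAME_RE = re.compile(
    "^(" + "|".join(LIST1) + ")(" + "|".join(LIST2) + ")(" + "|".join(LIST3) + ")$"
)


def all_service_names():
    """Every name the scheme can produce: 7 * 7 * 7 = 343 candidates."""
    return {a + b + c for a, b, c in itertools.product(LIST1, LIST2, LIST3)}


def split_scheme_name(name):
    """Return the (list1, list2, list3) words if `name` fits the scheme, else None."""
    m = NAME_RE.match(name)
    return m.groups() if m else None


def is_data_packet_name(filename):
    """True if the file carries one of the extensions used for the encrypted data packet."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in DATA_EXTENSIONS


def suspicious_services(services):
    """services: iterable of (service_name, dll_path) pairs, such as the
    Parameters\\ServiceDll values under HKLM\\SYSTEM\\CurrentControlSet\\Services.
    Returns [(name, high_confidence)]: high_confidence is True when the DLL
    basename also repeats the service name, as the alert describes."""
    hits = []
    for name, dll_path in services:
        if split_scheme_name(name) is None:
            continue
        basename = dll_path.replace("\\", "/").rsplit("/", 1)[-1]
        hits.append((name, basename.lower() == (name + ".dll").lower()))
    return hits


# Constructed sample inventory; the ApplicationNetBIOSClient entry mirrors this alert.
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("W32Time", r"C:\Windows\System32\w32time.dll"),
    ("ApplicationNetBIOSClient", r"C:\Windows\System32\ApplicationNetBIOSClient.dll"),
    ("MicrosoftRPCHost", r"C:\Windows\System32\rpchost.dll"),  # scheme name, DLL differs
    ("NetworkService", r"C:\Windows\System32\netsvc.dll"),  # no list-2 word: not a hit
]

if __name__ == "__main__":
    # Expected: [('ApplicationNetBIOSClient', True), ('MicrosoftRPCHost', False)]
    print(suspicious_services(SAMPLE_SERVICES))
    print(len(all_service_names()), "possible names")
```

A name match is a lead, not a verdict: confirm it against the service's binary path, the presence of an oddly named data packet such as rdpkax.xsl beside it, and the svchost.exe/spoolsv.exe activity described in the attack procedure before cleaning a host.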

0x03 Mining

WannaMine4.0 follows the pattern of the WannaMine family, targeting large-scale collective mining (taking advantage of the EternalBlue vulnerability to spread rapidly across the network). The main virus file is dllhostex.exe. Because of the EternalBlue vulnerability exploit, compromised hosts and servers experience lag and possibly blue screens, posing great impacts on business security.
The mining program activities are as follows:

The captured data packet is as shown in the following figure:

0x04 Solution

Ransomware Detection
Sangfor security products, NGAF and EDR, are capable of detecting and removing this ransomware virus.

1. Install the EternalBlue patch (MS17-010) on victim computers from Microsoft's official site to fix the vulnerability: https://technet.microsoft.com/library/security/MS17-010
2. Back up critical data files regularly to other hosts or storage devices.
3. Do not click on email attachments from unknown sources and do not download software from untrusted websites.
4. Disable unnecessary file sharing on ports such as 445.
5. For Sangfor NGAF customers, update NGAF to version 8.0.5 or above and enable the AI-based Sangfor Engine Zero for the best protection.
6. Deploy Sangfor security products and connect them to cloud-based Sangfor Neural-X to detect new threats.
7. Perform a security scan and virus removal across the whole network to enhance network security. We recommend Sangfor NGAF to detect, prevent and protect your internal network.
