Urgent Alert: WannaMine Ransomware v3.0 Breaks Out!

22/11/2018 14:57:11

Recently, several customers turned to Sangfor for help after a great many of their hosts and servers suffered system lag and blue screens. Through a full scan of endpoints with Sangfor Endpoint Detection and Response (EDR) clients, Sangfor discovered that the hosts and servers were all infected by the same, previously undiscovered, WannaMine ransomware variant.

The Sangfor security team found that the virus, WannaMine 3.0, was the latest variant to evolve from WannaMine 1.0 and WannaMine 2.0.

As its name indicates, this ransomware variant uses a propagation scheme similar to WannaCry's (rapid lateral movement over SMB on the local area network) and can evade antivirus detection. As of writing, Sangfor Technologies was the first to find this particular variant and no other security vendor has reported this event.

Sangfor acquired and analyzed the sample and found that the source site was codidled.com, a domain registered on Nov. 11, 2018, making it clear that the virus was re-encoded from WannaMine to WannaMine 3.0 on or after Nov. 11, 2018.



The propagation speed of this variant is shockingly fast, having infiltrated the networks of several hospitals just in days. The scope of the infection may be as wide as seen with WannaMine 1.0 and WannaMine 2.0.


1. Attack Scenario

Sangfor has determined that this attack was as carefully designed as WannaMine 1.0 and WannaMine 2.0: it involves a variety of modules, its scope of infection is wide and the relations between its components are sophisticated.



One of the differences in this variant is that the original compressed package has been replaced by MarsTraceDiagnostics.xml, an exploit kit that contains all the components needed to perform attacks. The compressed files of the original versions could be decompressed directly; this package, however, can only be decompressed by the virus itself, which lets it evade antivirus detection. The decompressed components include spoolsv.exe, snmpstorsrv.dll and the EternalBlue exploit kit (svchost.exe, spoolsv.exe, x86.dll/x64.dll), stored in the following locations:

C:\Windows\System32\MarsTraceDiagnostics.xml

C:\Windows\AppDiagnostics\

C:\Windows\System32\TrustedHostex.exe



Attack Procedure:

1. The DLL file snmpstorsrv.dll corresponds to the service snmpstorsrv and is loaded through the executable svchost.exe. Every time the service starts during system startup, another executable file named spoolsv.exe is loaded.

2. Next, spoolsv.exe scans the local area network on port 445 for target hosts and starts the vulnerability exploit programs svchost.exe and spoolsv.exe.

3. Svchost.exe performs EternalBlue buffer overflow attacks against the hosts targeted in Step 2. Upon successful intrusion, spoolsv.exe (the NSA-linked DoublePulsar exploit kit) installs a backdoor and the malicious payload (x86.dll/x64.dll).

4. The payload (x86.dll/x64.dll) is executed to copy MarsTraceDiagnostics.xml from the local host to the target host, decompress the file, register the snmpstorsrv service and start spoolsv to perform attacks.

Each newly infected host then repeats the above steps, so the infection spreads from host to host.
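The chain above leaves a recognisable trail on an endpoint: the dropper package and component directory are written, the snmpstorsrv service is registered, a spoolsv.exe outside System32 opens tcp/445 to many hosts, and the miner contacts codidled.com. The following detection logic is an added example written for this advisory, not Sangfor's EDR code; the key="value" log format, field names, host names and the sweep threshold are constructed assumptions, while the indicators themselves (paths, service name, domain) come from this page.

```python
import re

# Indicators listed in this advisory: dropper package, miner, component
# directory, service name and the domain the sample was fetched from.
IOC_PATHS = {"c:\\windows\\system32\\marstracediagnostics.xml",
             "c:\\windows\\system32\\trustedhostex.exe"}
IOC_DIR_PREFIX = "c:\\windows\\appdiagnostics\\"
IOC_SERVICE = "snmpstorsrv"
IOC_DOMAIN = "codidled.com"
SMB_SWEEP_THRESHOLD = 20  # distinct tcp/445 targets per process; assumed tuning value

def parse(line):
    """Parse one key="value" record (constructed log format, not a real product's)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def detect(lines):
    """Return (rule, detail) hits for the WannaMine 3.0 chain over log records."""
    hits, smb_targets = [], {}
    for rec in map(parse, lines):
        ev, image = rec.get("event"), rec.get("image", "").lower()
        path = rec.get("path", "").lower()
        if ev == "file_create" and (path in IOC_PATHS or path.startswith(IOC_DIR_PREFIX)):
            hits.append(("ioc_file", rec["path"]))
        elif ev == "service_install" and rec.get("service", "").lower() == IOC_SERVICE:
            hits.append(("ioc_service", rec.get("binpath", "")))
        elif ev == "net_connect":
            # spoolsv.exe is also the legitimate print spooler, so one 445
            # connection is not suspicious; a sweep across many hosts is.
            if rec.get("dst_port") == "445" and image.endswith("spoolsv.exe"):
                smb_targets.setdefault((rec["host"], rec["image"]), set()).add(rec["dst_ip"])
            if rec.get("dst_host", "").lower().endswith(IOC_DOMAIN):
                hits.append(("ioc_domain", f'{rec["image"]} -> {rec["dst_host"]}'))
    for (host, image), targets in smb_targets.items():
        if len(targets) >= SMB_SWEEP_THRESHOLD:
            hits.append(("smb_sweep", f"{host}: {image} -> {len(targets)} hosts on 445"))
    return hits

# Constructed sample records reproducing the chain from the advisory on host ws01.
SAMPLE_LOG = [
    'event="file_create" host="ws01" image="C:\\Windows\\System32\\svchost.exe" path="C:\\Windows\\System32\\MarsTraceDiagnostics.xml"',
    'event="file_create" host="ws01" image="C:\\Windows\\System32\\svchost.exe" path="C:\\Windows\\AppDiagnostics\\snmpstorsrv.dll"',
    'event="service_install" host="ws01" service="snmpstorsrv" binpath="C:\\Windows\\AppDiagnostics\\snmpstorsrv.dll"',
    # legitimate print spooler on ws02 reaching a single print server: must not fire
    'event="net_connect" host="ws02" image="C:\\Windows\\System32\\spoolsv.exe" dst_ip="10.0.0.5" dst_port="445"',
    'event="net_connect" host="ws01" image="C:\\Windows\\System32\\TrustedHostex.exe" dst_host="codidled.com"',
] + [f'event="net_connect" host="ws01" image="C:\\Windows\\AppDiagnostics\\spoolsv.exe" dst_ip="10.0.0.{i}" dst_port="445"'
     for i in range(1, 26)]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(rule, detail)
```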



2. Removing Earlier Version of WannaMine

WannaMine 3.0 purposely removes earlier versions of WannaMine, deleting or disabling the files, services and tasks of WannaMine 1.0 and WannaMine 2.0.

The WannaMine virus sample before removal is shown as follows:



1. Service wmassrv is stopped.


2. UPnPHostServices task is deleted:


3. EnrollCertXaml.dll is deleted:


4. EternalBlue and mining programs are terminated and files deleted:



The process files are:

C:\Windows\SpeechsTracing\spoolsv.exe

C:\Windows\System32\TasksHostServices.exe

C:\Windows\SpeechsTracing\Microsoft\svchost.exe

C:\Windows\SpeechsTracing\Microsoft\spoolsv.exe

5. The original wmassrv.dll file is deleted:



6. The file directories of earlier versions are traversed and deleted:



The corresponding directories are:

C:\Windows\SpeechsTracing\Microsoft\

7. The previous mining module HalPluginsServices.dll is uninstalled:


Process rundll32.exe is terminated:



Then the mining file is deleted.


3. Mining

Like WannaMine 1.0 and 2.0, WannaMine 3.0 aims to mine cryptocurrency collectively on a large scale, taking advantage of the EternalBlue vulnerability to spread rapidly across the local area network. The mining file is TrustedHostex.exe.



A network connection to codidled.com is initiated.



4. Solution

a. Isolate the virus-infected host as soon as possible and disable all its connections and network adapters.

b. Block SMB port 445 and cut off communication between the host and any external network.

c. Fix the vulnerability by installing Microsoft's MS17-010 patch for EternalBlue (https://support.microsoft.com/).

d. Sangfor NGAF customers can enable IPS and ATP detection to block attacks. Sangfor Engine Zero, with the latest engine and database, and Neural-X with cloud security capability, are both able to detect and prevent WannaMine.

e. Scan for and remove the viruses with Sangfor EDR tool: http://go.sangfor.com/edr-tool-20181122
