Monitoring shows that competition for mining resources has intensified, and WannaMine has used various methods to drive out competitors

On January 7th, the Tencent Yumi Threat Intelligence Center (WeChat public account) published a post stating that it had detected a new update to the WannaMine mining botnet. WannaMine was first discovered at the end of 2017; it relied mainly on PowerShell "fileless" attacks to build a mining botnet. The updated WannaMine spreads more widely, uses several methods to clean out competing Trojans and stop their mining, and also installs a remote-control Trojan to take complete control of the infected system. The updated WannaMine virus has the following characteristics:

1. Spreads by exploiting the "Eternal Blue" vulnerability.
2. Uses mimikatz to capture domain login passwords and WMI remote execution to move laterally across the internal network.
3. Adds an IP security policy that prevents the machine from connecting to 47 mining pools used by competing Trojans, and prevents other viruses from invading through the "Eternal Blue" vulnerability.
4. Adds scheduled tasks and WMI event consumers for persistence, and deletes the WMI backdoor of the "MyKings" virus.
5. Uses the COM component registration program regsvr32 to execute malicious scripts.
6. Uses WMIClass to access malicious code.
7. Downloads the Gh0st remote-control Trojan connenece.exe and the Monero mining Trojan steam.exe onto the infected machine.
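As an added defender-side triage example (not code from the Tencent report), the following PowerShell enumerates the two persistence mechanisms named in points 4 and 5, WMI permanent event subscriptions and scheduled tasks, and flags any action that invokes regsvr32, PowerShell or a script host; the keyword pattern is an assumption and should be tuned to the environment.

```powershell
# Added example: triage WMI event-consumer and scheduled-task persistence.
# Run in an elevated PowerShell 5.1+ session on the host being examined.
# The keyword pattern below is an assumption, not an indicator from the report.
$SuspectPattern = 'regsvr32|scrobj|powershell|mshta|wscript|cscript|-enc|http'

function Get-WmiPersistence {
    # Permanent subscriptions live in root\subscription: an __EventFilter (trigger)
    # is bound to an __EventConsumer (payload) by a __FilterToConsumerBinding.
    $ns = 'root\subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
    foreach ($b in $bindings) {
        # Binding references are strings like CommandLineEventConsumer.Name="x"
        $c = $consumers | Where-Object { $b.Consumer -like "*$($_.Name)*" }
        $f = $filters   | Where-Object { $b.Filter   -like "*$($_.Name)*" }
        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs script text
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{
            Filter     = $f.Name
            Query      = $f.Query
            Consumer   = $c.Name
            Type       = $c.CimClass.CimClassName
            Payload    = $payload
            Suspicious = [bool]($payload -match $SuspectPattern)
        }
    }
}

function Get-SuspiciousScheduledTasks {
    # Flag tasks whose action executable or arguments match the keyword pattern
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $SuspectPattern) {
                [pscustomobject]@{ Path = $task.TaskPath; Name = $task.TaskName; Command = $cmd }
            }
        }
    }
}

Get-WmiPersistence | Format-List
Get-SuspiciousScheduledTasks | Format-Table -AutoSize
```

Any binding reported as Suspicious, or any task whose command line pulls a script through regsvr32 or PowerShell, deserves a closer look; the Filter query shows what event triggers the payload.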