Ransomware could be dwarfed by a new malware that
effectively enslaves Windows machines into botnets to mine for Monero.
It snuck under the radar, however, since it does not
encrypt and lock down files to demand bitcoin ransoms.
Instead, the stealthy malware brings monetary gains to
attackers by discreetly mining Monero, a cryptocurrency with enhanced privacy
features compared to bitcoin. Most victims are unlikely to even know that their
Windows computers are compromised.
The only symptoms of an infection are sluggish PC and
server performance and the loss of access to shared Windows drives.
Mining cryptocurrencies can be a costly investment, as it
takes a monstrous amount of computing power, so hackers have started
using malware that steals the computing resources of the computers it hijacks to earn
large sums in digital currency.
Cybercriminals
only made modifications to legitimate open source Monero mining software and
exploited a known vulnerability in Microsoft IIS 6.0 to secretly install the
miner on unpatched Windows servers.
It reports that
the attackers have been infecting unpatched Windows web servers with the
cryptocurrency miner since at least May 2017 to mine 'Monero,' a Bitcoin-like
cryptocurrency.
The vulnerability
(CVE-2017-7269) exploited by the attackers was discovered in March 2017 by
Zhiniang Peng and Chen Wu and resides in the WebDAV service of Microsoft IIS
version 6.0—the web server in Windows Server 2003 R2.
Since the vulnerability
is in a web server, which is meant to be visible from the internet, it can be
reached and exploited by anyone. Unlike Bitcoin, Monero offers untraceable,
anonymous transactions.
Another reason
hackers favour Monero is that it uses a proof-of-work algorithm called
CryptoNight, which suits ordinary computer or server CPUs and GPUs, while Bitcoin mining
requires specialised mining hardware.
Researchers say
the hacker uses a combination of old vulnerabilities and weak user/password
combinations to attack mostly old and unsupported Windows Server machines.
The most common
flaws exploited by the botnet operator include known phpMyAdmin configuration
flaws, exploits in JBoss, and bugs in Oracle Web Application Testing Suite,
MSSQL servers, ElasticSearch, Apache Tomcat, Oracle Weblogic, and other
services.
Once the hacker
gains access to a Windows Server machine, he deploys Visual Basic files to
gather information about the infected system and then installs a Remote Access
Trojan (RAT) and a cryptocurrency miner to make a huge profit from the hacked
servers.
The following image shows the general view of the entire
attack path. As you might see from the picture, the flow could be considered
complex, since many specific artifacts are involved in the attack phases.
The initial stage starts by abusing the user's inexperience, leading him/her
to click on a first stage file called (in my case) y1.bat.
Nowadays the email vector is one of attackers' favourite vectors, since it is
easy to implement and to use for delivering malicious content. Once the first stage is run,
it downloads and executes a second stage file called info6.ps1: a
heavily obfuscated PowerShell script which drops (by de-obfuscating it directly in
its body) three internal resources:
- Mimikatz.dll. This module is used to steal user administrative credentials.
- Utilities. This module is used to scan internal networks in order to propagate the infection; it runs several internal utilities such as (but not limited to) de-obfuscation routines, array ordering and exploit launching. This module is also used to drop and execute an additional file (from the same server) named info.vbs.
- Exploits. This module is a set of known exploits such as eternalblue7_exploit and eternal_blue_powershell, used from the initial stage of the attack to infect internal machines.
The last stage (info.vbs) drops and runs an executable
file which has been recognised to be XMRig. XMRig is an open
source Monero CPU miner, freely available on GitHub. The infection tries to
propagate itself by scanning and attacking internal resources through the
Exploit module, while the XMRig module mines Monero cryptocurrency, giving
the attacker fresh "crypto money" by stealing the victims'
resources.
Analysis.
A romantic but still "working" .bat file is
propagated to the victim by email or message. Once the user clicks on it, the
.bat file runs the following command, spawning a PowerShell able to
download and run a script called info6.ps1 from http://118.184.48.95:8000/
Stage1: Downloads and Run
The downloaded PowerShell file is clearly divided into
two macro blocks, both of them obfuscated. The following image shows the two
visual sections, which I am going to call "half up" (the section
before the "new line") and "half down" (the section after the
"new line").
Stage2: Two Visual Sections to be explored
While the "half up" section fairly clearly appears to
be a Base64-encoded text file, the "half down" section looks like it is
encoded through a crafted function which, fortunately (and certainly), appears in
clear text at the end of the file. By editing that function it is possible
to modify the decoding process so that it saves the decoded text file directly
to a folder of choice. The following image shows the decoded second stage
"half down" section.
Decoded Second Stage "Half Down"
Analysing the section code it is easy to see that
the main functions used are dynamically extracted from the file itself by
performing substring operations on its current content.
# Each module is carved out of $fa by (offset, length); the last call gives only an offset and runs to the end of the string
$funs=$fa.SubsTrIng(0,406492)
$mimi=$fa.sUBStrInG(406494,1131864)
$mon=$fa.suBstrING(1538360,356352)
$vcp=$fa.sUBStRiNG(1894714,880172)
$vcr=$fa.sUBstrINg(2774888,1284312)
$sc=$fa.sUBsTrinG(4059202)
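As an added example (not code from the original analysis), the following Python parses the substring table above, reports the gap between the end of one module and the start of the next, and carves the modules out of a constructed miniature $fa with the same layout; the constant two-character gap is the kind of regularity an analyst checks for when locating separators between embedded payloads.

```python
import re

# Substring table copied from the decoded "half down" section above.
CARVE_TABLE = """
$funs=$fa.SubsTrIng(0,406492)
$mimi=$fa.sUBStrInG(406494,1131864)
$mon=$fa.suBstrING(1538360,356352)
$vcp=$fa.sUBStRiNG(1894714,880172)
$vcr=$fa.sUBstrINg(2774888,1284312)
$sc=$fa.sUBsTrinG(4059202)
"""

# Method names are case-insensitive in PowerShell, hence re.I.
_LINE = re.compile(r"^\$(\w+)=\$fa\.substring\((\d+)(?:,(\d+))?\)$", re.I)


def parse_table(text):
    """Return [(name, offset, length)] in file order; length is None for the
    one-argument form, which PowerShell reads as 'up to end of string'."""
    modules = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError("unrecognised carve line: " + line)
        name, off, ln = m.groups()
        modules.append((name, int(off), None if ln is None else int(ln)))
    return modules


def gaps(modules):
    """Characters skipped between the end of one module and the start of the next."""
    result, prev_end = [], 0
    for _, off, ln in modules:
        result.append(off - prev_end)
        if ln is not None:
            prev_end = off + ln
    return result


def carve(fa, modules):
    """Slice each module out of the decoded $fa content the way the script does."""
    return {name: (fa[off:] if ln is None else fa[off:off + ln])
            for name, off, ln in modules}


# Constructed miniature $fa (not from the sample) with the same two-character separators.
SAMPLE_FA = "FUNCS\r\nMIMI\r\nSC"
SAMPLE_TABLE = "$funs=$fa.SubString(0,5)\n$mimi=$fa.substring(7,4)\n$sc=$fa.SUBSTRING(13)"

if __name__ == "__main__":
    print(gaps(parse_table(CARVE_TABLE)))      # [0, 2, 2, 2, 2, 2]
    print(carve(SAMPLE_FA, parse_table(SAMPLE_TABLE)))
```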
The content of the $fa variable, and every function related to
it, is placed in the "half up" section, which after being decoded looks
like the following image.
Decoded Second Stage "Half Up"