Follow by Email

Thursday, December 21, 2017

Next trend CyberAttack? Monero Mining Malware "Brings down BCP" How is it different from Ransomware:

Ransomware could be dwarfed by a new malware that effectively enslaves Windows machines into botnets to mine for Monero.
It snuck under the radar, however, since it does not encrypt and lockdown files to demand bitcoin ransoms.
Instead, the stealthy malware brings monetary gains to attackers by discreetly mining Monero, a cryptocurrency with enhanced privacy features compared to bitcoin. Most victims are unlikely to even know that their Windows computers are compromised.
The only symptoms of an infection are sluggish PC and server performance and the loss of access to shared Windows drives.

Mining cryptocurrencies can be a costly investment as it takes a monstrous amount of computing power, and thus hackers have started using malware that steals computing resources of computers it hijacks to make lots of dollars in digital currency.
 cybercriminals only made modifications to legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to secretly install the miner on unpatched Windows servers.

 It reports that the attackers have been infecting unpatched Windows web servers with the cryptocurrency miner since at least May 2017 to mine 'Monero,' a Bitcoin-like cryptocurrency.
 The vulnerability (CVE-2017-7269) exploited by the attackers was discovered in March 2017 by Zhiniang Peng and Chen Wu and resides in the WebDAV service of Microsoft IIS version 6.0—the web server in Windows Server 2003 R2.

 Since the vulnerability is on a web server, which is meant to be visible from the internet, it can be accessed and exploited by anyone. Unlike Bitcoin, Monero offers untraceable transactions and is anonymous cryptocurrency in the world today.
 Another reason of hackers favouring Monero is that it uses a proof-of-work algorithm called CryptoNight, which suits computer or server CPUs and GPUs, while Bitcoin mining requires specific mining hardware.

 Researchers say the hacker uses a combination of old vulnerabilities and weak user/password combinations to attack mostly old and unsupported Windows Server machines.

 The most common flaws exploited by the botnet operator include known phpMyAdmin configuration flaws, exploits in JBoss, and bugs in Oracle Web Application Testing Suite, MSSQL servers, ElasticSearch, Apache Tomcat, Oracle Weblogic, and other services.
 Once the hacker gain access to a Windows Server machine, he deploys Visual Basic files to gather information about the infected system and then install a Remote Access Trojan (RAT) and a cryptocurrency miner to make a huge profit from the hacked servers.


The following image shows the general view of the entire attack path. As you might see from the picture, that flow could be considered a complex flow since many specific artifacts were included in the attack phases.  The initial stage starts by abusing the user inexperience taking him/her to click on a first stage file called  (in my case) y1.bat. Nowadays eMail vector is one of the most favorite vectors used by attackers and easily implemented to deliver malicious contents. Once the first stage is run, it downloads and executes a second stage file called info6.ps1: a heavy obfuscated PowerShell script which drops (by de-obfuscate it directly on body) three internal resources: 
  1. Mimikatz.dll. This module is used to steal user administrative credentials.
  2. Utilities. This module is used to scan internal networks in order to propagate the infection, it is used to run several internal utilities such as (but not limited to): de-obfuscation routines,  ordering arrays and running exploits. This module is also used to drop and execute an additional file (from the same server) named info.vbs.
  3. Exploits. This module is a set of known exploits such as eternalblue7_exploit and eternal_blue_powershell used from the initial stage of attack to infect internal machines .

The last stage (info.vbs) drops and runs an executable file which has been recognized to be XMRig. XMRig is an open sourced Monero CPU Miner, freely available on github. The infection tries to propagate itself by scanning and attacking internal resources through the Exploit module, while the XMRig module mines Monero cryptocurrency giving to the attacker fresh "crypto money" by stealing victims resources. 
A romantic but still "working" .bat file is propagated to the victim by email or message. Once the user clicks on it, the .bat file would run the following command spawning a powershell able to download and run a script called info6.ps1 from

Stage1: Downloads and Run 

The downloaded powershell file is clearly divided into two macro blocks both of them obfuscated. The following image shows the two visual sections which I am going to call them: "half up" (section before the "new line") and "half down" (section after the "new line").

Stage2: Two Visual Sections to be explored

While the "half up" section fairly appears to be a Base64 encoded text file, the "half down" section looks like encoded through a crafted function which, fortunately (and certain), appears in clear text at the end of such a file. By editing that function it is possible to modify the decoding process making it saving the decoded text file directly to a desired folder. The following image shows the decoded second stage "half down" section.  


Decoded Second Stage "Half Down"
Analyzing the section code it would be easy to agree that the main used functions are dynamically extracted from the file itself, by performing a substring operations on the current content.




The content of $fa variable and every function related to it is placed in the "half up" section which after being decoded looks like the following image.

Decoded Second Stage "Half Up"