Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

This submission includes four unique files. The first is an installer that drops the second and third: a Remote Access Trojan (RAT) and a malicious Dynamic Link Library (DLL) that functions as a Server Message Block (SMB) worm. The fourth file is another SMB worm, in the form of a Windows 32-bit executable.
Both SMB worms attempt to spread locally and to random IP addresses on the public Internet by brute-forcing SMB logons on reachable systems with a built-in list of common passwords. The RAT installed alongside the first SMB worm gives the attacker the ability to deliver additional malware, run local commands, and exfiltrate data.
As of May 31, 2018, this report has been updated to correct the email addresses used by Wmmvsvc.dll (ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781). For a downloadable copy of IOCs, see:

Emails (2)
misswang8107@gmail.com
redhat@gmail.com

Submitted Files (4)
077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885 (4731CBAEE7ACA37B596E38690160A7...)
a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717 (scardprv.dll)
ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781 (Wmmvsvc.dll)
fe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16 (298775B04A166FF4B8FBD3609E7169...)

Findings

077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885

Tags: backdoor, trojan, worm
ssdeep Matches: No matches found.

Description

This 32-bit Windows executable file drops two malicious applications.
The first (a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717) is a fully functioning RAT.
The second application (ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781) is an SMB worm that spreads to local subnets and external networks.

a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717

Tags: backdoor, bot, trojan, worm
ssdeep Matches: No matches found.

Description

This 32-bit Windows DLL is written to disk and then loaded by the file "4731CBAEE7ACA37B596E38690160A749".
This malware has been identified as a RAT, providing a remote actor with the ability to exfiltrate data, drop and run secondary payloads, and provide proxy capabilities on a compromised Windows device. The malware binds to port 443 and listens for incoming connections from a remote operator, using the Rivest Cipher 4 (RC4) stream cipher to protect communications with its command and control (C2).
The malware also writes a log entry to a file named "mssscardprv.ax" in the %WINDIR%\system32 folder. The entry records the victim's Internet Protocol (IP) address, host name, and current system time.

ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781

Tags: backdoor, bot, trojan, worm
ssdeep Matches: No matches found.

Description

This file is a malicious 32-bit Windows DLL that is written to disk and then loaded by the file "4731CBAEE7ACA37B596E38690160A749".
When executed, the DLL attempts to contact every Internet Protocol (IP) address on the victim's local subnet. For each address it can reach, it attempts to gain unauthorized access over the SMB protocol on port 445 with a brute-force password attack, drawing on an embedded list of commonly used passwords. It also generates random external IP addresses and attacks them in the same way.
If the malware successfully gains access to another system, it sends an email containing that system's IP address, hostname, username, and password to the following address:

--Begin email address--
misswang8107@gmail.com
--End email address--

The email appears to come from the following address (refer to Figure 1):

--Begin email address--
redhat@gmail.com
--End email address--
The malware shares the victim's system folder under the name "adnim$" (the misspelling is the worm's own) by running the following commands through a remotely started service:

--Begin commands utilized to create SMB share--
cmd.exe /q /c net share adnim$=%SystemRoot%
cmd.exe /q /c net share adnim$=%%SystemRoot%% /GRANT:%s,FULL
--End commands utilized to create SMB share--

The second line is a format string as recovered from the binary: "%s" is filled in at runtime with an account name (the captured traffic below shows "Administrator"), and the doubled percent signs collapse to single ones, so "%SystemRoot%" is what actually reaches cmd.exe. The malware then copies itself into the newly created share as a file named "mssscardprv.ax" and runs that file on the remote system through a malicious service. The adnim$ share is then deleted from the remote system with the following command:

--Begin command used to delete share--
cmd.exe /q /c net share adnim$ /delete
--End command used to delete share--
The malware determines if Remote Desktop Protocol (RDP) is enabled by attempting to connect to port 3389. If it is able to connect to this port, the malware will report RDP is available on the compromised system. This information is provided to the operator using the malicious email address provided earlier.
This malware can communicate with the RAT identified as "scardprv.dll" (4613f51087f01715bf9132c704aea2c2); that channel is protected with the Rivest Cipher 4 (RC4) stream cipher. When attempting to propagate, the malware combines the following three usernames with a password brute-force attack:
--Begin malicious usernames used by SMB worm--
Administrateur
Administrador
Administrator
--End malicious usernames used by SMB worm--
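Detection logic for this brute-force pattern, run over constructed Windows Security event lines (an added example, not code from the report or from the malware): each failed network logon (event 4625, logon type 3) against one of the three account names above is attributed to its source IP; a source that accumulates five or more such failures inside a two-minute window is flagged, and a later successful network logon (event 4624) from the same source escalates the finding. The flattened key=value event format, the thresholds and the IP addresses are assumptions made for the demonstration.

```python
"""Added example (not part of the MAR): flag the worm's SMB password
brute-forcing in Windows Security log data.  The event lines are constructed
in a flattened key=value form; map them from your own 4625/4624 export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Account names the worm pairs with its password list (from the report).
WORM_USERNAMES = {"Administrateur", "Administrador", "Administrator"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)

# Constructed sample: one source spraying all three names and then logging on,
# one source with a single failure, one local (type 2) failure, and one slow
# source whose failures are too spread out to cross the threshold.
SAMPLE_EVENTS = """\
2018-05-29T10:00:01Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.45 Status=0xC000006D
2018-05-29T10:00:02Z EventID=4625 LogonType=3 TargetUserName=Administrateur IpAddress=10.0.0.45 Status=0xC000006D
2018-05-29T10:00:03Z EventID=4625 LogonType=3 TargetUserName=Administrador IpAddress=10.0.0.45 Status=0xC000006D
2018-05-29T10:00:04Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.45 Status=0xC000006D
2018-05-29T10:00:05Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.45 Status=0xC000006D
2018-05-29T10:00:06Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.45 Status=0xC000006D
2018-05-29T10:01:30Z EventID=4624 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.45 Status=0x0
2018-05-29T10:00:10Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.7 Status=0xC000006D
2018-05-29T10:00:11Z EventID=4625 LogonType=2 TargetUserName=Administrator IpAddress=127.0.0.1 Status=0xC000006D
2018-05-29T10:00:00Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.9 Status=0xC000006D
2018-05-29T10:01:00Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.9 Status=0xC000006D
2018-05-29T10:02:00Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.9 Status=0xC000006D
2018-05-29T10:03:00Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.9 Status=0xC000006D
2018-05-29T10:04:00Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.9 Status=0xC000006D
"""


def parse_events(text: str) -> list:
    """Parse the flattened event lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_smb_brute_force(events, threshold: int = 5, window_seconds: int = 120) -> dict:
    """Source IPs with >= threshold failed network logons (4625, type 3) against
    the worm's account names inside any window; escalated to "compromise-likely"
    when a 4624 from the same source follows the first failure."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] == 3 and ev["user"] in WORM_USERNAMES:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["eid"] == 4625]
        burst = False
        for i, first in enumerate(fails):        # sliding window over failures
            j = i
            while j < len(fails) and fails[j]["ts"] - first["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst = True
                break
        if not burst:
            continue
        logged_on = any(e["eid"] == 4624 and e["ts"] >= fails[0]["ts"] for e in evs)
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "severity": "compromise-likely" if logged_on else "brute-force",
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_smb_brute_force(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding)
```

Exported 4625/4624 events carry the fields used here (TargetUserName, IpAddress, LogonType), so only the regex needs adapting to a real export. A filter keyed on "Administrator" alone would miss the French and Spanish account names the worm also tries.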
Although the malware carries numerous embedded passwords for its brute-force attacks, within our environment it consistently sent the following Lan Manager response in its SMB logon attempts:

--Begin static Lan Manager response--
8C15084FA541079A000000000000000000
--End static Lan Manager response--

This hexadecimal value may be useful for detecting the worm as it communicates over port 445 and attempts to spread. In addition, when the malware starts a remote service to create the "adnim$" share, the following network traffic is generated:

--Begin network signature--
ASCII: cmd.exe /q /c net share adnim$=%SystemRoot% /GRANT:Administrator,FULL
HEX: 636D642E657865202F71202F63206E65742073686172652061646E696D243D2553797374656D526F6F7425202F4752414E543A41646D696E6973747261746F722C46554C4C
--End network signature--

The HEX line is the single-byte encoding of the ASCII line. If the command reaches the target through a Unicode service-control call it will appear UTF-16LE encoded on the wire instead, so a signature should match both forms.

Screenshots

Figure 1 - The screenshot illustrates the to and from email addresses for data exfiltration.

fe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16

Tags: backdoor, trojan, worm
ssdeep Matches: No matches found.

Description

This file is a malicious 32-bit Windows executable designed to scan the local network and the Internet for machines that are reachable and have open SMB ports. Once it gains access to a remote machine, it delivers a malicious payload. The file accepts the following command-line arguments:
--Begin arguments--
-i ==> Create service
-u ==> Control and delete service
-s ==> Start service
-r ==> Run not as a service
-k ==> ControlService
--End arguments--
When executed with the "-i" argument, the malware installs and executes itself as the following service:
--Begin service information--
ServiceName = "RdpCertification"
DisplayName = "Remote Desktop Certification Services"
DesiredAccess = SERVICE_ALL_ACCESS
ServiceType = SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS
StartType = SERVICE_AUTO_START
BinaryPathName = "%current directory%\298775B04A166FF4B8FBD3609E716945.exe"
--End service information--
The malware creates a mutual exclusion (mutex) object named "PlatFormSDK20150201", then generates a list of target IP addresses with a domain generation algorithm (DGA) style routine that takes the current system time as input, so the target list varies from run to run.

It then generates traffic over Transmission Control Protocol (TCP) ports 80 and 445 toward addresses on the victim's own network and toward the generated IP addresses.
Sample HTTP request:

--Begin HTTP request--
OPTIONS / HTTP/1.1
translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
Host: 159.154.100.0
Content-Length: 0
Connection: Keep-Alive
--End HTTP request--

The User-Agent is that of the Windows WebClient (WebDAV Mini-Redirector) service, which issues an OPTIONS probe of this form when a UNC path is opened; this accounts for the port 80 traffic.
Once connected to other Windows hosts or to the generated IP addresses on port 445, the malware tries its hard-coded password list against SMB. If a password is guessed correctly, a file share session is established. The malware uses the following methods to access shares on the remote systems:

- It gains access to the remote system through the IPC$ administrative share, via "\\<remote system IP>\IPC$".
- It checks for an existing share by opening "\\<hostname>\adnim$\system32".
It then creates a new share named "adnim$" using the following command:

--Begin new share command--
"cmd.exe /q /c net share adnim$=%SystemRoot%"
"cmd.exe /q /c net share adnim$=%%SystemRoot%% /GRANT:%s,FULL"
--End new share command--
Once a file share is successfully established, the malware uploads a copy of a payload "C:\WINDOWS\TEMP\TMP1.tmp" and installs it as a service. The malware payload that is uploaded and then run on the newly infected host was not available at the time of analysis.
The remote network share is removed after infection using the following command:
--Begin command--
"cmd.exe /q /c net share adnim$ /delete"
--End command--
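Both worms create and remove the adnim$ share with the commands quoted above, and the analysis of Wmmvsvc.dll gives a hex signature for the share command plus a static Lan Manager response. The following matcher (an added example, not code from the report) checks raw port-445 payloads for those indicators: it confirms that the report's HEX line decodes to its ASCII line, and it also looks for a UTF-16LE form of the command, which is an assumption about how a service-control call may carry the string. The sample payloads are constructed.

```python
"""Added example (not part of the MAR): match the SMB-side network indicators
the report gives for the worms' lateral movement.  Every payload below is
constructed for the demonstration; the indicator constants are the report's."""
import re

# Share-creation command the MAR observed on the wire, and the HEX the MAR
# gives for it (single-byte encoding of the same string).
SHARE_CMD_ASCII = b"cmd.exe /q /c net share adnim$=%SystemRoot% /GRANT:Administrator,FULL"
SHARE_CMD_HEX = (
    "636D642E657865202F71202F63206E65742073686172652061646E696D243D"
    "2553797374656D526F6F7425202F4752414E543A41646D696E6973747261746F722C46554C4C"
)
# Static Lan Manager response seen in the worm's SMB logon attempts.
STATIC_LM_RESPONSE = bytes.fromhex("8C15084FA541079A000000000000000000")

# Looser pattern: any "adnim$" share creation, whichever account is granted
# (the worm also tries Administrateur and Administrador) and whether the
# %SystemRoot% variable arrives with one or two percent signs.
SHARE_CREATE_BYTES = re.compile(rb"net share adnim\$=%+SystemRoot%+(?: /GRANT:[^,\s]+,FULL)?")
SHARE_CREATE_TEXT = re.compile(r"net share adnim\$=%+SystemRoot%+(?: /GRANT:[^,\s]+,FULL)?")
SHARE_DELETE = "net share adnim$ /delete"


def hex_matches_ascii() -> bool:
    """Sanity check: the report's HEX signature decodes to its ASCII line."""
    return bytes.fromhex(SHARE_CMD_HEX) == SHARE_CMD_ASCII


def scan_payload(payload: bytes) -> list:
    """Return the indicator names found in one reassembled TCP payload."""
    hits = []
    # Assumption: a Unicode service-control call carries the command UTF-16LE
    # encoded, which the single-byte HEX would miss, so both forms are checked.
    text = payload.decode("utf-16-le", errors="ignore")
    if SHARE_CREATE_BYTES.search(payload):
        hits.append("adnim-share-create-ascii")
    if SHARE_CREATE_TEXT.search(text):
        hits.append("adnim-share-create-utf16")
    if SHARE_DELETE.encode() in payload or SHARE_DELETE in text:
        hits.append("adnim-share-delete")
    if STATIC_LM_RESPONSE in payload:
        hits.append("static-lm-response")
    return hits


def scan_stream(payloads) -> dict:
    """Map payload index -> indicator names, omitting payloads with no hits."""
    report = {}
    for idx, payload in enumerate(payloads):
        hits = scan_payload(payload)
        if hits:
            report[idx] = hits
    return report


# Constructed payloads; a few bytes of padding stand in for SMB/RPC framing.
SAMPLE_PAYLOADS = [
    b"\x00" * 8 + SHARE_CMD_ASCII + b"\x00",
    "cmd.exe /q /c net share adnim$=%SystemRoot% /GRANT:Administrateur,FULL".encode("utf-16-le"),
    b"\xff\x53\x4d\x42" + STATIC_LM_RESPONSE + b"\x00" * 8,
    b"cmd.exe /q /c net share adnim$ /delete",
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
]

if __name__ == "__main__":
    assert hex_matches_ascii()
    for idx, hits in scan_stream(SAMPLE_PAYLOADS).items():
        print(idx, hits)
```

Feed scan_payload reassembled TCP payloads from a capture rather than single segments, since a command split across two segments would otherwise be missed. The static Lan Manager response is the stronger indicator; the share command could in principle be typed by an administrator, and it is the misspelled share name that makes it worth matching at all.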
Once the payload has been uploaded and executed, the malware uses Simple Mail Transfer Protocol (SMTP) to send collected data. The data provides infection status to a remote operator.
Displayed below are the domain names of the service providers used to send data:
--Begin SMTP domain information--
"www.hotmail.com"
--End SMTP domain information--
Displayed below is the structure of the email as the format strings are recovered from the binary. They appear in reverse wire order: an actual session runs HELO, AUTH LOGIN, MAIL FROM, RCPT TO, DATA, and then the FROM, TO and SUBJECT headers. The trailing "%s" in each template is filled in at runtime (presumably the line terminator).

--Begin email structure format--
SUBJECT: %s%s%s
TO: Joana <%s>%s
FROM: <%s>%s
DATA%s
RCPT TO: <%s>%s
MAIL FROM: <%s>%s
AUTH LOGIN%s
HELO %s%s
--End email structure format--
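The exchange those templates produce, parsed from the client side of an SMTP session, as an added example that is not part of the report: the parser extracts HELO, the AUTH LOGIN user name, the envelope and the message headers, and the fingerprint check flags the recipient and sender addresses the report gives for Wmmvsvc.dll together with the "Joana" TO-header template from 298775B04A166FF4B8FBD3609E716945.exe. Treating those as one fingerprint is an assumption, as are the constructed session's line endings, host name, subject, and AUTH LOGIN account.

```python
"""Added example (not part of the MAR): parse the client half of an SMTP
session and flag the worm's exfiltration fingerprint.  The session text is
constructed from the command templates the report lists; the line endings,
host name, subject and AUTH LOGIN account are assumptions."""
import base64
import re

# Exfiltration addresses from the report (Wmmvsvc.dll).
KNOWN_EXFIL_RCPT = {"misswang8107@gmail.com"}
KNOWN_SPOOFED_FROM = {"redhat@gmail.com"}

ADDR_RE = re.compile(r"<([^>]+)>")


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed client stream in wire order (the report lists the templates in
# the reverse order).  Server replies are not needed for the parse.
SAMPLE_SMTP_CLIENT = "\r\n".join([
    "HELO wksta-07",
    "AUTH LOGIN",
    _b64("exfil-account@example.invalid"),   # placeholder, not from the report
    _b64("not-a-real-password"),
    "MAIL FROM: <redhat@gmail.com>",
    "RCPT TO: <misswang8107@gmail.com>",
    "DATA",
    "FROM: <redhat@gmail.com>",
    "TO: Joana <misswang8107@gmail.com>",
    "SUBJECT: 10.0.0.45WKSTA-07Administrator",
    "",
    "RDP available",
    ".",
    "QUIT",
]) + "\r\n"


def parse_smtp_client(stream: str) -> dict:
    """Extract HELO, AUTH LOGIN user, envelope, headers and body lines from
    the client->server half of an SMTP session."""
    session = {"helo": None, "auth_user": None, "mail_from": None,
               "rcpt_to": [], "headers": {}, "body": []}
    lines = stream.split("\r\n")
    state = "cmd"            # cmd -> headers -> body -> cmd
    i = 0
    while i < len(lines):
        line = lines[i]
        if state == "headers":
            if line == "":
                state = "body"
            else:
                name, _, value = line.partition(":")
                session["headers"][name.strip().upper()] = value.strip()
        elif state == "body":
            if line == ".":
                state = "cmd"
            else:
                session["body"].append(line)
        else:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                session["helo"] = arg
            elif verb == "AUTH" and arg.upper() == "LOGIN":
                # Next two client lines are the base64 user name and password;
                # only the user name is kept.
                session["auth_user"] = base64.b64decode(lines[i + 1]).decode(errors="replace")
                i += 2
            elif verb == "MAIL":
                m = ADDR_RE.search(arg)
                session["mail_from"] = m.group(1) if m else None
            elif verb == "RCPT":
                m = ADDR_RE.search(arg)
                if m:
                    session["rcpt_to"].append(m.group(1))
            elif verb == "DATA":
                state = "headers"
        i += 1
    return session


def exfil_fingerprint(session: dict) -> list:
    """Reasons the session looks like the worm's status email, in fixed order."""
    reasons = []
    if set(session["rcpt_to"]) & KNOWN_EXFIL_RCPT:
        reasons.append("rcpt-to-known-exfil-address")
    if session["mail_from"] in KNOWN_SPOOFED_FROM:
        reasons.append("mail-from-known-spoofed-sender")
    if session["headers"].get("TO", "").startswith("Joana <"):
        reasons.append("to-header-joana-template")
    return reasons


if __name__ == "__main__":
    print(exfil_fingerprint(parse_smtp_client(SAMPLE_SMTP_CLIENT)))
```

The "Joana" display name and the misspelled share name are the two strings the attacker chose, and therefore the ones least likely to collide with legitimate traffic; the mailbox addresses can be rotated, so the TO-header check is kept separate from the address checks.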
Displayed below is the list of passwords the malware brute-forces to establish connections:

--Begin brute force password--
!@#$ !@#$% !@#$%^ !@#$%^& !@#$%^&* !@#$%^&*() "KGS!@#$%" 0000 00000 000000 00000000 1111 11111 111111 11111111 11122212 1212 121212 123123 123321 1234 12345 123456 1234567 12345678 123456789 123456^%$#@! 1234qwer 123abc 123asd 123qwe 1313 1q2w3e 1q2w3e4r 1qaz2wsx 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 4321 54321 654321 6969 666666 7777 8888 88888 888888 8888888 88888888 Admin abc123 abc@123 abcd admin admin123 admin!23 admin!@# administrator administrador asdf asdfg asdfgh asdf123 asdf!23 baseball backup blank cisco compaq control computer cookie123 database dbpassword db1234 default dell enable fish foobar gateway guest golf harley home iloveyou internet letmein Login login love manager oracle owner pass passwd password p@ssword password1 password! passw0rd Password1 pa55w0rd pw123 q1w2e3 q1w2e3r4 q1w2e3r4t5 q1w2e3r4t5y6 qazwsx qazwsxedc qwer qwert qwerty !QAZxsw2 root secret server sqlexec shadow super sybase temp temp123 test test! test1 test123 test!23 winxp win2000 win2003 Welcome1 Welcome123 xxxx yxcv zxcv Administrator Admin
--End brute force password--

Recommendations

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate ACLs.
Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.

Contact Information

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact NCCIC and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to NCCIC at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to NCCIC? Malware samples can be submitted via three methods: NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the NCCIC/US-CERT homepage at www.us-cert.gov.