Malware campaign uses multiple propagation methods, including EternalBlue

Pierluigi Paganini April 13, 2019

Hackers are using the EternalBlue exploit and leveraging advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to deliver malware and a Monero cryptocurrency.

Security experts at Trend Micro have uncovered a malware campaign that is targeting Asian entities using the EternalBlue exploit and leveraging advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to deliver malware and a Monero cryptocurrency.

The threat actors behind this campaign leveraged the exploit leaked by the Shadow Brokers in 2017, the EternalBlue exploit was exploited by several families of malware, including WannaCry and NotPetya ransomware.

The same campaign was first observed in January by experts at Qihoo 360, at the time attackers hit Chinese targets leveraging the Invoke-SMBClient and the PowerDump open source tools.

Researchers observed that the recent attacks initially targeted Japanese users, later they also hit people in Australia, Taiwan, Vietnam, Hong Kong, and India.

“Instead of directly sending itself into all the systems connected, the remote command changes the firewall and port forwarding settings of the infected machines, setting up a scheduled task to download and execute an updated copy of the malware.” reads the analysis published by Trend Micro.

“The malware also uses the pass the hash method, wherein it authenticates itself to remote servers using the user’s hashed password. By using the Get-PassHashes command, the malware acquires the hashes stored in the machine, as well as the hashes of the weak passwords listed. After acquiring the hashes, the malware utilizes Invoke-SMBClient – another publicly available script – to perform file share operations using pass-the-hash.”

The malicious code also uses the pass the hash attack method, wherein it authenticates itself to remote servers using the user’s hashed password. The malicious code acquires the hashes stored in the machine by using the Get-PassHashes command, as well as the hashes of the weak passwords listed. The malware used the obtained hashes with the Invoke-SMBClient script to perform various file operations, such as deleting files dropped by older versions of the malware and gaining persistence by adding itself to the Windows Startup folder.

In case the victim has a stronger password, the malware leverages EternalBlue to propagate.

Once the malware has infected a machine, it will download an obfuscated PowerShell script from the command-and-control (C&C) server, that acts as dropper. The script also collects and exfiltrates the machine’s MAC address and the list of installed antimalware software.

“The downloaded PowerShell is a dropper, responsible for downloading and executing the malware’s components, most of which are copies of itself.” continues the analysis.

In the next stage, the malware will drop a Trojan strain detected by Trend Micro as TrojanSpy.Win32.BEAHNY.THCACAI that gathers other system information, including computer name, machine’s GUID, MAC address (again), OS version, graphics memory info, and system time.

The malware also downloads a PowerShell implementation of a Mimikatz tool, it also attempts to use weak SQL passwords to access vulnerable database servers, executing shell commands using xp_cmdshell upon access. This component scans IP blocks for vulnerable devices that attempt to exploit by using EternalBlue.

A fifth component is an XMRig Monero cryptominer that is deployed using PowerShell and injected into its PowerShell process using the open source Invoke-ReflectivePEInjection tool.

“Considering the increasing popularity of PowerShell and more publicly available open-source codes, we can expect to see more complicated malware like these.” concludes Trend Micro. “And while system information being collected and sent back to the C&C may appear insignificant compared to directly stealing personally identifiable information, system information is unique to machines and may be used to trace, identify, and track users and activities.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – fingerprints, Genesis Store)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment