
Petya and others. ESET discloses cyber attacks on corporate networks

The Petya ransomware epidemic is in the spotlight. The problem is that it is only the latest incident in a series of attacks on Ukrainian companies. This ESET report reveals some features of Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya) and includes information about previously undisclosed attacks.



TeleBots


In December 2016, we published a study of the destructive attacks carried out by a cyber group we call TeleBots. The group attacked financial institutions and used a Linux version of the destructive KillDisk component. In addition, TeleBots may be linked to the BlackEnergy group, which is associated with cyberattacks on energy companies.

The TeleBots group used the KillDisk malware at the final stage of its attacks to overwrite files with certain extensions on the victim's disk. As will become clear below, a ransom was never this group's priority.

In the first wave of attacks in December 2016, KillDisk overwrote the targeted files rather than encrypting them. The victim received no contact details for the attackers; the malware simply displayed an image referencing the "Mr. Robot" TV series.


Figure 1. The image that KillDisk displayed on the screen during the first wave of attacks in December 2016.

In the second wave, the attackers modified KillDisk by adding encryption and contact details to the ransom note, which made it look like typical ransomware. At the same time, they demanded a record sum for data recovery: 222 Bitcoins (about 250 thousand dollars at the exchange rate of the time). This suggests the attackers were not interested in collecting a ransom but in harming the targeted companies.


Figure 2. KillDisk ransom note, version from the second wave of attacks in December 2016.

In 2017, the TeleBots group continued its attacks, which became more sophisticated. From January to March 2017, the group compromised a Ukrainian software development company (not MEDoc) and, using VPN tunnels, gained access to the internal networks of several financial institutions.


Figure 3. Supply-chain attacks in 2017

In the course of this attack, TeleBots added two ransomware samples to its arsenal, along with updated versions of the tools mentioned in our previous reports.

The first backdoor the group relied on heavily was Python/TeleBot.A, rewritten from Python into Rust. Its functionality did not change: it is a standard backdoor that uses the Telegram Bot API to receive commands from operators and send back responses.


Figure 4. Disassembled code of the Win32/TeleBot.AB trojan.

The second backdoor, written in VBScript and packed with script2exe, was heavily obfuscated, but its functionality remained the same as in previous attacks.


Figure 5. Obfuscated version of the VBS backdoor.

This time the VBS backdoor uses the C&C server 130.185.250[.]171. To make the connections look less suspicious to anyone reviewing firewall logs, the attackers registered the domain transfinance.com[.]ua and pointed it at this IP address. As Figure 6 shows, a mail server named severalwdadwajunior, operating on the Tor network, was also running there.


Figure 6. Information about the TeleBots group server.

In addition, the attackers used the following tools:


As in the earlier attacks, at the final stage TeleBots deployed the ransomware using PsExec and stolen Windows credentials. ESET products detect it as Win32/Filecoder.NKH. Once run, the malware encrypts all files (except those under C:\Windows) using AES-128 and RSA-1024 and appends the .xcrypted extension to the encrypted files.

When encryption is complete, the program creates a text file readme.txt with the following content:

Please contact us: openy0urm1nd@protonmail.ch

In addition to the Windows malware, the TeleBots group used ransomware for Linux systems, written in Python and detected by ESET as Python/Filecoder.R. Here the attackers rely on third-party utilities such as openssl for the encryption, which uses the RSA-2048 and AES-256 algorithms.


Figure 7. Python code of the Python / Filecoder.R Linux encoder used by the TeleBots group.

The Python script contains a comment that includes the following text:

feedback: openy0urm1nd [@] protonmail.ch

Win32/Filecoder.AESNI.C


On May 18, we recorded activity of another ransomware family, Win32/Filecoder.AESNI.C, also known as XData.

The ransomware was distributed mainly in Ukraine, which is explained by an interesting initial infection vector. According to ESET telemetry, the ransomware appeared on computers immediately after the launch of MEDoc, accounting and document-management software that is widespread in Ukrainian companies.

The functionality of Win32/Filecoder.AESNI.C allowed it to spread automatically across a company's local network. In particular, an embedded Mimikatz DLL was used to extract Windows credentials from the memory of the compromised computer, and with those credentials the malware spread within the network using the PsExec utility.

It seems the attackers either did not achieve their goal in this attack or were testing ahead of a more effective strike. In any case, the master keys were later published on the BleepingComputer forum, together with a statement that the AESNI source code had been stolen from its real author and used in the Ukrainian incident.

ESET has released a decryptor for victims of Win32/Filecoder.AESNI.

Epidemic Diskcoder.C (better known as Petya)


What really received wide media coverage was the Petya epidemic that began on June 27. The malware compromised many systems in critical infrastructure and corporate networks in Ukraine and abroad.

The ransomware used in this attack can replace the master boot record (MBR) with its own malicious code. That code is borrowed from the Win32/Diskcoder.Petya ransomware, which is why some researchers call the threat ExPetr, PetrWrap, Petya or NotPetya. Unlike the original Petya, the authors of Diskcoder.C changed the MBR code in such a way that the data cannot be recovered. More precisely, the attackers have no way to provide the victim with a decryption key, and the key could not be entered in the appropriate field anyway, because it contains invalid characters.

Visually, the MBR part of Diskcoder.C looks like a slightly modified version of Petya: first it shows a message disguised as CHKDSK, Microsoft's disk check utility. During this fake scan, Diskcoder.C is actually encrypting the data.


Figure 8. Fake CHKDSK message displayed by Diskcoder.C.

When encryption is complete, the MBR code displays the following message with payment instructions, but, as has already been shown, this information is useless.


Figure 9. Message Diskcoder.C with instructions for paying the ransom.

The rest of the code, apart from the borrowed MBR, was written by the malware's authors. It includes a file encryptor that can be used in addition to the MBR-level disk encryption. The malware uses the AES-128 and RSA-2048 algorithms.

It is worth noting that the authors made mistakes that reduce the chances of decrypting files. For example, Diskcoder.C encrypts only the first 1 MB of each file and writes no header or footer, only the encrypted data itself. The malware does not rename files either, so it is hard to tell which files are encrypted and which are not.

Interestingly, the list of targeted extensions, although not completely identical, is very similar to the one used in the KillDisk attacks of December 2016.
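The two mistakes described above (a fixed 1 MB window and no header or footer) leave a detectable footprint even though the files are not renamed. The script below is an added example, not ESET's code or part of the original report: it triages files by checking whether the magic bytes expected for a targeted extension are still present and by comparing the Shannon entropy of the first 1 MB with that of the remainder. The extension subset, the entropy thresholds and the sample files are assumptions constructed for the illustration.

```python
import math
import os
from collections import Counter

ENCRYPTED_WINDOW = 1024 * 1024   # Diskcoder.C touches only the first 1 MB of a file
HIGH_ENTROPY = 7.5               # assumed threshold (bits/byte) for cipher output
LOW_ENTROPY = 6.5                # assumed threshold (bits/byte) for structured data

# Assumed subset of the targeted extensions (Figure 10) with their magic bytes.
# A header that no longer matches is the first hint that the head was overwritten.
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 8.0 is uniformly random, text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, content: bytes) -> str:
    """Verdict for one file's bytes, reasoning only from content (no rename, no marker)."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return "not-targeted"
    if content.startswith(MAGIC[ext]):
        return "plain"                 # header intact: the encryptor never touched it
    head, tail = content[:ENCRYPTED_WINDOW], content[ENCRYPTED_WINDOW:]
    if shannon_entropy(head) < HIGH_ENTROPY:
        return "damaged"               # wrong header but not random: some other corruption
    if not tail:
        return "encrypted"             # whole file fits in the window, nothing left to compare
    if shannon_entropy(tail) < LOW_ENTROPY:
        return "encrypted-head"        # random head, structured tail: the 1 MB-only footprint
    return "unknown"                   # random throughout: any cipher or compressor looks like this


def triage(files: dict) -> dict:
    """Map file name -> verdict for an in-memory set of files."""
    return {name: classify(name, data) for name, data in files.items()}


def scan_directory(root: str):
    """Walk a tree and yield (path, verdict) for files that look encrypted."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    verdict = classify(name, fh.read())
            except OSError:
                continue
            if verdict.startswith("encrypted"):
                yield path, verdict


# Constructed sample files (random bytes stand in for AES output); not real victim data.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Page >> endobj\n" * 64,
    "contract.docx": os.urandom(4096),                       # small file, fully overwritten
    "ledger.xlsx": os.urandom(ENCRYPTED_WINDOW)              # head overwritten ...
                   + b"<row><c>42</c></row>\n" * 50_000,     # ... tail still structured
    "backup.zip": b"PK\x03\x04" + os.urandom(2 * ENCRYPTED_WINDOW),  # genuine, untouched
    "notes.txt": b"meeting notes\n" * 100,                   # extension not targeted
    "odd.xls": b"\x00" * 512 + b"garbage" * 100,             # broken header, not random
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:15} {verdict}")
```

A random head followed by a structured tail is the signature of an encryptor that stops after 1 MB; a file that is random throughout cannot be told apart from a genuinely compressed or otherwise encrypted one by content alone, so it is reported as unknown rather than guessed. `scan_directory` applies the same verdict to files on disk.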


Figure 10. The list of target Diskcoder.C extensions.

Once executed, Diskcoder.C tries to extend its reach with the EternalBlue exploit, which leverages the kernel-mode DoublePulsar backdoor. Exactly the same method was used by the WannaCryptor.D ransomware.

Diskcoder.C also used a method borrowed from Win32/Filecoder.AESNI.C (XData): a stripped-down version of Mimikatz to obtain credentials, followed by execution of the malware on other machines in the local network via SysInternals PsExec.

Finally, the authors of Diskcoder.C used a third spreading method, the WMI mechanism.

All three methods were used to spread Diskcoder.C within networks. Unlike WannaCryptor, the new ransomware used the EternalBlue exploit only against computers in the local network's address range.
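The three spreading methods above each leave host-level evidence: PsExec registers its PSEXESVC service on the target, WMI-driven execution spawns the payload under WmiPrvSE.exe, and an EternalBlue scan produces a burst of SMB (445/tcp) connections from one host to many neighbours in the local range. The detection logic below is an added example, not ESET's code: it runs over constructed Sysmon and System log records, and the corporate address range, the fan-out threshold and the event field names are assumptions.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed corporate address range
FANOUT_THRESHOLD = 5                                # assumed: distinct SMB peers per host
WMI_SPAWN = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, local_net=LOCAL_NET, fanout_threshold=FANOUT_THRESHOLD):
    """Return (rule, host) alerts for the three spreading techniques."""
    alerts = []
    smb_peers = defaultdict(set)
    for e in events:
        key = (e["channel"], e["eid"])
        if key == ("system", 7045):
            # PsExec copies PSEXESVC.exe to the target and registers it as a service.
            if "PSEXESVC" in (e.get("ServiceName", "") + e.get("ImagePath", "")).upper():
                alerts.append(("psexec-service-install", e["host"]))
        elif key == ("sysmon", 1):
            parent, child = _basename(e.get("ParentImage", "")), _basename(e.get("Image", ""))
            if parent == "wmiprvse.exe" and child in WMI_SPAWN:
                # A remote WMI process creation runs under the WMI provider host.
                alerts.append(("wmi-remote-exec", e["host"]))
            elif parent == "psexesvc.exe":
                alerts.append(("psexec-child-process", e["host"]))
        elif key == ("sysmon", 3) and e.get("DestinationPort") == 445:
            dst = ipaddress.ip_address(e["DestinationIp"])
            if dst in local_net:            # the report: EternalBlue only against the local range
                smb_peers[e["host"]].add(dst)
    for host, peers in smb_peers.items():
        if len(peers) >= fanout_threshold:
            alerts.append(("smb-fanout", host))
    return alerts


# Constructed sample records (a few Sysmon / System log fields), not real telemetry.
EVENTS = [
    {"host": "acct-01", "channel": "system", "eid": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "acct-01", "channel": "system", "eid": 7045,
     "ServiceName": "VMTools", "ImagePath": "C:\\Program Files\\VMware\\vmtoolsd.exe"},
    {"host": "acct-02", "channel": "sysmon", "eid": 1,
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"host": "acct-02", "channel": "sysmon", "eid": 1,
     "Image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
] + [
    {"host": "acct-01", "channel": "sysmon", "eid": 3,
     "DestinationIp": f"10.20.1.{i}", "DestinationPort": 445} for i in (5, 6, 7, 8, 9, 5)
] + [
    {"host": "acct-01", "channel": "sysmon", "eid": 3,
     "DestinationIp": "203.0.113.7", "DestinationPort": 445},   # outside the local range
    {"host": "acct-03", "channel": "sysmon", "eid": 3,
     "DestinationIp": "10.20.1.9", "DestinationPort": 445},     # a single peer: file-share use
]

if __name__ == "__main__":
    for rule, host in detect(EVENTS):
        print(f"{rule:24} {host}")
```

The fan-out rule deliberately counts only destinations inside the configured local range, mirroring the observation that Diskcoder.C exploited EternalBlue against local addresses only; the connection to 203.0.113.7 is therefore ignored, and a host that talks to a single file server never trips the threshold.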

Why did the epidemic spread beyond Ukraine? Our research showed that infected companies in other countries were connected via VPN to their Ukrainian branches or business partners.

Initial vector of infection


Both Diskcoder.C and Win32/Filecoder.AESNI.C used a supply-chain attack as the initial infection vector. These malware families were delivered through the MEDoc accounting and document-management software, which is widely used by Ukrainian accountants.

There are several ways these attacks could have been carried out. MEDoc has an internal document and messaging system, so the attackers could have used phishing. That would require user interaction, probably with some social engineering. Since Win32/Filecoder.AESNI.C did not spread very widely, we initially assumed these were the methods involved.

But the subsequent Diskcoder.C epidemic suggests that the attackers had access to the update server of the legitimate MEDoc software. With it, they could push malicious updates that installed automatically, without user intervention. That is why so many systems in Ukraine were hit by this attack. It seems the malware's authors underestimated how far Diskcoder.C would spread.

ESET researchers have confirmed this theory. We found a PHP backdoor, the file medoc_online.php, in one of the directories on the MEDoc FTP server. The backdoor was reachable over HTTP, although it was encrypted and the attacker needed a password to use it.


Figure 11. Directory with the PHP backdoor on the FTP server.

It must be said that there are signs that Diskcoder.C and Win32/Filecoder.AESNI.C are not the only malware families to have used this vector. We can assume that malicious updates were also used for covert penetration of networks belonging to high-priority targets.

One piece of malware spread through the compromised MEDoc update mechanism was the VBS backdoor used by the TeleBots group. This time the attackers again used a finance-themed domain name: bankstat.kiev[.]ua.

On the day of the Diskcoder.C outbreak, the A record of this domain was changed to 10.0.0.1.
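Watching how the IoC domains resolve is a cheap way both to spot infected hosts (a resolution to the routable C&C address) and to notice when the operators pull their infrastructure, as with the change to 10.0.0.1 above. The checker below is an added example, not ESET's code: it scans constructed DNS log lines in an assumed `<epoch> <client> <qname> <qtype> <answer>` layout against the C&C domains from the IoC section and separates routable answers from private, loopback or reserved ones.

```python
import ipaddress

# C&C domains from the IoC section of this report; subdomains are matched too.
WATCHLIST = {"transfinance.com.ua", "bankstat.kiev.ua", "www.capital-investing.com.ua"}


def watchlist_hit(qname: str):
    """Return the watchlist entry a query name matches (exact or as a subdomain), else None."""
    q = qname.rstrip(".").lower()
    for domain in WATCHLIST:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def answer_kind(answer: str) -> str:
    """'unroutable' for private/loopback/reserved answers (a sinkhole or a pulled C&C,
    like the 10.0.0.1 record), 'routable' for public addresses, 'name' for CNAME targets."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "name"
    if ip.is_private or ip.is_loopback or ip.is_reserved or ip.is_unspecified:
        return "unroutable"
    return "routable"


def parse_line(line: str) -> dict:
    """Assumed log layout: <epoch> <client> <qname> <qtype> <answer>."""
    ts, client, qname, qtype, answer = line.split()
    return {"ts": int(ts), "client": client, "qname": qname, "qtype": qtype, "answer": answer}


def check(log_text: str) -> list:
    """One alert per resolution of a watchlisted name: 'ioc-contact' when the answer is
    routable (the client may be talking to the C&C), 'ioc-parked' when it is not."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        hit = watchlist_hit(rec["qname"])
        if hit is None:
            continue
        rule = "ioc-parked" if answer_kind(rec["answer"]) == "unroutable" else "ioc-contact"
        alerts.append({"rule": rule, "ts": rec["ts"], "client": rec["client"],
                       "domain": hit, "answer": rec["answer"]})
    return alerts


# Constructed sample log (timestamps, clients and the non-IoC names are made up).
DNS_LOG = """\
1498521600 10.20.3.14 bankstat.kiev.ua A 82.221.128.27
1498521660 10.20.3.14 www.example.com A 203.0.113.10
1498521720 10.20.3.22 bankstat.kiev.ua A 10.0.0.1
1498521780 10.20.3.22 transfinance.com.ua A 130.185.250.171
1498521840 10.20.3.30 intranet.example.com A 192.168.5.2
"""

if __name__ == "__main__":
    for alert in check(DNS_LOG):
        print(alert)
```

A client that resolved the domain to its real address before the flip is still worth a look: the 'ioc-parked' alert says the operator changed the record, not that the host is clean.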

Conclusions


The TeleBots group keeps improving its tools for destructive attacks. Instead of sending phishing emails with documents containing malicious macros, they used a more sophisticated scheme known as a supply-chain attack. Before the outbreak, the group mainly attacked the financial sector. The latest campaign was most likely aimed at Ukrainian businesses, but the attackers underestimated the malware's capabilities, and it got out of control.

Indicators of Compromise (IoC)


Detection by ESET products:
Win32/TeleBot trojan
VBS/Agent.BB trojan
VBS/Agent.BD trojan
VBS/Agent.BE trojan
Win32/PSW.Agent.ODE trojan
Win64/PSW.Agent.K trojan
Python/Filecoder.R trojan
Win32/Filecoder.AESNI.C trojan
Win32/Filecoder.NKH trojan
Win32/Diskcoder.C trojan
Win64/Riskware.Mimikatz application
Win32/RiskWare.Mimikatz application


C&C:
transfinance.com[.]ua (IP: 130.185.250.171)
bankstat.kiev[.]ua (IP: 82.221.128.27)
www.capital-investing.com[.]ua (IP: 82.221.131.52)


Legitimate servers used by malware authors:
api.telegram.org (IP: 149.154.167.200, 149.154.167.197, 149.154.167.198, 149.154.167.199)

VBS backdoor:
1557E59985FAAB8EE3630641378D232541A8F6F9
31098779CE95235FED873FF32BB547FFF02AC2F5
CF7B558726527551CDD94D71F7F21E2757ECD109


Mimikatz:
91D955D6AC6264FBD4324DB2202F68D097DEB241
DCF47141069AECF6291746D4CDF10A6482F2EE2B
4CEA7E552C82FA986A8D99F9DF0EA04802C5AB5D
4134AE8F447659B465B294C131842009173A786B
698474A332580464D04162E6A75B89DE030AA768
00141A5F0B269CE182B7C4AC06C10DEA93C91664
271023936A084F52FEC50130755A41CD17D6B3B1
D7FB7927E19E483CD0F58A8AD4277686B2669831
56C03D8E43F50568741704AEE482704A4F5005AD
38E2855E11E353CEDF9A8A4F2F2747F1C5C07FCF
4EAAC7CFBAADE00BB526E6B52C43A45AA13FD82B
F4068E3528D7232CCC016975C89937B3C54AD0D1


Win32/TeleBot:
A4F2FF043693828A46321CCB11C5513F73444E34
5251EDD77D46511100FEF7EBAE10F633C1C5FC53


Win32/PSW.Agent.ODE (CredRaptor):
759DCDDDA26CF2CC61628611CF14CFABE4C27423
77C1C31AD4B9EBF5DB77CC8B9FE9782350294D70
EAEDC201D83328AF6A77AF3B1E7C4CAC65C05A88
EE275908790F63AFCD58E6963DC255A54FD7512A
EE9DC32621F52EDC857394E4F509C7D2559DA26B
FC68089D1A7DFB2EB4644576810068F7F451D5AA


Win32/Filecoder.NKH:
1C69F2F7DEE471B1369BF2036B94FDC8E4EDA03E

Python/Filecoder.R:
AF07AB5950D35424B1ECCC3DD0EEBC05AE7DDB5E

Win32/Filecoder.AESNI.C:
BDD2ECF290406B8A09EB01016C7658A283C407C3
9C694094BCBEB6E87CD8DD03B80B48AC1041ADC9
D2C8D76B1B97AE4CB57D0D8BE739586F82043DBD


Win32/Diskcoder.C:
34F917AABA5684FBE56D3C57D48EF2A1AA7CF06D

PHP shell:
D297281C2BF03CE2DE2359F0CE68F16317BF0A86

Source: https://habr.com/ru/post/332058/
