Evidence suggests that the analyzed sample was first identified around September 20, 2017. The initial infection vector is unknown as of this publication. The malware includes the following features:
- Multiple layers of obfuscation that appear to change per sample, causing file hashes to vary
- Support for 32-bit and 64-bit architectures
- Support for multiple Windows operating systems
- Multiple encoded resources:
  - Monero cryptocurrency miner executable
  - Mimikatz DLL
  - EternalBlue exploitation shellcode
  - Legitimate MSVCR120.dll
  - Legitimate MSVCP120.dll
- PowerShell script that enables the following capabilities:
  - Credential dumping via Mimikatz
  - Reflective PE injection used to execute Mimikatz and the Monero miner
  - Remote code execution via SMB authentication using dumped credentials
  - Remote code execution via EternalBlue SMB exploitation
  - WMI objects to persistently store and execute the aforementioned resources within memory
- Anti-analysis measures
Successful execution and spread of this malware could result in significant network and system performance degradation within a compromised environment. The malware first attempts to spread laterally using cached credentials that it dumps via Mimikatz. If no cached credentials are available, the malware attempts to exploit the EternalBlue vulnerability on the remote host.
Figure 1 shows the execution flow of this malware, following the steps that begin when the info3.ps1 script launches.
Figure 1. Cryptocurrency worm execution flow. (Source: Secureworks)
- Checks for 64-bit architecture. If it is present, the malware downloads info6.ps1 from the command and control (C2) server, executes it, and exits from info3.ps1.
- Stores encoded resources into the properties of a newly created WMI object named Win32_TaskService.
- Executes the $funs PowerShell script to create a ms17_010scanner object via PS Add-Type.
- Checks if msvcp120.dll is present in C:\Windows\System32\. If it is not, the malware drops it ($vcp).
- Checks if msvcr120.dll is present in C:\Windows\System32\. If it is not, the malware drops it ($vcr).
- Removes any existing "SCM Event" WMI objects.
- Creates a new instance of CommandLineEventConsumer that executes an embedded script containing a stripped-down version of info3.ps1.
- Deletes any scheduled tasks named yastcat.
- Deletes C:\Windows\temp\y1.bat if it is present.
- Checks if PowerShell is already running and if it has an existing TCP connection to port 80. If it does not:
  - Calls the funs PowerShell script stored within the WMI object.
  - Funs extracts the Monero miner executable also stored within the WMI object.
  - Funs executes the Monero miner using the ReflectivePEInjection technique.
- Kills any process that has established connections on port 3333 or 5555 (connections to Monero mining pools).
- Dumps credentials using Mimikatz:
  - Calls the funs PowerShell script stored within the WMI object.
  - Funs extracts the Mimikatz DLL also stored within the WMI object.
  - Funs executes the Mimikatz DLL using the ReflectivePEInjection technique.
- Attempts to spread by scanning for available hosts on the network. For each host that is found, the malware attempts to authenticate to the available host via SMB using dumped credentials (if any).
  - If authentication succeeds, the malware behaves differently based on the target host's OS major version. Malicious code running on systems that have an OS major version of 5 cannot spread to other systems and will only mine cryptocurrency.
    - If the major version equals 5 (e.g., Windows XP or Vista) and is 32-bit:
      - Drops and executes %WINDIR%\11.vbs.
      - 11.vbs downloads and executes %WINDIR%\info.vbs.
      - %WINDIR%\info.vbs drops and executes the Monero miner.
    - If the major version is not 5 (e.g., Windows 7/8) and is 32-bit or 64-bit:
      - Downloads info3.ps1 (32-bit) or info6.ps1 (64-bit) as %TEMP%\y1.bat.
      - Creates a new scheduled task named "yastcat" that is set to execute %TEMP%\y1.bat weekly under the SYSTEM context.
      - Starts the scheduled task yastcat.
  - If authentication fails, the malware attempts remote code execution via the EternalBlue exploit. If successful:
    - Downloads info3.ps1 (32-bit) or info6.ps1 (64-bit) as %TEMP%\y1.bat.
    - Creates a new scheduled task named "yastcat" that is set to execute %TEMP%\y1.bat weekly under the SYSTEM context.
    - Starts the yastcat scheduled task.
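The execution flow above names several host artifacts that a defender can check for directly: the Win32_TaskService WMI object, the "SCM Event" filter and CommandLineEventConsumer, the yastcat scheduled task, the dropped files, and connections to the mining-pool ports 3333 and 5555. The following hunt script is an added example written for this report; it is not Secureworks or CTU code. It assumes an elevated Windows PowerShell 5.1 session, and, because the report does not state which WMI namespace holds Win32_TaskService, it checks both root\default and root\cimv2.

```powershell
# Added example (not Secureworks code): hunt for the host artifacts described in the execution flow.
# Assumptions: elevated PowerShell 5.1; the namespace holding Win32_TaskService is not stated in the
# report, so root\default and root\cimv2 are both checked.
function Invoke-CryptoWormHunt {
    [CmdletBinding()]
    param()
    $ErrorActionPreference = 'SilentlyContinue'
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Resource store: the worm keeps its encoded resources in properties of a WMI class named Win32_TaskService.
    foreach ($ns in 'root\default', 'root\cimv2') {
        if (Get-CimClass -Namespace $ns -ClassName Win32_TaskService) {
            $findings.Add("WMI class Win32_TaskService exists in $ns (worm resource store)")
        }
    }

    # 2. Event-subscription persistence: "SCM Event" objects and any CommandLineEventConsumer that
    #    launches PowerShell (the worm's consumer runs an embedded, stripped-down info3.ps1).
    $filters   = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer
    foreach ($f in $filters) {
        if ($f.Name -like '*SCM Event*') { $findings.Add("__EventFilter '$($f.Name)': $($f.Query)") }
    }
    foreach ($c in $consumers) {
        if ($c.Name -like '*SCM Event*' -or $c.CommandLineTemplate -match 'powershell') {
            $findings.Add("CommandLineEventConsumer '$($c.Name)': $($c.CommandLineTemplate)")
        }
    }

    # 3. Scheduled task and dropped files named in the flow.
    if (Get-ScheduledTask -TaskName 'yastcat') {
        $findings.Add('Scheduled task "yastcat" exists (weekly SYSTEM task that runs y1.bat)')
    }
    $dropped = @(
        "$env:WINDIR\11.vbs",
        "$env:WINDIR\info.vbs",
        "$env:TEMP\y1.bat",
        "$env:WINDIR\temp\y1.bat",
        "$env:TEMP\taskservice.exe"
    )
    foreach ($p in $dropped) {
        if (Test-Path -LiteralPath $p) {
            $sha = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings.Add("Dropped file present: $p (SHA256 $sha; compare with Table 3)")
        }
    }

    # 4. Network behaviour: the worm kills rival miners connected to ports 3333/5555 and treats an
    #    existing PowerShell connection on port 80 as "already running", so both are worth listing.
    foreach ($conn in Get-NetTCPConnection -State Established) {
        $proc = Get-Process -Id $conn.OwningProcess
        if ($conn.RemotePort -in 3333, 5555) {
            $findings.Add("Mining-pool port: $($proc.ProcessName) (PID $($conn.OwningProcess)) -> $($conn.RemoteAddress):$($conn.RemotePort)")
        } elseif ($conn.RemotePort -eq 80 -and $proc.ProcessName -eq 'powershell') {
            $findings.Add("powershell.exe (PID $($conn.OwningProcess)) holds an established port-80 connection to $($conn.RemoteAddress)")
        }
    }
    return $findings
}

$results = Invoke-CryptoWormHunt
if ($results.Count -eq 0) { 'No worm artifacts found on this host.' } else { $results }
```

A port-80 PowerShell connection or a miner-port connection on its own is not proof of infection, so each finding is reported as a lead to be confirmed against the Table 3 hashes and the WMI object contents rather than as a verdict.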
Based on the following evidence, CTU researchers assess that either this malware is used in a small number of targeted attacks or it is in development and the author has not deemed it ready for full deployment:
- The malware was first detected in September 2017, but the total number of submissions to the VirusTotal analysis service remains low as of this publication.
- There are only a few antivirus engine detections.
- Code analysis across multiple samples reveals constant development and maturity.
Tracking associated financial transactions for Monero cryptocurrency is not possible as of this publication. The following Monero wallet IDs (also listed in Table 3) are associated with this threat actor:
- 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE
- 46gVfDm99aq9JqESFxXFp5AyFCZPHsbTn48dWAtVASddf4TmhQMkxvQadhKPvAjszJV8cQKVHHLQ7WpNrh33ogkGUPHhpVP
The CTU™ research team has developed the countermeasures listed in Tables 1 and 2 to detect this threat. Third-party devices receive updated protection as it is released from the respective vendors and deployed by Secureworks device management security teams.
| Signature ID | Alert Message |
|---|---|
| 53995 | VID83071 Microsoft Windows SMB Echo Reply - MSF ETERNALBLUE Exploit (MS17-010) |
| 53996 | VID83071 Microsoft Windows SMB Echo Request Inbound flowbits setter - MSF ETERNALBLUE Exploit 2 (MS17-010) |
| 53997 | VID83071 Microsoft Windows SMB Echo Reply - MSF ETERNALBLUE Exploit 2 (MS17-010) |
| 54137 | VID83071 Large SMB NT RENAME Request Inbound - Possible Microsoft Windows SMB Server RCE Attempt - ETERNALBLUE Exploit (MS17-010 CVE-2017-0144) |
| 54138 | VID83071 Suspicious SMB NT Trans Request Inbound (A) - Possible Microsoft Windows SMB Server RCE Attempt - ETERNALBLUE Exploit (MS17-010 CVE-2017-0144) |
| 54139 | VID83071 Suspicious SMB NT Trans Request Inbound (B) - Possible Microsoft Windows SMB Server RCE Attempt - ETERNALBLUE Exploit (MS17-010 CVE-2017-0144) |
Table 1. Secureworks iSensor countermeasures covering this threat.
| Name | GUID |
|---|---|
| PowerShell Download Execute Activity Using cmd.exe | dca116bb-c340-49e6-82c0-5fe050040612 |
| PowerShell Downloading Remote Resource | d4fd4647-06e7-4f3e-b26f-3d55311a8924 |
| Invoke-wmimethod used to create remote process | 6eebbf40-aebb-4123-90d0-db3720609e67 |
| PowerShell constructs command using environment variable | d09a3ae0-ef4b-4589-b510-77d9a22935d5 |
| Mimikatz Activity - sekurlsa | 30753ea3-5172-4914-8590-39742f58dd15 |
| Malicious VBS Command | 0ed0822d-501f-4c94-8d3b-651dfd9844d9 |
Table 2. Secureworks Red Cloak rules covering this threat.
To mitigate exposure to this threat, CTU researchers recommend that clients use available controls to review and possibly restrict access using the indicators in Table 3. Note that IP addresses can be reallocated. The domains, URLs, and IP addresses may contain malicious content, so consider the risks before opening them in a browser.
| Indicator | Type | Context |
|---|---|---|
| 1acdbc75b3747febc4f9f4e24603b01954e25ea62be498b6e6f5aeb05a5baa77 | SHA256 hash | Cryptocurrency worm info3.ps1 main script executes on 32-bit architecture |
| 3f287e29bcb10b200439626d97dd49521816c8dc847797f5acc7ebfe25b4efc4 | SHA256 hash | Cryptocurrency worm info3.ps1 main script executes on 32-bit architecture |
| a5e6253b9fe9f7b1589958cf08087da7cffe8e5fd540dd656913735b769021ee | SHA256 hash | Cryptocurrency worm info3.ps1 main script executes on 32-bit architecture |
| 127f7fcffbe9be5901e253e8975fbd17 | MD5 hash | Cryptocurrency worm info3.ps1 main script executes on 32-bit architecture |
| f79f028888c1eed2806179fd256fb239 | MD5 hash | Cryptocurrency worm info3.ps1 main script executes on 32-bit architecture |
| 1b7b16bf94dcff7433c34736f56c72f9 | MD5 hash | Cryptocurrency worm info3.ps1 main script executes on 32-bit architecture |
| 0432e8ccfbf4b1182061a9f2fd4559de09e16aace478b54d30162e8ce2f97b85 | SHA256 hash | Cryptocurrency worm info6.ps1 script downloaded and executed by info3.ps1 on 64-bit architectures |
| 10ad4969ccabd8e5a2d205a4048bd548cbd22d32a8e2b8216954ae916c8a9e9b | SHA256 hash | Cryptocurrency worm info6.ps1 script downloaded and executed by info3.ps1 on 64-bit architectures |
| fab7ef7833704763e7bf2b6d938294fa9b613f524c8f76117726997a4f7edd28 | SHA256 hash | Cryptocurrency worm info6.ps1 script downloaded and executed by info3.ps1 on 64-bit architectures |
| df551d53d51c13d65d73faa16e5c685ed0c93e652c858149671ea8fe0d4228bd | SHA256 hash | Cryptocurrency worm info6.ps1 script downloaded and executed by info3.ps1 on 64-bit architectures |
| e8ca62d48c7771bd155fbda44817852a6611a71e776781bf92afe62be0623e10 | SHA256 hash | Cryptocurrency worm info6.ps1 script downloaded and executed by info3.ps1 on 64-bit architectures |
| 55a42c9de591c6096fe0078845866ed1 | MD5 hash | Cryptocurrency worm info6.ps1 script downloaded and executed by info3.ps1 on 64-bit architectures |
| 357346878d4d1ecd64b66c68c4f6ac3c | MD5 hash | Cryptocurrency worm info6.ps1 script downloaded and executed by info3.ps1 on 64-bit architectures |
| de1407a62448ca9edfb61ab3dfa25914 | MD5 hash | Cryptocurrency worm info6.ps1 script downloaded and executed by info3.ps1 on 64-bit architectures |
| cce9c624adc146e7bf4a2e9d64f1c89f | MD5 hash | Cryptocurrency worm info6.ps1 script downloaded and executed by info3.ps1 on 64-bit architectures |
| b6fcd1223719c8f6daf4ab7fbeb9a20a | MD5 hash | Cryptocurrency worm info6.ps1 script downloaded and executed by info3.ps1 on 64-bit architectures |
| 9f03b87f780dce8b4d85e5a3116efb3f52e1fa2b935db5faae698dac52aff07e | SHA256 hash | Cryptocurrency worm y1.bat script (info3.ps1 or info6.ps1, depending on architecture) downloaded and executed in %temp% after successful EternalBlue exploitation |
| a74fca15cba0c5311579a820805a12ddbf4af08180230d025ef59259564a62a0 | SHA256 hash | Cryptocurrency worm y1.bat script (info3.ps1 or info6.ps1, depending on architecture) downloaded and executed in %temp% after successful EternalBlue exploitation |
| f9716daf35926d9091719158fd737cce62be80c0393bd0e19572194a1b0532db | SHA256 hash | Cryptocurrency worm y1.bat script (info3.ps1 or info6.ps1, depending on architecture) downloaded and executed in %temp% after successful EternalBlue exploitation |
| e45b4264c049b470fe881433fc2d017a | MD5 hash | Cryptocurrency worm y1.bat script (info3.ps1 or info6.ps1, depending on architecture) downloaded and executed in %temp% after successful EternalBlue exploitation |
| 28ace00fa0870cc2cbec804312bcf2d2 | MD5 hash | Cryptocurrency worm y1.bat script (info3.ps1 or info6.ps1, depending on architecture) downloaded and executed in %temp% after successful EternalBlue exploitation |
| a3aa7d3505bd3b9ab11e18d160cd9daa | MD5 hash | Cryptocurrency worm y1.bat script (info3.ps1 or info6.ps1, depending on architecture) downloaded and executed in %temp% after successful EternalBlue exploitation |
| 1aa48b024e6bf59d5ad95214774a26fa82903b4b7960303b8c09dfba8457adc2 | SHA256 hash | Cryptocurrency worm info.vbs containing Monero miner; drops and executes as %temp%\taskservice.exe. Downloaded and executed by 11.vbs. |
| 2c3351d6664f59e94dca0408d94ebf2c9ad02211178c798f8e338a223b414e1f | SHA256 hash | Cryptocurrency worm info.vbs containing Monero miner; drops and executes as %temp%\taskservice.exe. Downloaded and executed by 11.vbs. |
| 27e4f61ee65668d4c9ab4d9bf5d0a9e7 | MD5 hash | Cryptocurrency worm info.vbs containing Monero miner; drops and executes as %temp%\taskservice.exe. Downloaded and executed by 11.vbs. |
| 2ac305eb28229e886ebfc18ef23a6c61 | MD5 hash | Cryptocurrency worm info.vbs containing Monero miner; drops and executes as %temp%\taskservice.exe. Downloaded and executed by 11.vbs. |
| 038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309 | SHA256 hash | Monero miner executable dropped by cryptocurrency worm |
| 9ac3bdb9378cd1fafbb8e08def738481 | MD5 hash | Monero miner executable dropped by cryptocurrency worm |
| 118 . 184 . 48 . 95:8000 | IP address:port | Cryptocurrency worm C2 server |
| 107 . 179 . 67 . 243:8000 | IP address:port | Cryptocurrency worm C2 server |
| stafftest . spdns . eu:8000 | URL | Cryptocurrency worm C2 server |
| | URL | C2 server hosting cryptocurrency worm (mate3.ps1 is a renamed instance of info3.ps1) |
| . spdns . eu:8000/mate6.ps1 | URL | C2 server hosting cryptocurrency worm (mate6.ps1 is a renamed instance of info6.ps1) |
| http://107 . 179 . 67 . 243:8000/mate3.ps1 | URL | C2 server hosting cryptocurrency worm (mate3.ps1 is a renamed instance of info3.ps1) |
| http://107 . 179 . 67 . 243:8000/mate6.ps1 | URL | C2 server hosting cryptocurrency worm (mate6.ps1 is a renamed instance of info6.ps1) |
| http://107 . 179 . 67 . 243:8000/info3.ps1 | URL | C2 server hosting cryptocurrency worm |
| http://107 . 179 . 67 . 243:8000/info6.ps1 | URL | C2 server hosting cryptocurrency worm |
| http://107 . 179 . 67 . 243:8000/info.vbs | URL | C2 server hosting cryptocurrency worm |
| http://118 . 184 . 48 . 95:8000/info3.ps1 | URL | C2 server hosting cryptocurrency worm |
| http://118 . 184 . 48 . 95:8000/info6.ps1 | URL | C2 server hosting cryptocurrency worm |
| http://118 . 184 . 48 . 95:8000/info.vbs | URL | C2 server hosting cryptocurrency worm |
| C:\Windows\11.vbs | Filename | Cryptocurrency worm info3.ps1 or info6.ps1 script (depending on architecture) drops in %windir% after successful SMB authentication if OS Major Version = 5 (WinXP). Downloads info.vbs from attacker's server to %windir% and executes it. |
| C:\Windows\info.vbs | Filename | Drops and executes Monero Miner as %temp%\taskservice.exe; downloaded and executed by 11.vbs |
| yastcat | Other | Weekly scheduled task that executes cryptocurrency worm y1.bat script |
| 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE | Other | Monero wallet controlled by cryptocurrency worm threat actors |
| 46gVfDm99aq9JqESFxXFp5AyFCZPHsbTn48dWAtVASddf4TmhQMkxvQadhKPvAjszJV8cQKVHHLQ7WpNrh33ogkGUPHhpVP | Other | Monero wallet controlled by cryptocurrency worm threat actors |
Table 3. Indicators for this threat.
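Table 3 lists the indicators in the defanged form the report uses ("118 . 184 . 48 . 95"), which cannot be compared directly with proxy logs or file hashes. The following script is an added example for this report, not Secureworks or CTU code: it re-joins the defanged network indicators, matches them against proxy log lines, and hashes a directory against a subset of the Table 3 SHA256 values. The hashes and host:port values are copied from Table 3; the log lines are constructed for the example, and the directory to hash (%TEMP%, where the report says y1.bat and taskservice.exe are dropped) is an assumption.

```powershell
# Added example (not Secureworks code): match Table 3 indicators against file hashes and proxy log lines.
# Hashes and host:port values are copied from Table 3; the log lines below are constructed, and the
# directory scanned for hashes is an assumption.
function ConvertFrom-Defang {
    param([string]$Indicator)
    # Re-join the report's " . " defanging so the value can be compared with real log data.
    return ($Indicator -replace ' \. ', '.')
}

# Subset of the SHA256 hashes from Table 3, keyed by lowercase hash.
$KnownSha256 = @{
    '1acdbc75b3747febc4f9f4e24603b01954e25ea62be498b6e6f5aeb05a5baa77' = 'info3.ps1 main script (32-bit)'
    '0432e8ccfbf4b1182061a9f2fd4559de09e16aace478b54d30162e8ce2f97b85' = 'info6.ps1 script (64-bit)'
    '9f03b87f780dce8b4d85e5a3116efb3f52e1fa2b935db5faae698dac52aff07e' = 'y1.bat (post-EternalBlue payload)'
    '1aa48b024e6bf59d5ad95214774a26fa82903b4b7960303b8c09dfba8457adc2' = 'info.vbs (carries the Monero miner)'
    '038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309' = 'Monero miner executable'
}

# C2 host:port values from Table 3; matching on host:port covers every URL served from those hosts.
$DefangedIndicators = @(
    '118 . 184 . 48 . 95:8000',
    '107 . 179 . 67 . 243:8000',
    'stafftest . spdns . eu:8000'
)
$C2HostPorts = @($DefangedIndicators | ForEach-Object { ConvertFrom-Defang $_ })

function Find-IndicatorHashes {
    param([string]$Directory)
    # Hash each file directly under $Directory and report the ones whose SHA256 appears in Table 3.
    Get-ChildItem -LiteralPath $Directory -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($KnownSha256.ContainsKey($sha)) {
            [pscustomobject]@{ Path = $_.FullName; SHA256 = $sha; Context = $KnownSha256[$sha] }
        }
    }
}

function Find-C2Hits {
    param([string[]]$LogLines, [string[]]$HostPorts)
    # A literal substring match is sufficient: each indicator is a plain host:port with no wildcard characters.
    foreach ($line in $LogLines) {
        foreach ($hp in $HostPorts) {
            if ($line.Contains($hp)) {
                [pscustomobject]@{ Indicator = $hp; Line = $line }
                break
            }
        }
    }
}

# Constructed proxy log lines (not from the report) so the matcher can be exercised offline.
$SampleLog = @(
    '2017-10-02T09:14:03Z 10.0.0.21 GET http://107.179.67.243:8000/info3.ps1 200 powershell.exe',
    '2017-10-02T09:14:05Z 10.0.0.21 GET http://intranet.example/index.html 200 chrome.exe',
    '2017-10-02T09:15:10Z 10.0.0.33 CONNECT stafftest.spdns.eu:8000 200 powershell.exe',
    '2017-10-02T09:16:42Z 10.0.0.40 GET http://118.184.48.95:8000/info.vbs 200 wscript.exe'
)

Find-C2Hits -LogLines $SampleLog -HostPorts $C2HostPorts | Format-Table -AutoSize
Find-IndicatorHashes -Directory $env:TEMP | Format-Table -AutoSize
```

Three of the four constructed lines match (the intranet request does not), and the user agent column in those hits (powershell.exe, wscript.exe) mirrors the download chain in the execution flow, where PowerShell fetches info3.ps1/info6.ps1 and 11.vbs fetches info.vbs. Because the report notes that IP addresses can be reallocated, a host:port hit should be confirmed against the file hashes or the host artifacts before being treated as an infection.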
References:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
https://portal.secureworks.com/portal/intel/tip/5917
https://clymb3r.wordpress.com/2013/04/06..dll-injection-with-powershell/
http://securityaffairs.co/wordpress/6348..dvanced-memory-cryptoworm.html
https://www.pandasecurity.com/mediacente..reat-hunting-fileless-attacks/