The State of EternalBlue Exploitation in the Wild
This is a joint investigation with fellow Ixia Application and Threat Intelligence (ATI) researcher, Mihai Vasilescu.
EternalBlue and WannaCry have been some of the hottest topics in the news for the past couple of weeks. Proofpoint's unveiling of the Adylkuzz cryptocoin botnet has shown that more than just ransomware is being spread via EternalBlue. This made me wonder whether other threats are spreading by the same means. The short answer is: yes.
To investigate this, Mihai Vasilescu and I modified our existing SMB honeypot so that it advertises itself as vulnerable to EternalBlue and accepts DoublePulsar payloads, which it captures for further investigation. Most of them appear to be stock fuzzbunch-based exploits: the DoublePulsar shellcode that prefixes the payload is identical across most samples. A few carry small manual modifications.
The rate of attacks is pretty impressive. Our honeypots get exploited eight times an hour on average, so an unpatched machine exposed directly to the Internet can expect to be exploited within roughly ten minutes of connecting.
All in all, I extracted 17 distinct payload SHA256 hashes (not counting WannaCry). Some could not be investigated further because the remote servers from which they download their binaries were no longer available. A couple appear to be related to the Adylkuzz miner, judging by the few IOCs that correlate with those published by Proofpoint. The rest carry interesting payloads that can be deciphered with a little work. Note that the SHA256 hashes given here are of the entire DoublePulsar payload, i.e. the DLL together with the shellcode that prefixes it in the transfer. Also note that several different hashes correspond to a similar payload; I did not list all of these alternatives.
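To make concrete what "accepting DoublePulsar payloads" and "hashing the entire DoublePulsar payload" mean in practice, here is an added example (not the Ixia honeypot, and not code from the article). It builds constructed SMBv1 Trans2 SESSION_SETUP packets of the kind the implant speaks, classifies them by opcode, returns the raw data section with its SHA256, and checks a reply for the 0x51 Multiplex ID that a present implant returns to a ping. The field layout follows MS-CIFS; the implant-specific details (the SESSION_SETUP hook, the opcode derived from the Timeout field as the low byte of the sum of its three low-order bytes, the 0x23/0x77/0xC8 opcodes and the 0x51 reply) follow the public analyses of DoublePulsar, and the assumption that the fourth Timeout byte is ignored is mine. All packets below are constructed; the example does not undo the XOR layer the implant applies to exec payloads, so on real captures the returned data is the encoded form.

```python
import hashlib
import struct

# Added example, not the Ixia honeypot: constructed DoublePulsar-style SMBv1
# packets plus a parser that classifies them. Field layout follows MS-CIFS
# (SMB header, Trans2 request); the implant specifics (SESSION_SETUP hook,
# opcode in the Timeout field, 0x51 Multiplex ID reply) follow public analyses.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E              # the Trans2 subcommand the implant hooks
OPCODES = {0x23: "ping", 0x77: "kill", 0xC8: "exec"}
MID_IMPLANT_PRESENT = 0x51                 # a clean host answers a ping with MID 0x41

HDR = struct.Struct("<4sBIBHH8sHHHHH")     # 32-byte SMB header
T2 = struct.Struct("<BHHHHBBH4sHHHHHBBH")  # Trans2 words incl. one setup word (31 bytes)


def timeout_for_opcode(opcode, lead=(0xA6, 0xD9)):
    """Encode an opcode as the implant reads it: the low byte of the sum of the
    three low-order Timeout bytes. The default lead bytes reproduce the
    a6 d9 a4 ping seen in public scanners; the fourth byte is assumed ignored."""
    return bytes([lead[0], lead[1], (opcode - lead[0] - lead[1]) & 0xFF, 0x00])


def build_trans2_session_setup(timeout, data=b"", mid=0x41):
    """Constructed Trans2 SESSION_SETUP request without the NetBIOS length prefix.
    Parameter/data offsets are relative to the first byte of the SMB header."""
    params, pad = bytes(12), b"\x00"
    param_off = HDR.size + T2.size + 2 + len(pad)   # 66
    data_off = param_off + len(params)              # 78
    header = HDR.pack(SMB_MAGIC, SMB_COM_TRANSACTION2, 0, 0x18, 0xC007, 0,
                      bytes(8), 0, 0, 0xFEFF, 0, mid)
    words = T2.pack(15, len(params), len(data), 1, 0, 0, 0, 0, timeout, 0,
                    len(params), param_off, len(data), data_off, 1, 0,
                    TRANS2_SESSION_SETUP)
    body = pad + params + data
    return header + words + struct.pack("<H", len(body)) + body


def build_reply_header(mid):
    """Constructed minimal Trans2 reply (flags has the reply bit set); only the
    header matters to a scanner checking for the implant."""
    return HDR.pack(SMB_MAGIC, SMB_COM_TRANSACTION2, 0, 0x98, 0xC007, 0,
                    bytes(8), 0, 0, 0xFEFF, 0, mid) + b"\x00\x00\x00"


def parse_doublepulsar_request(pkt):
    """Classify one SMB message. Returns None unless it is a Trans2
    SESSION_SETUP request; otherwise the decoded opcode, the raw data section
    (shellcode + DLL for exec, still XOR-encoded) and its SHA256."""
    if len(pkt) < HDR.size + T2.size + 2:
        return None
    if pkt[:4] != SMB_MAGIC or pkt[4] != SMB_COM_TRANSACTION2 or pkt[32] < 15:
        return None
    fields = T2.unpack_from(pkt, 32)
    timeout, data_count, data_off = fields[8], fields[12], fields[13]
    setup_count, subcmd = fields[14], fields[16]
    if setup_count < 1 or subcmd != TRANS2_SESSION_SETUP:
        return None
    if data_off + data_count > len(pkt):
        return None                        # truncated capture: do not trust counts
    opcode = (timeout[0] + timeout[1] + timeout[2]) & 0xFF
    data = pkt[data_off:data_off + data_count]
    return {"opcode": OPCODES.get(opcode, "unknown(0x%02x)" % opcode),
            "data": data,
            "sha256": hashlib.sha256(data).hexdigest() if data else None}


def implant_responded(reply):
    """True when a Trans2 reply carries Multiplex ID 0x51, the implant's ping answer."""
    if len(reply) < HDR.size or reply[:4] != SMB_MAGIC or reply[4] != SMB_COM_TRANSACTION2:
        return False
    return struct.unpack_from("<H", reply, 30)[0] == MID_IMPLANT_PRESENT


if __name__ == "__main__":
    ping = build_trans2_session_setup(timeout_for_opcode(0x23))
    print(parse_doublepulsar_request(ping))
    # "abc" stands in for the shellcode + DLL blob a real exec request carries
    stage = build_trans2_session_setup(timeout_for_opcode(0xC8), data=b"abc")
    print(parse_doublepulsar_request(stage))
    print(implant_responded(build_reply_header(0x51)), implant_responded(build_reply_header(0x41)))
```

A real exec payload arrives split across several Trans2 requests, so a honeypot has to reassemble the data sections in order before hashing; and because the implant never sends the ping reply unless it is installed, the 0x51 check is the cheap way to tell an already-backdoored host from a merely vulnerable one before any payload is exchanged.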
This sample downloads an executable from a remote URL. The binary I obtained from there has SHA256 hash A4535B46859DA0CBC710944EF3AAE0A6ACE778148361726A822C40330092F323 and had already been seen on VirusTotal, with detections ranging from the Zusy (Tinba) Trojan to various cryptocoin miners.
String analysis turned up a remote cryptocoin mining pool (xmr-usa.dwarfpool.com:8005), and dynamic analysis confirmed that this is a bot mining Monero:
This payload begins by writing a VBS file that downloads a secondary payload named check.cmd from a remote server. The batch script looks as follows:
The script disables Avast Antivirus and then downloads the “minerg.exe” executable. The SHA256 hash of this new file is 2876EB97F7A3BD363029BFA643559B944497137F4C929A3468AAF1F8397D9DE9 and it is detected as a cryptocoin miner. The file is a self-extracting WinRAR archive that unpacks to CPUMiner and an execution script:
This starts CPUMiner on the infected computer, getting the victim to mine Monero on behalf of the malware creator.
This DoublePulsar payload fetches a file from a remote server: a self-extracting RAR archive that unpacks three files, two .vbs scripts and one .exe. On execution, the following VBS code runs:
This snippet iterates through the running processes and looks for “sys32.exe”, the name of the unpacked executable. If no such process is running, it starts 520.vbs, the second stage of the malware chain:
This will run the sys32.exe file as a cryptocoin miner. The binary is a well-known mining executable on VirusTotal.
The DDoS Bot
This sample fetches its payload from a remote server. The downloaded binary has SHA256 hash 3EC21D093EDC24AA7FFAFF014CFA9EE2D5EA165F1434590BC0D1B0C31845C2A1 and had a very good detection rate on VirusTotal.
The sample is packed with UPX. After unpacking, I found a couple of interesting strings: something resembling a basic password list, as well as a large number of HTTP User-Agent strings.
Dynamic analysis settled the matter: this is a distributed denial of service (DDoS) bot that connects to a remote server over port 1433 to receive its tasking. The server replied with a target IP address, which the bot then flooded with a large number of mostly single-byte UDP datagrams to port 80, sent from many different local source ports.
Interestingly, the strings include a subdomain of 3322.org, a dynamic DNS provider previously linked to Nitol botnet infrastructure. The 3322.org host was never contacted during analysis, however, so the reference may simply be a historical leftover of a code base shared with the Nitol bot. Note also that many VirusTotal vendors detect this sample as the Nitol Trojan.
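The traffic pattern described above (a tasking connection on port 1433 followed by a burst of tiny UDP datagrams to one host's port 80 from many local source ports) is easy to turn into a detection. The following is an added example of that detection logic, not code from the article or from Ixia's products: it runs over constructed flow records shaped like the observed behaviour, finds the densest one-second burst per (source, destination, destination port), requires many distinct source ports and near-all tiny payloads, and then lists the TCP connections the same source made shortly before the flood began, which is where the C2 server shows up. The thresholds, the record layout and the IP addresses (RFC 5737 documentation ranges) are all my choices.

```python
from collections import defaultdict

# Added example: detection logic for the UDP flood pattern described above.
# Records are (t_seconds, proto, src, sport, dst, dport, payload_len); the
# sample set below is constructed, not capture data from the article.


def make_sample():
    """Constructed records: a tasking connection to port 1433, then 200
    one-byte UDP datagrams to the target's port 80 from 200 source ports,
    mixed with benign DNS from the same host and web traffic from another."""
    recs = [(0.50, "tcp", "10.0.0.5", 49151, "203.0.113.10", 1433, 64)]    # tasking
    for i in range(5):                                                       # benign DNS
        recs.append((0.60 + i * 0.1, "udp", "10.0.0.5", 50000 + i, "10.0.0.53", 53, 40))
    for i in range(200):                                                     # the flood
        recs.append((1.00 + i * 0.004, "udp", "10.0.0.5", 49152 + i, "198.51.100.7", 80, 1))
    for i in range(30):                                                      # unrelated host
        recs.append((1.00 + i * 0.05, "tcp", "10.0.0.6", 51000, "192.0.2.20", 80, 500))
    return recs


def detect_udp_floods(records, window=1.0, min_pkts=50, min_sports=20,
                      max_payload=8, lookback=30.0):
    """One finding per (src, dst, dport) whose UDP traffic matches the bot's
    flood: at least `min_pkts` datagrams inside any `window` seconds, at least
    `min_sports` distinct source ports, and 90%+ payloads of `max_payload`
    bytes or less. Each finding lists TCP peers the source contacted in the
    `lookback` seconds before the flood started (tasking/C2 candidates)."""
    groups = defaultdict(list)
    for t, proto, src, sport, dst, dport, plen in records:
        if proto == "udp":
            groups[(src, dst, dport)].append((t, sport, plen))
    findings = []
    for (src, dst, dport), pkts in groups.items():
        pkts.sort()
        tiny = sum(1 for _, _, plen in pkts if plen <= max_payload)
        if tiny < min_pkts or tiny / len(pkts) < 0.9:
            continue
        # densest burst: two-pointer sweep over the sorted timestamps
        best, lo = 0, 0
        for hi in range(len(pkts)):
            while pkts[hi][0] - pkts[lo][0] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        sports = {sport for _, sport, _ in pkts}
        if best < min_pkts or len(sports) < min_sports:
            continue
        start = pkts[0][0]
        prior_tcp = sorted({"%s:%d" % (d, p) for t, proto, s, _, d, p, _ in records
                            if proto == "tcp" and s == src and start - lookback <= t < start})
        findings.append({"src": src, "dst": dst, "dport": dport, "packets": len(pkts),
                         "peak_per_window": best, "distinct_sports": len(sports),
                         "prior_tcp": prior_tcp})
    return findings


if __name__ == "__main__":
    for f in detect_udp_floods(make_sample()):
        print(f)
```

Flow-level data (NetFlow/IPFIX or Zeek conn logs) carries exactly these fields, so the same logic runs without packet capture; the distinct-source-port condition is what separates this bot's flood from a single noisy but legitimate UDP client.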
This file adds a new user account on the local machine with administrator privileges:
Next, it downloads its payload from a remote server. The malicious file has SHA256 hash 86B6178314C57C51C67D91AE45EE25FAD1FB6D6E37D35BC4307FA5C49BDE2910 and had not been seen on VirusTotal at the time of writing. Dynamic analysis shows that it is an instance of Gh0st RAT that connects to multiple remote hosts on non-standard ports such as 3882 and 8888. Example traffic matching Gh0st RAT:
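What "matches Gh0st RAT" means on the wire is the classic framing from the Gh0st 3.6 source lineage: a 5-byte flag (“Gh0st” in the original), the total frame length and the uncompressed length as little-endian 32-bit integers, then a zlib-compressed body whose first byte is the command/token code. The decoder below is an added example, not code from the article or from Ixia; the sample messages are constructed, the token byte in them is arbitrary, and because many forks change the 5-byte flag, the flag is a parameter rather than a hard-coded signature.

```python
import struct
import zlib

# Added example: decoder for the classic Gh0st RAT framing (flag, total
# length, uncompressed length, zlib body). Sample bytes are constructed.
GHOST_FLAG = b"Gh0st"                    # forks use other 5-byte flags; pass your own
HEADER = struct.Struct("<5sII")          # flag, total frame len, uncompressed len


def encode_ghost(payload, flag=GHOST_FLAG):
    """Frame a payload the way the RAT does; used here only to build samples."""
    body = zlib.compress(payload)
    return HEADER.pack(flag, HEADER.size + len(body), len(payload)) + body


def decode_ghost(stream, flag=GHOST_FLAG, max_len=16 * 1024 * 1024):
    """Decode one frame from the start of a reassembled TCP stream.
    Returns (payload, rest) or None if the bytes are not a sane frame."""
    if len(stream) < HEADER.size:
        return None
    f, total, orig = HEADER.unpack_from(stream)
    if f != flag or total < HEADER.size or total > max_len or len(stream) < total:
        return None
    try:
        payload = zlib.decompress(stream[HEADER.size:total])
    except zlib.error:
        return None
    if len(payload) != orig:             # length field must agree with the body
        return None
    return payload, stream[total:]


def split_ghost_stream(stream, flag=GHOST_FLAG):
    """All consecutive frames at the start of a stream; stops at the first
    byte sequence that is not a valid frame."""
    frames = []
    while True:
        r = decode_ghost(stream, flag)
        if r is None:
            return frames
        payload, stream = r
        frames.append(payload)


def is_ghost_stream(stream, flag=GHOST_FLAG):
    """Signature check a honeypot or IDS can run on the first bytes of a flow:
    the flag alone is a weak match, a frame that decodes consistently is not."""
    return decode_ghost(stream, flag) is not None


if __name__ == "__main__":
    # constructed client message: a token byte followed by a dummy host record
    sample = encode_ghost(b"\x66" + b"CONSTRUCTED-HOST-INFO")
    print(sample[:HEADER.size].hex())
    print(split_ghost_stream(sample + encode_ghost(b"\x65") + b"\x00junk"))
```

Matching on the flag string alone is what most vendor signatures do and is why renamed forks slip past them; requiring the two length fields and the zlib body to agree costs nothing and survives a changed flag once you feed in the variant's own.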
Other Interesting Samples
This sample connected to a remote server and attempted to download two executables: hxxp://shop.digimas.com/admin/svchost.exe and hxxp://shop.digimas.com/admin/ex.exe. Unfortunately, ex.exe failed to download and dynamic analysis of svchost.exe (SHA256 hash 5316625DA25FB3B08AF3882C9CDE4263EB1F0CF68E2AB6433FBDFE44C0EB2322) failed. The downloaded file had very few detections on VirusTotal, just five at the time of writing.
String analysis offers an interesting clue: two of the strings inside are “Your 1Password Browser Extension is Out Of Date” and “1Password needs a newer extension to be used with”. That makes it sound like an infostealer, but I can't provide any further evidence in that direction at the moment.
This payload starts by downloading a file named “ok.txt” from a remote web server. That file in turn downloads a batch file from the server and runs a couple of commands around it:
The first part appears to be some kind of cleanup, although its exact purpose eludes me; it may be that the botmaster is removing competing malware. It then downloads more files and creates scheduled tasks to execute them. Although most of the remote locations were no longer reachable, I was able to recover the “close.bat” file referenced in the first section:
This is another cleanup-and-download script. What is interesting is that this sample blocks SMB access via the Windows firewall while adding permit rules for its own connections. Although I couldn't reach the final payload, some of these actions, blocking SMB in particular, resemble the behaviour of Adylkuzz and other bots.
The extent of EternalBlue exploitation is not limited to ransomware such as WannaCry: multiple parties are using this vulnerability to spread their malware, as Adylkuzz first showed. Believing that the activated WannaCry kill switch has somehow reduced your risk is a mistake. If you have an unpatched system directly connected to the Internet and have managed to avoid WannaCry, it may simply be because a “friendly” cryptocoin miner was “protecting” you all along, or because WannaCry missed you and a RAT took its place. Either way, it's high time to patch!
For us, understanding how these attacks work makes us better at blocking them – Ixia’s ThreatARMOR customers are now protected from any EternalBlue exploit attempt, be it from WannaCry or other attackers. They are also protected from locations hosting the second-stage exploits. Ixia’s BreakingPoint customers will find samples of the DDoS bot and RAT in the upcoming malware pack.
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.