McAfee Labs Threat Advisory EternalRocks
June 6, 2017 McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent A malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to n mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs. d
To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html.
Summary EternalRocks is a network worm which uses the SMB exploits ETERNAL BLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY along with related programs DOUBLEPULSAR, ARCHITOUCH, and SMBTOUCH to spread.
McAfee products detect this threat under the following detection names: • Trojan-EtrnlRock • Trojan.EternalRocks • Trojan-Bluedoom • HackTool-Shadowbrokers • RDN/Generic.grp • RDN/Generic.dx • RDN/Trojan-EtrnlRock • RDN/Generic Downloader.x
Detailed information about the threat, its propagation, characteristics, and mitigation are in the following sections:
• Infection and Propagation Vectors • Mitigation • Characteristics and Symptoms • Restart Mechanism • Remediation • McAfee Foundstone Services
Infection and Propagation Vectors Even though this has not been confirmed, the malware’s initial vector is expected to be spam email. The malware spreads by exploiting shares and uses the EternalBlue (MS17-010 Echo Response - SMB vulnerability) vulnerability. The authors have used publicly available exploit code and embedded it as a part of their dropper. On execution, the malware connects to the IPC$ tree and attempts a transaction on FID 0, triggers the vulnerability, and then exploits it.
During replication, we observed that it generates a random set of IP addresses for the purposes of propagation. These IPs are not restricted to internal IPs.
Affected systems: Microsoft Windows XP, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7, Windows 8.1, Windows RT 8.1, Windows Server 2012 and R2, Windows 10, and Windows Server 2016.
Characteristics and Symptoms This section describes various components of the malware:
Dropper Component: 994bd0b23cce98b86e58218b9032ffab
The dropper component is an .exe file compiled using Microsoft Visual Basic 6 having size 332 KB. After execution, it creates the following folders and files:
• C:\Program Files\Microsoft Updates : Base install directory of the malware • C:\Program Files\Microsoft Updates\SharpZLib.zip : Zip file containing library files for unzipping archives. • C:\Program Files\Microsoft Updates\SharpZLib\ : Folder into which the SharpZLib zip archive is unzipped. • C:\Program Files\Microsoft Updates\svchost.exe : Second stage component described in a subsequent section in this Threat Advisory. • C:\Program Files\Microsoft Updates\installed.fgh: Text file containing the current installed version of the malware. • C:\Program Files\Microsoft Updates\ICSharpCode.SharpZipLib.dll : SharpZLib library file. • C:\Program Files\Microsoft Updates\TaskScheduler.zip : File and libraries required to set up a Schedule Task on the system programmatically. • C:\Program Files\Microsoft Updates\TaskScheduler\ : Folder into which TaskScheduler.zip is unzipped. • C:\Program Files\Microsoft Updates\Microsoft.Win32.TaskScheduler.dll : TaskScheduler related library file. • C:\Program Files\Microsoft Updates\temp\tor.zip : Zip file containing the Tor module to communicate with the malware’s Command & Control (C&C) server. • C:\Program Files\Microsoft Updates\Tor\ : Contains the unzipped contents of Tor.zip • C:\Program Files\Microsoft Updates\torunzip.exe : Binary used for unzipping the contents of tor.zip into the Tor folder. • C:\Program Files\Microsoft Updates\required.glo : Data file containing the installation info for the malware. This acts as a log file keeping track of the activities the malware has completed. • C:\Program Files\Microsoft Updates\taskhost.exe : Another second stage malware component that downloads and executes various exploits. This file is embedded in the svchost.exe file.
The dropper creates the following mutex: Global\20b70e57-1c2e-4de9-99e5-69f369006912 (created by dropper process/binary)
The dropper component then checks for the Dot Net version, and if it is not installed it can download it from the following locations:
• http://download.microsoft.com/download/a/3/f/a3f1bf98-18f3-4036-9b68-8e6de530ce0a/NetFx64.exe • http://download.microsoft.com/download/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe
It then downloads TaskScheduler and SharpZLib packages from the following URLs:
• https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg • https://api.nuget.org/packages/sharpziplib.0.86.0.nupkg
It extracts these into the following locations, respectively:
• C:\Program Files\Microsoft Updates\SharpZLib • C:\Program Files\Microsoft Updates\TaskScheduler
The dropper then extracts the malicious svchost.exe file from its binary (resources) to the following location:
• C:\Program Files\Microsoft Updates\svchost.exe
The dropper then executes the dropped svchost.exe file [MD5: 5c9f450f2488140c21b6a0bd37db6a40].
Second stage Component: 5c9f450f2488140c21b6a0bd37db6a40
The second stage component downloads the Windows Tor package from:
• hxxps://archive.torproject.org/tor-package-archive/torbrowser/4.0.1/tor-win32-tor-0.2.5.10.zip and uses torunzip.exe to unzip the archive into the Tor folder located in the install directory:
• C:\Program Files\Microsoft Updates\Tor\
The second stage component drops torrc, which is a tor configuration file to the following path:
• C:\Program Files\Microsoft Updates\Tor\torrc
The second stage component executes tor.exe to install the tor hidden service:
• C:\Program Files\Microsoft Updates\Tor\tor.exe" --defaults-torrc "C:\Program Files\Microsoft Updates\Tor\torrc
The tor.exe binary drops following files: • C:\Program Files\Microsoft Updates\Tor\cached-certs • C:\Program Files\Microsoft Updates\Tor\cached-microdesc-consensus • C:\Program Files\Microsoft Updates\Tor\cached-microdescs.new • C:\Program Files\Microsoft Updates\Tor\hidden_service\hostname • C:\Program Files\Microsoft Updates\Tor\hidden_service\private_key • C:\Program Files\Microsoft Updates\Tor\state
Tor generates an onion address (example: 32sxljhplsaxdzxb.onion) as a hidden service based on the configuration present in the torrc file, and the address is written to a file named hostname.
The second stage component executes various networking commands such as:
a) netstat.exe –a : To generate the list of open TCP (listening) and UDP ports to be used for configuring firewall rules. b) To allow the various components of the malware to communicate freely over the network, the malware then sets up various firewall rules: • firewall add allowedprogram
c) The malware also adds exceptions to the firewall for each open and listening port on the target machine to allow incoming connections via netsh.exe commands: • firewall add portopening TCP
d) It also disables file and printer sharing devices by setting up another firewall rule: • netsh.exe firewall set service fileandprint disable
e) The malware also attempts to CLOSE the default SMB port on the target machine:
"Malware SMB Block” rule to block SMB port 445: netsh.exe advfirewall firewall add rule name="Malware SMB Block" dir=in localport=445 protocol=TCP action=block
f) When the various firewall rules have been configured, the malware starts up the firewall on the target system: • netsh.exe" firewall set opmode ENABLE
Updater Component: The second stage component (svchost.exe) may also contain an updater component in some cases. The updater checks to make sure that the target machine is running the latest version of the third stage component (taskhost.exe). If not, the second stage component contacts the CnC server to download the latest version of taskhost.exe.
Infected systems will see communications to the CnC URLs such as:
• hxxp :// ubgdgno5eswkhmpy[dot]onion/updates/info?id=
The following mutex is created by the second stage dropper component (svchost.exe): {8F6F0AC4-B9A1-45fd-A8CF-72FDEFF}
Third stage Component: C52F20A854EFB013A0A1248FD84AAA95
The third stage component is named taskhost.exe. This is the module responsible for the worm’s propagation. This is a .Net binary embedded inside the resources of the second stage component (svchost.exe). This binary (third stage) may also be downloaded from the CnC as part of the update process by the second stage component into the install directory: C:\Program Files\Microsoft Updates\
The third stage binary is responsible for downloading shadowbrokers.zip exploit pack and unpacking the contained “payloads/”, “configs/” and “bins/” directories. This archive (shadowbrokers.zip) downloaded by the third stage component contains SMB exploits ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY along with related programs DOUBLEPULSAR, ARCHITOUCH, and SMBTOUCH.
When the exploit pack has been unzipped, the taskhost.exe component begins a random scan of open 445 ports on the Internet for vulnerable machines and then runs the exploits unpacked to “bins/” directory to push the first stage component contained in the “payloads/” directory.
Network Activity
The malware may try to contact the following URLs:
• hxxp://api.nuget.org/packages/taskscheduler.2.5.23.nupkg • hxxps://api.nuget.org/packages/taskscheduler.2.5.23.nupkg • hxxp://api.nuget.org/packages/sharpziplib.0.86.0.nupkg • hxxps://api.nuget.org/packages/sharpziplib.0.86.0.nupkg • hxxp://download.microsoft.com/download/a/3/f/a3f1bf98-18f3-4036-9b68-8e6de530ce0a/NetFx64.exe • hxxp://download.microsoft.com/download/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe • hxxps://archive.torproject[dot]org/tor-package-archive/torbrowser/4.0.1/tor-win32-tor-0.2.5.10.zip • hxxp://ubgdgno5eswkhmpy[dot]onion/updates/download?id=
Restart Mechanism It adds the following schedule tasks for persistence:
1) C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip\TorHost The second stage component (svchost.exe) runs the relevant binary on system start, log on and daily: C:\Program Files\Microsoft Updates\Tor\tor.exe.
1) C:\Windows\System32\Tasks\Microsoft\Windows\ServiceHost The second stage component (svchost.exe) runs the relevant binary on system start, log on and daily: C:\Program Files\Microsoft Updates\svchost.exe.
2) C:\Windows\System32\Tasks\Microsoft\Windows\TaskHost The third stage component (taskhost.exe) runs the relevant binary on system start, log on and daily: C:\Program Files\Microsoft Updates\taskhost.exe.
Indicators of Compromise
Hashes: • 994BD0B23CCE98B86E58218B9032FFAB • 5C9F450F2488140C21B6A0BD37DB6A40 • C52F20A854EFB013A0A1248FD84AAA95
Mitigation • Update patch MS17-010 (Microsoft guidance) • Mitigating the threat at multiple levels such as file, registry, and URL can be achieved at various layers of McAfee products. Browse the product guidelines available here to mitigate the threats based on the behavior described below in the Characteristics and symptoms section.
Getting Help from the McAfee Foundstone Services team This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities.
You can reach them here: https://www.mcafee.com/enterprise/en-us/services/foundstone-services.html
This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy, relevance, and timeliness of the information and events described; they are subject to change without notice.
Copyright 2017 McAfee, Inc. All rights reserved.