Threat Advisory: EternalRocks
McAfee Labs Threat Advisory
EternalRocks
June 6, 2017

McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs.

To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html.

Summary

EternalRocks is a network worm which uses the SMB exploits ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, along with the related programs DOUBLEPULSAR, ARCHITOUCH, and SMBTOUCH, to spread.

McAfee products detect this threat under the following detection names:
• Trojan-EtrnlRock
• Trojan.EternalRocks
• Trojan-Bluedoom
• HackTool-Shadowbrokers
• RDN/Generic.grp
• RDN/Generic.dx
• RDN/Trojan-EtrnlRock
• RDN/Generic Downloader.x

Detailed information about the threat, its propagation, characteristics, and mitigation is in the following sections:
• Infection and Propagation Vectors
• Mitigation
• Characteristics and Symptoms
• Restart Mechanism
• Remediation
• McAfee Foundstone Services

Infection and Propagation Vectors

Even though this has not been confirmed, the malware’s initial vector is expected to be spam email. The malware spreads by exploiting SMB shares using the EternalBlue (MS17-010 Echo Response - SMB vulnerability) exploit. The authors have used publicly available exploit code and embedded it as a part of their dropper. On execution, the malware connects to the IPC$ tree and attempts a transaction on FID 0, triggers the vulnerability, and then exploits it. During replication, we observed that it generates a random set of IP addresses for the purposes of propagation. These IPs are not restricted to internal IPs.
Affected systems: Microsoft Windows XP, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7, Windows 8.1, Windows RT 8.1, Windows Server 2012 and R2, Windows 10, and Windows Server 2016.

Characteristics and Symptoms

This section describes the various components of the malware.

Dropper Component: 994bd0b23cce98b86e58218b9032ffab

The dropper component is a .exe file compiled with Microsoft Visual Basic 6, 332 KB in size. After execution, it creates the following folders and files:
• C:\Program Files\Microsoft Updates : Base install directory of the malware
• C:\Program Files\Microsoft Updates\SharpZLib.zip : Zip file containing library files for unzipping archives.
• C:\Program Files\Microsoft Updates\SharpZLib\ : Folder into which the SharpZLib zip archive is unzipped.
• C:\Program Files\Microsoft Updates\svchost.exe : Second stage component, described in a subsequent section of this Threat Advisory.
• C:\Program Files\Microsoft Updates\installed.fgh : Text file containing the currently installed version of the malware.
• C:\Program Files\Microsoft Updates\ICSharpCode.SharpZipLib.dll : SharpZLib library file.
• C:\Program Files\Microsoft Updates\TaskScheduler.zip : Files and libraries required to set up a scheduled task on the system programmatically.
• C:\Program Files\Microsoft Updates\TaskScheduler\ : Folder into which TaskScheduler.zip is unzipped.
• C:\Program Files\Microsoft Updates\Microsoft.Win32.TaskScheduler.dll : TaskScheduler library file.
• C:\Program Files\Microsoft Updates\temp\tor.zip : Zip file containing the Tor module used to communicate with the malware’s Command & Control (C&C) server.
• C:\Program Files\Microsoft Updates\Tor\ : Contains the unzipped contents of tor.zip.
• C:\Program Files\Microsoft Updates\torunzip.exe : Binary used for unzipping the contents of tor.zip into the Tor folder.
• C:\Program Files\Microsoft Updates\required.glo : Data file containing the installation info for the malware. This acts as a log file keeping track of the activities the malware has completed.
• C:\Program Files\Microsoft Updates\taskhost.exe : Another second stage malware component that downloads and executes various exploits. This file is embedded in the svchost.exe file.

The dropper creates the following mutex:
Global\20b70e57-1c2e-4de9-99e5-69f369006912 (created by the dropper process/binary)

The dropper component then checks for the .NET version, and if it is not installed it can download it from the following locations:
• http://download.microsoft.com/download/a/3/f/a3f1bf98-18f3-4036-9b68-8e6de530ce0a/NetFx64.exe
• http://download.microsoft.com/download/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe

It then downloads the TaskScheduler and SharpZLib packages from the following URLs:
• https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg
• https://api.nuget.org/packages/sharpziplib.0.86.0.nupkg

It extracts these into the following locations:
• C:\Program Files\Microsoft Updates\SharpZLib
• C:\Program Files\Microsoft Updates\TaskScheduler

The dropper then extracts the malicious svchost.exe file from its own binary (resources) to the following location:
• C:\Program Files\Microsoft Updates\svchost.exe

The dropper then executes the dropped svchost.exe file [MD5: 5c9f450f2488140c21b6a0bd37db6a40].
Second Stage Component: 5c9f450f2488140c21b6a0bd37db6a40

The second stage component downloads the Windows Tor package from:
• hxxps://archive.torproject.org/tor-package-archive/torbrowser/4.0.1/tor-win32-tor-0.2.5.10.zip

and uses torunzip.exe to unzip the archive into the Tor folder located in the install directory:
• C:\Program Files\Microsoft Updates\Tor\

The second stage component drops torrc, a Tor configuration file, to the following path:
• C:\Program Files\Microsoft Updates\Tor\torrc

The second stage component executes tor.exe to install the Tor hidden service:
• "C:\Program Files\Microsoft Updates\Tor\tor.exe" --defaults-torrc "C:\Program Files\Microsoft Updates\Tor\torrc"

The tor.exe binary drops the following files:
• C:\Program Files\Microsoft Updates\Tor\cached-certs
• C:\Program Files\Microsoft Updates\Tor\cached-microdesc-consensus
• C:\Program Files\Microsoft Updates\Tor\cached-microdescs.new
• C:\Program Files\Microsoft Updates\Tor\hidden_service\hostname
• C:\Program Files\Microsoft Updates\Tor\hidden_service\private_key
• C:\Program Files\Microsoft Updates\Tor\state

Tor generates an onion address (example: 32sxljhplsaxdzxb.onion) for the hidden service based on the configuration present in the torrc file, and writes the address to a file named hostname.

The second stage component executes various networking commands:
a) netstat.exe –a : To generate the list of open (listening) TCP and UDP ports to be used for configuring firewall rules.
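As an added host-hunting example (not part of this advisory and not McAfee's tooling), the following Python checks a machine for the dropper and Tor hidden-service artifacts listed above and for the dropper mutex. The install root, artifact names, mutex name and example onion address are taken from this advisory; the build_sample_tree helper constructs a throwaway directory so the check can be exercised offline on an analyst workstation, and the mutex probe only runs on Windows.

```python
"""Check a host for the EternalRocks install-directory artifacts and the
dropper mutex named in this advisory. Added example, not McAfee's tooling."""
import os
import sys
import tempfile

# Install root named in the advisory; a different root can be passed for testing.
INSTALL_DIR = r"C:\Program Files\Microsoft Updates"

# Relative paths taken from the advisory's dropper and second-stage file lists.
ARTIFACTS = [
    "svchost.exe",
    "taskhost.exe",
    "installed.fgh",
    "required.glo",
    "torunzip.exe",
    "ICSharpCode.SharpZipLib.dll",
    "Microsoft.Win32.TaskScheduler.dll",
    os.path.join("temp", "tor.zip"),
    os.path.join("Tor", "torrc"),
    os.path.join("Tor", "tor.exe"),
    os.path.join("Tor", "hidden_service", "hostname"),
    os.path.join("Tor", "hidden_service", "private_key"),
]

# Mutex the advisory attributes to the dropper.
DROPPER_MUTEX = r"Global\20b70e57-1c2e-4de9-99e5-69f369006912"


def find_artifacts(root=INSTALL_DIR):
    """Return which advisory artifacts exist under `root`, plus the hidden
    service's onion name when the Tor hostname file is present (that name is
    the infected host's C&C identity and is worth recording in the case)."""
    present = [rel for rel in ARTIFACTS if os.path.isfile(os.path.join(root, rel))]
    report = {"root": root, "present": present, "onion": None}
    hostname_file = os.path.join(root, "Tor", "hidden_service", "hostname")
    if os.path.isfile(hostname_file):
        with open(hostname_file, "r", encoding="utf-8", errors="replace") as fh:
            name = fh.read().strip()
        if name.endswith(".onion"):
            report["onion"] = name
    return report


def mutex_exists(name=DROPPER_MUTEX):
    """True if a mutex with this name is currently open (Windows only).

    Uses OpenMutexW with SYNCHRONIZE access; returns None on other platforms
    so the file check can still be run on an analyst workstation."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR]
    kernel32.OpenMutexW.restype = wintypes.HANDLE
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    kernel32.CloseHandle(handle)
    return True


def build_sample_tree():
    """Construct a throwaway directory mimicking a partial infection so the
    check can be exercised offline (constructed data, not a real sample)."""
    root = tempfile.mkdtemp(prefix="er_sample_")
    hidden_service = os.path.join(root, "Tor", "hidden_service")
    os.makedirs(hidden_service)
    for rel in ("installed.fgh", "required.glo", "svchost.exe"):
        open(os.path.join(root, rel), "w").close()
    with open(os.path.join(hidden_service, "hostname"), "w") as fh:
        fh.write("32sxljhplsaxdzxb.onion\n")  # example onion name from the advisory
    return root


if __name__ == "__main__":
    report = find_artifacts(build_sample_tree())
    print("artifacts:", report["present"])
    print("onion:", report["onion"], "mutex present:", mutex_exists())
```

On a live Windows host, call find_artifacts() with the default root and mutex_exists() as-is; a non-empty present list or a True mutex result is a strong indicator, since nothing legitimate installs into "Microsoft Updates" under Program Files.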
b) To allow the various components of the malware to communicate freely over the network, the malware then sets up various firewall rules via netsh.exe:
• firewall add allowedprogram <Install_dir>\svchost.exe "Microsoft Update Service" ENABLE
• firewall add allowedprogram <Install_dir>\taskhost.exe "Microsoft Update Service" ENABLE
• firewall add allowedprogram <Install_dir>\Tor\tor.exe "Microsoft Update Service" ENABLE
c) The malware also adds exceptions to the firewall for each open and listening port on the target machine to allow incoming connections, via netsh.exe commands:
• firewall add portopening TCP <port_number> "Open TCP Port <port_number>"
• advfirewall firewall add rule name="Open TCP Port <port_number>" dir=in action=allow protocol=TCP localport=<port_number>
• firewall add portopening UDP <port_number> "Open UDP Port <port_number>"
• advfirewall firewall add rule name="Open UDP Port <port_number>" dir=in action=allow protocol=UDP localport=<port_number>
d) It also disables file and printer sharing by setting up another firewall rule:
• netsh.exe firewall set service fileandprint disable
e) The malware also attempts to CLOSE the default SMB port on the target machine with a "Malware SMB Block" rule that blocks SMB port 445:
• netsh.exe advfirewall firewall add rule name="Malware SMB Block" dir=in localport=445 protocol=TCP action=block
f) When the various firewall rules have been configured, the malware turns the firewall on on the target system:
• netsh.exe firewall set opmode ENABLE

Updater Component:

The second stage component (svchost.exe) may also contain an updater component in some cases. The updater checks whether the target machine is running the latest version of the third stage component (taskhost.exe). If not, the second stage component contacts the CnC server to download the latest version of taskhost.exe.
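The firewall rules above leave a distinctive trace in the Windows firewall configuration. As an added detection example (not part of this advisory and not McAfee's tooling), the following Python parses the output of netsh advfirewall firewall show rule name=all and flags the rule names the worm creates, cross-checking the port in each "Open <proto> Port <n>" rule against the rule's actual LocalPort. The rule names come from the netsh commands in this advisory; the sample output embedded below is constructed and abbreviated to the fields the check uses.

```python
"""Flag Windows firewall rules matching the names EternalRocks creates.
Added example, not McAfee's tooling; the rule names and the port-445 block
are taken from this advisory, the sample netsh output is constructed."""
import re

# Rule names the malware creates (from the netsh commands in this advisory).
ADVISORY_RULE_PATTERNS = [
    re.compile(r"^Microsoft Update Service$"),
    re.compile(r"^Open (TCP|UDP) Port (\d+)$"),
    re.compile(r"^Malware SMB Block$"),
]


def parse_netsh_rules(text):
    """Turn the 'Key:   value' dump of `netsh advfirewall firewall show rule
    name=all` into a list of dicts, one per rule, keyed by the field names."""
    rules, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:   # blank or dashed separator
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Rule Name":                       # starts a new rule block
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def flag_rules(rules):
    """Names of rules whose name matches one the advisory attributes to the worm."""
    return [r["Rule Name"] for r in rules
            if any(p.match(r["Rule Name"]) for p in ADVISORY_RULE_PATTERNS)]


def ports_opened(rules):
    """(protocol, port) pairs the worm's 'Open <proto> Port <n>' rules actually
    allow inbound; the port in the name is checked against LocalPort so a
    renamed or edited rule is not silently counted."""
    opened = set()
    for r in rules:
        m = ADVISORY_RULE_PATTERNS[1].match(r["Rule Name"])
        if not m:
            continue
        proto, port = m.group(1), m.group(2)
        if (r.get("Direction") == "In" and r.get("Action") == "Allow"
                and r.get("Protocol") == proto and r.get("LocalPort") == port):
            opened.add((proto, port))
    return opened


# Constructed sample in the layout netsh prints (fields abbreviated); one benign
# Windows rule followed by three rules shaped like the advisory's commands.
SAMPLE_OUTPUT = """
Rule Name:                            Core Networking - DNS (UDP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             UDP
LocalPort:                            53
Action:                               Allow

Rule Name:                            Microsoft Update Service
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:
Protocol:                             Any
LocalPort:                            Any
Action:                               Allow

Rule Name:                            Open TCP Port 135
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            135
Action:                               Allow

Rule Name:                            Malware SMB Block
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            445
Action:                               Block
"""

if __name__ == "__main__":
    parsed = parse_netsh_rules(SAMPLE_OUTPUT)
    print("suspicious rules:", flag_rules(parsed))
    print("ports opened by worm rules:", sorted(ports_opened(parsed)))
```

On a real host, feed the parser the stdout of subprocess.run(["netsh", "advfirewall", "firewall", "show", "rule", "name=all"], capture_output=True, text=True) instead of SAMPLE_OUTPUT. A "Malware SMB Block" rule in particular has no legitimate origin, and the "Open TCP/UDP Port <n>" names line up with the netstat -a enumeration described above, so a run of them across many ports on one host is the pattern to look for.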
Infected systems will see communications to CnC URLs such as:
• hxxp://ubgdgno5eswkhmpy[dot]onion/updates/info?id=<Hostname>&v1.<version_number>&download=next
• hxxp://ubgdgno5eswkhmpy[dot]onion/updates/download?id=<Hostname>

The following mutex is created by the second stage dropper component (svchost.exe):
{8F6F0AC4-B9A1-45fd-A8CF-72FDEFF}

Third Stage Component: C52F20A854EFB013A0A1248FD84AAA95

The third stage component is named taskhost.exe. This is the module responsible for the worm’s propagation. It is a .NET binary embedded inside the resources of the second stage component (svchost.exe). This binary may also be downloaded from the CnC by the second stage component as part of the update process, into the install directory:
C:\Program Files\Microsoft Updates\

The third stage binary is responsible for downloading the shadowbrokers.zip exploit pack and unpacking the contained “payloads/”, “configs/” and “bins/” directories. This archive