Check Point Forensic Files: Monero CryptoMiner Campaign Adapts APT Techniques

By Richard Clayton, March 19th 2019

Since mid-January, our Sand Blast Agent Forensics team noticed a new variant of the Monero mining malware spreading throughout organizations worldwide. Interestingly, this malware showed similarities with the infection and propagation techniques of APT attacks and made use of legitimate IT admin tools, Windows system tools and previously disclosed Windows vulnerabilities to carry out the attack.

 

Before we dive into this particular campaign, though, it will serve us well to understand a little bit about APT attacks, how they work and why they are so dangerous to an IT network.

 

There are essentially 6 main steps taken during an APT Attack:

 

  1. The attack’s entry point is initially gained via an email, network, file, or application vulnerability and inserts malware into an organization’s network. At this point, the network is considered compromised but not yet breached.
  2. The malware then probes for additional network access and vulnerabilities or communicates with command-and-control (C&C) servers to receive additional instructions and/or malicious code.
  3. The malware will then typically establish additional points of compromise to ensure that the attack can continue if one point is subsequently closed.
  4. Once a threat actor determines that they have established reliable network access, they gather target data, such as account names and passwords, even if they are encrypted.
  5. The malware collects this data on a staging server and then exfiltrates it off the network to be placed under the full control of the threat actor. At this point, the network is considered breached.
  6. Evidence of the attack is then removed, but the network remains compromised. This allows for the attacker to be able to return at any time to continue the breach and carry out additional malicious operations.

Fig 1: Attack overview as seen by Forensics Report – Click here for full report.

 

A Monero APT Campaign

 

Since mid-January, we noticed a new variant of the Monero mining malware starting to spread. In fact, the malware showed similarities with the infection and propagation techniques of APT attacks. In addition, the highlight of this variant is the use of legitimate IT administration tools, Windows system tools and previously disclosed Windows vulnerabilities in order to infect an entire network of PCs.

 

The malware used in the attack consists of two variants of Trojans identified as “Trojan.Win32.Fsysna” and a variant of a Monero cryptominer.

 

Fig 2: Incident Tree overview as seen by CheckPoint Forensics Report. Click here for full report.

 

The Attack Flow

 

It is unclear how the initial infection of an unprotected PC in a network occurs but since the malware utilizes Mimikatz, it is clear that it spreads through unpatched network systems easily and rapidly.

 

After being dropped and executed in the ‘User Temporary’ folder, its first action is to drop a copy of itself in the ‘Windows Temp’ folder for persistence. This will be described shortly.

 

The Trojan’s first instruction is to stop other/older instances of itself that have previously run on the machine. It uses Windows’ default Taskkill application to achieve this purpose. It additionally uses the WMI application to stop other processes that running from Windows Temp folder and have names as its payload. Next is to use Netsh Windows utility to open the proper ports it needs for connection to the mining network. Finally in order to establish persistence, it cleans up older versions of itself and continues to create new tasks to start a new process on continuous basis.

Fig 3: “Updater” writing secondary payloads into the Temp folder.

A secondary payload is then dropped in the Temp folder which is essentially a slightly modified version of the Trojan but set to run from different paths on the system. Just like the Updater.exe, the new payload stops all previous versions of the Trojan that was running from the temp location and moves itself as ‘wmiex.exe’ to the system folder. From then on, using Windows as a legitimate tool, it creates a scheduled task to mimic a web server application and run on startup. It goes on to flush the dns cache of the system and start the scheduled task it has created.

 

As seen in the above diagram of the report file, the ‘Suspicious Events’ tab also shows another abnormality.

 

All the Trojan binaries are signed by Shenzhen Smartspace Software technology. However, the SandBlast engine detects the invalid signature, which was most likely stolen from another binary, and marks it as suspicious activity. Currently, not all vendors on the market detect this fake certificate and some competitors actually mark it as a signed process.

 

Fig 5: All binaries are signed with invalidated certificates from Shenzhen Smartspace Software technology.

 

After reboot the Trojan repeats all the persistent techniques from the Windows Command line in order to survive any automated clean-up utility, or updates its binaries to the latest clients. You can see CMD’s arguments in the below diagram and how the process uses WMI commands to replace legitimate Windows processes with the Trojan and the cryptominer’s binaries.

 

Fig 6: Legitimate methods used by the Miner in order stablish persistence and skip detection

During the attack chain, a PowerShell script launch was observed that attempts to connect to a series of predefined IP addresses and potentially infects other machines as well. Closer Inspection of the content of the PowerShell script shows the script is a custom version of the popular Invoke-SMBClient utility along with a mixture of other scripts that uses Windows tools in order to obtain data from the local machine and pass it on to the CnC server. This could potentially download other payloads. In our lab, we observed the script sending script version, a MAC address of the virtual machine, along with the installed Anti-Virus and its version.

Fig 7: Deobfucated version of script as seen in the Content tab pointing to open source utility Invoke-SMBClient

 

A secondary PowerShell script is then launched at a later stage by the Trojan that upon closer inspection points to the Invoke-Cats, an obfuscated script based version of Mimikatz. The content of the script is an exact match to the script observed in the Github repository.

Fig 8: Invoke-Cats being launched by the persistent Trojan.

 

The Trojan also connects to the C&C server and updates the server with the latest info from the infected machine. At a later stage, a Bitcoin Miner is also downloaded to the infected machine which runs parallel to Miner Miner.

 

Fig 9: Network activity of the Minero Miner process and connection to C&C servers.

An Addition to Check Point’s SandBlast Agent Forensics Report is the Reputation details page which summarizes all the malicious indicators of comprise in one page. This helps to assist the analyst and ease detection of false positives. This view contains reputation, where available, from Threat Cloud for all non-trusted URLs, Domains and Hashes found in the Forensics Analysis.

 

Fig 10: Reputation Details page which is part of Enterprise Endpoint Security E80.92 Windows Clients.

 

 

 

Conclusion

 

The actors behind this campaign possess enough skills and experience to make this a potentially severe attack on any organization with no so easy steps for remediation.

 

The use of Windows legitimate tools such as CMD, WMI and networking tools in order to inflict damage to the system and establish persistency would make these attacks harder to detect without increasing false positive detection in the organization.

 

The use of Open Source and script based tools in order to make lateral movements in the organization, and increase infection rates in loosely secured organizations, also indicates highly skilled actors are behind this attack.

 

To avoid being a victim of this attack we advise IT professionals to download patches and updates and ensure an advanced threat prevention solution is implemented across all parts of your IT network.

 

 

IOCs:

d4e2ebcf92cf1b2e759ff7ce1f5688ca

59b18d6146a2aa066f661599c496090d

a4b7940b3d6b03269194f728610784d6

1c791ae1e8356395f0c4a9a4a8fb65e8

5ab6f8ca1f22d88b8ef9a4e39fca0c03

d81233988ec80f56ea4094bad7ab5814

http://i.haqo.net/i.png

https://ift.tt/2HG2zVu

http://i.haqo.net

https://ift.tt/2HvEmBQ

https://ift.tt/2HEMdwh.

https://ift.tt/2HvEnFU

https://ift.tt/2HEMfEp

http://sv.symcd.com

https://ift.tt/2HrGcni

https://ift.tt/2HG2AZy

http://p.beahh.com

http://d.beahh.com

224.0.0.22

68.183.178.71

153.92.4.49

185.243.114.99

172.104.177.202

The post Check Point Forensic Files: Monero CryptoMiner Campaign Adapts APT Techniques appeared first on Check Point Software Blog.



from Check Point Software Blog https://ift.tt/2HvaOEI

Comments

Post a Comment

Popular posts from this blog

AR18-312A: JexBoss – JBoss Verify and EXploitation Tool

Image
Original release date: November 08, 2018 Summary JBoss Verify and EXploitation tool (JexBoss) is an open-source tool used by cybersecurity hunt teams (sometimes referred to as “red teams”) and auditors to conduct authorized security assessments. Threat actors use this tool maliciously to test and exploit vulnerabilities in JBoss Application Server (JBoss AS)—now WildFly—and a variety of Java applications and platforms. JexBoss automates all the phases of a cyberattack, making it a powerful and easy-to-use weapon in a threat actor’s cyber arsenal. This report provides a detailed analysis of JexBoss’ functionality, along with detection, response, prevention, and mitigation recommendations. Description JexBoss JexBoss is a tool used to test and exploit vulnerabilities in Java applications and platforms, including the JBoss AS/WildFly web server framework. JexBoss is written in the Python programming language using standard Python libraries. JexBoss is run from the command-line inter
Keep reading

SB18-141: Vulnerability Summary for the Week of May 14, 2018

Original release date: May 21, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium severity
Keep reading

SB18-029: Vulnerability Summary for the Week of January 22, 2018

Original release date: January 29, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium sever
Keep reading

Learn Python Programming – 7 Courses Video Training Bundle

Image
It's no secret that learning how to code is one of the most important things you can do when it comes to the beginning or furthering practically any career in programming and technology. The only problem a beginner often faces is that there are seemingly countless programming languages to choose from, which makes it exceedingly difficult for aspiring or even seasoned programmers to know which from The Hacker News http://bit.ly/2Ug9eJ8
Keep reading

SB18-043: Vulnerability Summary for the Week of February 5, 2018

Original release date: February 12, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium seve
Keep reading

SB18-057: Vulnerability Summary for the Week of February 19, 2018

Original release date: February 26, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium seve
Keep reading

SB18-008: Vulnerability Summary for the Week of January 1, 2018

Original release date: January 08, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium sever
Keep reading

Vulnerability Summary for the Week of October 19, 2020

Original release date: October 26, 2020 The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD . In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.   High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info acronis -- cyber_backup Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges. 2020-10-21 7.2 CVE-2020-10138 MIS
Keep reading

SB18-071: Vulnerability Summary for the Week of March 5, 2018

Original release date: March 12, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium severit
Keep reading

Vulnerability Summary for the Week of March 2, 2020

Original release date: March 9, 2020 The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD . In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.   High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info apple -- multiple_products   A denial of service issue was addressed with improved input validation. 2020-02-28 7.8 CVE-2019-8741 MISC MISC MISC MISC MISC MISC MISC centreon -- centreon   An issue was discovered in Centreon before 2.8.30, 18.10.8, 19.04.5, and 19.10.2. SQL Injection exists via the include/monitoring/status/Hosts/xml/hostXML.php instance parameter. 2020-03-05 7.5 CVE-2019-17647 CONFIRM CONFIRM CONFIRM MISC CONFIRM CONFIRM centreon -- centreon   Centreon 19.10 allows remote authenticated users to ex
Keep reading