Malware Creates Cryptominer Botnet Using EternalBlue and Mimikatz


A malware campaign is actively attacking Asian targets using the EternalBlue exploit and taking advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to drop Trojans and a Monero coinminer on compromised machines.

This cryptojacking campaign was previously detected by Qihoo 360’s research team attacking Chinese targets during January 2019, when it was observed using the Invoke-SMBClient and PowerDump open source tools “to complete password hashing and pass the hash attacks.”

As Trend Micro has now discovered, the malware has also added the NSA-developed EternalBlue exploit, famously used as part of the WannaCry and NotPetya ransomware attacks of 2017.

The exploit used by this campaign targets the SMBv1 protocol. It was leaked by the Shadow Brokers two years ago and is now a run-of-the-mill tool in the arsenal of most malware developers, as shown by the flood of malware that uses it to spread among vulnerable machines.

Eternalblue payload

While Trend Micro’s initial research showed that the malware was only attacking Japanese computers, the campaign later moved on to other victims, this time in Australia, Taiwan, Vietnam, Hong Kong, and India.

The malware drops multiple malicious components on machines it compromises by “trying a list of weak credentials to log into other computers connected to the network”, with the help of “pass the hash” attacks, launching Invoke-WMIMethod-based attacks against targets with weak passwords, or using the EternalBlue exploit.

If it successfully gets in using weak credentials, it will change “the firewall and port forwarding settings of the infected machines, setting up a scheduled task to download and execute an updated copy of the malware” instead of sending itself onto the compromised computer.

On the other hand, if it manages to authenticate and slide in using hashed passwords, it will use the Invoke-SMBClient script to run various file operations, from deleting files dropped by older versions of the malware to achieving persistence by adding itself to the Windows Startup folder.

After successfully infecting a target, the malware will download a PowerShell dropper script from its command-and-control (C&C) server, as well as collect and exfiltrate the machine’s MAC address and the list of installed antimalware software.

Collecting MAC and AV information

During the next infection stage, the malware will drop a Trojan strain detected by Trend Micro as TrojanSpy.Win32.BEAHNY.THCACAI which will start the system information collection process again, this time gathering the computer name, machine’s GUID, MAC address (again), OS version, graphics memory info, and system time.

A PowerShell implementation of a Mimikatz variant is also downloaded which adds to the malware’s self-propagation capabilities.

“The malware also attempts to use weak SQL passwords to access vulnerable database servers, executing shell commands using xp_cmdshell upon access,” says Trend Micro. “Like the main file, the component scans IP blocks for vulnerable devices that can be exploited using EternalBlue by reusing publicly available codes related to previous exploits.”

Last but not least, the final malicious payload, an XMRig Monero cryptominer, is deployed using PowerShell and injected straight into its own process using the open source Invoke-ReflectivePEInjection tool.

XMRig payload

As shown by Symantec’s 2019 Internet Security Threat Report, the use of malicious PowerShell scripts increased by a remarkable 1,000% during 2018, following the overall trend of bad actors moving to LotL techniques designed to allow their malicious tools to remain undetected after the initial insertion for as much time as possible.

This cryptojacking campaign shows that malware developers haven’t yet given up on readily available tools such as the omnipresent PowerShell to run their malicious dropper scripts.
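Because every tool named in this chain also has legitimate uses or look-alikes, defenders get more signal from correlating several stages on one host than from a single keyword hit. The sketch below is an added example, not code from Trend Micro or from the campaign; it assumes process and script logs already flattened to `<host> <command text>` lines, and the stage grouping, hostnames and sample lines are constructed.

```python
import re

# Patterns come from the tools and behaviours named in the article; the stage
# grouping and the "<host> <command text>" line layout are assumptions.
STAGES = {
    "lateral_movement": [r"invoke-smbclient", r"invoke-wmimethod", r"xp_cmdshell"],
    "credential_theft": [r"powerdump", r"mimikatz"],
    "persistence": [r"schtasks(\.exe)?\s+/create", r"netsh\s+interface\s+portproxy\s+add",
                    r"netsh\s+advfirewall\s+firewall\s+add"],
    "miner_payload": [r"invoke-reflectivepeinjection", r"xmrig"],
}

def normalize(text):
    """Undo trivial obfuscation: backtick/caret escapes and 'a'+'b' string joins."""
    text = re.sub(r"[`^]", "", text)
    text = re.sub(r"""['"]\s*\+\s*['"]""", "", text)
    return text.lower()

def triage(lines):
    """Map each host to the set of campaign stages seen in its log lines."""
    seen = {}
    for line in lines:
        host, _, text = line.strip().partition(" ")
        if not text:
            continue  # skip blank or malformed lines
        cleaned = normalize(text)
        for stage, patterns in STAGES.items():
            if any(re.search(p, cleaned) for p in patterns):
                seen.setdefault(host, set()).add(stage)
    return seen

def likely_infected(seen, min_stages=2):
    """Hosts showing several distinct stages, most stages first."""
    hits = [(h, sorted(s)) for h, s in seen.items() if len(s) >= min_stages]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))

# Constructed sample lines, not taken from the campaign.
SAMPLE = [
    "WS-014 powershell -nop -w hidden -c Inv`oke-SMBCl`ient <args>",
    "WS-014 schtasks /create /tn <name> /tr <command> /sc minute",
    "WS-014 powershell -c Invoke-Reflec'+'tivePEInjection <args>",
    "DB-002 sqlservr: EXEC xp_cmdshell '<command>'",
    "WS-020 netsh advfirewall show allprofiles",
    "WS-031 schtasks /create /tn BackupJob /tr backup.exe /sc daily",
]

if __name__ == "__main__":
    for host, stages in likely_infected(triage(SAMPLE)):
        print(host, stages)
```

Only WS-014 is reported, because it shows three stages; the lone scheduled task on WS-031 and the single `xp_cmdshell` call on DB-002 stay below the threshold and would need separate review.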

Although cryptojacking followed a downward trend during 2018, it’s still in the arsenal of threat actors, as also shown by the PsMiner cryptojacking malware with worm-like behavior detected in March by Qihoo 360’s research team.

This is further confirmed by a collection of eight apps found to be dropping malicious Monero cryptomining scripts on the computers of Microsoft Store users and by hundreds of exposed and vulnerable Docker hosts actively being abused in cryptojacking campaigns.

Additionally, during February, a new coinminer malware using the XMR-Stak Cryptonight cryptocurrency miner targeted servers running multiple Linux distributions, and a newly discovered Backdoor Trojan dubbed SpeakUp by Check Point researchers dropped XMRig miners on its victims.