
Response to Attacks Detected by the Sandbox


Release Date : 2018-11-13 16:57:32    Update Date : 2018-11-27 17:20:36    Author :

【Abstract】Huawei received a message that the FireHunter6000 series sandbox deployed on a customer network had generated a large number of alarms.

1 Background

On the morning of March 31, 2018, Huawei received a message that the FireHunter6000 series sandbox deployed on a customer's network had generated a large number of alarms. Huawei engineers responded quickly and found that a large number of malicious PE files were being repeatedly uploaded to the sandbox. The target was a server on the customer's network whose FTP service allowed anonymous login; many malicious programs had been uploaded to the server within two days.



2 On-Site Investigation and Evidence Collection

With the customer's authorization, Huawei engineers logged in to the server and found that two virus files, Photo.scr and info.zip, many 1 KB files of various types, and multiple HTML files were stored in every FTP directory. The server had been infected with various virus files, but fortunately none of them had been run.

Photo.scr and HTML files are found in sandbox logs. The sources of other virus files are unknown.

After prompt communication with the customer, we learned that the server is currently unavailable.

3 Virus Sample Analysis

3.1 HTML Files

All the HTML files are different, otherwise normal web pages, but the following content has been appended to the bottom of each file:

Attackers upload these HTML files only to trick users into clicking them and thereby running the virus. To increase the success rate, the attackers place the virus files in every directory on the FTP server.

3.2 Photo.scr

This is a mining virus that uses techniques such as anti-debugging and VM detection. It is similar to IMG001.exe. Therefore, the two files are analyzed together in section 3.4.

3.3 info.zip


This compressed file contains redundant data in addition to the normal compressed data, but nothing of value is found in it.

It contains two files: a mining program and a downloader.

3.4 IMG001.exe

This is the main miner; it uses a variety of techniques to keep mining running. It performs the following operations:

Add automatic startup:

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk

C:\Windows\System32\reg.exe reg  add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ

Release the miner:


Postpone the startup:

The miner starts running only after a period of time has passed since its installation.

Copy itself to the following directory:

%TEMP%

C:\

Create a scheduled task to disable the UAC:

C:\Windows\System32\schtasks.exe schtasks  /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'

Change the power supply options:

powercfg  /CHANGE -standby-timeout-ac 0 

powercfg  /CHANGE -hibernate-timeout-ac 0 

powercfg  /CHANGE -standby-timeout-ac 0 

powercfg  /CHANGE -hibernate-timeout-ac 0

Anti-debugging detection:

C:\Windows\WinSxS\FileMaps\users_anne_boleyn_appdata_roaming_nsminer_04c85a0b2cc38853.cdf-ms

Connect to malicious URLs:

Domain               IP              Location
stafftest.ru         188.214.30.158  Romania
hrtests.ru           37.1.216.8      Meppel, Drenthe, Netherlands
mine.moneropool.com  138.201.31.14   Falkenstein, Saxony-Anhalt, Germany


Initiate a mining request: 

Connect to the mine pool mine.moneropool.com.
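As an added example (not from the original article), the following Python rule flags the persistence and power-setting behaviours listed above when they appear in process command-line telemetry: a Run-key entry or a logon-triggered, highest-run-level scheduled task whose target lives in a user-writable directory such as AppData\Roaming, and powercfg calls that set sleep or hibernate timeouts to 0. The sample command lines are constructed from the commands in this section; the benign entries and the label names are assumptions.

```python
import re

# Constructed sample of process command lines. The first four mirror the
# persistence and power-setting commands the report attributes to IMG001.exe;
# the last two are benign look-alikes that the rule must not flag.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\reg.exe reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ",
    r"C:\Windows\System32\schtasks.exe schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'",
    r"powercfg /CHANGE -standby-timeout-ac 0",
    r"powercfg /CHANGE -hibernate-timeout-ac 0",
    r"C:\Windows\System32\schtasks.exe /create /tn 'Backup' /SC DAILY /TR 'C:\Program Files\Backup\backup.exe'",
    r"C:\Windows\System32\reg.exe add 'HKCU\Software\Vendor\App' /v Installed /d 1 /t REG_SZ",
]

# Paths an unprivileged user can write to; a persistence entry pointing here
# is far more suspicious than one pointing into Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
POWER_OFF = re.compile(r"-(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)


def classify(cmd):
    """Return the detection labels that apply to one process command line."""
    hits = []
    low = cmd.lower()
    # Run-key autostart whose target lives in a user-writable directory.
    if "reg" in low and " add " in low and RUN_KEY.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("runkey-userdir")
    # Logon-triggered task with the highest run level, launching from a user directory.
    if ("schtasks" in low and "/create" in low and "/rl highest" in low
            and "onlogon" in low and USER_WRITABLE.search(cmd)):
        hits.append("schtask-highest-userdir")
    # Sleep/hibernate timeouts forced to 0 keep the host awake for mining.
    if low.lstrip().startswith("powercfg") and POWER_OFF.search(cmd):
        hits.append("powercfg-no-sleep")
    return hits


def scan(cmdlines):
    """Classify every command line; the result list is aligned with the input."""
    return [classify(c) for c in cmdlines]


if __name__ == "__main__":
    for cmd, hits in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        print(hits or ["-"], cmd[:70])
```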

3.5 Information.vbe

The file is an encoded Visual Basic script inside the compressed package. After decoding, it is found that the script downloads PE files from the C&C server (http://testswork.ru/tmp2.exe). The hyperlink is now invalid; only the IP address of the server (91.235.116.58) is displayed in the root directory of the website. The IP address is located in Romania.


3.6 1 KB Files

The files have different filename extensions but the same content, as shown in the following figure:


The content contains a malicious URL. If the URL is opened, the following web page is displayed:


These files are located in every directory, but the sandbox did not detect any traffic related to them, so we cannot determine whether they are associated with the mining virus attack.
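As an added example that is not part of the original report, the following Python script groups files under an FTP root by SHA-256 and reports content that recurs across directories, which is how the pattern in sections 2 and 3.6 (the same 1 KB content under different extensions in every directory, plus the same dropper in every directory) can be surfaced during triage. The directory tree, file names and file bytes are constructed stand-ins, not the real samples.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replicated(root, min_dirs=2):
    """Group files under root by content hash and keep the groups whose identical
    content appears in at least min_dirs distinct directories."""
    groups = defaultdict(lambda: {"dirs": set(), "exts": set()})
    for dirpath, _, files in os.walk(root):
        for name in files:
            g = groups[hash_file(os.path.join(dirpath, name))]
            g["dirs"].add(os.path.relpath(dirpath, root))
            g["exts"].add(os.path.splitext(name)[1].lower())
    return {h: g for h, g in groups.items() if len(g["dirs"]) >= min_dirs}


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree():
    """Constructed FTP-like tree: one 1 KB payload saved under three extensions in
    every directory, a stand-in Photo.scr in every directory, one unique file each."""
    root = tempfile.mkdtemp()
    payload = b"A" * 1024           # identical content under many names (section 3.6)
    dropper = b"MZ" + b"\x00" * 62  # constructed bytes, not the real Photo.scr
    for i, d in enumerate(("pub", "pub/docs", "upload")):
        full = os.path.join(root, d)
        os.makedirs(full, exist_ok=True)
        for name in ("note.txt", "image.jpg", "report.pdf"):
            _write(os.path.join(full, name), payload)
        _write(os.path.join(full, "Photo.scr"), dropper)
        _write(os.path.join(full, "legit%d.dat" % i), b"unique content %d" % i)
    return root


if __name__ == "__main__":
    for digest, g in find_replicated(build_sample_tree()).items():
        print(digest[:12], len(g["dirs"]), "dirs", sorted(g["exts"]))
```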

4 Attack Source Tracing

The sandbox traffic record shows that two IP addresses were used to initiate the attack. The first is 183.177.101.254, located in Inner Mongolia; only one HTML page was uploaded from this address. All subsequent files came from the Ukrainian IP address 185.29.254.30, which is now inaccessible. Analysis of the IP address located in Inner Mongolia:

The host is a router running MikroTik RouterOS v5.19. We attempted to collect information about this service but found nothing of value. The router appears to have been compromised and used as a zombie host.



The IP address located in Ukraine is currently unreachable. Only a little information is available in the threat intelligence system, which indicates that it may be a threat server.

A large number of similar files are found during file correlation search.

The servers hosting these files are distributed around the world. Initial detection indicates that some are malicious servers and some are compromised legitimate servers. During the correlation search for information.vbe, a honeypot capture analysis article (https://isc.sans.edu/diary/Honeypot+Logs+and+Tracking+a+VBE+Script/22177) was found, indicating that this attack has been ongoing for several years. Viruses can still be downloaded from certain servers for infection.

All the attack servers are in different regions, and the real attack source cannot be determined. The two attack IP addresses are located in Ukraine and Inner Mongolia; the C&C servers are located in the Netherlands and Romania; the download server is located in Romania.

The malicious promotional hyperlinks are probably not directly related to this attack.

5 Protective Measures

1. Block connections to the C&C servers according to the IOC information provided in the appendix, and block malicious samples from entering your enterprise network.

2. Set complex login passwords and do not allow high-risk configurations such as password-free login. Manage user permissions by level.

3. Install the patches provided by the vendor to fix vulnerabilities, or upgrade the software to the latest version that has no known vulnerabilities.

4. If suspected malicious files are found, submit them to the Huawei cloud sandbox (https://isecurity.huawei.com/sec/web/cloudDetection.do) for detection and make decisions based on the detection results.

5. Deploy security products, such as Huawei NGFWs, to protect network traffic and block malicious downloads in a timely manner.

Appendix: IOC

185.29.254.30

183.177.101.254

91.235.116.58

188.214.30.158

37.1.216.8


【Copyright Notice】 This article is the original content of HUAWEI Security Center. When reprinting, you must indicate the source (HUAWEI Security Center), link and author of the article, otherwise you may be held liable. If you find any suspected infringing content on this website, please visit the Feedback page to report it and provide relevant evidence. Once verified, we will immediately remove the allegedly infringing content.