The “EternalBlue” exploit (MS017-010)
was initially used by WannaCry ransomware and Adylkuzz cryptocurrency
miner. Now more threat actors are leveraging the vulnerability in Microsoft
Server Message Block (SMB) protocol – this time to distribute
Backdoor.Nitol and Trojan Gh0st RAT.
FireEye Dynamic Threat Intelligence (DTI) has historically observed
similar payloads delivered via exploitation of CVE-2014-6332
vulnerability as well as in some email spam campaigns using powershell
commands. Specifically, Backdoor.Nitol has also been linked to
campaigns involving a remote code execution vulnerability using the
ADODB.Stream ActiveX Object that affects older versions of Internet
Explorer. Both payloads have previously been involved in targeted cyber-attacks
against the aerospace and defense industry.
We observed lab machines vulnerable to SMB exploit were attacked by
a threat actor using the EternalBlue exploit to gain shell access to
Figure 1 shows an EternalBlue exploitation attempt.
Figure 1. Network traffic showing EternalBlue
The initial exploit technique used at the SMB
level is similar to what we have been seen in WannaCry
campaigns; however, once a machine is successfully infected, this
particular attack opens a shell to write instructions into a VBScript
file and then executes it to fetch the payload on another server.
We have observed the same EternalBlue and VBScript combination used
to distribute Gh0st RAT in Singapore, as well as Backdoor.Nitol being
delivered in the South Asia region.
Figure 2. VBScript instructions in ‘1.vbs’
The full VBScript instructions can be seen in Figure 2. The attacker
echoes instructions into a new ‘1.vbs’ file to be executed later.
These instructions fetch the payload ‘taskmgr.exe’ from another
server in a synchronous call (as indicated by the second parameter
‘0’). This action creates an ActiveX object ADODB.Stream, which
allows reading the file coming from the server and writes the result
of the binary data in a stream. Mode ‘3’ is used for read/write
permissions while type ‘1’ indicates stream as binary data.
Thereafter, it saves the binary stream to a location at “c:/” with
option ‘2’ in order to overwrite any binary with the same name at that location.
Later, we see that ‘1.vbs’ executes through a command-line version
of the Windows Script Host which deletes the vbs file. Once the
executable is fetched and saved, the attacker uses a shell to launch
the backdoor from the saved location.
Figure 3 shows Backdoor.Nitol being downloaded and infecting the machine.
Figure 3. Network traffic showing Backdoor.Nitol download
The command and control (C2) for the Backdoor.Nitol sample is
hackqz.f3322[.]org (18.104.22.168). See Figure 4.
Figure 4. Backdoor.Nitol C2 communication
The other malware that we’ve observed being deployed in this manner
is Gh0st RAT. The observed dropper downloads the Gh0st RAT binary from
beiyeye.401hk[.]com (Figure 5).
Figure 5. Gh0st RAT C2 communication
The first five bytes in the header of the Gh0st RAT traffic is an
indication of the Gh0st variant used. Historically we have seen
wide-spread usage of variants employing the ‘cb1st’ magic
header against the Education, Energy/Utilities, Manufacturing,
Services/Consulting, and Telecom industries. For more information on
this and other widely used variants of Gh0st RAT, please review GH0ST
in the Machine: GH0ST RAT Remains Active in Financial Services
Sector available on our subscription MySight portal.
The Gh0St RAT sample observed in this attack, as well as other
associated samples identified by FireEye are all signed with a common
digital certificate purporting to be from 北京研创达科技有限公司 (Beijing
Institute of Science and Technology Co., Ltd). Stolen or
illegitimately purchased code signing certificates are increasingly
used to lend legitimacy to malware. See the appendix for full details
on the observed code signing certificate.
The addition of the EternalBlue exploit to Metasploit has made it
easy for threat actors to exploit these vulnerabilities. In the coming
weeks and months, we expect to see more attackers leveraging these
vulnerabilities and to spread such infections with different payloads.
It is critical that Microsoft Windowsusers patch their machines and
update to the latest software versions as soon as possible.
FireEye Labs authors would like to thank Shahzad Ahmad and Kean
Siong Tan for their contributions in this discovery.
22.214.171.124:45988 / taskmgr.exe (Nitol)
beiyeye.401hk[.]com:1541 / systemUpdate.exe (Gh0st)