
How to understand the analysis report on a cryptocurrency miner spreading maliciously through a Windows SMB vulnerability

2025-03-28 Update. From: SLTechnology News&Howtos (Network Security)


Shulou (Shulou.com) 05/31 Report

In this issue, the editor brings you an analysis report on a cryptocurrency miner that spreads maliciously by exploiting a Windows SMB vulnerability. The article is detailed and analyses the sample from a professional point of view; I hope you take something away from it.

1. Sample description

The malware exploits a Windows SMB vulnerability to spread, turning infected hosts into a cluster of zombie machines that run a cryptocurrency miner, and disguises itself as the system process spoolsv.exe. After dropping the attack payload, the malware aggressively scans the local network for port 445. Whenever it finds a host in the LAN with port 445 open, it writes the target IP address and port into the EternalBlue configuration file and then launches an overflow attack. Infected machines then mine according to the mining-pool address and miner account configured in the sample.

2. Sample analysis

1. Inspection of the system processes showed that spoolsv.exe is actually a compressed archive. Decompressing it as a zip file revealed the NSA attack kit, along with two executables bearing the same name as the sample and an XML configuration file of the same name.

Spoolsv.exe does not simply drop the attack package. After releasing the attack payload, it aggressively scans port 445 across the local network. Once it finds a host with port 445 open, it writes the target IP address and port into the EternalBlue configuration file and launches svchost.exe to carry out the first-stage overflow attack; the result of stage 1 is recorded in stage1.txt. When that attack finishes, the parent checks whether it succeeded. If it did, the parent modifies the DoublePulsar configuration file and launches spoolsv.exe (the DoublePulsar binary from the archive, not the parent itself) to install the backdoor on the target machine. This is the stage 2 attack, and its result is recorded in stage2.txt.

On a computer where the DoublePulsar backdoor has been installed, a piece of shellcode is injected into the lsass.exe process. This matches the behaviour of the publicly released DoublePulsar exactly, except that the shellcode in this sample uses the lsass.exe process to download another executable from other infected computers on the LAN:

2. Download the parent (dropper) file from other computers in the local area network, which makes further propagation easy.

3. Drop a ServicesHost.exe process and execute it with the specified parameters.

Following ServicesHost.exe and its start-up parameters, the parameters reveal several foreign cryptocurrency mining pools. The pool website offers mining-pool addresses for a variety of digital currencies; anyone who registers an account on the site can take part in mining with the miner. The currency being mined is not the most common one: it is Monero.
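The masquerade described above (a process named spoolsv.exe that is really a zip archive dropped outside System32) can be caught with a simple triage check. The following is an added example written for this article, not code from the report or the sample; the record format, the helper names and the sample records are constructed.

```python
# Added example: triage a process list entry for the spoolsv.exe masquerade
# described in the report. The real print spooler is a PE image (MZ header)
# in C:\Windows\System32; the sample was a zip archive (PK header) using the
# same name. Record layout and sample data are constructed for illustration.
from typing import List, NamedTuple

# Process names the report saw abused or impersonated.
SYSTEM_PROCESSES = {"spoolsv.exe", "svchost.exe", "lsass.exe"}
SYSTEM32 = r"c:\windows\system32"


class ProcessRecord(NamedTuple):
    name: str    # image name as shown in the process list
    path: str    # full path of the image on disk
    head: bytes  # first bytes of the image file


def triage(proc: ProcessRecord) -> List[str]:
    """Return findings for one process record; an empty list means nothing odd."""
    findings = []
    name = proc.name.lower()
    path = proc.path.lower()
    # A well-known system process image living outside System32 is suspicious.
    if name in SYSTEM_PROCESSES and not path.startswith(SYSTEM32 + "\\"):
        findings.append(f"{proc.name} running from non-system path {proc.path}")
    # The sample was a zip archive renamed to look like an executable.
    if proc.head.startswith(b"PK\x03\x04"):
        findings.append(f"{proc.name} is a zip archive, not a PE image")
    elif not proc.head.startswith(b"MZ"):
        findings.append(f"{proc.name} does not start with an MZ (PE) header")
    return findings


# Constructed records: the genuine spooler and the impostor from the report.
SAMPLES = [
    ProcessRecord("spoolsv.exe", r"C:\Windows\System32\spoolsv.exe", b"MZ\x90\x00"),
    ProcessRecord("spoolsv.exe", r"C:\Users\Public\spoolsv.exe", b"PK\x03\x04"),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec.path, "->", triage(rec) or ["ok"])
```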

3. Analysis conclusion

The author exploits a relatively new SMB vulnerability so that the malware can spread, drop, and run mining processes to earn cryptocurrency.

4. Defense advice

1. Apply operating system patches promptly.

2. Strengthen auditing of access to port 445 (and associated ports such as 135, 137 and 139) within the internal network, so that unauthorized access or potential attacks are detected promptly.

3. Users whose machines have been hit by the Trojan can use antivirus tools to scan for and remove it completely, and should maintain good Internet habits: do not run unfamiliar programs, and install security software.
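The port 445 audit recommended above can be turned into a concrete detection: the sample's LAN sweep shows up as one internal host contacting many distinct internal hosts on SMB-related ports in a short time. The following is an added example for this article, not code from the report; the log format, the internal address range and the threshold are constructed assumptions.

```python
# Added example: flag internal hosts that sweep the LAN on SMB-related ports,
# the propagation behaviour the report describes. The log line format
# "timestamp src_ip dst_ip dst_port action", the 10.0.0.0/8 internal range
# and the min_targets threshold are constructed assumptions.
from collections import defaultdict
import ipaddress

# Constructed log lines: host 10.0.0.5 sweeps the LAN, 10.0.0.20 is normal.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.0.7 445 allow
10:00:01 10.0.0.5 10.0.0.8 445 allow
10:00:02 10.0.0.5 10.0.0.9 445 deny
10:00:02 10.0.0.5 10.0.0.10 445 deny
10:00:03 10.0.0.5 10.0.0.11 445 allow
10:00:03 10.0.0.5 10.0.0.12 139 allow
10:00:04 10.0.0.20 10.0.0.1 445 allow
10:00:05 10.0.0.20 10.0.0.1 445 allow
10:00:06 10.0.0.21 8.8.8.8 53 allow
"""

SMB_PORTS = {445, 135, 137, 139}  # ports the defense advice says to audit
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse_line(line):
    ts, src, dst, port, action = line.split()
    return ts, src, dst, int(port), action


def find_smb_sweepers(log_text, min_targets=4):
    """Return {src_ip: sorted distinct internal dst_ips on SMB ports} for every
    source that touched at least min_targets distinct internal hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port, _ = parse_line(line)
        if port in SMB_PORTS and ipaddress.ip_address(dst) in INTERNAL:
            # Denied attempts count too: a blocked probe is still a probe.
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_smb_sweepers(SAMPLE_LOG).items():
        print(f"{src} contacted {len(hosts)} internal hosts on SMB ports: {hosts}")
```

Repeated connections to a single file server (10.0.0.20 above) are not flagged, because the signal is the number of distinct targets, not the number of connections.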

The above is the analysis report, shared by the editor, on a cryptocurrency miner spreading maliciously through a Windows SMB vulnerability. If you have similar questions, the analysis above should help you understand the issue. If you want to learn more, you are welcome to follow our industry information channel.
