Last updated at Thu, 10 Aug 2023 21:06:28 GMT

Rapid7 is tracking a new, more sophisticated and carefully staged campaign that uses the Blackmoon trojan and appears to have originated in November 2022. The campaign is actively targeting various businesses, primarily in the USA and Canada. However, it is not used to steal credentials; instead, it implements different evasion and persistence techniques to drop several unwanted programs and stay in victims’ environments for as long as possible.

Blackmoon, also known as KRBanker, is a banking trojan first spotted in late September 2015, when it was used to attack South Korean banks. Back in 2015, it employed a “pharming” technique to steal credentials from targeted victims. This technique involved redirecting traffic to a forged website when a user attempted to access one of the banking sites targeted by the cyber criminals. The fake site masqueraded as the original site and urged visitors to submit their information and credentials.

Stage 1 - Blackmoon

The Blackmoon trojan was named after a debug string, “blackmoon,” that is present in its code:

Blackmoon string found inside malware's code

Blackmoon drops a dll named RunDllExe.dll into the C:\Windows\Logs folder and implements the Port Monitor persistence technique. Port Monitors are associated with the Windows Print Spooler service, spoolsv.exe. When adding a printer Port Monitor, a user (or the attacker, in our case) has the ability to register an arbitrary dll that acts as the monitor. There are two ways to add a Port Monitor: via the Windows Registry for persistence, or via an AddMonitor API call for immediate dll execution.

Our sample implements both. It calls the AddMonitor API to immediately execute RunDllExe.dll:

AddMonitorA API call

It also sets the Driver value of the HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\RunDllExe registry key to the malicious dll path.

Driver value set under monitors registry key

Next, the malware grants the Spooler service the shutdown privilege by adding SeShutdownPrivilege to the RequiredPrivileges value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler registry key.

RequiredPrivileges data before and after the update

The malware disables Windows Defender by setting the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware value to “1”.

It also stops and disables the “Lanman” service (the service that allows a computer to share files and printers with other devices on the network).

To block all incoming RPC and SMB communication, the malware executes the following set of commands:

netsh ipsec static add policy name=Block
netsh ipsec static add filterlist name=Filter1
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
netsh ipsec static add filteraction name=FilteraAtion1 action=block
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
netsh ipsec static set policy name=Block assign=y

The malware sets two additional values, Work and Mining, under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_staters registry key; both are set to “1”.

Next, the malware checks if one of the following services exists on the victim’s computer:

  • clr_optimization_v3.0.50727_32
  • clr_optimization_v3.0.50727_64
  • WinHelpsvcs
  • Services
  • Help Service
  • KuGouMusic
  • WinDefender
  • Msubridge
  • ChromeUpdater
  • MicrosoftMysql
  • MicrosoftMssql
  • Conhost
  • MicrosotMaims
  • MicrosotMais

If a service is found, it is disabled (by setting the “Start” value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name> key to “4”) or deleted by using the DeleteService API call.

The malware also enumerates running processes using a combination of the CreateToolhelp32Snapshot, Process32First and Process32Next API calls, and terminates the service’s process if it is running.

Finally, a PowerShell command is executed to delete the running process’ file, and the malware exits.
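The Stage 1 registry changes described above (the Port Monitor Driver value, the extra Spooler privilege, the Defender policy, the Work/Mining markers and the disabled services) are all visible in a registry export, so they make a compact hunt. The following is an added example, not Rapid7’s code or the malware’s; it audits an offline snapshot represented as a dict of key path to {value name: data}, and the sample snapshot is constructed to exercise every check. Reading a live hive or a reg.exe export into that shape is left to the caller.

```python
"""Audit a registry snapshot for the Stage 1 Blackmoon indicators.

Added example (not Rapid7's code). Works on an offline snapshot
(dict: key path -> {value name: data}); SAMPLE_SNAPSHOT is constructed.
"""
from __future__ import annotations

MONITORS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors"
SPOOLER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler"
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
MARKER_SERVICE = "aspnet_staters"  # key the sample uses for its Work/Mining flags

# Services the Stage 1 sample disables or deletes (list from the write-up).
TARGETED_SERVICES = {
    "clr_optimization_v3.0.50727_32", "clr_optimization_v3.0.50727_64",
    "WinHelpsvcs", "Services", "Help Service", "KuGouMusic", "WinDefender",
    "Msubridge", "ChromeUpdater", "MicrosoftMysql", "MicrosoftMssql",
    "Conhost", "MicrosotMaims", "MicrosotMais",
}

# Constructed snapshot: the registry after Stage 1 has run, plus one
# legitimate port monitor ("Local Port") that must not be flagged.
SAMPLE_SNAPSHOT = {
    MONITORS_KEY + r"\Local Port": {"Driver": "localspl.dll"},
    MONITORS_KEY + r"\RunDllExe": {"Driver": r"C:\Windows\Logs\RunDllExe.dll"},
    SPOOLER_KEY: {"RequiredPrivileges": ["SeTcbPrivilege", "SeImpersonatePrivilege",
                                         "SeShutdownPrivilege"]},
    DEFENDER_POLICY_KEY: {"DisableAntiSpyware": 1},
    SERVICES_KEY + "\\" + MARKER_SERVICE: {"Work": 1, "Mining": 1},
    SERVICES_KEY + r"\WinDefender": {"Start": 4},
}


def audit_snapshot(snapshot: dict[str, dict]) -> list[str]:
    """Return one human-readable finding per matched indicator."""
    norm = {k.lower(): v for k, v in snapshot.items()}
    findings: list[str] = []

    # 1. Port Monitor persistence (T1547.010): legitimate monitors register a
    #    bare dll name that is loaded from System32; a full path is a red flag.
    for key, values in norm.items():
        if key.startswith(MONITORS_KEY.lower() + "\\"):
            driver = str(values.get("Driver", ""))
            if "\\" in driver or "/" in driver:
                monitor = key.rsplit("\\", 1)[-1]
                findings.append(f"port monitor '{monitor}' loads a dll by path: {driver}")

    # 2. Spooler granted SeShutdownPrivilege, which the sample adds itself.
    privs = norm.get(SPOOLER_KEY.lower(), {}).get("RequiredPrivileges", [])
    if "SeShutdownPrivilege" in privs:
        findings.append("Spooler RequiredPrivileges contains SeShutdownPrivilege")

    # 3. Defender disabled by policy (T1562.001).
    if norm.get(DEFENDER_POLICY_KEY.lower(), {}).get("DisableAntiSpyware") == 1:
        findings.append("Windows Defender DisableAntiSpyware policy is set to 1")

    # 4. The campaign's Work/Mining marker values under a bogus service key.
    marker = norm.get(f"{SERVICES_KEY}\\{MARKER_SERVICE}".lower())
    if marker is not None and {"Work", "Mining"} & set(marker):
        present = sorted({"Work", "Mining"} & set(marker))
        findings.append(f"marker values {present} under services\\{MARKER_SERVICE}")

    # 5. Any service from the sample's kill list set to Start=4 (disabled).
    for name in TARGETED_SERVICES:
        svc = norm.get(f"{SERVICES_KEY}\\{name}".lower())
        if svc is not None and svc.get("Start") == 4:
            findings.append(f"service '{name}' has been disabled (Start=4)")
    return findings


if __name__ == "__main__":
    for line in audit_snapshot(SAMPLE_SNAPSHOT):
        print("[!]", line)
```

The port-monitor check is a heuristic rather than a signature: it does not look for the name RunDllExe, only for a monitor whose Driver is a path instead of a bare dll name, so it also catches the same technique with a different file name.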

Stage 2 - RunDllExe.dll - injector

RunDllExe.dll is executed by the Spooler service and is responsible for injecting the next-stage payload into a newly spawned svchost.exe process. The malware implements the Process Hollowing injection technique. The injected code is a C++ file downloader.

Stage 3 - File Downloader

The downloader first checks whether the “Work” and “Mining” values exist under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_staters registry key; if they do not exist, it creates them and sets them to “1”.

This part of the attack flow checks whether all the necessary downloaded files are present on the PC (by using the PathFileExistsA API call). If not, the malware sleeps for two minutes before each download and then uses the URLDownloadToFileA API call to download the following files:

  • C:\WINDOWS\Temp\MpMgSvc.dll
  • C:\WINDOWS\Temp\Hooks.exe
  • C:\WINDOWS\Temp\MpMgSvc.exe
  • C:\Windows\Microsoft.NET\Framework\v3.0\WmiPrvSER.exe

After the download, all files except MpMgSvc.dll are executed:

Execution tree

Stage 4 - Hook.exe - dropper

Hook.exe drops an additional DLL, GraphicsPerfSvcs.dll, into the user’s roaming folder C:\Users\Username\AppData\Roaming\ and creates a new service named GraphicsPerfSvcs that executes automatically at system startup. The service’s name is almost identical to that of the legitimate service GraphicsPerfSvc, which belongs to the Graphics performance monitor service. Naming services and files similarly to those that exist on the victim’s OS is an evasion technique widely used by threat actors.

Malicious Service under the legitimate one

The dropper then starts the created service. It also creates and executes a .vbs, which is responsible for deleting Hook.exe and the .vbs itself:

Created .vbs

Stage 4.1 - MpMgSvc.exe - spreader

MpMgSvc.exe first creates a new \BaseNamedObjects\Brute_2022 mutex. Since it is responsible for spreading the malware, it drops Doublepulsar-1.3.1.exe, Eternalblue-2.2.0.exe and Eternalromance-1.4.0.exe, along with all the file libraries they require, into the C:\Windows\Temp folder.

It then scans the network for PCs with ports 3306, 445 and 1433 open. If any open ports are found, the spreader attempts to install a backdoor using EternalBlue and sends shellcode to inject a dll with Doublepulsar, as implemented in the Eternal-Pulsar GitHub project.

Eternal-Pulsar commands in spreader memory
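The sweep of 3306, 445 and 1433 is the loudest thing the spreader does, and it shows up in flow telemetry as one internal host touching many peers on those ports in a short time. The following is an added example, not Rapid7’s code: a sliding-window detector over (timestamp in seconds, source, destination, destination port) flow records that alerts when a source reaches a threshold number of distinct destinations on the watched ports within a window. The flow records are constructed: one host sweeping twenty neighbours in twenty seconds, and one workstation talking to three file servers over an hour, which must not alert.

```python
"""Spot the spreader's sweep of 445/1433/3306 in flow telemetry.

Added example (not Rapid7's code). SAMPLE_FLOWS is constructed:
tuples of (timestamp seconds, src_ip, dst_ip, dst_port).
"""
from __future__ import annotations

from collections import defaultdict

WATCHED_PORTS = {445, 1433, 3306}  # ports the spreader probes, per the write-up


def detect_port_sweeps(flows, threshold=10, window_s=60):
    """Return {src_ip: (peak distinct destinations in any window, watched ports seen)}
    for sources that reached at least `threshold` distinct hosts on watched
    ports within `window_s` seconds."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in WATCHED_PORTS:
            per_src[src].append((ts, dst, dport))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                       # chronological
        in_window = defaultdict(int)        # dst -> flows currently inside the window
        left, peak, ports = 0, 0, set()
        for ts, dst, dport in events:
            in_window[dst] += 1
            ports.add(dport)
            # Slide the left edge forward until the window spans <= window_s.
            while ts - events[left][0] > window_s:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = (peak, ports)
    return alerts


# Constructed flows.
SAMPLE_FLOWS = (
    # 10.0.0.5 sweeps 10.0.0.10-10.0.0.29 on 445 over about twenty seconds
    [(1000 + i, "10.0.0.5", f"10.0.0.{10 + i}", 445) for i in range(20)]
    # and follows up on two of them on the database ports
    + [(1025, "10.0.0.5", "10.0.0.12", 1433), (1026, "10.0.0.5", "10.0.0.13", 3306)]
    # 10.0.0.7 is a workstation reaching three file servers spread over an hour
    + [(900, "10.0.0.7", "10.0.0.50", 445), (2500, "10.0.0.7", "10.0.0.51", 445),
       (4000, "10.0.0.7", "10.0.0.52", 445)]
    # browsing noise on a port we do not watch
    + [(1005, "10.0.0.5", "93.184.216.34", 443)]
)

if __name__ == "__main__":
    for src, (count, ports) in detect_port_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct hosts on ports {sorted(ports)}")
```

The threshold and window are deliberately parameters: a backup server or vulnerability scanner will legitimately exceed ten distinct SMB peers a minute, so those sources belong on an allow list rather than in a lower threshold.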

Two dlls are dropped, one for the x64 architecture and one for x86. When injected by Doublepulsar, the dll downloads the first-stage Blackmoon malware and follows the same execution stages described in this analysis.

Stage 4.2 - WmiPrvSER.exe - XMRig miner

WmiPrvSER.exe is a classic XMRig Monero miner. Our sample is XMRig version 6.18, and it creates a BaseNamedObjects\\Win__Host mutex on the victim’s host. You can find a full report on XMRig here.

Stage 5 - GraphicsPerfSvcs service - dropper

As mentioned in the previous stage, the GraphicsPerfSvcs service starts automatically at system startup. Each time it runs, it checks whether the following two files exist:

  • C:\Windows\TEMP\ctfmoon.exe
  • C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe

If they are not found, it drops both files along with all the dlls required to execute them.

The dropper also creates two new firewall rules that allow all outbound connections from the dropped files by executing the following commands:

  • netsh advfirewall firewall add rule name=ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
  • netsh advfirewall firewall add rule name=traffmonetizer dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow

Ctfmoon.exe firewall rule creation

The service stays resident and continuously attempts to read data from the URL hxxp://down.ftp21[.]cc/Update.txt. At the time of the analysis, this URL was down, so we were not able to observe its content. However, following the service code, it appears to read the URL content and check whether it contains one of the following commands:

[Delete File], [Kill Proccess], or [Delete Service], and accordingly deletes a file, terminates a process or deletes a service.

Stage 6 - Ctfmoon.exe and Traffmonetizer.exe - Traffic Stealers

The GraphicsPerfSvcs service executes two dropped files, Ctfmoon.exe and Traffmonetizer.exe, both of which appear to be Potentially Unwanted Programs (PUPs) in the form of traffic stealers. Both use the “network bandwidth sharing” monetization scheme to make “passive income”.

Ctfmoon.exe is a CLI version of the Iproyal Pawns application. It takes the user’s email address and password as execution parameters in order to associate the activity with, and credit the money to, the passed account. GraphicsPerfSvcs launches Iproyal Pawns with the following command line: ctfmoon.exe -email=usax138@protonmail.com -password=123456Aa. -device-name=Win32 -accept-tos

We can see that the user named in the execution parameters has already earned $169:

Iproyal Pawns earnings from our sample

Traffmonetizer.exe is similar to Ctfmoon.exe and is created by Traffmonetizer. It reads the user account data from a settings.json file dropped in the user’s roaming directory. Our .json file contains the following content:

{"Token":"1gUgURMzQiuGFgttIdjeZBS0G6fqFlVvhCKlqzfHd3o=","StartWithWindows":false,"Accepting":true}

Conclusion

The analysis in this blog reveals the effort threat actors put into the attack flow, using several evasion and persistence techniques as well as different approaches to make passive income from victims’ resources.

MITRE ATT&CK Techniques:

Tactic | Technique | Description
Persistence | Boot or Logon Autostart Execution: Port Monitors (T1547.010) | The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda) uses the Port Monitor technique to establish persistence on the target host.
Persistence | Create or Modify System Process: Windows Service (T1543.003) | The Hook.exe dropper (1A7A4B5E7C645316A6AD59E26054A95654615219CC03657D6834C9DA7219E99F) creates a new service to establish persistence on the target host.
Defense Evasion | Process Injection: Process Hollowing (T1055.012) | The dll dropped by Blackmoon (F5D508C816E485E05DF5F58450D623DC6BFA35A2A0682C238286D82B4B476FBB) uses the Process Hollowing technique to evade endpoint security detection.
Defense Evasion | Impair Defenses: Disable or Modify Tools (T1562.001) | The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda) disables Windows Defender to evade endpoint security detection.
Lateral Movement | Exploitation of Remote Services (T1210) | MpMgSvc.exe (72B0DA797EA4FC76BA4DB6AD131056257965DF9B2BCF26CE2189AF3DBEC5B1FC) uses EternalBlue and DoublePulsar to spread in the organization’s environment.
Discovery | Network Share Discovery (T1135) | MpMgSvc.exe (72B0DA797EA4FC76BA4DB6AD131056257965DF9B2BCF26CE2189AF3DBEC5B1FC) scans the network to discover open SMB ports.
Impact | Resource Hijacking (T1496) | The XMRig miner (ECC5A64D97D4ADB41ED9332E4C0F5DC7DC02A64A77817438D27FC31C69F7C1D3), Ctfmoon.exe (FDD762192D351CEA051C0170840F1D8D171F334F06313A17EBA97CACB5F1E6E1) and the Traffmonetizer traffic stealer (2923EACD0C99A2D385F7C989882B7CCA83BFF133ECF176FDB411F8D17E7EF265) are executed to use the victim’s resources.
Impact | Service Stop (T1489) | The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda) stops update and security product services.
Command and Control | Application Layer Protocol: Web Protocols (T1071.001) | The downloader (E9A83C8811E7D7A6BF7EA7A656041BCD689687F8B23FA7655B28A8053F67BE99) downloads the next-stage payloads over the HTTP protocol.
Command and Control | Application Layer Protocol: Web Protocols (T1071.001) | The GraphicsPerfSvcs service (5AF88DBDC7F53BA359DDC47C3BCAF3F5FE9BDE83211A6FF98556AF7E38CDA72B) fetches commands from the C&C server over the HTTP protocol.

IOCs

File name | SHA-256 | Description
445.exe | a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda | Blackmoon Trojan
RunDllExe.dll | F5D508C816E485E05DF5F58450D623DC6BFA35A2A0682C238286D82B4B476FBB | Injector
Injected code | E9A83C8811E7D7A6BF7EA7A656041BCD689687F8B23FA7655B28A8053F67BE99 | Downloader
MpMgSvc.dll | E9BD4A9C6EA27033BCB696E65D7441DC2D42CD7F9F02084B5C704316F0A4FDDF |
Hooks.exe | 1A7A4B5E7C645316A6AD59E26054A95654615219CC03657D6834C9DA7219E99F | Dropper
MpMgSvc.exe | 72B0DA797EA4FC76BA4DB6AD131056257965DF9B2BCF26CE2189AF3DBEC5B1FC | Spreader
WmiPrvSER.exe | ECC5A64D97D4ADB41ED9332E4C0F5DC7DC02A64A77817438D27FC31C69F7C1D3 | XMRig
GraphicsPerfSvcs.dll | 5AF88DBDC7F53BA359DDC47C3BCAF3F5FE9BDE83211A6FF98556AF7E38CDA72B | Dropper
Doublepulsar-1.3.1.exe | 15FFBB8D382CD2FF7B0BD4C87A7C0BFFD1541C2FE86865AF445123BC0B770D13 | Shellcode installer
Eternalblue-2.2.0.exe | 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5 | Exploit
Eternalromance-1.4.0.exe | B99C3CC1ACBB085C9A895A8C3510F6DAAF31F0D2D9CCB8477C7FB7119376F57B | Exploit
X64.dll | 275A9A7B99F3474CBF8A61964A6022E3CF7BAF76E0EE2FBA31A708D8F1E25BD0 | Shellcode
X86.dll | F247A48D3ECDBDF91FCD7A2D8728ADAAF06149586ADDE62DE7212C6DE645AD58 | Shellcode
Ctfmoon.exe | FDD762192D351CEA051C0170840F1D8D171F334F06313A17EBA97CACB5F1E6E1 | Iproyal Pawns
Traffmonetizer.exe | 2923EACD0C99A2D385F7C989882B7CCA83BFF133ECF176FDB411F8D17E7EF265 | Traffmonetizer

Other indicators
usax138@protonmail.com | Iproyal Pawns account
1gUgURMzQiuGFgttIdjeZBS0G6fqFlVvhCKlqzfHd3o= | Traffmonetizer token
hxxp://down.ftp21[.]cc | C&C server
