Scanning is performed via an internal MASSCAN program (figure omitted).
Scanning is also performed via an internal Nmap program (figure omitted).
Attacks are launched against any vulnerable targets discovered.
The following shows an EternalBlue attack (CrackerMS17010) in progress (figure omitted):
Attacks are launched by exploiting the CrackerCCTV vulnerability in CCTV IoT-capable devices (figure omitted).
Attacks are launched by leveraging the CrackerMSSQL vulnerability in MSSQL (figure omitted).
Database commands are executed (figure omitted).
Malicious code is written into database storage (figure omitted).
CrackerRDP conducts an attack against RDP (figure omitted).
CrackerTelnet conducts an attack against Telnet (figure omitted).
3. Creating Admin Account
The attacker downloads and decrypts the corresponding configuration file from a remote server (figure omitted).
The downloaded config file is decrypted into an XML file, which is used to download and run the malicious program (figure omitted).
The downloaded executable CSRS is built from a Python script. It is an exploit that creates accounts by leveraging the vulnerability MS17-010 (figure omitted).
An admin account is created on the host (figure omitted).
An attack is launched using the vulnerability MS17-010 (figure omitted).
Attack parameters are as follows (figure omitted):
4. Cryptomining and Dark Cloud Trojan
The above XML script is decrypted (figure omitted).
Upsnew2 drops the Dark Cloud Trojan item.dat and the c3.bat script. The c3.bat script has the following functions:
Removes other viruses from the host.
Alters registry and scheduled task settings so that the virus is launched automatically at host startup.
Loads the Dark Cloud Trojan.
Alters the firewall configuration to block ports 135, 137, 138, 139 and 445, preventing the host from being infected by other viruses (and cutting off the same SMB/NetBIOS path it used to get in).
1. Isolate the infected hosts, end all connections and disable the network adapter.
2. Stop the virus spread channel by disabling network sharing on SMB port 445 and ending all suspicious outgoing connections. Sangfor NGAF customers should update the signature database to 20181204 or above and enable IPS and APT detection.
4. Fix the vulnerability by installing the MS17-010 patch from Microsoft for EternalBlue.
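As an added defender-side check that is not part of the original advisory: the PowerShell script below inventories the artefacts the advisory attributes to c3.bat (firewall rules on ports 135/137/138/139/445, auto-start scheduled tasks) and verifies the remediation steps (SMBv1 state, MS17-010 hotfixes, live outbound SMB connections) on a Windows host. The KB identifiers are an assumed, partial list of MS17-010 updates, and the script is hypothetical example code, not a Sangfor tool.

```powershell
# Hypothetical triage script (added example, not from the Sangfor advisory).
# Run as Administrator on a suspected host. Read-only: it only reports.
$SuspectPorts = @(135, 137, 138, 139, 445)                      # ports c3.bat blocks
$Ms17010Kbs   = @('KB4012212','KB4012213','KB4012214','KB4012215',
                  'KB4012216','KB4012217','KB4012598','KB4013429') # assumed partial list

Write-Output "== Enabled firewall rules touching SMB/NetBIOS ports =="
Get-NetFirewallRule -Enabled True | ForEach-Object {
    $rule  = $_
    $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    # LocalPort may be 'Any' or a range like '137-139'; only exact numbers are matched here
    $hits  = $ports | Where-Object { $_ -match '^\d+$' -and $SuspectPorts -contains [int]$_ }
    if ($hits) {
        [pscustomobject]@{ Rule = $rule.DisplayName; Direction = $rule.Direction
                           Action = $rule.Action; Ports = ($hits -join ',') }
    }
} | Format-Table -AutoSize

Write-Output "== Active scheduled tasks that run scripts or interpreters =="
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and ($a.Execute + ' ' + $a.Arguments) -match '\.bat|\.dat|cmd\.exe|powershell') {
            [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName
                               Exec = $a.Execute; Args = $a.Arguments }
        }
    }
} | Format-Table -AutoSize

Write-Output "== SMBv1 server protocol enabled (should be False) =="
(Get-SmbServerConfiguration).EnableSMB1Protocol

Write-Output "== MS17-010 hotfixes found (absence is a prompt to verify, not proof) =="
# Later cumulative updates supersede these KBs, so Get-HotFix may list none on a patched host.
$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) { $found | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize }
else        { Write-Output "none of the listed KBs present; check build level / cumulative updates" }

Write-Output "== Established outbound connections to port 445 (lateral movement check) =="
Get-NetTCPConnection -State Established | Where-Object { $_.RemotePort -eq 445 } | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                       PID = $_.OwningProcess; Process = $proc.ProcessName }
} | Format-Table -AutoSize
```

Firewall rules that block exactly these ports but were not created by the administrator, together with a task launching a .bat or .dat file, match the persistence pattern described above and warrant a closer look at item.dat and c3.bat.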