After WannaCry, UIWIX Ransomware Follows Suit
Our ongoing analysis indicates that the UIWIX ransomware is a new family that uses the same SMB vulnerabilities (MS17-010) that WannaCry exploits to infect systems, propagate within networks, and scan the internet to infect more victims.
Updated on May 19, 2017, 3:10AM PDT to add more details on WannaCry and UIWIX's table of comparison, as well as UIWIX's fileless infection and encryption routines.
WannaCry ransomware’s outbreak during the weekend was mitigated by having its kill switch domain registered. It was only a matter of time, however, for other cybercriminals to follow suit. Case in point: the emergence of UIWIX ransomware (detected by Trend Micro as RANSOM_UIWIX.A) and one notable Trojan our sensors detected.
UIWIX is not WannaCry
Contrary to recent news citing UIWIX as WannaCry’s new—even evolved—version, our ongoing analysis indicates it’s a new family that uses the same Server Message Block (SMB) vulnerabilities (MS17-010, code named EternalBlue upon its public disclosure by Shadow Brokers) that WannaCry exploits to infect systems, propagate within networks and scan the internet to infect more victims.
So how is UIWIX different? It appears to be fileless: UIWIX is executed in memory after exploiting EternalBlue. Fileless infections don’t entail writing actual files/components to the computer's disks, which greatly reduces the malware's footprint and in turn makes detection trickier.
UIWIX is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox. Based on UIWIX’s code strings, it appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.
Here is a summary of WannaCry and UIWIX’s notable features:
| Feature | WannaCry | UIWIX |
| --- | --- | --- |
| Attack vectors | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), TCP port 445 |
| File type | Executable (EXE) | Dynamic-link Library (DLL) |
| Appended extension | {original filename}.WNCRY | ._{unique id}.UIWIX |
| Autostart and persistence mechanisms | Registry | None |
| Anti-VM, VM check, or anti-sandbox routines | None | Checks presence of VM and sandbox-related files or folders |
| Network activity | On the internet, scans random IP addresses to check whether port 445 is open; connects to .onion site using Tor browser | Uses mini-tor.dll to connect to .onion site |
| Exceptions (doesn’t execute if it detects certain system components) | None | Terminates itself if found running in Russia, Kazakhstan, and Belarus |
| Exclusions (directories or file types it doesn’t encrypt) | Avoids encrypting files in certain directories | Avoids encrypting files in two directories, and files with certain strings in their file name |
| Network scanning and propagation | Yes (worm-like propagation) | No |
| Kill switch | Yes | No |
| Number of targeted file types | 176 | All files in the affected system except those in its exclusion list |
| Shadow copies deletion | Yes | No |
| Languages supported (ransom notes, payment site) | Multilingual (27) | English only |
Figure 1: Test files encrypted by UIWIX (left) and one of the ransom notes (right)
UIWIX uses a different Bitcoin address for each victim it infects. If the victim accesses the URLs in the ransom note, it will ask for a “personal code” (which is also in the ransom note), then prompt the user to sign up for a Bitcoin wallet.
Figure 2: UIWIX’s payment site
UIWIX employs fileless infection
Part of UIWIX’s attack chain involves loading the ransomware directly into memory through a shellcode loader. In other words, the shellcode loader and the UIWIX payload are fileless; they do not create physical copies of UIWIX’s binary in the affected system. Our working inference is that UIWIX is spread by a separate tool or component that exploits EternalBlue to deliver the UIWIX payload.
UIWIX uses two encryption algorithms
UIWIX uses two algorithms for its encryption routine. It encrypts the file first with AES-256 in Cipher Block Chaining (CBC) mode before encrypting it again with the RC4 algorithm. Though UIWIX overwrites the file with encrypted data, it doesn’t encrypt all of the file's contents: the amount of data encrypted is computed from the file’s size. It then uses the MoveFile Application Programming Interface (API) to rename the file and append UIWIX’s extension.
Figure 3: Code snapshot showing part of UIWIX’s encryption routine
The key used in the encryption will be sent to UIWIX’s command and control (C&C) server, along with the infection information. These will be encrypted by RC4 with the hardcoded key, 3kjl5h34kj5h34po io34saz5x3cb.
UIWIX encrypts all files in the infected machine except files in directories \Windows and \Program Files, as well as files with these strings in their file name: .com, .sys, boot.ini, Bootfont.bin, bootmgr, BOOTNXT, BOOTSECT.BAK, NTEDETECT.COM, ntldr, NTUSER.DAT, and PDOXUSRS.NET.
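The extension pattern from the comparison table and the exclusion list above are enough to triage a file listing during incident response: which files carry UIWIX's extension, which ones the ransomware would have skipped, and which are still at risk. The script below is an added example, not code from the post or from Trend Micro; the sample paths and unique ids are constructed, and case-insensitive matching of the exclusion strings is an assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Exclusion list as described in the post: two directories plus strings in file names.
# Matching is done case-insensitively here (an assumption about the malware's comparison).
EXCLUDED_DIRS = ("windows", "program files")
EXCLUDED_NAME_STRINGS = (".com", ".sys", "boot.ini", "bootfont.bin", "bootmgr", "bootnxt",
                         "bootsect.bak", "ntedetect.com", "ntldr", "ntuser.dat", "pdoxusrs.net")

# Appended extension from the comparison table: {original filename}._{unique id}.UIWIX
UIWIX_NAME_RE = re.compile(r"^(?P<original>.+)\._(?P<uid>[^.]+)\.UIWIX$", re.IGNORECASE)

def parse_uiwix_name(filename):
    """Return (original_name, unique_id) if the name carries UIWIX's extension, else None."""
    m = UIWIX_NAME_RE.match(filename)
    return (m.group("original"), m.group("uid")) if m else None

def is_excluded(path):
    """True if the path falls under UIWIX's exclusions (top-level \\Windows or \\Program Files,
    or an excluded string anywhere in the file name)."""
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts   # drop the drive / UNC root component
    top_dir = parts[0].lower() if len(parts) > 1 else ""
    name = p.name.lower()
    return top_dir in EXCLUDED_DIRS or any(s in name for s in EXCLUDED_NAME_STRINGS)

def triage(paths):
    """Bucket a file listing into encrypted / excluded / at-risk and count unique ids seen.
    UIWIX uses one id per victim, so several ids on one share hint at several infected hosts."""
    report = {"encrypted": [], "excluded": [], "at_risk": [], "unique_ids": Counter()}
    for path in paths:
        parsed = parse_uiwix_name(PureWindowsPath(path).name)
        if parsed:
            report["encrypted"].append(path)
            report["unique_ids"][parsed[1]] += 1
        elif is_excluded(path):
            report["excluded"].append(path)
        else:
            report["at_risk"].append(path)
    return report

# Constructed sample listing (not real infection data); the unique ids are made up.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx._a1b2c3d4.UIWIX",
    r"C:\Users\alice\Documents\notes.txt._a1b2c3d4.UIWIX",
    r"\\fileserver\share\report.docx._9f8e7d6c.UIWIX",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\App\app.exe",
    r"C:\Users\alice\NTUSER.DAT",
    r"C:\Users\alice\Pictures\photo.jpg",
    r"D:\backup\archive.zip",
]
```

Running `triage(SAMPLE_PATHS)` on the constructed listing yields three encrypted files (two unique ids), three excluded files and two at-risk files.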
Other malware are cashing in on EternalBlue
It’s not a surprise that WannaCry’s massive impact turned the attention of other cybercriminals to the same attack surface that vulnerable systems and networks are exposed to. Apart from WannaCry and UIWIX, our sensors also detected a Trojan delivered using EternalBlue—Adylkuzz (TROJ_COINMINER.WN). This malware turns infected systems into zombies and steals their resources in order to mine the cryptocurrency Monero.
Patch your systems and adopt best practices
UIWIX, like many other threats that exploit security gaps, is a lesson on the real-life significance of patching. Enterprises must balance sustaining the efficiency of their business operations with safeguarding them. IT/system administrators and information security professionals, their sentry, should enforce strong baselines that can mitigate attacks that threaten the integrity and security of their systems and networks.
Given how UIWIX uses the same attack vector as WannaCry’s, the best practices against UIWIX and other similar threats should be familiar (and intuitive):
- Patch and update your systems, and consider using virtual patching
- Enable your firewalls as well as intrusion detection and prevention systems
- Proactively monitor and validate traffic going in and out of the network
- Implement security mechanisms for other points of entry attackers can use, such as email and websites
- Deploy application control to prevent suspicious files from executing, on top of behavior monitoring that can thwart unwanted modifications to the system
- Employ data categorization and network segmentation to mitigate further exposure and damage to data
We will update this post with more details as more information from our analysis becomes available.
Trend Micro Solutions
Trend Micro OfficeScan™ with XGen endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against ransomware and other threats. Trend Micro’s security solutions that come with Predictive Machine Learning and all relevant ransomware protection features enabled are already protected against threats like UIWIX and WannaCry.
Trend Micro Deep Security™ and Vulnerability Protection, Deep Discovery™ Inspector, TippingPoint and Trend Micro Home Network Security protect users and businesses against these threats.
Indicators of Compromise
- 146581F0B3FBE00026EE3EBE68797B0E57F39D1D8AECC99FDC3290E9CFADC4FC (SHA256) - detected as RANSOM_UIWIX.A
- C72BA80934DC955FA3E4B0894A5330714DD72C2CD4F7FF6988560FC04D2E6494 (SHA256) - detected as TROJ_COINMINER.WN
Command and Control (C&C) domains related to TROJ_COINMINER.WN:
- 07[.]super5566[.]com
- aa1[.]super5566[.]com