Trojan.Win32.BLUEROH.RPF

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information. It takes advantage of certain vulnerabilities.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

This malware arrives via the following means:

• Downloaded by Trojan.Win32.BLUEROH.RPE

Installation

This Trojan drops a copy of itself in the following folders using different file names:

• %Windows%\IME\lliltbg.exe (slightly modified copy)
• %User Temp%\{random numbers}\TemporaryFile\TemporaryFile

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following copies of itself into the affected system and executes them:

• %Windows%\lggescur\lliltbg.exe (Modified Copy)

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This Trojan adds and runs the following services:

• Service Name: {random characters}
  Description: {random characters}
  Path to executable: {Malware path and filename}

Other System Modifications

This Trojan modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.bat
(Default) = txtfile

(Note: The default value data of the said registry entry is batfile.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.cmd
(Default) = txtfile

(Note: The default value data of the said registry entry is cmdfile.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.js
(Default) = txtfile

(Note: The default value data of the said registry entry is JSFile.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.vbs
(Default) = txtfile

(Note: The default value data of the said registry entry is VBSFile.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.VBE
(Default) = txtfile

(Note: The default value data of the said registry entry is VBEFile.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.reg
(Default) = txtfile

(Note: The default value data of the said registry entry is regfile.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.ps1
(Default) = txtfile

(Note: The default value data of the said registry entry is Microsoft.PowerShellScript.1.)

Process Termination

This Trojan terminates the following services if found on the affected system:

• SharedAccess
• MpsSvc
• WinDefend
• wuauserv

Dropping Routine

This Trojan drops the following files:

• Mimikatz:
  • %Windows%\lkbcceulc\Corporate\vfshost.exe
  • %Windows%\lkbcceulc\Corporate\mimidrv.sys
  • %Windows%\lkbcceulc\Corporate\mimilib.dll
  • %Windows%\lkbcceulc\Corporate\log.txt
• Port Scanner:
  • %Windows%\lkbcceulc\lufctctlt\heufwumyi.exe
  • %Windows%\lkbcceulc\lufctctlt\kekzurucp.exe
  • %Windows%\lkbcceulc\lufctctlt\Packet.dll
  • %Windows%\lkbcceulc\lufctctlt\wpcap.dll
  • %Windows%\lkbcceulc\lufctctlt\Result.txt
  • %Windows%\lkbcceulc\lufctctlt\Scant.txt
  • %Windows%\lkbcceulc\lufctctlt\ip.txt
• EternalBlue, DoublePulsar and Downloader payload:
  • %Windows%\lkbcceulc\UnattendGC\AppCapture32.dll (Malware downloader for 32-bit systems)
  • %Windows%\lkbcceulc\UnattendGC\AppCapture64.dll (Malware downloader for 64-bit systems)
  • %Windows%\lkbcceulc\UnattendGC\docmicfg.xml
  • %Windows%\lkbcceulc\UnattendGC\schoedcl.xml
  • %Windows%\lkbcceulc\UnattendGC\Shellcode.ini
  • %Windows%\lkbcceulc\UnattendGC\specials
  • %Windows%\lkbcceulc\UnattendGC\spoolsrv.xml
  • %Windows%\lkbcceulc\UnattendGC\svschost.xml
  • %Windows%\lkbcceulc\UnattendGC\vimpcsvc.xml
  • %Windows%\lkbcceulc\UnattendGC\specials\cnli-1.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\coli-0.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\crli-0.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\docmicfg.exe
  • %Windows%\lkbcceulc\UnattendGC\specials\docmicfg.xml
  • %Windows%\lkbcceulc\UnattendGC\specials\exma-1.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\libeay32.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\libxml2.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\posh-0.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\schoedcl.exe
  • %Windows%\lkbcceulc\UnattendGC\specials\schoedcl.xml
  • %Windows%\lkbcceulc\UnattendGC\specials\spoolsrv.exe
  • %Windows%\lkbcceulc\UnattendGC\specials\spoolsrv.xml
  • %Windows%\lkbcceulc\UnattendGC\specials\ssleay32.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\svschost.exe
  • %Windows%\lkbcceulc\UnattendGC\specials\svschost.xml
  • %Windows%\lkbcceulc\UnattendGC\specials\tibe-2.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\trch-1.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\trfo-2.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\tucl-1.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\ucl.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\vimpcsvc.exe
  • %Windows%\lkbcceulc\UnattendGC\specials\vimpcsvc.xml
  • %Windows%\lkbcceulc\UnattendGC\specials\xdvl-0.dll
  • %Windows%\lkbcceulc\UnattendGC\specials\zlib1.dll
  • %Windows%\lkbcceulc\UnattendGC\Logs\{IP Address}.txt
• Copies of configuration (XML) files:
  • %Windows%\lggescur\svschost.xml
  • %Windows%\lggescur\spoolsrv.xml
  • %Windows%\lggescur\vimpcsvc.xml
  • %Windows%\lggescur\docmicfg.xml
  • %Windows%\lggescur\schoedcl.xml
• Coinminer:
  • %Windows%\Temp\lfctrclhh\rucuce.exe
  • %Windows%\Temp\lfctrclhh\config.json

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://wiu.{BLOCKED}xk.me/download.exe

It saves the files it downloads using the following names:

• %Temp%\xohudmc.exe - updated copy of Trojan.Win32.BLUEROH.RPE

Other Details

This Trojan connects to the following URL(s) to get the affected system's IP address:

• http://{BLOCKED}9.{BLOCKED}8.com
• https://{BLOCKED}ig.me
• http://v4.{BLOCKED}est.com/api/myip.php

It connects to the following website to send and receive information:

• http://wiu.{BLOCKED}xk.me:16666 - for reporting
• http://uio.{BLOCKED}b.se:63145/cfg.ini - config containing updated Download URL, Mining pool address and report URL.
• http://qie.{BLOCKED}xk.me:63145/cfg.ini - config containing updated Download URL, Mining pool address and report URL.

It does the following:

• It denies access to hosts file by executing the ff. commands:
  • cacls %System%\drivers\etc\hosts /T /D users
  • cacls %System%\drivers\etc\hosts /T /D administrators
  • cacls %System%\drivers\etc\hosts /T /D SYSTEM
• It disables executing the following applications by adding the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application Name}
  • Debugger = %System%\svchost.exe
  Where {Application Name} are as follows:
  • at.exe
  • bitsadmin.exe
  • cacls.exe
  • certutil.exe
  • cscript.exe
  • icacls.exe
  • magnify.exe
  • mshta.exe
  • netsh.exe
  • perfmon.exe
  • powershell.exe
  • reg.exe
  • regini.exe
  • Regsvr32.exe
  • rundll32.exe
  • schtasks.exe
  • sethc.exe
  • takeown.exe
  • taskkill.exe
  • WinSAT.exe
  • WmiPrvSE.exe
  • wscript.exe
• It executes the following network shell commands:
  • netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  • netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  • netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  • netsh ipsec static add filteraction name=BastardsList action=block
  • netsh ipsec static add policy name=Bastards description=FuckingBastards
  • netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
  • netsh ipsec static set policy name=Bastards assign=y
  • netsh firewall set opmode mode=disable
  • netsh Advfirewall set allprofiles state off
• It executes its EternalBlue/DoublePulsar components using the ff. parameters:
  • %Windows%\lkbcceulc\UnattendGC\specials\vimpcsvc.exe --TargetIp {Target IP Address} --TargetPort 445 --NetworkTimeout 60 --Protocol SMB --OutConfig %Windows%\lkbcceulc\UnattendGC\Logs\{Target IP Address}.xml
  • %Windows%\lkbcceulc\UnattendGC\specials\svschost.exe --NetworkTimeout 60 --TargetIp 1.1.1.1 --TargetPort 445 --OutputFile %Windows%\lkbcceulc\UnattendGC\Shellcode.ini --Protocol SMB --Architecture x64 --Funciton OutputInstall
• It executes its Mimikatz component using the ff. parameters:
  • %Windows%\lkbcceulc\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> %Windows%\lkbcceulc\Corporate\log.txt
• It executes its Port scanner components using the ff. parameters:
  • %Windows%\lkbcceulc\lufctctlt\heufwumyi.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ %Windows%\lkbcceulc\lufctctlt\Scant.txt
  • %Windows%\lkbcceulc\lufctctlt\heufwumyi.exe -iL %Windows%\lkbcceulc\lufctctlt\ip.txt -oJ %Windows%\lkbcceulc\lufctctlt\Result.txt --open --rate 4096 -p 445
  • %Windows%\lkbcceulc\lufctctlt\heufwumyi.exe -iL %Windows%\lkbcceulc\lufctctlt\ip.txt -oJ %Windows%\lkbcceulc\lufctctlt\Result.txt --open --rate 4096 -p 7001
• It terminates and disables services by executing the ff. commands:
  • net stop SharedAccess
  • net stop MpsSvc
  • net stop WinDefend
  • net stop wuauserv
  • sc config MpsSvc start= disabled
  • sc config SharedAccess start= disabled
  • sc config WinDefend start= disabled
  • sc config wuauserv start= disabled

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It takes advantage of the following vulnerabilities:

• Microsoft Security Bulletin MS17-010
• Struts2 RCE (CVE-2017-9805)
• WebLogic Vulnerability (CVE-2017-10271)
• Tomcat PUT arbitrary file upload vulnerability (CVE-2017-12615)
• ThinkPHP vulnerability

It adds the following scheduled tasks:

• Task Name: pztwfzuil
  Trigger: Repeat every 1 minute indefinetely.
  Task to be Run: %Windows%\IME\{malware name}.exe

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)