Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads

The “EternalBlue” exploit (MS017-010) was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block (SMB) protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT.

FireEye Dynamic Threat Intelligence (DTI) has historically observed similar payloads delivered via exploitation of CVE-2014-6332 vulnerability as well as in some email spam campaigns using powershell commands. Specifically, Backdoor.Nitol has also been linked to campaigns involving a remote code execution vulnerability using the ADODB.Stream ActiveX Object that affects older versions of Internet Explorer. Both payloads have previously been involved in targeted cyber-attacks against the aerospace and defense industry.

We observed lab machines vulnerable to SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine.

Figure 1 shows an EternalBlue exploitation attempt.

Figure 1. Network traffic showing EternalBlue attack attempt

The initial exploit technique used at the SMB level is similar to what we have been seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server.

We have observed the same EternalBlue and VBScript combination used to distribute  Gh0st RAT in Singapore, as well as Backdoor.Nitol being delivered in the South Asia region.

Figure 2. VBScript instructions in ‘1.vbs’

The full VBScript instructions can be seen in Figure 2. The attacker echoes instructions into a new ‘1.vbs’ file to be executed later.  These instructions fetch the  payload ‘taskmgr.exe’ from another server in a synchronous call (as indicated by the second parameter ‘0’).  This action creates an ActiveX object ADODB.Stream, which allows reading the file coming from the server and writes the result of the binary data in a stream. Mode ‘3’ is used for read/write permissions while type ‘1’ indicates stream as binary data. Thereafter, it saves the binary stream to a location at “c:/” with option ‘2’ in order to overwrite any binary with the same name at that location.

Later, we see that ‘1.vbs’ executes through a command-line version of the Windows Script Host which deletes the vbs file. Once the executable is fetched and saved, the attacker uses a shell to launch the backdoor from the saved location.

Figure 3 shows Backdoor.Nitol being downloaded and infecting the machine.

Figure 3. Network traffic showing Backdoor.Nitol download

The command and control (C2) for the Backdoor.Nitol sample is hackqz.f3322[.]org (120.209.40.157).  See Figure 4.

Figure 4. Backdoor.Nitol C2 communication

The other malware that we’ve observed being deployed in this manner is Gh0st RAT. The observed dropper downloads the Gh0st RAT binary from beiyeye.401hk[.]com (Figure 5).

Figure 5. Gh0st RAT C2 communication

The first five bytes in the header of the Gh0st RAT traffic is an indication of the Gh0st variant used. Historically we have seen wide-spread usage of variants employing the ‘cb1st’ magic header against the Education, Energy/Utilities, Manufacturing, Services/Consulting, and Telecom industries. For more information on this and other widely used variants of Gh0st RAT, please review GH0ST in the Machine: GH0ST RAT Remains Active in Financial Services Sector available on our subscription MySight portal.

The Gh0St RAT sample observed in this attack, as well as other associated samples identified by FireEye are all signed with a common digital certificate purporting to be from 北京研创达科技有限公司 (Beijing Institute of Science and Technology Co., Ltd). Stolen or illegitimately purchased code signing certificates are increasingly used to lend legitimacy to malware. See the appendix for full details on the observed code signing certificate.

Conclusion

The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads. It is critical that Microsoft Windowsusers patch their machines and update to the latest software versions as soon as possible.

Acknowledgements

FireEye Labs authors would like to thank Shahzad Ahmad and Kean Siong Tan for their contributions in this discovery.

IOCs

SHA sum
cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946
4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309

Downloader

121.201.9.204:45988 / taskmgr.exe  (Nitol)
beiyeye.401hk[.]com:1541 / systemUpdate.exe (Gh0st)

C2

hackqz.f3322.org  (Nitol)
120.209.40.157:8880 (Nitol)
bj6po.a1free9bird[.]com (Gh0st)

Code-Signing Certificate