An analysis of an infected PC revealed that an attacker used several NSA tools just four days after the Shadow Brokers’ dump then it burned the PC with ransomware when they were done with it. This blog post by Secdo may be related to this one but I can’t be sure.
I was asked to assist with an infected PC that had already been turned off. The ransomware encrypted the usual file extensions as well as .exe, .dll, .sqlite, .log, .xml, .dat, etc making it extremely difficult to piece together the activity that had taken place earlier.
On 4/18/17, a remote user logged into the computer via RDP and proceeded to execute a program called “key.exe” which dropped files in “C:\ProgramData\MicrosoftHostDLL\” including synchosted.exe (which is turned out to be NSSM – The non-sucking service manager). A new remote admin account called “backup1” was created and the password written to the info.ini file (and c:\info.txt).
The attacker downloaded several tools to the downloads folder and disabled anti-virus and added an exclusion for c:\users\backup1 in Windows Defender.
Other tools were installed as well such as UniversalTermsrvPatch-x64 and Advanced IP Scanner.
Based on the evidence, the following NSA tools were used by the attacker:
+ FuzzBunch (exploit framework)
+ Architouch (SMB recon)
+ EternalBlue (SMB exploit)
+ DoublePulsar (backdoor)
+ DanderSpritz (event log deleter, password stealer, screengrabber, keylogger)
+ PeddleCheap (shellcode/DLL injector)
When FuzzBunch is run, log files are created which provide a history of the operator’s activities. However, the ransomware program encrypted these files.
There were some files left untouched for some reason and I was able to collect details that show whether an attempt was successful or not.
One successful compromise prompted the attacker to download and install OWASP-ZSC to compile shellcode and use PeddleCheap to push that onto the machine. Each attempt caused the PC to crash. Digging into the crash dumps yielded the shellcode source.
When this failed, other attempts were made to install malware.
I tried to get the payload from the above site but it was no longer available. I found something in Google’s cache that seemed to match the file names.
The attacker then downloaded executables onto the desktop and tried to push them onto the other PC which failed. Having given up, the attacker trashed the PC by executing ransomware known as “Global Imposter”.
It appears that this attacker was figuring out how to use the NSA tools and eventually with enough practice s/he is going to get good at it. Others will too so we will probably start seeing a higher level of attacks — attacks using military-grade implants that don’t leave a whole lot of traces behind. Good luck to all of us.
220.127.116.11 – pppoe.avangarddsl.ru
18.104.22.168 – avangarddsl.ru
22.214.171.124 – avangarddsl.ru
126.96.36.199 – avangarddsl.ru
188.8.131.52 – hvvc.us
184.108.40.206 – brilliantangle.com