Not Your Typical Ransomware Infection

An analysis of an infected PC revealed that an attacker used several NSA tools just four days after the Shadow Brokers' dump and then burned the PC with ransomware when they were done with it. This blog post by Secdo may be related to this one but I can't be sure.

I was asked to assist with an infected PC that had already been turned off. The ransomware encrypted the usual file extensions as well as .exe, .dll, .sqlite, .log, .xml, .dat, etc., making it extremely difficult to piece together the activity that had taken place earlier.

On 4/18/17, a remote user logged into the computer via RDP and executed a program called "key.exe", which dropped files in "C:\ProgramData\MicrosoftHostDLL\" including synchosted.exe (which turned out to be NSSM, the Non-Sucking Service Manager, a legitimate utility for running any program as a Windows service). A new remote admin account called "backup1" was created and its password written to the info.ini file (and c:\info.txt).

The attacker downloaded several tools to the Downloads folder, disabled anti-virus, and added a Windows Defender exclusion for c:\users\backup1.

Other tools were installed as well, such as UniversalTermsrvPatch-x64 (which patches termsrv.dll so that several RDP sessions can run concurrently on a client edition of Windows) and Advanced IP Scanner.
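The staging sequence described above (an RDP logon, a service dropped under ProgramData, a new local admin account, real-time protection switched off and a Defender exclusion added for that account's profile) is a chain worth hunting for in Windows event logs before the ransomware stage ever runs. The following is an added example, not code from the original post or from any tool it mentions: it runs a simple per-host correlation over constructed sample events. The one-line event format, the channel tokens (Security, System, Defender) and the sample hosts and IP addresses are assumptions made for the example; the event IDs (4624 with logon type 10, 4720, 4732, 7045, and Defender 5001 and 5007) are the real Windows ones.

```python
"""Hunt for the pre-ransomware staging chain in Windows event log exports.

Assumed input: one event per line, 'ISO-timestamp host channel eventid key=value ...'
with double-quoted values allowed. The sample events below are constructed for
this example; they are not the incident's real logs.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    channel: str
    event_id: int
    fields: dict


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one export line into an Event, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, channel, eid, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return Event(datetime.fromisoformat(ts), host, channel, int(eid), fields)


# Stage name -> predicate. Event IDs are the real Windows ones; the Defender
# operational log is shortened to the channel token "Defender" (assumption).
STAGES = [
    ("rdp_logon", lambda e: e.event_id == 4624 and e.fields.get("LogonType") == "10"),
    ("account_created", lambda e: e.event_id == 4720),
    ("added_to_admins", lambda e: e.event_id == 4732
        and e.fields.get("TargetUserName", "").lower() == "administrators"),
    ("service_under_programdata", lambda e: e.event_id == 7045
        and "\\programdata\\" in e.fields.get("ImagePath", "").lower()),
    ("defender_realtime_off", lambda e: e.channel == "Defender" and e.event_id == 5001),
    ("defender_exclusion_added", lambda e: e.channel == "Defender" and e.event_id == 5007
        and "exclusions\\paths" in e.fields.get("New", "").lower()),
]


def find_staging_chains(lines, window=timedelta(hours=6), min_stages=4):
    """Return one finding per RDP logon that is followed on the same host, within
    `window`, by at least `min_stages` of the staging activities (the logon counts)."""
    events = sorted((ev for ev in map(parse_line, lines) if ev), key=lambda e: e.ts)
    by_host = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)

    findings = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not STAGES[0][1](start):          # every chain opens with an RDP logon
                continue
            hit = {"rdp_logon": start}
            for ev in evs[i + 1:]:
                if ev.ts - start.ts > window:
                    break
                for name, pred in STAGES[1:]:
                    if name not in hit and pred(ev):
                        hit[name] = ev       # keep the first occurrence of each stage
            if len(hit) < min_stages:
                continue
            account = hit["account_created"].fields.get("TargetUserName", "") if "account_created" in hit else ""
            exclusion = hit["defender_exclusion_added"].fields.get("New", "") if "defender_exclusion_added" in hit else ""
            findings.append({
                "host": host,
                "rdp_source": start.fields.get("IpAddress", ""),
                "start": start.ts.isoformat(),
                "stages": sorted(hit),
                "new_account": account,
                # strongest signal: the freshly created account is the one excluded from scanning
                "account_excluded_from_defender": bool(account) and account.lower() in exclusion.lower(),
            })
    return findings


# Constructed sample export: ws01 shows the full chain, ws02 only a normal admin task.
SAMPLE_LOG = r"""
2017-04-18T09:58:02 ws01 Security 4624 LogonType=10 TargetUserName=admin IpAddress=192.0.2.10
2017-04-18T10:01:40 ws01 System 7045 ServiceName=synchosted ImagePath="C:\ProgramData\MicrosoftHostDLL\synchosted.exe"
2017-04-18T10:02:15 ws01 Security 4720 TargetUserName=backup1 SubjectUserName=admin
2017-04-18T10:02:16 ws01 Security 4732 TargetUserName=Administrators MemberName=backup1
2017-04-18T10:05:03 ws01 Defender 5001
2017-04-18T10:05:30 ws01 Defender 5007 New="HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\users\backup1=0x0"
2017-04-18T11:30:00 ws02 Security 4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.20
2017-04-18T11:31:00 ws02 Security 4720 TargetUserName=svc_test SubjectUserName=jsmith
"""


def demo():
    return find_staging_chains(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Only ws01 is reported: ws02 has an RDP logon and an account creation, which on its own is routine administration and stays below the stage threshold. Raising `min_stages` or shrinking `window` trades recall for noise; the exclusion-matches-new-account flag is the field to sort on when triaging many hosts.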

Based on the evidence, the following NSA tools were used by the attacker:

  • FuzzBunch (exploit framework)
  • ArchiTouch (SMB recon: OS and architecture detection)
  • EternalBlue (SMB exploit)
  • DoublePulsar (kernel backdoor)
  • DanderSpritz (post-exploitation framework: event log cleaner, password stealer, screen grabber, keylogger)
  • PeddleCheap (shellcode/DLL payload injected through DoublePulsar and controlled from DanderSpritz)

When FuzzBunch is run, it writes log files that record the operator's activities and would have provided a full history of the attacks. However, the ransomware encrypted these files too.

There were some files left untouched for some reason, and from these I was able to collect details showing whether each attempt was successful or not.

One successful compromise prompted the attacker to download and install OWASP-ZSC (a shellcode generator) to compile shellcode and use PeddleCheap to push it onto the machine. Each attempt caused the PC to crash. Digging into the crash dumps yielded the shellcode source.

When this failed, other attempts were made to install malware.

I tried to get the payload from the above site but it was no longer available. I found something in Google's cache that seemed to match the file names.

The attacker then downloaded executables onto the desktop and tried to push them onto the other PC, which failed. Having given up, the attacker trashed the PC by executing the ransomware known as GlobeImposter ("Globe Imposter").

It appears that this attacker was still figuring out how to use the NSA tools, and with enough practice s/he is going to get good at it. Others will too, so we will probably start seeing a higher level of attacks: attacks using military-grade implants that don't leave many traces behind. Good luck to all of us.

Observables

Filename: key.exe
MD5: EECD77E9D522F3BA9022AC55487D98F1
Size: 1.19MB

Filename: synchosted.exe
MD5: E1D51EAE61D112CB00F8F9CED4D7294C
Size: 331KB

Filename: genpwd.exe
MD5: 0569047CAD5FFE8C40290960FFDCFDA1
Size: 808KB

Filename: local.exe
MD5: B1BA95F7F943E424D562AA5BB255ADC5
Size: 530KB

Filename: 1.exe
MD5: 227837783DFC1C2B3575746478CC133E
Size: 7KB
URL: 23[.]111[.]188[.]254:31337

Filename: 2.exe
MD5: 1AB7415C4A38F45085857FB9E6BD2069
Size: 72KB
URL: 23[.]111[.]188[.]254:4013

Filename: 3.exe
MD5: 6D1029FABF4D314065E3B33AC02ACEA6
Size: 1.14MB
URL: 23[.]111[.]188[.]254:22572

Filename: 4.exe
MD5: 9B79D2C612E4EAFB9034FD652F5A20EA
Size: 1.14MB
URL: 23[.]111[.]188[.]254:15892

Filename: Aifc0CC.exe
MD5: E967102AA181290B3A2BB68AD36E285A
Size: 72KB
URL: 45[.]114[.]116[.]192:13187

Filename: GFDXaoPXi.exe
MD5: 81B9EA03264EA0A2B65B36EACB05B465
Size: 72KB
URL: 23[.]111[.]188[.]254:7605

IPs/Domains

78[.]37[.]191[.]149 - pppoe.avangarddsl.ru
178[.]70[.]232[.]38 - avangarddsl.ru
178[.]70[.]225[.]165 - avangarddsl.ru
178[.]70[.]149[.]30 - avangarddsl.ru
23[.]111[.]188[.]254 - hvvc.us
45[.]114[.]116[.]192 - brilliantangle.com
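Indicator lists like the one above only help once they are machine-checkable. The following is an added example, not tooling from the original post: it parses the observables in exactly the layout used above, refangs the `[.]` notation, and matches the result against a file listing and a connection log, treating hash hits as strong (they survive renames) and filename-only hits as weak. The observables excerpt is copied from the block above; the file inventory and connection records are constructed for the example and do not come from the incident.

```python
"""Parse the observables block into an IOC set and match it against exported artifacts.

Added example, not from the original post. The file inventory and the connection
records below are constructed; the observables excerpt is copied from the block above.
"""
import re

OBSERVABLES = """
Filename: key.exe
MD5: EECD77E9D522F3BA9022AC55487D98F1
Size: 1.19MB

Filename: 2.exe
MD5: 1AB7415C4A38F45085857FB9E6BD2069
Size: 72KB
URL: 23[.]111[.]188[.]254:4013

Filename: Aifc0CC.exe
MD5: E967102AA181290B3A2BB68AD36E285A
Size: 72KB
URL: 45[.]114[.]116[.]192:13187

IPs/Domains

23[.]111[.]188[.]254 - hvvc.us
45[.]114[.]116[.]192 - brilliantangle.com
"""


def refang(s):
    """Undo the [.] defanging used in the published list."""
    return s.replace("[.]", ".")


def parse_observables(text):
    """Records are 'Key: value' lines separated by blank lines; 'ip - domain' lines
    form the IP table. Returns lookup tables keyed by md5, filename, ip:port and ip."""
    iocs = {"md5": {}, "filename": {}, "endpoint": {}, "ip": {}}
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = re.match(r"^(\w+):\s*(.+)$", line.strip())
            if m:
                rec[m.group(1).lower()] = m.group(2).strip()
                continue
            m = re.match(r"^(\S+)\s+-\s+(\S+)$", line.strip())
            if m:
                iocs["ip"][refang(m.group(1))] = m.group(2)
        if "md5" in rec:
            iocs["md5"][rec["md5"].lower()] = rec.get("filename", "")
        if "filename" in rec:
            iocs["filename"][rec["filename"].lower()] = rec.get("md5", "").lower()
        if "url" in rec:                      # the list's "URL" values are ip:port
            ep = refang(rec["url"])
            iocs["endpoint"][ep] = rec.get("filename", "")
            iocs["ip"].setdefault(ep.split(":")[0], "")
    return iocs


def match_files(iocs, inventory):
    """inventory: (path, md5) pairs as exported by a file-listing tool."""
    hits = []
    for path, md5 in inventory:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        md5 = md5.lower()
        if md5 in iocs["md5"]:
            hits.append({"confidence": "strong", "path": path,
                         "reason": "md5 matches %s" % iocs["md5"][md5]})
        elif name in iocs["filename"]:
            hits.append({"confidence": "weak", "path": path,
                         "reason": "filename only; hash differs"})
    return hits


def match_connections(iocs, connections):
    """connections: (src, dst_ip, dst_port) triples from a firewall or flow log."""
    hits = []
    for src, dst_ip, dst_port in connections:
        ep = "%s:%s" % (dst_ip, dst_port)
        if ep in iocs["endpoint"]:
            hits.append({"confidence": "strong", "src": src, "dst": ep,
                         "reason": "payload endpoint for %s" % iocs["endpoint"][ep]})
        elif dst_ip in iocs["ip"]:
            hits.append({"confidence": "medium", "src": src, "dst": ep,
                         "reason": "known attacker IP, other port"})
    return hits


# Constructed samples: an exact hit, a renamed copy of 2.exe, a same-named benign file.
SAMPLE_INVENTORY = [
    (r"C:\Users\backup1\Downloads\key.exe", "eecd77e9d522f3ba9022ac55487d98f1"),
    (r"C:\Users\backup1\Desktop\update.exe", "1AB7415C4A38F45085857FB9E6BD2069"),
    (r"C:\Temp\key.exe", "00000000000000000000000000000000"),
    (r"C:\Windows\notepad.exe", "11111111111111111111111111111111"),
]
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "23.111.188.254", 4013),
    ("10.0.0.5", "23.111.188.254", 443),
    ("10.0.0.9", "192.0.2.53", 53),
]


def demo_files():
    return match_files(parse_observables(OBSERVABLES), SAMPLE_INVENTORY)


def demo_connections():
    return match_connections(parse_observables(OBSERVABLES), SAMPLE_CONNECTIONS)


if __name__ == "__main__":
    for hit in demo_files() + demo_connections():
        print(hit)
```

The renamed update.exe is caught by hash, the unrelated C:\Temp\key.exe is only a weak name match, and traffic to the attacker's IP on a port not in the list is reported at medium confidence rather than dropped, since the same host served several payloads on different ports.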

Posted on: 05/25/2017