Swedish Windows Security User Group

The steep rise in cryptocurrency market capitalization, not surprisingly, mirrors a marked increase in threats and attacks that target or leverage cryptocurrencies. But Microsoft researchers are observing an even more interesting trend: the evolution of related malware and their techniques, and the emergence of a threat type we’re referring to as cryware.

Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets. Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them.

Cryware signifies a shift in the use of cryptocurrencies in attacks: no longer as a means to an end but the end itself. Before cryware, the role of cryptocurrencies in an attack or the attack stage where they figured varied depending on the attacker’s overall intent. For example, some ransomware campaigns prefer cryptocurrency as a ransom payment. However, that requires the target user to manually do the transfer. Meanwhile, cryptojackers—one of the prevalent cryptocurrency-related malware—do try to mine cryptocurrencies on their own, but such a technique is heavily dependent on the target device’s resources and capabilities.

With cryware, attackers who gain access to hot wallet data can use it to quickly transfer the target’s cryptocurrencies to their own wallets. Unfortunately for the users, such theft is irreversible: blockchain transactions are final even if they were made without a user’s consent or knowledge. In addition, unlike credit cards and other financial transactions, there are currently no available mechanisms that could help reverse fraudulent cryptocurrency transactions or protect users from such.

To find hot wallet data such as private keys, seed phrases, and wallet addresses, attackers could use regular expressions (regexes), given how these typically follow a pattern of words or characters. These patterns are then implemented in cryware, thus automating the process. The attack types and techniques that attempt to steal these wallet data include clipping and switching, memory dumping, phishing, and scams.

As cryptocurrency investing continues to trickle to wider audiences, users should be aware of the different ways attackers attempt to compromise hot wallets. They also need to protect these wallets and their devices using security solutions like Microsoft Defender Antivirus, which detects and blocks cryware and other malicious files, and Microsoft Defender SmartScreen, which blocks access to cryware-related websites. For organizations, data and signals from these solutions also feed into Microsoft 365 Defender, which provides comprehensive and coordinated defense against threats—including those that could be introduced into their networks through user-owned devices or non-work-related applications.

In this blog, we provide details of the different attack surfaces targeting hot wallets. We also offer best practice recommendations that help secure cryptocurrency transactions.

From cryptojackers to cryware: The growth and evolution of cryptocurrency-related malware

The emergence and boom of cryptocurrency allowed existing threats to evolve their techniques to target or abuse cryptocurrency tokens. The threats that currently leverage cryptocurrency include:

• Cryptojackers. One of the threat types that surfaced and thrived since the introduction of cryptocurrency, cryptojackers are mining malware that hijacks and consumes a target’s device resources for the former’s gain and without the latter’s knowledge or consent. Based on our threat data, we saw millions of cryptojacker encounters in the last year.
• Ransomware. Some threat actors prefer cryptocurrency for ransom payments because it provides transaction anonymity, thus reducing the chances of being discovered.
• Password and info stealers. Apart from sign-in credentials, system information, and keystrokes, many info stealers are now adding hot wallet data to the list of information they search for and exfiltrate.
• ClipBanker trojans. Another type of info stealer, this malware checks the user’s clipboard and steals banking information or other sensitive data a user copies. ClipBanker trojans are also now expanding their monitoring to include cryptocurrency addresses.

The increasing popularity of cryptocurrency has also led to the emergence of cryware like Mars Stealer and RedLine Stealer. These threats aim to steal cryptocurrencies through wallet data theft, clipboard manipulation, phishing and scams, or even misleading smart contracts. For example, RedLine has even been used as a component in larger threat campaigns. The graph below illustrates the increasing trend in unique cryware file encounters Microsoft Defender for Endpoint has detected in the last year alone.

Cryware could cause severe financial impact because transactions can’t be changed once they’re added to the blockchain. As mentioned earlier, there also are currently no support systems that could help recover stolen cryptocurrency funds.

For example, in 2021, a user posted about how they lost USD78,000 worth of Ethereum because they stored their wallet seed phrase in an insecure location. An attacker likely gained access to the target’s device and installed cryware that discovered the sensitive data. Once this data was compromised, the attacker would’ve been able to empty the targeted wallet.

With the growing popularity of cryptocurrency, the impact of cryware threats have become more significant. We’ve already observed campaigns that previously deployed ransomware now using cryware to steal cryptocurrency funds directly from a targeted device. While not all devices have hot wallets installed on them—especially in enterprise networks—we expect this to change as more companies transition or move part of their assets to the cryptocurrency space. Users and organizations must therefore learn how to protect their hot wallets to ensure their cryptocurrencies don’t end up in someone else’s pockets.

Hot wallet attack surfaces

To better protect their hot wallets, users must first understand the different attack surfaces that cryware and related threats commonly take advantage of.

Hot wallet data

During the creation of a new hot wallet, the user is given the following wallet data:

• Private key. The key that’s required to access the hot wallet, sign or authorize transactions, and send cryptocurrencies to other wallet addresses.
• Seed phrase. A mnemonic phrase is a human-readable representation of the private key. It’s another form of a private key that’s easier to remember. Bitcoin Improvement Proposal: 39 (BIP39) is currently the most common standard used to generate seed phrases consisting of 12-14 words (from a predefined list of 2,048).
• Public key. The public address of the wallet that users must enter as the destination address when sending funds to other wallets.
• Wallet password (optional). A standard user account password that some wallet applications offer as an additional protection layer.

Attackers try to identify and exfiltrate sensitive wallet data from a target device because once they have located the private key or seed phrase, they could create a new transaction and send the funds from inside the target’s wallet to an address they own. This transaction is then published to the blockchain of the cryptocurrency of the funds contained in the wallet. Once this action is completed, the target won’t be able to retrieve their funds as blockchains are immutable (unchangeable) by definition.

To locate and identify sensitive wallet data, attackers could use regexes, which are strings of characters and symbols that can be written to match certain text patterns. The following table demonstrates how regexes can be used to match wallet string patterns:

Wallet target	String description	String example	Regular expression
Private key	Identify a string of characters that comprise an example private key. This key would consist of exactly 256 bits (32 characters) in an unspaced, capitalized, hexadecimal string located on one line.	A6FDF18E86000542388064492B58CBF	^[A-F0-9]{32}$
Seed phrase	Identify a string of characters that comprise a seed phrase consisting of 12 words separated by a single space located on one line.	this is a long string of text consisting of twelve random words	^(\w+\s){11}\w+$
Wallet address	Identify a string of characters that comprise an example public wallet address. This address would consist of exactly 24 characters in an unspaced, hexadecimal string preceded by the literal letters “LB”.	LB32b787573F5186C696b8ed61	^LB[a-fA-F0-9]{24}$

Cryware attack scenarios and examples

Once sensitive wallet data has been identified, attackers could use various techniques to obtain them or use them to their advantage. Below are some examples of the different cryware attack scenarios we’ve observed.

Clipping and switching

In clipping and switching, a cryware monitors the contents of a user’s clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address. If the target user pastes or uses CTRL + V into an application window, the cryware replaces the object in the clipboard with the attacker’s address.

Figure 4, which is a code based on an actual clipper malware we’ve seen in the wild, demonstrates the simplest form of this attack. This code uses regexes to monitor for copied wallet addresses and then swaps the value to be pasted.

While this technique is not new and has been used in the past by info stealers, we’ve observed its increasing prevalence. The technique’s stealthy nature, combined with the length and complexity of wallet addresses, makes it highly possible for users to overlook that the address they pasted does not match the one they originally copied.

Memory dumping

Another technique is memory dumping, which takes advantage of the fact that some user interactions with their hot wallet could display the private keys in plaintext. This critical information might remain in the memory of a browser process performing these actions, thus compromising the wallet’s integrity. Such a scenario also allows an attacker to dump the browser process and obtain the private key.

The screenshot below illustrates such an example. When a private key was exported through a web wallet application, the private key remained available in plaintext inside the process memory while the browser remained running.

Wallet file theft

While more sophisticated cryware threats use regular expressions, clipboard tampering, and process dumping, a simple but effective way to steal hot wallet data is to target the wallet application’s storage files. In this scenario, an attacker traverses the target user’s filesystem, determines which wallet apps are installed, and then exfiltrates a predefined list of wallet files.

Target files and information include the following:

• Web wallet files. Some hot wallets are installed as browser extensions with a unique namespace identifier to name the extension storage folder. A web wallet’s local vault contains the encrypted private key of a user’s wallet and can be found inside this browser app storage folder. Attackers target this vault as it can be brute-forced by many popular tools, such as Hashcat.
  • Example targeted MetaMask vault folder in some web browsers: “Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn”
• Desktop wallet files. Other hot wallets are installed on a user’s desktop device. The private keys are encrypted and stored locally in application storage files specific to each wallet. Attackers could determine which desktop wallet is installed on a target device when stealing information from it. As with the web wallet vaults, wallet storage files containing encrypted private keys provide an excellent opportunity for brute-force attacks.
  • Example targeted Exodus storage files: “Exodus\passphrase.json”, “Exodus\seed.seco”
• Wallet passwords. Some wallet applications require passwords as an additional authentication factor when signing into a wallet. Some users store these passwords and seed phrases or private keys inside password manager applications or even as autofill data in browsers. Attackers could traverse an affected device to discover any password managers installed locally or exfiltrate any browser data that could potentially contain stored passwords.
  • Example targeted browser data: “\Cookies\”, “\Autofill\”

Mars Stealer is a notable cryware that steals data from web wallets, desktop wallets, password managers, and browser files. The snippet below was taken from a section of Mars Stealer code aimed to locate wallets installed on a system and steal their sensitive files:

Mars Stealer is available for sale on hacking forums, as seen in an example post below. The post describes the cryware’s capabilities of stealing sensitive data from multiple wallets and app storage files from an affected device. Mars Stealer then bundles the stolen data and exfiltrates it to an attacker-controlled command-and-control (C2) server via HTTP POST.

Keylogging

Keylogging is another popular technique used by cryware. Like other information-stealing malware that use this technique, keylogging cryware typically runs in the background of an affected device and logs keystrokes entered by the user. It then sends the data it collects to an attacker controlled C2 server.

For attackers, keyloggers have the following advantages:

• No need for brute forcing. Private keys, seed phrases, and other sensitive typed data can be stolen in plaintext.
• Difficult to detect. Keyloggers can run undetected in the background of an affected device, as they generally leave few indicators apart from their processes.
• Stolen data can live in memory. Attackers don’t have to write stolen user data to disk. Instead, they can store the data in process memory before uploading it to the server.

Even users who store their private keys on pieces of paper are vulnerable to keyloggers. Copying and pasting sensitive data also don’t solve this problem, as some keyloggers also include screen capturing capabilities.

Phishing sites and fake applications

To fool users into entering their private keys, attackers create malicious applications that spoof legitimate hot wallets. Unfortunately, determining which app is malicious or legitimate can be challenging because importing an existing wallet does require the input of a private key.

Since a user needs to go to a hot wallet website to download the wallet app installer, attackers could use one of the two kinds of methods to trick users into downloading malicious apps or giving up their private keys:

• Typosquatting: Attackers purchase domains that contain commonly mistyped characters.
• Soundsquatting: Attackers purchase domains with names that sound like legitimate websites.

The screenshot below shows a spoofed MetaMask website. While the domain contains the word “MetaMask,” it has an additional one (“suspend”) at the beginning that users might not notice. This could easily trick a user into entering their private keys to supposedly import their existing wallet, leading to the theft of their funds instead.

Phishing websites may even land at the top of search engine results as sponsored ads. In February 2022, we observed such ads for spoofed websites of the cryptocurrency platform StrongBlock. The topmost fake website’s domain appeared as “strongsblock” (with an additional “s”) and had been related to phishing scams attempting to steal private keys. Note that these ads no longer appear in the search results as of this writing. It’s common practice for internet search engines (such as Google and Edge) to regularly review and remove ad results that are found to be possible phishing attempts.

Some spoofed wallet websites also host fake wallet apps that trick users into installing them. Figure 10 shows an example of a fake wallet app that even mimics the icon of the legitimate one. Like phishing websites, the fake apps’ goal is to trick users into providing sensitive wallet data.

Apart from credential-based phishing tactics in websites and apps, Microsoft security researchers also noted a technique called “ice phishing,” which doesn’t involve stealing keys. Rather, it attempts to trick users into signing a transaction that delegates approval of the target user’s tokens to an attacker. More information about ice phishing can be found in this blog.

Scams and other social engineering tactics

Cryptocurrency-related scams typically attempt to lure victims into sending funds of their own volition. One such scam we’ve seen uses prominent social media personalities who seemingly endorse a particular platform. The scammers promise to “donate” funds to participants who send coins to a listed wallet address. Unfortunately, these promises are never fulfilled.

Social media content creators are also becoming the targets of scam emails. The email messages attempt to trick targets into downloading and executing cryware on their devices by purporting promotional offers and partnership contracts.

In such cases, the downloaded or attached cryware masquerades as a document or a video file using a double extension (for example, .txt.exe) and a spoofed icon. Thus, target users who might be distracted by the message content might also forget to check if the downloaded file is malicious or not.

Defending against cryware

Cryptocurrency crime has been reported to have reached an all-time high in 2021, with over USD10 billion worth of cryptocurrencies stored in wallets associated with ransomware and cryptocurrency theft. This shows that just as large cryptocurrency-related entities get attacked, individual consumers and investors are not spared.  

Cryptocurrency trading can be an exciting and beneficial practice, but given the various attack surfaces cryware threats leverage, users and organizations must note the multiple ways they can protect themselves and their wallets. They should have a security solution that provides multiple layers of dynamic protection technologies—including machine learning-based protection.

Microsoft Defender Antivirus offers such protection. Its endpoint protection capabilities detect and block many cryware, cryptojackers, and other cryptocurrency-related threats. Meanwhile, Microsoft Defender SmartScreen in Microsoft Edge and other web browsers that support it blocks phishing sites and prevents downloading of fake apps and other malware. Signals from these solutions, along with threat data from other domains, feed into Microsoft 365 Defender, which provides organizations with comprehensive and coordinated threat defense and is backed by a global network of security experts who monitor the continuously evolving threat landscape for new and emerging attacker tools and techniques.

Users and organizations can also take the following steps to defend against cryware and other hot wallet attacks:

• Lock hot wallets when not actively trading. This feature in most wallet applications can prevent attackers from creating transactions without the user’s knowledge.
• Disconnect sites connected to the wallet. When a user isn’t actively doing a transaction on a decentralized finance (DeFi) platform, a hot wallet’s disconnect feature ensures that the website or app won’t interact with the user’s wallet without their knowledge.

• Refrain from storing private keys in plaintext. Never store seed phrases on the device or cloud storage services. Instead, write them down on paper (or something equivalent) and properly secure them.
• Be attentive when copying and pasting information. When copying a wallet address for a transaction, double-check if the value of the address is indeed the one indicated on the wallet.
• Ensure that browser sessions are terminated after every transaction. To minimize the risk of cryware process dumpers, properly close or restart the browser’s processesafterimporting keys. This ensures that the private key doesn’t remain in the browser process’s memory.
• Consider using wallets that implement multifactor authentication (MFA). This prevents attackers from logging into wallet applications without another layer of authentication.
• Be wary of links to wallet websites and applications. Phishing websites often make substantial efforts to appear legitimate, so users must be careful when clicking links in emails and messaging apps. Consider manually typing or searching for the website instead and ensure that their domains are typed correctly to avoid phishing sites that leverage typosquatting and soundsquatting.
• Double-check hot wallet transactions and approvals. Ensure that the contract that needs approval is indeed the one initiated.
• Never share private keys or seed phrases. Under no circumstances will a third party or even the wallet app developers need these types of sensitive information.
• Use a hardware wallet unless it needs to be actively connected to a device. Hardware wallets store private keys offline.
• Reveal file extensions of downloaded and saved files. On Windows,turn on File Name Extensions under View on file explorer to see the actual extensions of the files on a device.

Learn how you can stop attacks through automated, cross-domain security with Microsoft 365 Defender.

Berman Enconado and Laurie Kirk
Microsoft 365 Defender Research Team

Appendix

Microsoft 365 Defender detections

Microsoft Defender Antivirus

• Trojan:Win32/Azorult.RMA!MTB
• PWS:MSIL/RedLine.GG!MTB
• Trojan:Win32/ArkeiStealer.DB!MTB
• Trojan:Win32/Raccoon.AD!MTB
• Trojan:AndroidOS/FakeWallet.A!MTB

The post In hot pursuit of ‘cryware’: Defending hot wallets from attacks appeared first on Microsoft Security Blog.

Phorpiex, an enduring botnet known for extortion campaigns and for using old-fashioned worms that spread via removable USB drives and instant messaging apps, began diversifying its infrastructure in recent years to become more resilient and to deliver more dangerous payloads. Today, the Phorphiex botnet continues to maintain a large network of bots and generates wide-ranging malicious activities.

These activities, which traditionally included extortion and spamming activities, have expanded to include cryptocurrency mining. From 2018, we also observed an increase in data exfiltration activities and ransomware delivery, with the bot installer observed to be distributing Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony ransomware, among other malware.

The botnet’s geographic targeting for bot distribution and installation expanded, too. Previous campaigns focused on targets in Japan, but more recent activity showed a shift to a more global distribution.

Figure 1. Global distribution of Phorpiex botnet activity

The Phorpiex botnet has a reputation for being simplistic and lacking robustness, and it has been hijacked by security researchers in the past. Its tactics, techniques, and procedures (TTPs) have remained largely static, with common commands, filenames, and execution patterns nearly unchanged from early 2020 to 2021. To support its expansion, however, Phorpiex has shifted some of its previous command-and-control (C2) architecture away from its traditional hosting, favoring domain generation algorithm (DGA) domains over branded and static domains.

This evolution characterizes the role of botnets in the threat landscape and the motivation of attackers to persist and remain effective. The threat ecosystem relies on older botnets with large and diverse network of compromised machines to deliver payloads at low costs. And while many of the older botnet architectures have been primarily classified as spam delivery mechanisms, these infrastructures are critical for newer, modular delivery mechanisms.

Phorpiex also demonstrates that bots, which are some of oldest types of threats, continue to affect consumer users but notably brings increasingly more serious threats to enterprise networks. Despite being traditionally associated with lower-risk activity like extortion and spamming, Phorpiex operators’ decision to move to more impactful malware and actions is entirely at the whim of the attackers.

Understanding botnets and associated infrastructure, botnet malware, their activities and payloads, and how they evolve provides insight into attacker motivation and helps ensure durable protection against some of the most prevalent threats today. At Microsoft, we continue to conduct in-depth research into these threats. These expert investigations add to the massive threat intelligence that inform Microsoft 365 Defender services and the protections they provide. Microsoft 365 Defender delivers coordinated cross-domain defense against the various malware, emails, network connections, and malicious activity associated with Phorpiex and other botnets.

Distribution, expansion, and operation

Phorpiex’s sprawling botnet operation can be divided into three main portions:

1. Distribution of the bot loader: The bot loader has been propagated through a variety of means over the years, including being loaded by other malware, freeware, and unwanted programs, or delivered by phishing emails from already-infected bots. Phorpiex has also spread via productivity platforms, as well as via instant messaging and USB drives.
2. Mailing botnet: In addition to spreading the bot loader via email, the botnet is used to generate currency. It does so via extortion and spam campaigns as well as through a variety of other types of financially motivated malware.
3. Malware delivery botnet: In recent years, the botnet has been observed installing ransomware, cryptocurrency miner, and other malware types, indicating the expansion of the botnet’s activities by the Phorpiex operators or as part of malware-as-a-service scheme.

From December 2020 to February 2021, the Phorpiex bot loader was encountered in 160 countries, with Mexico, Kazakhstan, and Uzbekistan registering the most encounters.

Figure 2. Countries with the most encounters of the Phorpiex bot loader

In December 2020 and January 2021, we observed non-weaponized staging of Knot ransomware on Phorpiex servers. In February, we also detected commodity malware such as Mondfoxia (also known as DiamondFox) in these servers. These recent developments indicate new loader and monetization strategies under active development.

The combination of the wide variety of infection vectors and outcomes makes the Phorpiex botnet appear chaotic at first glance. However, for many years Phorpiex has maintained a consistent internal infrastructure using similar domains, command-and-control (C2) mechanisms, and source code.

The wide range of infection vectors used by Phorpiex requires a unified security approach that ensures protection is delivered on the endpoint, network, email, and applications. Microsoft 365 Defender’s advanced threat protection technologies detect malicious activity in each of these domains. Moreover, the correlation of these cross-domain threat data surfaces additional malicious activity, allowing Microsoft 365 Defender to provide coordinated and comprehensive protection against Phorpiex.

Bot distribution and installation

Phorpiex maintains and expands its network of bot-infected computers by distributing the Phorpiex bot loader. In 2020 and 2021 we observed the bot loader being spread through Phorpiex bot-delivered emails with .zip or other archive file attachments, downloaded from fake download sites for software (such as photo editing software, screensaver, or media players), or downloaded by other malware also delivered through email. These multiple entry points demonstrate the modular nature of the malware economy.

Regardless of distribution mechanism, however, the bot loader operates in a fairly uniform fashion. It uses three distinct types of C2 to fulfil different goals during and after installation:

• Downloading the Phorpiex malware implant
• Downloading updates to the Phorpiex implant and new exploit modules
• Checking in with C2 infrastructure to deliver cryptocurrency or return data

The malware implant is initially downloaded from sites such as trik[.]ws (historically) or, more recently, a malware hosting repository, worm[.]ws. We are also noticing a shift to using more dedicated IP-based C2 and delivery sites, such as 185[.]215[.]113[.]10 and 185[.]215[.]113[.]8. A notable Phorpiex behavior is the downloading of numbered modules, typically numbered 1-10, with URL paths such as <domain>.com/1, <domain>.com/2, <domain>.com/3, continuing this pattern for as many additional components as needed. As these downloads do not happen through standard web traffic, network-level protection is necessary to prevent malicious downloads. In a very recent development, we observed that most Phorpiex bot loader malware have  abandoned branded C2 domains and have completely moved to using IPs or DGA domains. However, as in the past, the operators neglected to register all the potential sites that the DGA domains resolve to.

When downloaded and run, the implant attempts to connect to legitimate external sites like WIPMANIA.com to get IP information. It does this repeatedly during subsequent check-ins, and then begins connecting to hardcoded C2 servers. During these check-ins, the implant checks the device’s regional settings and exits if it’s operating in a non-desired region, such as Ukraine. Favored regions include countries in East Asia as well as English-speaking countries.

The loader modules and updates are pulled from a variety of attacker-owned domains. These domain-names typically begin with a second-level domain (2LD) of TLDR, TSRV, or THAUS and end with an assortment of unorthodox TLD such as .WS, .TOP, .RU, .CO, .TO, .SU., .CC, and .IO. As has been pointed out by other researchers, the TSRV and TLDR are likely references to “Trik Server” or “Trik Loader”, as many of the internals of the malware use Trik as proprietary name.

Regular connections to these attacker-owned domains continue during infection, such that devices that have been infected for months receive new loader versions and capabilities. Modules downloaded from C2 can include additional malware, ransomware, cryptocurrency mining functionality, worming functionality, and the Phorpiex mailing botnet functionality. It is most common for a bot to be participating in mailing and crypto mining, as these seem to be driving revenue generation for the operators during non-ransomware initiatives.

The bot also establishes persistence and attempts to disable security controls. This includes modifying registry keys to disable firewall and antivirus popups or functionality, overriding proxy and browser settings, setting the loader and executables to run at startup, and adding these executables to the authorized application lists. A sample of the keys changed is below, with minor changes from version to version of the loader:

• \FirewallPolicy\StandardProfile\AuthorizedApplications\List
• \Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services
• \Microsoft\Security Center\AntiVirusOverride
• \Microsoft\Security Center\AntiVirusDisableNotify
• \Microsoft\Security Center\FirewallOverride
• \Microsoft\Security Center\FirewallDisableNotify
• \Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
• \Microsoft\Security Center\UpdatesOverride
• \Microsoft\Security Center\UpdatesDisableNotify
• \Microsoft\Windows NT\CurrentVersion\SystemRestore
• \Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
• \Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
• \Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable

Enabling tamper protection in Microsoft Defender for Endpoint prevents the bot from making modifications related to Microsoft Defender services. Microsoft Defender for Endpoint automatically cleans up changes made by the bot (if any) during threat cleanup and remediation. Security operations teams can use advanced hunting capabilities to locate these and similar modifications. Administrators can also disable “Local Policy Merge” to prevent local firewall policies from getting in effect over group policies.

As the bot loader updates, the key values change to reflect new files, randomized file paths, and masqueraded system files. The example below illustrates a change from SVCHOST to LSASS:

KEY NAME: HKEY_CURRENT_USER\[ID]\Software\Microsoft\Windows\CurrentVersion\Run
OLD VALUE: C:\1446621146296\svchost.exe
NEW VALUE: C:\19197205241657\lsass.exe

At varying intervals, the bot implant collects lists of files and exfiltrates that data to external IP addresses leased by the attacker, many of which also serve as C2. When additional malware is installed, the pull is initiated from the implant itself. The malware is staged on the Phorpiex operators’ servers prior to new campaigns or on the shared sites such as worm[.]ws.

The bot checks in routinely, often weekly and sometimes even daily. It does this to upload any outcomes from the various modules that the bot installs, such as coin mining deposits or spam activity.

In addition to detecting and blocking the bot malware through its endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities, Microsoft Defender for Endpoint’s network protection defends against botnet activities like connecting to attacker-controlled servers, mimicking system files, and downloading implants and additional payloads.

Self-spreading via remote drives

One of the more unique and easily identifiable Phorpiex behavior when it spread primarily via USB involves a check that occurs routinely for all connected remote drives. The bot then creates a series of hidden folders on those drives with underscores (e.g., “__”) and then changes the registry attributes to make these appear invisible to the user. The bot then copies all its file configurations and include a malicious DriveMgr.exeI, a copy of the loader, as well as  a .lnk file that runs the malware when opened. This activity has been largely consistent since 2019. This functionality offers a self-spreading mechanism that offers a backup way to expand the bot implant base. Commands consistent with this Phorpiex worming activity are:

• ShEllExECutE=__\\DriveMgr.exe
• “cmd.exe” /c start __ & __\DriveMgr.exe & exit

Microsoft Defender for Endpoint offers multiple layers of protection against USB threats. This includes real-time scanning of removable drives and attack surface reduction rule to block untrusted and unsigned processes that run from USB. Microsoft Defender for Endpoint also enables organizations to monitor and control removable drives, for example allow or block USB based on granular configurations, and monitor USB activities.

Phorpiex as a mailing botnet

For several years, Phorpiex used infected machines to deliver extortion, malware, phishing, and other content through large-scale email campaigns. These emails span a large set of lures, subject lines, languages, and recipients, but there are key sets of characteristics that can identify emails sent from the Phorpiex botnet:

• Spoofed sender domain, sender username, and sender display name
• Sender domain of 4 random digits
• Sender username using a generic name with a variety of numbers
• Subjects or lures referencing singular names, heights and weights, surveillance
• Body of the message often referencing dating services or extortion material for ransom
• Presence of Bitcoin, DASH, Etherium, or other cryptocurrency wallets
• ZIP files or other file types purporting to be images such as JPG files or photo types

These patterns include language more commonly used in consumer extortion emails, which reference having illicit photos or videos of the recipient. These are also the same lures that are used to distribute the bot installer as well as ransomware or other malware. The messages often include old passwords of individuals gathered from publicly available lists, a method that attackers use to add credibility whether the mail is received in a corporate environment or at home.

Microsoft Defender for Office 365 detects malicious emails sent by the Phorpiex botnet. These include the extortion and phishing emails, as well as messages carrying malware, whether the Phorpiex loader itself or other malware. Microsoft Defender for Office 365 users AI and machine learning to detect user and domain impersonation, informed by its comprehensive visibility into email threats as well as through in-depth research like this.

Spam and extortion campaigns

Phorpiex is well known for illicit image or video-based extortion phish and spam campaigns, also known as “sextortion”. These campaigns target a large variety of regions and languages, which is a different set of targets from bot distribution activities. These generally do not deliver malware directly. They are meant to collect revenue for the operator by asserting that they have already compromised a device and have access to damaging material regarding the recipient.

Sextortion campaigns have been quite popular in recent years and generally require payment from the victim in cryptocurrency. We observed Phorpiex operators requiring payment primarily through Bitcoin and Dash. Examples of one such cryptocurrency profit volume from a campaign in late February 2021 targeting English speaking users is below, with the subject “Payment from your account”.

There are several public monitors of extortion wallets operated by Phorpiex, which have seen the operators of the botnet running numerous wallets during any given week. We observed the below example in which an operator requested $950 from users and accumulated over $13,000 in 10 days.

Figure 3. Cryptocurrency profit volume from a single wallet used in spam extortion campaign in late February 2021. Data from BitInfoCharts.

In late 2020 and early 2021 we also observed this extortion scheme exploiting fears about security vulnerabilities in teleconferencing applications such as Zoom. The messages claimed that a vulnerability is what allowed the operators to capture their extortion material.

Figure 4. Example of an extortion email lure from late 2020

Figure 5. Example of a Korean language extortion email lure from early 2021

In addition to the examples above, Phorpiex is often distributed via business email compromise and contain no links or URLs. This hampers many automatic detection capabilities an organization might have in place.

Phishing, malware, and ransomware campaigns

Phorpiex-powered phishing campaigns as well as bot implant installations deliver secondary malware as well as standard extortion and spam. The tactics involving the spread of emails are the same, with the only differences being in the attachments or links. Malware involving malicious Office documents is interspersed with deliveries of the bot implant or direct ransomware deliveries, which are often contained within .ZIP attachments.

Since 2019, many of the malware-carrying emails from Phorpiex use the same lures, subject lines, and attachment file names. The emails use a randomly generated feminine name in the subject or reference an embarrassing or improperly obtained photo, and either contain extortion or deliver ransomware. As part of the social engineering lure, he malware attachments masquerade as .jpg files or other file types, while appearing as .zip or .js files.

Figure 6. Example of an email lure including malicious ZIP attachment masquerading as an image of an actress

In Summer and Fall 2020 many new Phorpiex infections began to spread using archive files to deliver BitRansomware and Avaddon. Avaddon only began spreading in mid to late 2020 and its distribution seems to have been tightly coupled with Phorpiex since its inception.

In the month of August 2020, there was also an increase in the number of bot implants installed on devices, corresponding with the ransomware increase. At this time, most instances of ransomware perpetrated by Phorpiex were carried through the bot implant itself.

Phorpiex as malware delivery botnet

In addition to operating as a mailing botnet, Phorpiex has evolved to deliver other malware as well, most notably cryptocurrency mining malware and ransomware.

Cryptocurrency mining malware

In 2019 Phorpiex started utilizing an XMRIG miner to monetize the hosts with Monero. This module is included in almost all bot installations at the time of infection and communicates primarily over port 5555. This behavior might be coupled with other malware, but in this instance, it is associated with the masqueraded system process used by the rest of the Phorpiex implant (i.e., SVCHOST.exe or LSASS.exe).

The miner is downloaded as a module masquerading as WINSYSDRV.exe It stores its configuration locally and checks it periodically. The miner does this from additional masqueraded system processes injected into legitimate processes to read its configuration and to mine.

The WINSYSDRV.exe file routinely kicks off a series of heavily nested processes preceded by a PING with a long wait, which is intended to avoid sandboxes. This command is shown below:

cmd.exe /C ping [INTERNAL IP] -n 8 -w 3000 > Nul & Del /f /q “C:\ProgramData\PnQssBdbSh\winsysdrv.exe” & “C:\Users\[USER]\AppData\Local\Temp\winsysdrv.exe”

In prior versions, this command utilized the legitimate but hijacked WUAPP.exe process. Recently we have seen NOTEPAD.exe used to read the path, which is a variant of C:\ProgramData\[RandomString]cfg:

• “C:\Windows\System32\wuapp.exe” -c “C:\ProgramData\ADwXcSSGvY\cfgi” (2019-2020)
• “C:\Windows\System32\wuapp.exe” -c “C:\ProgramData\PnQssBdbSh\cfgi” (2020)
• “notepad.exe” -c “C:\ProgramData\PnQssBdbSh\cfgi” (2020-2021)
• “notepad.exe” -c “C:\ProgramData\PnQssBdbSh\cfg” (2020-2021)

In addition to mining Monero, versions of the bot loader also upload to Bitcoin wallets. We were able to scrape those addresses via downstream executables dropped by the Phorpiex loader masquerading as SVCHOST.exe or LSASS.exe. Below is an example of the balance in one such wallet address that was active from September to November 2020, embedded in a specific sample.

Figure 7. Cryptocurrency profit from a single wallet used in a miner dropped on an infected machine from September to November 2020. Data from BitInfoCharts.

In February of 2021, infected implants also downloaded additional Etherium miners. These miners create scheduled tasks are labeled “WindowsUpdate” but run the miner every minute. The miners search for graphics cards as well as other resources to use for mining with an ethermine.org mining pool. Here’s an example task creation:

schtasks /create /sc minute /mo 1 /tn WindowsUpdate /tr %TEMP%\System.exe

Microsoft has also observed Phorpiex variants with cryptocurrency-clipping functionality accompanying the installation of the loader. In these instances, the malware checks clipboard values for a valid cryptocurrency wallet ID. If it finds one, it sets its own hardcoded value. This method allows attackers to profit from existing mining installations or prior malware without having to bring in new software or remove old instances.

Microsoft Defender for Endpoint detects and blocks cryptocurrency mining malware and coin mining activity in general. To continue enhancing this detection capability, Microsoft recently integrated Intel Threat Detection Technology (TDT) into Microsoft Defender for Endpoint, allowing our endpoint detection and response capabilities to use silicon-based threat detection to better protect against coin mining malware.

Ransomware

Phorpiex has been associated with multiple ransomware families through the years. Phorpiex either delivers ransomware on behalf of other groups using those operators’ infrastructure or host the ransomware themselves. The latter is more common in the case of commodity kits like Avaddon and Knot that the Phorpiex operators may develop themselves.

As recently as February 2021, Avaddon was under active development. Like the Phorpiex loader itself, Avaddon performs language and regional checks for Russia or Ukraine before running to ensure only favored regions are targeted.

The initial Avaddon executable is located in the TEMP folder, and it generally uses a series of random characters as file extension for encrypted files. Before deleting backups and encrypting the drive, it validates that UAC is disabled by checking if certain registry keys are set to “0”, modifying the value if not:

• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = “0”
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = “0”
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = “1”

After achieving the privilege level needed, encryption usually occurs on the individual machine without lateral movement, though that is subject to change based on the operator’s monetization strategy. The procedure for deleting backups, like most ransomware, is performed with the following commands:

• cmd /c wmic.exe SHADOWCOPY /nointeractive
• cmd /c wbadmin DELETE SYSTEMSTATEBACKUP
• cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
• cmd /c bcdedit.exe /set {default} recoveryenabled No
• cmd /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• cmd /c vssadmin.exe Delete Shadows /All /Quiet

Microsoft Defender for Endpoint detects and blocks the ransomware. It also detects and raises the following alerts for the encryption and backup deletion behaviors, enabling security operations teams to be notified and immediately respond to ransomware activity on their environment:

• Ransomware behavior detected in the file system
• File backups were deleted

We have observed that the external commands and behaviors of the Avaddon ransomware have largely remained the same since its introduction in June-July 2020. This includes the tendency to masquerade as the system file Taskhost.exe. Avaddon, which demands a ransom in Bitcoin equivalent to $700, is still active today and being actively distributed by Phorpiex using new bot loaders that are not substantially different in behavior. Microsoft Defender for Endpoint continues to provide durable protection against these new campaigns.

Other ransomware is slightly less common lately, but in December 2020, a non-weaponized version of Knot ransomware was staged on Phorpiex-operated servers. It did not seem to have had any infections yet as this may have been a test version. This ransomware shares a high degree of similarity to the Phorpiex loader itself and improved versions have not yet been seen. Like Avaddon, Knot typically demands relatively smaller sums of money in Bitcoin, equivalent to $350. The ransom notes generally require Bitcoin payment to a wallet, though no payments seem to have been made that month.

Figure 8. Cryptocurrency profit volume from a single wallet attached to a Knot ransomware sample in early 2021, showing no payments of the asking price. Data from BitInfoCharts.

Defending against botnets and associated activity

Botnets drive a huge portion of the malware economy, and as the resilience of Phorpiex shows, they evolve to adapt to the ever-changing threat environment. Our many years of experience analyzing, monitoring, and even working with law enforcement and other partners to take down botnets tell us that alternative infrastructures rise as attackers try to fill in the void left by disrupted botnets. Typically, new infrastructures are born as a result of these movements, but in the case of Phorpiex, an established botnet adapts and takes over.

The wide range of malicious activities associated with botnets, as we detailed in this in-depth research into Phorpiex, represent the spectrum of threats that organizations face today: various attack vectors,  multiple spreading mechanisms, and a diverse set of payloads that attackers can change at will. To combat these threats, organizations need security solutions that deliver cross-domain visibility and coordinated defense.

Microsoft 365 Defender leverages the capabilities and signals from the Microsoft 365 security portfolio to correlate threat data from endpoints, email and data, identities, and cloud apps to provide comprehensive protection against threats. Microsoft Defender for Endpoint detects and blocks malware, other malicious artifacts, and malicious behavior associated with botnet activity, as well as the deployment of secondary payloads like cryptocurrency miners and ransomware. Features like attack surface reduction, tamper protection, and security controls for removable media further help prevent these attacks and harden networks against threats in general. Microsoft Defender for Office 365 detects the malicious attachments and URLs in emails generated by the mailing operations of the Phorpiex botnet.

Our industry-leading visibility informs AI and machine learning technologies that power the automatic prevention, detection, and remediation of threats, as well as the rich set of investigation tools available to defenders for hunting, analyzing, and resolving attacks. The recently generally available unified Microsoft 365 Defender security center integrates capabilities so defenders can manage all endpoint, email, and cross-product investigations, configuration, and remediation with a single portal.

Our understanding of how botnets operate and evolve, through in-depth research like this, further enriches our ability to continue delivering defenses against the threats of today and the future. Learn how Microsoft 365 Defender stops attacks with automated, cross-domain security and built-in AI.

 

Microsoft 365 Defender Threat Intelligence Team

 

The post Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment appeared first on Microsoft Security.

Cryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation state actor activity. They are not the most sophisticated type of threats, which also means that they are not among the most critical security issues that defenders address with urgency. Recent campaigns from the nation-state actor BISMUTH take advantage of the low-priority alerts coin miners cause to try and fly under the radar and establish persistence.

BISMUTH, which shares similarities with OceanLotus or APT32, has been running increasingly complex cyberespionage attacks as early as 2012, using both custom and open-source tooling to target large multinational corporations, governments, financial services, educational institutions, and human and civil rights organizations. But in campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam.

Because BISMUTH’s attacks involved techniques that ranged from typical to more advanced, devices with common threat activities like phishing and coin mining should be elevated and inspected for advanced threats. More importantly, organizations should prioritize reducing attack surface and hardening networks against the full range of attacks. In this blog, we’ll provide in-depth technical details about the BISMUTH attacks in July and August 2020 and mitigation recommendations for building organizational resilience.

While this actor’s operational goals remained the same—establish continuous monitoring and espionage, exfiltrating useful information as is it surfaced—their deployment of coin miners in their recent campaigns provided another way for the attackers to monetize compromised networks. Considering some of the group’s traditional targets are human and civil rights organizations, BISMUTH attacks demonstrate how attackers give little regard to services they impact.

The use of coin miners by BISMUTH was unexpected, but it was consistent with the group’s longtime methods of blending in. This pattern of blending in is particularly evident in these recent attacks, starting from the initial access stage: spear-phishing emails that were specially crafted for one specific recipient per target organization and showed signs of prior reconnaissance. In some instances, the group even corresponded with the targets, building even more believability to convince targets to open the malicious attachment and start the infection chain.

The other way that BISMUTH attempted to blend in and hide in plain sight was the heavy use of DLL side-loading, a technique in which a legitimate DLL is replaced with a malicious one so that the latter is loaded when the associated application is run. In their recent attacks, BISMUTH utilized copies of various legitimate software to load malicious DLL files and perform tasks in the context of these legitimate applications. To perform DLL sideloading, BISMUTH introduced outdated versions of various applications, including Microsoft Defender Antivirus. They also leveraged the Sysinternals DebugView tool, the McAfee on-demand scanner, and Microsoft Word 2007.

Blending in was important for BISMUTH because the group spent long periods of time performing discovery on compromised networks until they could access and move laterally to high-value targets like servers, where they installed various tools to further propagate or perform more actions. At this point in the attack, the group relied heavily on evasive PowerShell scripts, making their activities even more covert.

The coin miners also allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re “commodity” malware. If we learned anything from “commodity” banking trojans that bring in human-operated ransomware, we know that common malware infections can be indicators of more sophisticated cyberattacks and should be treated with urgency and investigated and resolved comprehensively.

Initial access

BISMUTH attempted to gain initial access by sending specially crafted malicious emails from a Gmail account that appears to have been made specifically for this campaign. It’s likely the group conducted reconnaissance using publicly available sources and chose individual targets based on their job function. Each email was sent to only one recipient at each target organization and used tailored subject lines and lure themes, for example:

• Dự thảo hợp đồng (translates from Vietnamese to “Draft Contract”)
• Ứng tuyển – Trưởng ban nghiên cứu thị trường (translates from Vietnamese to “Application form – Head of Market Research”)

Of note, the group sent several replies to one of these emails, which indicated that they corresponded with some targets before convincing them to open the malicious document attachment and inadvertently launch the payload. When opened, the malicious .doc file dropped several files in the hidden ProgramData folder: (1) MpSvc.dll, a malicious DLL with the same name as a legitimate Microsoft Defender Antivirus DLL, and (2) a copy of MsMpEng.exe the legitimate Microsoft Defender Antivirus executable.

The malicious document then added a scheduled task that launched the MsMpEng.exe copy and sideloaded the malicious MpSvc.dll. Because the latest versions of Microsoft Defender Antivirus are no longer susceptible to DLL sideloading, BISMUTH used an older copy to load the malicious DLL and establish a persistent command-and-control (C2) channel to the compromised device and consequently the network.

Using the newly established channel, the group dropped several files for the next stages of the attack, including a .7z archive, a copy of Word 2007, and another DLL, wwlib.dll. While it used the same name as a legitimate Microsoft Word DLL, wwlib.dll was a copy of KerrDown, a family of custom malware exclusive to BISMUTH. This file was subsequently sideloaded by the dropped copy of Word 2007—a technique used by BISMUTH extensively to load malicious code from a DLL file in the context of a legitimate process like winword.exe.

BISMUTH established another persistence method by dropping another copy of Word 2007 in a subfolder in ProgramData. The group then created a scheduled task that launched that copy in the same malicious manner every 60 minutes – further increasing their chances of going undetected and maintaining their presence.

Discovery

Once established as a scheduled task, the co-opted Word 2007 process dropped and loaded a scanning tool popular among attackers, NbtScan.exe. BISMUTH then immediately used the scanning tool to scan an IP address range within the organization. Following this network scan, the Word 2007 process launched a malicious script using a living-off-the-land-binary, rundll32.exe, resulting in a scan on a myriad of common ports, including 21, 22, 389, 139, and 1433. BISMUTH listed devices with open ports in a .csv file.

While network scanning was underway, the group performed other reconnaissance activities. They gathered information about domain and local administrators, checked whether users had local administrative privileges, and collected device information—aggregating results in a .csv for exfiltration. In addition, the group once again used MsMpEng.exe with the malicious sideloaded DLL to connect to another device that appears to have been designated by BISMUTH at some point during the attack as an internal C2 foothold and exfiltration staging device.

Continued lateral movement, discovery, and intel gathering

After a month of continual discovery on compromised devices, the group moved laterally to a server and copied over a malicious DLL that masqueraded as the system file mpr.dll and a copy of the Sysinternals DebugView tool. They dropped the tool onto different devices using SMB remote file copy, using file names related to popular Japanese video game characters and a seemingly random word. The actors then registered and launched malicious services multiple times, launching DebugView tool to connect to multiple Yahoo websites and confirm Internet connectivity, followed by a connection to their C2 infrastructure.

At this point, BISMUTH switched to running their attacks using PowerShell, quickly launching multiple script cmdlets. First, they dumped credentials from the Security Account Manager (SAM) database using the Empire PowerDump command and then quickly deleted PowerShell event logs to erase records generated by Script Block Logging. They then continued their discovery efforts using a PowerShell script that gathered user and group information and sent the gathered data to .csv files.

The script collected the following information about each user:

description, distinguishedname, lastlogontimestamp, logoncount, mail, name, primarygroupid, pwdlastset, samaccountname, userprincipalname, whenchanged, whencreated

And the following information about each domain group:

adspath, description, distinguishedname, groupType, instancetype, mail, member, memberof, name, objectsid, samaccountname,whenchanged, whencreated

Next, the group exported directory forest and domain organizational unit (OU) information. They then started connecting to dozens of devices using WMI. Following that, they collected credentials by dumping security logs under Event ID 680, possibly targeting logs related to NTLM fallbacks. Lastly, the group used the system tool Nltest.exe to gather domain trust info and pinged multiple servers they have identified by name during reconnaissance. Some of these servers appear to be database and file servers that could have contained high-value information for espionage objectives typically pursued by BISMUTH.

BISMUTH then installed a Cobalt Strike beacon. The group dropped a .rar file and extracted its contents—McOds.exe, which is a copy of the McAfee on-demand scanner, and a malicious DLL—into the SysWOW64 folder. The group then created a scheduled task that launched the copy of the McAfee on-demand scanner with SYSTEM privileges and sideloaded the malicious DLL. This persistence mechanism established a connection to their Cobalt Strike server infrastructure. To clean up evidence, they deleted the dropped McAfee binary.

In terms of targets for this campaign, there were some commonalities among targets located in Vietnam that Microsoft has assessed to be tied to their previous designation as state-owned enterprises (SOEs). The observed BISMUTH activity in Vietnam targeted organizations that included former SOEs previously operated by the government of Vietnam, entities that have acquired a significant portion of a former SOE, and entities that conduct transactions with a Vietnamese government agency. Although the group’s specific objectives for these recent attacks cannot be defined with high confidence, BISMUTH’s past activities have included operations in support of broader espionage goals.

Coin miner deployment and credential theft

As mentioned, BISMUTH deployed coin miners during these attacks. To do this, they first dropped a .dat file and loaded the file using rundll32.exe, which in turn downloaded a copy of the 7-zip tool named 7za.exe and a ZIP file. They then used 7-Zip to extract a Monero coin miner from the ZIP file and registered the miner as a service named after a common Virtual Machine process. Each coin miner they deployed had a unique wallet address that earned over a thousand U.S. dollars combined during the attacks.

After deploying coin miners as their distraction technique, BISMUTH then focused much of its efforts on credential theft. They registered multiple malicious services that used %comspec%—a relative reference to cmd.exe commonly used by attackers—to run the renamed DebugView tool while loading a malicious DLL. The group used DebugView and the malicious DLL in a fairly unexpected fashion to launch Base64-encoded Mimikatz commands using one of several Windows processes: makecab.exe, systray.exe, w32tm.exe, bootcfg.exe, diskperf.exe, esentutl.exe, and typeperf.exe.

They ran the following Mimikatz commands that require SYSTEM or Debug privileges:

• sekurlsa::logonpasswords full–lists all account and user password hashes, typically user and computer credentials for recently logged on users
• lsadump::lsa /inject—injects LSASS to retrieve credentials and request the LSA Server to grab credentials from the Security Account Manager (SAM) database and Active Directory (AD)

After running these commands, the co-opted DebugView tool connected to multiple attacker-controlled domains, likely to exfiltrate stolen credentials.

As the affected organizations worked to evict BISMUTH from their networks, Microsoft security researchers saw continued activity involving lateral movement to other devices, credential dumping, and planting of multiple persistence methods. This highlights the complexity of responding to a full-blown intrusion and the significance of taking quick action to resolve alerts that flag initial stages of an attack.

Building organizational resilience against attacks that blend in

BISMUTH attacks put strong emphasis on hiding in plain sight by blending in with normal network activity or common threats that attackers anticipate will get low-priority attention. The combination of social engineering and use of legitimate applications to sideload malicious DLLs entail multiple layers of protection focused on stopping threats at the earliest possible stage and mitigating the progression of attacks if they manage to slip through. Here are mitigation recommendations that organizations can implement to limit exposure:

Limit the attack surface that attackers can leverage for initial access:

• Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email, and reporting of reconnaissance attempts and other suspicious activity.
• Configure Office 365 email filtering settings to ensure blocking of phishing & spoofed emails, spam, and emails with malware. Set Office 365 to recheck links on click and delete sent mail to benefit from newly acquired threat intelligence.
• Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications.
• Disallow macros or allow only macros from trusted locations. See the latest security baselines for Office and Office 365.
• Check perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control activity.

Build credential hygiene to reduce risk during discovery stage:

• Enforce strong, randomized local administrator passwords. Use tools like LAPS.
• Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts.
• Require multi-factor authentication through Windows Hello.

Stop attack sprawl and contain attacker movement:

• Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Turn on tamper protection features to prevent attackers from stopping security services.
• Monitor for clearing of event logs. Windows generates security event ID 1102 when this occurs.
• Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Highly privileged accounts should not be present on workstations.
• Utilize the Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.

To better defend organizations against attacks that do everything to blend in once they gain access to a network, organizations can build defenses for preventing and blocking attacks at the initial access stage. Microsoft Defender for Office 365 provides defense capabilities that protect organizations from threats like credential phishing, business email compromise, and cyberattacks that begin with spear-phishing emails. Safe attachments and Safe links provide real-time protection using a combination of detonation, automated analysis, and machine learning, which are especially useful for highly targeted, specially crafted emails. Campaign views show the complete picture of email campaigns, including timelines, sending patterns, impact to the organization, and details like IP addresses, senders, URLs.

The broader Microsoft 365 Defender presents cross-domain threat intelligence and actionable information in consolidated incidents view, empowering security operations teams to comprehensively respond to attacks. For critical threats like BISMUTH campaigns, Microsoft researchers publish threat analytics reports that contain technical details, detection info, and mitigation status. Investigation tools like advanced hunting allow security teams to perform additional inspection of the environment for related or similar threats. Threat and vulnerability management data show mitigation recommendations, including enabling relevant attack surface reduction rules, that organizations can take to reduce risks.

These industry-leading capabilities in Microsoft 365 Defender are backed by Microsoft’s network of researchers and security experts who monitor the threat landscape and track threat actors like BISMUTH. Through Microsoft 365 Defender, we transform threat intelligence into protections and rich investigation tools that organizations can use to build organizational resilience. Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

 

Justin Carroll and Emily Hacker, Microsoft 365 Defender Threat Intelligence Team

with Microsoft Threat Intelligence Center (MSTIC)

 

MITRE ATT&CK techniques observed

Initial access

• 001 Phishing: Spearphishing Attachment| Emails containing malicious Word documents with specific lure themes and subject lines for each target

Execution

• 002 System Services: Service Execution| Use of Service Control Manager (services.exe) to launch Sysinternals dbgview.exe
• 001 Command and Scripting Interpreter: PowerShell| Use of PowerShell to run cmdlets used for data exfiltration and lateral movement

Persistence

• T1053 Scheduled Task/Job| Scheduled task to execute payload every 60 minutes

Privilege escalation

• 002/003 Valid Accounts: Local and Domains Accounts| Credentials stolen for privilege escalation using Mimikatz

Defense evasion

• T1070 Indicator Removal on Host| Stopping of malicious tasks after data exfiltration or payload retrieval, deleting dropped malware from the disk, and clearing of PowerShell event logs
• 002 Hijack Execution Flow: DLL Sideloading| Using winword.exe, dbgview.exe, msmpeng.exe to load malicious DLLs

Credential access

• T1003Credential Dumping | Use of Mimikatz to dump credentials

Discovery

• T1033 System Owner/User Discovery, T1049 System Network Connections Discovery| Use of whoami, netstat, ipconfig
• T1016System Network Configuration Discovery | Use of modified nbtscan
• 002 Permission Groups Discovery: Domain Groups| Discovering domain groups with net users /domain

Collection

• 001 Data Staging: Local Data Staging| Storing harvested credentials and user/group information in a local CSV file

Data exfiltration

• T1041 Exfiltration Over C2 Channel| Data exfiltration to a C2 server established in the compromised network

The post Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them appeared first on Microsoft Security.

A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case. Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the apps legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.

The plot twist: The app vendors systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out be an interesting and unique case of an attack involving “the supply chain of the supply chain”.

The attackers monetized the campaign using cryptocurrency miners going as far as using two variants, for good measure adding to an expanding list of malware attacks that install coin miners.

We estimate based on evidence from Windows Defender ATP that the compromise was active between January and March 2018 but was very limited in nature. Windows Defender ATP detected suspicious activity on a handful of targeted computers; Automated investigation automatically resolved the attack on these machines.

While the impact is limited, the attack highlighted two threat trends: (1) the escalating frequency of attacks that use software supply chains as threat vector, and (2) the increasing use of cryptocurrency miners as primary means for monetizing malware campaigns.

This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources. This is evidence that software supply chains are becoming a risky territory and a point-of-entry preferred even by common cybercriminals.

Hunting down the software supply chain compromise

As with most software supply chain compromises, this new attack was carried out silently. It was one of numerous attacks detected and automatically remediated by Windows Defender ATP on a typical day.

While customers were immediately protected, our threat hunting team began an in-depth investigation when similar infection patterns started emerging across different sets of machines: Antivirus capabilities in Windows Defender ATP was detecting and blocking a coin mining process masquerading as pagefile.sys, which was being launched by a service named xbox-service.exe. Windows Defender ATP’s alert timeline showed that xbox-service.exe was installed by an installer package that was automatically downloaded from a suspicious remote server.

Figure 1. Windows Defender ATP alert for the coin miner used in this incident

A machine compromised with coin miner malware is relatively easy to remediate. However, investigating and finding the root cause of the coin miner infection without an advanced endpoint detection and response (EDR) solution like Windows Defender ATP is challenging; tracing the infection requires a rich timeline of events. In this case, Advanced hunting capabilities in Windows Defender ATP can answer three basic questions:

• What created xbox-service.exe and pagefile.sys files on the host?
• Why is xbox-service.exe being launched as a service with high privileges?
• What network and process activities were seen just before xbox-service.exe was launched?

Answering these questions is painless with Windows Defender ATP. Looking at the timeline of multiple machines, our threat hunting team was able to confirm that an offending installer package (MSI) was downloaded and written onto devices through a certain PDF editor app (an alternative app to Adobe Acrobat Reader).

The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation. All the MSI files were clean and digitally signed by the same legitimate company except for the one malicious file. Clearly, something in the download and installation chain was subverted at the source, an indication of software supply chain attack.

Figure 2. Windows Defender ATP answers who, when, what (xbox-service.exe created right after MSI installation)

As observed in previous supply chain incidents, hiding malicious code inside an installer or updater program gives attackers the immediate benefit of having full elevated privileges (SYSTEM) on a machine. This gives malicious code the permissions to make system changes like copying files to the system folder, adding a service, and running coin mining code.

Confident with the results of our investigation, we reported findings to the vendor distributing the PDF editor app. They were unaware of the issue and immediately started investigating on their end.

Working with the app vendor, we discovered that the vendor itself was not compromised. Instead, the app vendor itself was the victim of a supply chain attack traceable to their dependency on a second software vendor that was responsible for creating and distributing the additional font packages used by the app. The app vendor promptly notified their partner vendor, who was able to identify and remediate the issue and quickly interrupted the attack.

Multi-tier software supply chain attack

The goal of the attackers was to install a cryptocurrency miner on victim machines. They used the PDF editor app to download and deliver the malicious payload. To compromise the software distribution chain, however, they targeted one of the app vendors software partners, which provided and hosted additional font packages downloaded during the apps installation.

Figure 3. Diagram of the software distribution infrastructure of the two vendors involved in this software supply chain attack

This software supply chain attack shows how cybercriminals are increasingly using methods typically associated with sophisticated cyberattacks. The attack required a certain level of reconnaissance: the attackers had to understand how the normal installation worked. They eventually found an unspecified weakness in the interactions between the app vendor and partner vendor that created an opportunity.

The attackers figured out a way to hijack the installation chain of the MSI font packages by exploiting the weakness they found in the infrastructure. Thus, even if the app vendor was not compromised and was completely unaware of the situation, the app became the unexpected carrier of the malicious payload because the attackers were able to redirect downloads.

At a high level, heres an explanation of the multi-tier attack:

1. Attackers recreated the software partners infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica sever.
2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers replica server instead of the software partners server.

While the attack was active, when the app reached out to the software partners server during installation, it was redirected to download the malicious MSI font package from the attackers replica server. Thus, users who downloaded and installed the app also eventually installed the coin miner malware. After, when the device restarts, the malicious MSI file is replaced with the original legitimate one, so victims may not immediately realize the compromise happened. Additionally, the update process was not compromised, so the app could properly update itself.

Windows Defender ATP customers were immediately alerted of the suspicious installation activity carried out by the malicious MSI installer and by the coin miner binary, and the threat was automatically remediated.

Figure 4. Windows Defender ATP alert process tree for download and installation of MSI font packages: all legitimate, except for one

Since the compromise involved a second-tier software partner vendor, the attack could potentially expand to customers of other app vendors that share the same software partner. Based on PDF application names hardcoded by the attackers in the poisoned MSI file, we have identified at least six additional app vendors that may be at risk of being redirected to download installation packages from the attackers server. While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind.

Another coin miner malware campaign

The poisoned MSI file contained malicious code in a single DLL file that added a service designed to run a coin mining process. The said malware, detected as Trojan:Win64/CoinMiner, hid behind the name xbox-service.exe. When run, this malware consumed affected machines computing resources to mine Monero coins.

Figure 5. Malicious DLL payload extracted from the MSI installer

Another interesting aspect of the DLL payload is that during the malware installation stage, it tries to modify the Windows hosts file so that the infected machine cant communicate with the update servers of certain PDF apps and security software. This is an attempt to prevent remote cleaning and remediation of affected machines.

Figure 6. Preventing further download of updates from certain PDF app vendors

Inside the DLL, we also found some traces of an alternative form of coin mining: browser scripts. Its unclear if this code was the attackers potential secondary plan or simply a work in progress to add one more way to maximize coin mining opportunities. The DLL contained strings and code that may be used to launch a browser to connect to the popular Coinhive library to mine Monero coins.

Figure 7. Browser-based coin mining script

Software supply chain attacks: A growing industry problem

In early 2017, we discovered operation WilySupply, an attack that compromised a text editors software updater to install a backdoor on targeted organizations in the financial and IT sectors. Several weeks later, another supply chain attack made headlines by initiating a global ransomware outbreak. We confirmed speculations that the update process for a tax accounting software popular in Ukraine was the initial infection vector for the Petya ransomware. Later that same year, a backdoored version of CCleaner, a popular freeware tool, was delivered from a compromised infrastructure. Then, in early 2018, we uncovered and stopped a Dofoil outbreak that poisoned a popular signed peer-to-peer application to distribute a coin miner.

These are just some of many similar cases of supply chain attacks observed in 2017 and 2018. We predict, as many other security researchers do, that this worrisome upward trend will continue.

Figure 8. Software supply chain attacks trends (source: RSA Conference 2018 presentation “The Unexpected Attack Vector: Software Updaters“)

The growing prevalence of supply chain attacks may be partly attributed to hardened modern platforms like Windows 10 and the disappearance of traditional infection vectors like browser exploits. Attackers are constantly looking for the weakest link; with zero-day exploits becoming too expensive to buy or create (exploit kits are at their historically lowest point), attackers search for cheaper alternative entry points like software supply chains compromise. Benefiting from unsafe code practices, unsecure protocols, or unprotected server infrastructure of software vendors to facilitate these attacks.

The benefit for attackers is clear: Supply chains can offer a big base of potential victims and can result in big returns. Its been observed targeting a wide range of software and impacting organizations in different sectors. Its an industry-wide problem that requires attention from multiple stakeholders – software developers and vendors who write the code, system admins who manage software installations, and the information security community who find these attacks and create solutions to protect against them, among others.

For further reading, including a list of notable supply chain attacks, check out our RSA Conference 2018 presentation on the topic of software supply chain attack trends: The Unexpected Attack Vector: Software Updaters.

Recommendations for software vendors and developers

Software vendors and developers need to ensure they produce secure as well as useful software and services. To do that, we recommend:

• Maintain a highly secure build and update infrastructure.

  • Immediately apply security patches for OS and software.
  • Implement mandatory integrity controls to ensure only trusted tools run.
  • Require multi-factor authentication for admins.

• Build secure software updaters as part of the software development lifecycle.

  • Require SSL for update channels and implement certificate pinning.
  • Sign everything, including configuration files, scripts, XML files, and packages.
  • Check for digital signatures, and dont let the software updater accept generic input and commands.

• Develop an incident response process for supply chain attacks.

  • Disclose supply chain incidents and notify customers with accurate and timely information.

Defending corporate networks against supply chain attacks

Software supply chain attacks raise new challenges in security given that they take advantage of common everyday tasks like software installation and update. Given the increasing prevalence of these types of attacks, organizations should investigate the following security solutions:

• Adopt a walled garden ecosystem for devices, especially for critical systems.Windows 10 in S mode is designed to allow only apps installed from the Microsoft Store, ensuring Microsoft-verified security
• Deploy strong code integrity policies.Application control can be used to restrict the applications that users are allowed to run. It also restricts the code that runs in the system core (kernel) and can block unsigned scripts and other forms of untrusted code for customers who cant fully adopt Windows 10 in S mode.
• Use endpoint detection and response (EDR) solutions.Endpoint detection and response capabilities in Windows Defender ATP can automatically detect and remediate suspicious activities and other post-breach actions, so even when entry vector is stealthy like for software supply chain, Windows Defender ATP can help to detect and contain such incidents sooner.

In supply chain attacks, the actual compromise happens outside the network, but organizations can detect and block malware that arrive through this method. The built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. For example, as demonstrated in this investigation, antivirus capabilities detected the coin mining payload. The detection was surfaced on Windows Defender ATP, where automated investigation resolved the attack, protecting customers. The rich alert timeline and advanced hunting capabilities in Windows Defender ATP showed the extent of the software supply chain attack. Through this unified platform, Windows Defender ATP delivers attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, and advanced hunting.

 

 

Elia Florio
with Lior Ben Porat
Windows Defender ATP Research team

 

 

Indicators of compromise (IOCs)

Malicious MSI font packages:
– a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0
– ace295558f5b7f48f40e3f21a97186eb6bea39669abcfa72d617aa355fa5941c
– 23c5e9fd621c7999727ce09fd152a2773bc350848aedba9c930f4ae2342e7d09
– 69570c69086e335f4b4b013216aab7729a9bad42a6ce3baecf2a872d18d23038

Malicious DLLs embedded in MSI font packages:
– b306264d6fc9ee22f3027fa287b5186cf34e7fb590d678ee05d1d0cff337ccbf

Coin miner malware:
– fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e (xbox-service.exe)
– 1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b (pagefile.sys)

Software supply chain download server:
– hxxp://vps11240[.]hyperhost[.]name/escape/[some_font_package].msi (IP: 91[.]235 [.]129 [.]133)

Command-and-control/coin mining:
– hxxp://data28[.]somee [.]com/data32[.]zip
– hxxp://carma666[.]byethost12 [.]com/32[.]html

 

 

 

 

---

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Dofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of computers in March, 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV protected customers from a massive Dofoil outbreak that we traced back to a software update poisoning campaign several weeks prior. Notably, customers of Windows 10 S, a special Windows 10 configuration that provides streamlined Microsoft-verified security, were not affected by the Dofoil outbreak.

In this blog post, we will expound on Dofoils anti-debugging and anti-analysis tactics, and demonstrate how the rich detection libraries of Windows Defender Advanced Threat Protection and Windows Defender Exploit Guard can help during investigation.

We found that Dofoil was designed to be elusive to analysis. It checks its environment and stops running in virtual machine environments. It also checks for various analysis tools and kills them right away. This can make malware analysis and assessment challenging.

The following diagram shows the multi-stage malware execution process, which includes checks for traits of analysis environments during some stages.

Figure 1. Dofoil multi-stage shellcode and payload execution flow

The table below describes the purpose of each stage. The first five stages have at least one or two different techniques that can deter dynamic or static malware analysis.

STAGES	DESCRIPTION
1. Obfuscated wrapper code	Anti-heuristics Anti-emulation
2. Bootstrap module	Performs self-process hollowing to load the next module
3. Anti-debugging module	Performs anti-debugging operation
4. Trojan downloader module	Performs system environment checks Performs anti-VM operation Injects itself to explorer.exe through process hollowing
5. Trojan downloader module in explorer.exe	Contacts C&C server to download trojan and run it using process hollowing technique
6. Payload downloader module in explorer.exe	Contacts C&C server to download the main payload
7. Trojan module	Steals credentials from various application settings and sends stolen into to the C&C server over HTTP channel
8. CoinMiner.D	Mines digital currencies

Table 1. Dofoil’s multi-stage modules

Initial stages

The first three stages (i.e., obfuscated wrapper code, bootstrap module, anti-debugging module) use the following techniques to avoid analysis and identification.

ANTI-ANALYSIS TECHNIQUES	DESCRIPTION
Benign code insertion	Inserts a huge benign code block to confuse heuristics and manual inspection
Anti-emulation	Enumerates an arbitrary registry key (HKEY_CLASSES_ROOT\Interface\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}) and compares the data with an expected value (DispHTMLCurrentStyle) to check if the malware runs inside an emulator
Self-process hollowing	Uses the process hollowing technique on the current process, making analysis extra difficult due to the altered code mapping
Debugger checks	Checks for debuggers, and modifies code to crash. This can add additional layer of confusion to researchers, who are bound to investigate the cause of the crashes. It checks for the PEB.BeingDebugged and PEB.NtGlobalFlag fields in the PEB structure. For example, PEB.BeingDebugged is set to 1 and PEB.NtGlobalFlag is set to FLG_HEAP_ENABLE_TAIL_CHECK|FLG_HEAP_ENABLE_FREE_CHECK| FLG_HEAP_VALIDATE_PARAMETERS when a debugger is attached to the process.

Table 2. Anti-analysis techniques

The first stage contains some benign-looking code before the actual malicious code. This can give the executable a harmless appearance. It can also make the emulation of the code difficult because emulating various API calls that are not present in many malware codes can be challenging.

The first-stage code also performs a registry key enumeration to make sure it has the expected value. When all checks are passed, it decodes the second-stage shellcode and runs it on the allocated memory. This shellcode un-maps the original main modules memory, and then decodes the third-stage shellcode into that memory this is known as a self-process hollowing technique.

Figure 2. Self-modification based on PEB.BeingDebugged value

Windows Defender ATPs process tree can help with investigation by exposing these anti-debugging techniques.

Figure 3. Windows Defender ATP process tree showing anti-debugging techniques

Trojan downloader module

The trojan downloader module performs various environment checks, including virtual environment and analysis tool checks, before downloading the payload.

ANTI-ANALYSIS TECHNIQUES	DESCRIPTION
Check module name	Checks if the main executable name contains the string “sample”
Check volume serial	Checks if current volume serial number is 0xCD1A40 or 0x70144646
Check modules	Checks the presence of DLLs related to debuggers
Check disk-related registry keys	Checks the value of the registry key HKLM\System\CurrentControlSet\Services\Disk\Enum against well-known disk name patterns for virtual machines (qemu, virtual, vmware, xen, ffffcce24)
Process check	Checks running processes and kills those with processes names associated with analysis tools (procexp.exe, procexp64.exe, procmon.exe, procmon64.exe, tcpview.exe, wireshark.exe, processhacker.exe, ollydbg.exe, idaq.exe, x32dbg.exe)
Windows class name check	Checks the current Windows class names and exits when some well-known names are found (Autoruns, PROCEXPL, PROCMON_WINDOW_CLASS, TCPViewClass, ProcessHacker, OllyDbg, WinDbgFrameClass)

Table 3. Anti-analysis techniqueof Dofoil’s trojan downloader module

The list of target process names and Windows class names exist in custom checksum form. The checksum algorithm looks like the following:

Figure 4. Shift and XOR custom checksum algorithm

The purpose of this checksum is to prevent malware researchers from quickly figuring out what analysis tools it detects, making analysis more time-consuming.

STRING	CHECKSUM
Autoruns	0x0E5C1C5D
PROCEXPL	0x1D421B41
PROCMON_WINDOW_CLASS	0x4B0C105A
TCPViewClass	0x1D4F5C43
ProcessHacker	0x571A415E
OllyDbg	0x4108161D
WinDbgFrameClass	0x054E1905
procexp.exe	0x19195C02
procexp64.exe	0x1C0E041D
procmon.exe	0x06185D0B
procmon64.exe	0x1D07120A
tcpview.exe	0x060B5118
wireshark.exe	0x550E1E0D
processhacker.exe	0x51565C47
ollydbg.exe	0x04114C14
x32dbg.exe	0x5F4E5C04
idaq.exe	0x14585A12

Table 4. String checksum table used for process names and Windows class names

Process hollowing

Dofoil heavily uses the process hollowing technique. Its main target for process hollowing is explorer.exe. The Dofoil shellcode launches a new instance of explorer.exe, allocates shellcode in heap region, and then modifies the entry point code to jump into the shellcode. This way, the malware avoids using CreateRemoteThread API, but can still achieve code injection.

Figure 5. Modification of explorer.exe entry point code

Windows Defender ATP can detect the process hollowing behavior with advanced memory signals. The following process tree shows that the malware injects itself into explorer.exe using the process hollowing technique.

Figure 6. Windows Defender ATP alert process tree showing the first process hollowing

When the shellcode downloads another layer of payload, it spawns another explorer.exe to inject the payload into using process hollowing. Windows Defender ATP can save analysis time on these cases by pinpointing the malicious actions, eliminating the need for guessing what these newly spawned Windows system processes are doing.

Figure 7. Windows Defender ATP alert process tree showing the second process hollowing

The process hollowing behavior can be detected through Exploit protection in Windows Defender Exploit Guard. This can be done by enabling the Export Address Filter (EAF) mitigation against explorer.exe. The detection happens when the shellcode goes through the export addresses of the modules to find the export address of the LoadLibraryA and GetProcAddress functions.

Figure 8. Export Address Filter (EAF) event exposed in Event viewer

Windows Defender Exploit Guard events are also exposed in the Windows Defender ATP portal:

Figure 9. Windows Defender ATP view of the Windows Defender Exploit Guard event

Adding Windows Defender Exploit Guard EAF audit/block policy to common system processes like explorer.exe, cmd.exe, or verclsid.exe can be useful in finding and blocking process hollowing or process injection techniques commonly used by malware. This policy can impact third-party apps that may behave like shellcode, so we recommend testing Windows Defender Exploit Guard with audit mode enabled before enforcement.

Command-and-control (C&C) and NameCoin domains

Dofoils C&C connection is very cautious. The trojan code first tries to connect to well-known web pages and verifies that the malware has proper and real Internet connection, not simulated as in test environments. After it makes sure it has a real Internet connection, the malware makes HTTP connections to the actual C&C servers.

Figure 10. Access to known servers to confirm Internet connectivity

The malware uses NameCoin domain name servers. NameCoin is a decentralized name server system that provides extra privacy backed by blockchain technology. Except for the fact that the DNS client needs to use specific sets of NameCoin DNS servers, the overall operation is very similar to a normal DNS query. Because NameCoin uses blockchain technology, you can query the history of the domain name changes through blocks.

Figure 11. Malicious hostname DNS entry changes over time (https://namecha.in/name/d/vrubl)

Windows Defender ATP can provide visibility into the malwares network activities. The following alert process tree shows the malwares .bit domain resolution activity and, after that, the connections to the resolved C&C servers. You can also view other activities from the executable, for example, its connections to other servers using SMTP ports.

Figure 12. Windows Defender ATP alert process tree showing C&C server connection through NameCoin server name resolution

The Windows Defender ATP advanced hunting feature, which is currently in preview, can be used to hunt down more malware samples that possibly abuse NameCoin servers. For example, the following query will let you view recent connections observed in the network. This can lead to extra insights on other threats that use the same NameCoin servers.

Figure 13. Advanced hunting for other threats using the same NameCoin servers

The purpose of using NameCoin is to prevent easy sinkholing of the domains. Because there are no central authorities on the NameCoin domain name records, it is not possible for the authorities to change the domain record. Also, malware abusing NameCoin servers use massive numbers of NameCoin DNS servers to make full shutdown of those servers very difficult.

Conclusion

Dofoil is a very evasive malware. It has various system environment checks and tests Internet connectivity to make sure it runs on real machines, not in analysis environments or virtual machines. This can make the analysis time-consuming and can mislead malware analysis systems.

In attacks like the Dofoil outbreak, Windows Defender Advanced Threat Protection (Windows Defender ATP) can help network defenders analyze the timeline from the victim machine and get rich information on process execution flow, C&C connections, and process hollowing activities. Windows Defender ATP can be used as an analysis platform with fine-tuned visibility into system activities when set up in a lab environment. This can save time and resource during malware investigation.

In addition, Windows Defender Exploit Guard can be useful in finding malicious shellcodes that traverse export address tables. Windows Defender Exploit Guard can be an excellent tool for finding and blocking malware and exploit activities.

Windows Defender Exploit Guard events are surfaced in the Windows Defender ATP portal, which integrates protections from other Microsoft solutions, including Windows Defender AV and Windows Defender Application Guard. This integrated security management experience makes Windows Defender ATP a comprehensive solution for detecting and responding to a wide range of malicious activities across the network.

Windows 10 S, a special configuration of Windows 10, locks down devices against Dofoil and other attacks by working exclusively with apps from the Microsoft Store and using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common malware entry points.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

 

 

Matt Oh, Stefan Sellmer, Jonathan Bar Or, Mark Wodrich
Windows Defender ATP Research

 

 

Indicators of compromise (IoCs)

TrojanDownloader:Win32/Dofoil.AB:

d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d

eaa63f6b500afedcaeb8d5b18a08fd6c7d95695ea7961834b974e2a653a42212

cded7aedca6b54a6d4273153864a25ccad35cba5cafeaec828a6ad5670a5973a

Trojan:Win32/Dofoil.AB:

070243ad7fb4b3c241741e564039c80ca65bfdf15daa4add70d5c5a3ed79cd5c

5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299C

28ce9763a808c4a7509e9bf92d9ca80212a241dfa1aecd82caedf1f101eac692

5d7875abbbf104f665a0ee909c372e1319c5157dfc171e64ac2bc8b71766537f

Trojan:Win32/CoinMiner.D

2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f12

C&C URLs:

hxxp://levashov.bit/15022018/

hxxp://vrubl.bit/15022018/

C&C server:

vinik.bit

Related .bit domains (updated in same block as C&C server):

henkel.bit

makron.bit

makronwin.bit

NameCoin servers used by Dofoil:

139.59.208.246

130.255.73.90

31.3.135.232

52.174.55.168

185.121.177.177

185.121.177.53

62.113.203.55

144.76.133.38

169.239.202.202

5.135.183.146

142.0.68.13

103.253.12.18

62.112.8.85

69.164.196.21

107.150.40.234

162.211.64.20

217.12.210.54

89.18.27.34

193.183.98.154

51.255.167.0

91.121.155.13

87.98.175.85

185.97.7.7

 

 

---

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

 

The surge in Bitcoin prices has driven widescale interest in cryptocurrencies. While the future of digital currencies is uncertain, they are shaking up the cybersecurity landscape as they continue to influence the intent and nature of attacks.

Cybercriminals gave cryptocurrencies a bad name when ransomware started instructing victims to pay ransom in the form of digital currencies, most notably Bitcoin, the first and most popular of these currencies. It was not an unexpected move digital currencies provide the anonymity that cybercriminals desire. The sharp increase in the value of digital currencies is a windfall for cybercriminals who have successfully extorted Bitcoins from ransomware victims.

These dynamics are driving cybercriminal activity related to cryptocurrencies and have led to an explosion of cryptocurrency miners (also called cryptominers or coin miners) in various forms. Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process rewards coins but requires significant computing resources.

Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others are looking for alternative sources of computing power; as a result, some coin miners find their way into corporate networks. While not malicious, these coin miners are not wanted in enterprise environments because they eat up precious computing resources.

As expected, cybercriminals see an opportunity to make money and they customize coin miners for malicious intents. Crooks then run malware campaigns that distribute, install, and run the trojanized miners at the expense of other peoples computing resources. On March 6, Windows Defender Advanced Threat Protection (Windows Defender ATP) blocked a massive coin mining campaign from the operators of Dofoil (also known as Smoke Loader).

In enterprise environments, Windows Defender ATP provides the next-gen security features, behavioral analysis, and cloud-powered machine learning to help protect against the increasing threats of coin miners: Trojanized miners, mining scripts hosted in websites, and even legitimate but unauthorized coin mining applications.

Coin mining malware

Cybercriminals repackage or modify existing miners and then use social engineering, dropper malware, or exploits to distribute and install the trojanized cryptocurrency miners on target computers. Every month from September 2017 to January 2018, an average of 644,000 unique computers encountered coin mining malware.

Figure 1. Volume of unique computers that encountered trojanized coin miners

Interestingly, the proliferation of malicious cryptocurrency miners coincide with a decrease in the volume of ransomware. Are these two trends related? Are cybercriminals shifting their focus to cryptocurrency miners as primary source of income? Its not likely that cybercriminals will completely abandon ransomware operations any time soon, but the increase in trojanized cryptocurrency miners indicates that attackers are definitely exploring the possibilities of this newer method of illicitly earning money.

We have seen a wide range of malicious cryptocurrency miners, some of them incorporating more sophisticated mechanisms to infect targets, including the use of exploits or self-distributing malware. We have also observed that established malware families long associated with certain modus operandi, such as banking trojans, have started to include coin mining routines in recent variants. These developments indicate widespread cybercriminal interest in coin mining, with various attackers and cybercriminal groups launching attacks.

Infection vectors

The downward trend in ransomware encounters may be due to an observed shift in the payload of one of its primary infection vectors: exploit kits. Even though there has been a continuous decrease in the volume of exploit kit activity since 2016, these kits, which are available as a service in cybercriminal underground markets, are now also being used to distribute coin miners. Before ransomware, exploit kits were known to deploy banking trojans.

DDE exploits, which have also been known to distribute ransomware, are now delivering miners. For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit. The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A), which then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero cryptocurrency.

Other miners use reliable social engineering tactics to infect machines. Cybercriminals have been distributing a file called flashupdate, masquerading the file as the Flash Player. The download link itselfseen in spam campaigns and malicious websitesalso uses the string flashplayer. Detected as Trojan:Win32/Coinminer, this trojanized coin miner (SHA-256 abbf959ac30d23cf2882ec223966b0b8c30ae85415ccfc41a5924b29cd6bd4db) likewise uses a modified version of the XMRig miner.

Persistence mechanisms

For cryptocurrency miners, persistence is a key element. The longer they stay memory-resident and undetected, the longer they can mine using stolen computer resources. While more traditional persistence mechanisms like scheduled tasks and autostart registry entries are common, cybercriminals can also use more advanced methods like code injection and other fileless techniques, which can allow them to evade detection.

One example of coin mining malware that uses code injection is a miner detected as Trojan:Win32/CoinMiner.BW!bit (SHA-256: f9c67313230bfc45ba8ffe5e6abeb8b7dc2eddc99c9cebc111fcd7c50d11dc80), which spawns an instance of notepad.exe and then injects its code. Once in memory, it uses some binaries related to legitimate cryptocurrency miners but runs them using specific parameters so that coins are sent to the attackers wallet.

We also came across a malicious PowerShell script, detected as TrojanDownloader:PowerShell/CoinMiner (SHA-256: 5d7e0fcf45004a7a4e27dd42c131bcebfea04f14540bd0f17635505b42a96d6e), that downloads mining code that it executes using its own parameters. It adds a scheduled task so that it runs every time the computer starts.

Spreading capabilities and other behaviors

Some coin miners have other capabilities. For example, a miner detected as Worm:Win32/NeksMiner.A (SHA-256: 80f098ac43f17dbd0f7bb6bad719cc204ef76015cbcdae7b28227c4471d99238) drops a copy in the root folder of all available drives, including mapped network drives and removable drives, allowing it to spread as these drives are accessed using other computers. It then runs legitimate cryptocurrency miners but using its own parameters.

As trojanized cryptocurrency miners continue evolving to become the monetization tool of choice for cybercriminals, we can expect the miners to incorporate more behaviors from established threat types.

Browser-based coin miners (cryptojacking)

Coin mining scripts hosted on websites introduced a new class of browser-based threats a few years ago. The increased interest in cryptocurrencies has intensified this trend. When the said websites are accessed, the malicious scripts mine coins using the visiting devices computing power. While some websites claim legitimacy by prompting the visitor to allow the coin mining script to run, others are more dubious.

Some of these websites, usually video streaming sites, appear to have been set up by cybercriminals specifically for coin mining purposes. Others have been compromised and injected with the offending scripts. One such coin miner is hidden in multiple layers of iframes.

Figure 2. A sample coin mining script hidden in multiple layers of iframes in compromised websites

We have also seen have seen tech support scam websites that double as coin miners. Tech support scam websites employ techniques that can make it difficult to close the browser. Meanwhile, a coin mining script runs in the background and uses computer resources.

Figure 3. A sample tech support scam website with a coin mining script

Unauthorized use of legitimate coin miners

On top of malware and malicious websites, enterprises face the threat of another form of cryptocurrency miners: legitimate but unauthorized miners that employees and other parties sneak in to take advantage of sizable processing power in enterprise environments.

While the presence of these miners in corporate networks dont necessarily indicate a bigger attack, they are becoming a corporate issue because they consume precious computing resources that are meant for critical business processes. Miners in corporate networks also result in additional energy consumption, leading to unnecessary costs. Unlike their trojanized counterparts, which arrive through known infection methods, non-malicious but unauthorized cryptocurrency miners might be trickier to detect and block.

In January 2018, Windows enterprise customers who have enabled the potentially unwanted application (PUA) protection feature encountered coin miners in more than 1,800 enterprise machines, a huge jump from the months prior. We expect this number to grow exponentially as we heighten our crackdown on these unwanted applications.

Figure 4. Volume of unique computers in enterprise environments with PUA protection enabled that encountered unauthorized coin miners

While non-malicious, miners classified as potentially unwanted applications (PUA) are typically unauthorized for use in enterprise environments because they can adversely affect computer performance and responsiveness. In contrast, trojanized miners are classified as malware; as such, they are automatically detected and blocked by Microsoft security products. Potentially unwanted applications are further differentiated from unwanted software, which are also considered malicious because they alter your Windows experience without your consent or control.

Apart from coin mining programs, potentially unwanted applications include:

• Programs that install other unrelated programs during installation, especially if those other programs are also potentially unwanted applications
• Programs that hijack web browsing experience by injecting ads to pages
• Driver and registry optimizers that detect issues, request payment to fix the errors, and remain on the computer
• Programs that run in the background and are used for market research

PUA protection is enabled by default in System Center Configuration Manager. Security administrators can also enable and configure the PUA protection feature using PowerShell cmdlets or Microsoft Intune.

Windows Defender AV blocks potentially unwanted applications when a user attempts to download or install the application and if the program file meets one of several conditions. Potentially unwanted applications that are blocked appear in the quarantine list in the Windows Defender Security Center app.

In September 2017, around 2% of potentially unwanted applications blocked by Windows Defender AV are coin miners. This figure has increased to around 6% in January 2018, another indication of the increase of these unwanted applications in corporate networks.

Figure 5. Breakdown of potentially unwanted applications

Protecting corporate networks from cryptocurrency miners

Windows 10 Enterprise customers benefit from Windows Defender Advanced Threat Protection, a wide and robust set of security features and capabilities that help prevent coin minters and other malware.

Windows Defender AV uses multiple layers of protection to detect new and emerging threats. Non-malicious but unauthorized miners can be blocked using the PUA protection feature in Windows Defender AV. Enterprises can also use Windows Defender Application Control to set code integrity policies that prevent employees from installing malicious and unauthorized applications.

Trojanized cryptocurrency miners are blocked by the same machine learning technologies, behavior-based detection algorithms, generics, and heuristics that allow Window Defender AV to detect most malware at first sight and even stop malware outbreaks, such as the massive Dofoil coin miner campaign. By leveraging Antimalware Scan Interface (AMSI), which provides the capability to inspect script malware even with multiple layers of obfuscation, Windows Defender AV can also detect script-based coin miners.

Coin mining malware with more sophisticated behaviors or arrival methods like DDE exploit and malicious scripts launched from email or Office apps can be mitigated using Windows Defender Exploit Guard, particularly its Attack surface reduction and Exploit protection features.

Malicious websites that host coin miners, such as tech support scam pages with mining scripts, can be blocked by Microsoft Edge using Windows Defender SmartScreen and Windows Defender AV.

Corporate networks face the threat of both non-malicious and trojanized cryptocurrency miners. Windows 10 S, a special configuration of Windows 10, can help prevent threats like coin miners and other malware by working exclusively with apps from the Microsoft Store and by using Microsoft Edge as the default browser, providing Microsoft-verified security.

Security operations personnel can use the advanced behavioral and machine learning detection libraries in Windows Defender Endpoint Detection and Response (Windows Defender EDR) to detect coin mining activity and other anomalies in the network.

Figure 6. Windows Defender EDR detection for coin mining malware

Windows Defender EDR integrates detections from Windows Defender AV, Windows Defender Exploit Guard, and other Microsoft security products, providing seamless security management that can allow security operations personnel to centrally detect and respond to cryptocurrency miners and other threats in the network.

 

Alden Pornasdoro, Michael Johnson, and Eric Avena
Windows Defender Research

 

 

---

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.