Cb Connect 2018 | Power of You | Register Now

Cb ThreatSight Investigation Reveals RETADUP Worm Leverages AutoIt to Launch Monero Cryptomining Campaign

Cb_ThreatSight_Monero
Josh_Pate1
June 27, 2018 / Joshua Pate

While monitoring a customer’s environment, the Carbon Black ThreatSight team discovered a series of unusual alerts. Further investigation of the suspect processes revealed these alerts were related to an attacker leveraging the open-source Monero framework to launch a crypto-mining campaign.

After a thorough investigation, the analysis provided to the customer an interesting series of events. This documentation provided visibility allowing the customer to remediate the event, as well as Indicators of Compromise (IOCs) and and relevant content to other Carbon Black customers.  

After working with the customer, this information is also being released publicly to assist any other organizations investigating similar incidents.

The first process from the malware to be executed was a renamed version of AutoHotKey. Two weeks later, the same customer had another endpoint that fell victim to a RETADUP attack that instead utilized AutoIt. This attack successfully executed notepad.exe in order to mine Monero coin

The malware and a group using it was initially disclosed by TrendMicro who also provided a technical analysis of the latest variant. Once aware of these attacks, the customer configured Cb Defense to block this technique. The customer also deleted the malicious files from the compromised endpoints using Cb Defense.

Although this company was not a new customer, Cb Defense was not installed on the endpoints that were infected by the RETADUP worm. Once Cb Defense was installed on the compromised endpoints, alerts were immediately triggered, which were caught by the Cb ThreatSight team and escalated to the customer. Within hours, ThreatSight sent two alerts to the customer about this attack and the customer took action to remediate the malware that same day.

Initial triage and investigation

Once the customer installed Cb Defense on the infected endpoint, an alert was generated, which indicated notepad.exe had been communicating over the network, which by itself is suspicious in most environments. This alert was quickly triaged by a ThreatSight analyst to determine the severity of the events. It was quickly uncovered that numerous suspicious behaviors were tied to this instance of notepad.exe.


Figure 1. Cpuchecker.exe (AutoIt) invokes notepad and shvtsussuvjqatadmkwdq.exe (AutoHotKey) attempts to run.

  • The application C:\streamerdata\redacted\cpuchecker.exe invoked notepad.exe
  • The application C:\WINDOWS\notepad.exe made a network connection
  • The application C:\windows\system32\svchost.exe has invoked an executable file which was named a series of pseudo-random lowercase ASCII characters
  • The application C:\windows\system32\svchost.exe has been prevented from accessing C:\itadmywgbhzhjmqfwtqgv\shvtsussuvjqatadmkwdq.exe
  • The application C:\itadmywgbhzhjmqfwtqgv\shvtsussuvjqatadmkwdq.exe has been terminated

Generally, notepad.exe would be invoked by explorer.exe, which is common behavior when a user runs Notepad from the Start Menu, the taskbar, or a shortcut. The name cpuchecker.exe, at first appearance, would not be expected to invoke notepad.exe. Notepad.exe making a network connection is uncommon behavior and a note should be made to find the details about the connection being made. Executable files with long arbitrary filenames are suspicious and warrant further investigation. Typically, executable file names will be indicative of the functionality they provide (for example: winword.exe is Microsoft Word). The application svchost.exe being denied and blocked from accessing and running shvtsussuvjqatadmkwdq.exe shows that a Policy has been applied, which may or may not indicate malicious activity. The termination of shvtsussuvjqatadmkwdq.exe also shows that a Policy has been applied.

Checking the hash values for cpuchecker.exe and shvtsussuvjqatadmkwdq.exe reveal that cpuchecker.exe is a renamed version of the application AutoIt and that shvtsussuvjqatadmkwdq.exe is a renamed version of the application AutoHotKey.

Viewing the events associated with this alert shows more suspicious behavior that warrants a deeper dive into our investigation. The suspicious behavior exhibited by the alert events:


Figure 2. Shvtsussuvjqatadmkwdq.exe is terminated and prevented from running.

  • The application C:\itadmywgbhzhjmqfwtqgv\shvtsussuvjqatadmkwdq.exe was detected running and was terminated
  • The application notepad.exe established a TCP/9091 connection to superuser[.]newminersage[.]com (IP: 176.9.47.165, rDNS: static.165.47.9.176.clients.your-server.de, located in Germany)
  • The application svchost.exe was prevented from accessing and blocked from invoking C:\itadmywgbhzhjmqfwtqgv\shvtsussuvjqatadmkwdq.exe

It is not necessarily unusual for notepad.exe to make local network connections, but for notepad.exe to make a network connection to a domain with the name superuser[.]newminersage[.]com is highly suspicious. Expanding the notepad.exe event confirms the suspicion that something malicious has happened:

Figure 3. The command-line options passed to notepad.exe are consistent with XMRig.

We see several command-line options that would not be expected to accompany notepad.exe, including a domain and e-mail address. Choosing the unique and likely search term to return successful results, a Google search for newminersage[.]com proves fruitful. The results include an article with details about an attack matching the techniques seen with this alert. From this information we learn that the observed attack is the RETADUP worm.

Details emerge that the attacker is injecting into notepad.exe to replace the process instructions with the instructions of the crypto-mining software XMRig. A search for XMRig’s command-line options confirm that XMRig is indeed being used, masking as notepad.exe, as seen in the image above. The command line options for XMRig are as follows:

-o — URL of the mining server

-u — username for the mining server

-p — password for the mining server

-v — algorithm variation, 0 to auto select

-t — number of miner threads

Now that sufficient information has been gathered to confirm that this alert has been caused by malicious activity and that Cb Defense configuration modifications may be needed, the alert is escalated to the customer and also escalated to a Tier 2 threat analyst.

The ThreatSight customer was notified within our SLO of 2 hours of initial triage, notifying that ThreatSight had found suspicious activity and included details about the processes, files, and suspicious activity involved. After contacting the customer, the customer promptly configured Cb Defense to block this attack. This allowed Cb Defense to block further actions being taken by the attacker’s malware and also prevented the infection of additional endpoints. We have observed multiple subsequent attempts to download this malware by users. The attempts to access these downloaded files were successfully blocked by Cb Defense.

Full investigation

There are three primary goals when a ThreatSight analyst performs a full investigation.

1) Performing a full investigation will uncover as much information as possible to provide to the customer which helps to aid in their remediation efforts. This information can be communicated to the customer immediately and/or included in their monthly report, which may also include Cb Defense configuration recommendations, new attacks, and top targeted endpoints.

2) A full investigation may uncover information that can be useful in improving several products and services, including Cb Defense, Cb Defense for VMware, Cb Protection, Cb Response, Cb Predictive Security Cloud, Cb ThreatSight, and others.

3) Information regarding this attack can be sent to the Carbon Black Threat Analysis Unit (TAU) in order to research and document the details of this attack. This documentation is available to all Carbon Black customers, which helps to better educate and protect our customers from emerging threats.

So far, these questions are begging to be answered:

  • How was the attack started on this endpoint (root cause)?
  • What is the sequence of events once the attack started?
  • What files and processes are being used by the attacker?
  • Are there any other affected endpoints?
  • What network connections are being made and why?

Digging deeper into this attack uncovers the answers to these questions and even more interesting information. We’ll start from the beginning.

The analyst finds that this endpoint was infected prior to the Cb Defense sensor being installed, so it is not possible to determine root cause. A search in Cb Defense reveals that other endpoints in this organization are victims of the RETADUP worm. In total, five endpoints have been infected and show IOCs. This gives a better chance to find the full stream of events starting from infection in one of these cases. Unfortunately, none of the infected endpoints have data to reveal the infection method, so it is likely the infections predated the Cb Defense sensor install.

The earliest indicator of infection points to a compressed RAR file with several PDF documents and the attacker’s application named streamer.exe (AutoIt) compressed inside. The RAR file was written to the endpoint prior to the Cb Defense sensor installation so we do not know how this file was transferred to the endpoint. The user extracted the RAR file and Cb Defense blocked the execution of streamer.exe. Because of the communication received from ThreatSight and the added visibility into the customer’s network, from the time the RAR file was extracted to the time the customer removed the potential threat was 11 minutes.

Because of the nature of the attack and Cb Defense blocking most of the malicious activity, it is very difficult to create a fluid timeline for the attack. We’ll skip creating a sequence of overall events for the attack and instead research and gather as much information as possible from the information that is available.

Using the filenames and associated SHA256 hashes of the attacker’s files from the original alert that was received, we can investigate to gather information about any additional files that may be involved and also determine all IOCs. We find that the following IOCs are associated with this attack.

IOC

Type

Description

C:\streamerdata

Path/Folder

AutoIt binary location for AutoIt variant of this malware

77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e

SHA256

streamer.exe, cpuchecker.exe (renamed AutoIt executable)

1b5e7860c517ad4c70eb750e0f0eecd43a1cf90df3adc4b5195242ef8944e9e1

SHA256

shvtsussuvjqatadmkwdq.exe, dbupznmgrvjxmpgejpmxu.exe, reuvfcmokiljjeoouxsms.exe, hscrlhxgrotweotyxyqqh.exe (randomly generated names, renamed AutoHotKey executable)

superuser[.]newminersage[.]com

Domain

Mining pool domain

176.9.47.165

IP Address

C2 for downloading miner

 

It’s now possible to search the customer’s environment to build a final picture to complete the investigation using all previous information found.

Additional searching finds no other files or processes associated with this attack and that no other endpoints are infected.

Investigating for the file hscrlhxgrotweotyxyqqh.exe (AutoHotKey) uncovers a method for how the attacker gains persistence on a compromised endpoint. The related event reveals that hscrlhxgrotweotyxyqqh.exe invokes the command “schtasks /create /sc minute /mo 1 /tn hscrlhxgrotweotyxyqqh /tr ‘C:\gxnwwlhuglvgoafqpolau\hscrlhxgrotweotyxyqqh.exe C:\GXNWWL~1\HSCRLH~1.TXT’”. This command creates a scheduled task in Windows which will be run every minute and will execute the command “C:\gxnwwlhuglvgoafqpolau\hscrlhxgrotweotyxyqqh.exe C:\GXNWWL~1\HSCRLH~1.TXT”. We now know how the attacker intends to execute the malware in the event of a system reboot or if the process has been terminated.


Figure 4. The schtasts.exe tool is used by the malware to gain persistence on the endpoint.

Once executed, hscrlhxgrotweotyxyqqh.exe (AutoHotKey) invokes notepad.exe, then injects into and replaces notepad.exe’s instructions with the instructions for the crypto-mining software XMRig. The compromised notepad.exe process then mines for the Monero cryptocurrency on behalf of the attacker.

From previous searches, we know that the malware has made network connections. Investigating network activity shows that notepad.exe is the sole process to make network connections during the attack, which were made to the previously discovered domain superuser[.]newminersage[.]com on TCP port 9091.

Due to the responsiveness of the customer to black list the attacker’s files and update policies, we do not have more details about the attack, including additional tactics, techniques, and procedures (TTPs) which may be employed by the attacker.

Conclusion

Cb ThreatSight quickly triaged, investigated, escalated, and successfully executed internal processes during this attack – all critical elements to curbing the attacker and making the customer’s security postures more resilient. In this specific case, the customer was alerted about the attack by ThreatSight and was able to prevent the infection of additional endpoints.

The “community” aspect of cybersecurity should not be understated here. Cb ThreatSight’s deeper analysis allowed for the Cb TAU team to research and document new or previously unknown attacks, which helped further protect additional customers.

TAGS: Carbon Black / Cb ThreatSight / cryptocurrency