----- ## ASEC REPORT ##### VOL.94 [Q1 2019] ###### ASEC (AhnLab Security Emergency Response Center) is a global security response group consisting of malware analysts and security experts. This report is published by ASEC and focuses on the most significant security threats and latest security technologies to guard against such threats. For further details, please visit AhnLab, Inc.’s homepage (www.ahnlab.com). ###### SECURITY TREND OF Q1 2019 ###### Table of Contents ----- ----- ###### Security Issue #### Discovery of the Ammyy RAT and CLOP Ransomware ###### A recent rise in attacks using malicious macros in attachments has been spotted in South Korea. In February 2019, a remote control hacking tool called Flawed Ammyy RAT began to be distributed through email attachments. This hacking tool has been active since 2016 and has been distributed worldwide via email. It was mainly mentioned in the media in 2018. Also, a variant of the Cryptomix ransomware, CLOP, was discovered at a similar time. CLOP is a new variant that had recently received global attention for its attempt to attack networks worldwide. AhnLab analyzed the two malware, the Ammyy RAT and CLOP ransomware and found that they shared further similarities, including the same signatures and same attack targets. This report details the result of the analysis conducted by the AhnLab Security Emergency Response Center (ASEC) on the distribution method, attack method, and the comparison of the two malware. 1. Overview of the Flawed Ammyy RAT Attack Flawed Ammyy is a Remote Access Trojan (RAT). The attacker used the spam emails to distribute the malware. Usually, spam emails without malicious attachments tend to encourage users to download and run malicious files. While this is not the case for Flawed Ammyy, it does trick users into believing ----- ###### that the attachment is important by giving a name that seems to be work related. This method does not raise much suspicion, which increases the likelihood of users opening the attachment. Once the user downloads and opens the malicious attachment in the form of an Excel file, a macro-enabling button appears. This is a social-engineering method used by the threat actors that lures users into clicking the "Enable Contents" button at the top of the screen on Microsoft Office programs that have the macro setting disabled. Distributing malware through this method is a widely chosen attack method because general users do not know that a backdoor can be installed just by clicking this button. But unlike most general Office files that use Visual Basic for Application (VBA), the attachment of Flawed Ammyy use XML macros. XML is the macro used in the Excel version prior to 4.0. VBA that is frequently used in the general malicious documents was introduced from Excel 5.0. Most malicious Office files use VBA to create macros that download, drop, and execute malware. And while there has been a rise in the attack methods that use PowerShell. This attack is special for using the macro creation method used in the early version of Excel programs to avoid detection by the security programs. The malicious attachment of Flawed Ammyy contains hidden sheets. When unhidden, it shows commands as shown in Figure 1-1. This command is how the malware downloads the MSI file from the malicious server using the msiexec.exe process. The malicious MSI file downloaded from the server contains an executable (EXE) file, which ----- ###### also downloads another executable file which is the actual malicious backdoor. Before running the executable file, the malware inspects the running processes and if any anti-virus program is running, as shown in Figure 1-2, it ends the anti-virus program. Figure 1-2 | Routine of Inspecting the Vaccine Processes ###### Then, the encoded file is downloaded from a set URL, and when the decoding process is finally performed, an exe-type malware is generated. The downloader is deleted once the malware is installed. This executable malware is the actual "Flawed Ammyy RAT," the hacking tool conducting malicious acts. ----- ###### Figure 1-3 shows a series of processes from downloading Flawed Ammyy RAT. The threat actor effectively bypasses detection of antivirus programs by using XLM-based attacks, exploiting the fact that many anti-virus programs are designed to target the VBA macros in Office documents. Also, the threat actor does not download and run the malicious file directly but used the indirect method through the downloader by using the feature of the legitimate msiexec, which installs an external MSI file. A similar method is applied to malware that acts as a backdoor, such as Flawed Ammyy RAT, which is downloaded in an encoded form and decoded before installation. Flawed Ammyy RAT checks the list of running processes and terminates itself without conducting any actions if any of the anti-virus programs are running. It also disguises itself like a legitimate program by signing each binary with a valid certificate, unlike malware that is signed with invalid certificates or with no certificates at all. ----- ###### Flawed Ammyy RAT is a malware that has been designed based on a leaked source code of Ammyy Admin, a remote desktop program. The Ammyy Admin program contains control functions for remote computers, such as file transfer and screen capture. It is believed that the threat actor created RAT malware by adding and modifying the code to perform malicious actions based on the source code. Analysis of the initial routine of Flawed Ammyy showed that it checks the currently running processes similar to the downloader and shuts the anti-virus program down if it is running. In addition, it has been confirmed that the basic information, such as OS information, authority, and username, is sent to the server so that the server can access the computer. 2. Relationship between Flawed Ammyy RAT and CLOP Ransomware As mentioned earlier, Flawed Ammyy RAT contains not only the main malware but also a valid signature of the downloader. Unlike other malware that contains invalid certificates, the advantage of Flawed Ammyy RAT is that its binary is signed and distributed via many valid certificates. And such similarity was found in the CLOP ransomware that recently targeted South Korean companies. ASEC saw a similarity in the two and found that there was a case where these two malware were signed with the same certificate. Figure 1-4 and Figure 1-5 show the properties of the CLOP ransomware and Flawed Ammyy RAT, which were signed using the same certificates "MAN TURBO (UK) LIMITED" and "DELUX LTD," respectively. ----- ###### Another common feature of Flawed Ammyy RAT and CLOP ransomware is that they are distributed to enterprise users, not general users. Unlike most ransomware, which target at a large number of general users, CLOP targets companies. The distribution and the infection method is yet to be confirmed. The only known fact is that the attack infects the central management server and inserts the malware in the system connected to the management server. Recently, a change has been found on the downloader of Flawed Ammyy. A routine for detecting the enterprise user environment has been added after the process of inspecting the running antivirus programs. As shown in Figure 1-6, it runs the "net user /domain" command and checks that the WORKGROUP text string is output. The WORKGROUP string ----- ###### will be output for general users because there are no special settings, but for enterprise users, group name set for each environment can be output. If WORKGROUP is output, it was terminated without conducting any malicious acts such as downloading and installing the Flawed Ammyy RAT malware. Figure 1-6 | Routine of Inspecting the WORKGROUP Text String ###### 3. Operation Method of CLOP Ransomware The CLOP ransomware is registered and executed as a system service, as shown in Figure 1-7. If it does not run as a service, it does not operate properly. Figure 1-7 | Execution Method of CLOP Ransomware ----- ###### Also CLOP terminates certain processes before proceeding with file encryption. It is presumed that this is to encrypt more objects in the process of encryption. The targeted processes are shown in Figure 1-8. The characteristic feature of the CLOP ransomware is that it excludes some paths and files from encryption. Figure 1-9 shows the encryption exclusion paths. If the path contains the relevant string, it is excluded Figure 1-8 | List of Force-terminated Processes from the encryption. ###### Figure 1-10 shows the encryption exclusion file list. Like the exclusion path, any file name with the string is excluded from the Figure 1-9 | Encryption Exclusion Path ###### encryption target. ----- ###### As shown in Figure 1-11, the public key of the threat actor is included in the file, and the public key is used to encrypt the files. Figure 1-11 | Public Key of the Ransomware Threat Actor ###### Also, CLOP uses the AES algorithm for file encryption. On the symmetric key generated by the user PC, it inserts the “Clop ^_-” sign of CLOP, as shown in Figure 1-12, and encrypts the symmetric key used as the public key of the threat actor and adds it to the end of the signature. Figure 1-12 | Signature of Encrypted File ###### The Figure 1-13 shows the comparison of the file structure before and after the encryption. Figure 1-13 | File Comparison Before and After Encryption ----- ###### In the end, the file name is changed to [Original file name].Clop, as shown in Figure 1-14. Through the findings and similarities between the two malware, we can deduce that Flawed Ammyy RAT is used as one of the infection vectors of the CLOP ransomware, Figure 1-14 | Encrypted File ###### even though its distribution method and infection method are not yet confirmed. This is because Flawed Ammyy RAT can execute commands to steal information and install malware via remote control. The Figure 1-15 summarizes the distribution method of threat actor using two malicious codes of Flawed Ammyy RAT and CLOP ransomware. Figure 1-15 | Presumed Distribution Method ###### 4. Conclusion The analysis conduct by ASEC found many similarities between the Flawed Ammyy RAT and CLOP ransomware, such as an overlap in the activity period, direct targeting of Korean users, routines to bypass the antivirus program, and signing and distribution of various malware including variants using a valid certificate. In addition, they share the same signature and ----- ###### they both target enterprise users, which makes it highly likely that they are produced by the same threat actor. It is important to keep Windows security patches and anti-virus programs up-to-date in order to minimize the risk of malware, such as Flawed Ammyy RAT, CLOP ransomware, and so on. Also, it is necessary to pay extra attention to the execution of attachments, such as emails, from untrusted sources in the company and to refrain from visiting unauthorized web pages. AhnLab’s V3 products detect Flawed Ammyy RAT and CLOP ransomware under the following alias: - XLS/Downloader - MSI/Downloader - BinImage/Encoded - Trojan/Win32.Agent - Trojan/Win32.Downloader - Backdoor/Win32.Agent - Trojan/Win32.ClopRansom ----- ----- ###### ANALYSIS-IN-DEPTH ### Shadow of WannaCry, 2019 SMB Exploitation ###### WannaCry (or WannaCryptor), which infected more than 300,000 systems in May 2017 and gripped the whole world in fear, spread rapidly by exploiting a Windows SMB security vulnerability (MS17-010). Precaution is required since the recently discovered malware is a CoinMiner, a type of malware that mines cryptocurrency. This report details the analysis by AhnLab on the attack cases that exploited the SMB vulnerability (MS17-010) from 2018 to the first quarter of 2019. 1. NRSMiner Malware Attack (2018) In March 2018, a company was found infected with NRSMiner malware. By exploiting the SMB vulnerability (MS17-010) like WannaCryptor, this malware scans the internal network of the company and installs the malware that mines the cryptocurrency Monero if the system is vulnerable. NRSMiner consists of a package file in the ZIP compressed file format, and has a different filename for the package "MsraReportDataCache32.tlb" for each variant. Figure 2-1 shows the structure of the NRSMiner package. Once the system is infected, one of the file names, Srv or Srv64, is changed to "tpmagentservice.dll" according to the installed OS ----- ###### environment and is registered as a service. This then later creates and executes the attack modules and the mining tool later. Spoolsv and Spoolsv64 executables load the package file, installs necessary modules depending on the environment, and scans the MS17 010 vulnerability in the system. Hash and Hash64 are XMRig, a public tool known to Figure 2-1 | Structure of the NRSMiner Package ###### mine Monero. Crypt is a compressed folder containing publicly available MS17-010 vulnerability-related tools and files. Figure 2-2 | Flow of the Spoolsv.exe Execution ###### Figure 2-2 shows how the Spoolsv.exe file runs an attack module. This file performs the function of unpacking the "MsraReportDataCache32.tlb" package and loading the internal modules. As shown in Figure 2-1, the TLB file consists of: XMRig (Public Monero mining tool) ----- ###### called hash and hash64, attack modules called spoolsv and spoolsv64, main modules called srv and srv64, and a compressed file in the name of Crypt that includes tools and files related to the EternalBlue SMB vulnerability (MS17-010). When the Spoolsv.exe file is executed, it runs six threads and performs the following series of steps. First, it creates a folder in the system as shown in Table 2-1, loads the malicious package file, and decompresses the loaded file. - %Windows%\SecureBootThemes\ - %Windows%\SecureBootThemes\Microsoft\ - %Windows%\System32\MsraReportDataCache32.tlb //*Decompresses the TLB (.tlb.zip) file - %Windows%\SecureBootThemes\Microsoft\crypt //Delete file once decompressed Table 2-1 | Folder Generated by the Spoolsv.exe File ###### To propagate the SMB vulnerability exploit, it runs the svchost.exe (Eternalblue-2.2.0.exe) and the spoolsv.exe (Doublepulsar-1.3.1.exe) file in the Crypt compression folder inside the MsraReportDataCache32.tlb file. Depending on the Windows environment, the x64.dll or x86. dll file is loaded and the file names are hard-coded in spoolsv64.exe. Finally, a vulnerability scan is conducted within the thread of the spoolsv64.exe process. If successful, it copies the TLB file from the x64.dll and x86.dll module to the target system and conducts decompressions. Then the filename is changed to "tpmagentservice.dll," the srv service is registered, and the spoolsv64.exe file is executed again. The internal network propagation using the vulnerability proceeds as shown in Figure 2-3. The example is based on the x64 window. ----- ###### When the EternalBlue tool is executed, two log files stage1.txt and stage2.txt are created as shown in Table 2-2. cmd.exe /c C:\WINDOWS\SecureBootThemes\Microsoft\\svchost.exe > stage1.txt // Eternalblue cmd.exe /c C:\WINDOWS\SecureBootThemes\Microsoft\\spoolsv.exe > stage2.txt // Doublepulsar Table 2-2 | Generated Log File ###### The stage1.txt file is the execution log file of the EternalBlue tool, and details are shown in Figure 2-4. ----- ###### The vulnerability packet is also sent to the target system as shown in Figure 2-5. Figure 2-5 | Vulnerability Packet Transmission ###### Then the lsass.exe file creates a malicious package file, MsraReportDataCache32.tlb, in the remote system it has infiltrated the system. The content of this package file is shown in Figure 2-6. The package file records information in 102,400 bytes each time to the file and directly sends the plain binary without the additional step of encryption. Figure 2-6 | TLB Package File Generated by lsass.exe After a Successful Vulnerability Attack ###### The TCP port for packet transmission uses the dynamically allocated 492xx and 572xx bands. For testing, src: 49287 and dest: 57219 ports were used. If the vulnerability attack is successful, the "MsraReportDataCache32.tlb" file is transferred ----- ###### and the transferred file is decompressed. The decompressed folder is saved in the same path, Windows\SecureBootThemes\Microsoft. The name of the srv64 file is changed to "system32\ tpagentservice.dll", copied to the system and registered as a service for operation. This is the main control module which runs the spoolsv64.exe file within the TLB package and finds another vulnerable system to distribute the package file. Finally, the XMRig tool, in the name of hash or hash64, for mining Monero is executed. The mining pool address is shown in Table 2-3. -o p3.qsd2xjpzfky.site:45560 -u wvsymvtjeg -o p1.mdfr6avyyle.online:45560 -u lqbpyceupn -o p1.qsd2xjpzfky.site:45560 -u odiqldkee2 -o p5.mdfr6avyyle.online:45560 -u jodkrofar -o p5.qsd2xjpzfky.site:45560 -u dkw1kaxlep ###### The main control module decompresses the malware package file "MsraReportDataCache32. tlb" and creates and executes the attack module and "TrustedHostServices.exe", the Table 2-3 | Mining Pool Address ###### Monero coin mining program. The code for the main actions of the control module is shown in Figure 2-7. ----- ###### Also as shown in Table 2-4, the control module deletes all files that are presumed to be the previous version, stop services, and deletes scheduled jobs. dnsclientprovider_userdata.mof NrsDataCache.tlb SecUpdateHost.exe ServicesHost.exe settings7283.dat SysprepCache.ini vmichapagentsrv.dll ("schtasks.exe", " /Delete /TN \"\\Microsoft\\Windows\\UPnP\\Services\" /F"); ("sc.exe", " stop vmichapagentsrv"); ("sc.exe", " delete vmichapagentsrv"); ("schtasks.exe"," /End /TN \"\\Microsoft\\Windows\\Tcpip\\TcpipReportingServices\""); ("schtasks.exe"," /Delete /TN \"\\Microsoft\\Windows\\Tcpip\\TcpipReportingServices\" /F"); Table 2-4 | Action of Performing File Deletion, Service Stop, and Scheduled Jobs Deletion ###### Also, the main control module has its own Mongoose-based web server feature with the role of transmitting the MsraReportDataCache32.tlb package file to other infected system using the port 26397. Also, if an external internet connection is available, the malicious package file is downloaded from the remote server as shown in Figure 2-8. ----- ###### The TLB package is updated through this web server using the download address shown in Table 2-5. 2. Analysis of the POS Attack Case (2018) rer.njaavfxcgk3.club/f79e53 (port: 4431) ccc.njaavfxcgk3.club/a4c80e (port: 4433) ccc.njaavfxcgk3.club/5b8c1d (port: 4433) ccc.njaavfxcgk3.club/d0a01e (port: 4433) Table 2-5 | Download Address of the TLB Package Update ###### In July 2018, 100,000 POS terminals were hacked in South Korea. The hacking caused most POS terminals to disconnect from the ###### internet and prevented normal operation of the payment service. One of the companies which was the victim of this hacking incident posted about their service failures that occurred due to the exploit of the Windows security vulnerability and also the recommendations for security patches Most of the infected terminals were running the Windows XP operating system that has the SMB vulnerabilities and did not have the security updates applied. The threat actor exploited this vulnerability, like the WannaCryptor ransomware, to install Gh0st RAT, which is a backdoor malware and CoinMiner. The Figure 2-9 shows the operation process of the malware. Figure 2-9 | Operation Process of the POS Malware (2018.07) ----- ###### The AhnLab Smart Defense (ASD) engine was used to find the iiiiiiii.exe file, the third file in Figure 2-9 which was created by "lsass.exe", Windows system file. From this, we can deduce that this is an attack exploiting the SMB vulnerability which was propagated by an infected system. The malware for the remote control Gh0st RAT is "3b.txt", the second file in Figure 2-9. The first file, "3a.txt", downloads CoinMiner, a tool for mining cryptocurrency. Figure 2-10 | Detection of SMB Vulnerability Behaviors (2018.06 - 2018.07) ###### AhnLab's V3 products provide the behavior detection function against such SMB vulnerability attacks. The report count in Figure 2-10 shows that there was a sudden rise in the attack attempts between June 24th and July 7, 2018 which is the same period as the POS hacking incident in Korea. 3. Analysis of the POS Attack Case 2 (2019) In February 2019, another case of an infection that uses the CoinMiner malware to exploit the SMB vulnerability was found targeting the South Korean POS terminals. The overall operation process of this malware is shown in Figure 2-11 below. ----- ###### The sample.exe file is a malware which contains two different types of 32-bit and 64-bit files to apply depending on the operating environment. The "svchost.exe" file copied in the drive folder in the system path (%system%drivers) performs the actual role of initiating the SMB vulnerability attack. The last file that is downloaded and installed is the CoinMiner malware and Mimikatz, a hacking tool for stealing the Windows account information. Unlike the POS attack of July 2018, the interesting characteristics of the CoinMiner malware is that it is a script rather than an executable. The detection report in Figure 2-12 shows a sudden rise in the SMB vulnerability related behaviors from a specific period of January to February of 2019. Figure 2-12 | Detection of SMB Vulnerability Behaviors (2019.01 - 2019.02) ----- ###### 4. Conclusion In 2008, a worm called Conficker started to infect many systems and continued to do so, targeting the SMB vulnerability (MS08-067) to propagate the infection. Companies using the SMB service are susceptible to the types of attacks, especially when they are not applied with the recent security updates. To prevent such damage, the following security patches related to the Microsoft Windows operating system's EternalBlue SMB vulnerability (MS17-010) must be applied. In view of the March 2010 NRSMiner malware attacks and the POS attacks which took place in February and July 2018, it seems that the SMB vulnerability (MS17-010) attacks will continue in an increasingly sophisticated way. Therefore, security inspections and updates are important especially for the POS terminals in a vulnerable environment. [SMB Vulnerability Patch] [- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010](http://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010) ----- -----