{"id":2142,"date":"2018-02-23T21:33:56","date_gmt":"2018-02-24T05:33:56","guid":{"rendered":"https:\/\/new.acalvio.com\/?p=2142"},"modified":"2018-02-23T21:33:56","modified_gmt":"2018-02-24T05:33:56","slug":"wannmine-lateral-movement-techniques","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2018\/02\/23\/wannmine-lateral-movement-techniques\/","title":{"rendered":"WannMine &#8211; Lateral Movement Techniques"},"content":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; admin_label=&#8221;section&#8221; _builder_version=&#8221;3.22&#8243;][et_pb_row admin_label=&#8221;row&#8221; _builder_version=&#8221;3.25&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;3.25&#8243; custom_padding=&#8221;|||&#8221; custom_padding__hover=&#8221;|||&#8221;][et_pb_text _builder_version=&#8221;4.7.0&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221; hover_enabled=&#8221;0&#8243; sticky_enabled=&#8221;0&#8243;]<strong>Acalvio Threat Research Labs<\/strong><br \/>\n<strong>Introduction:<\/strong><br \/>\nCryptomining is quickly becoming one of the greatest threats facing our industry. Similar to ransomware, it provides an easy avenue for a threat actor to monetize his\/her skills. In one of our earlier blogs, we discussed the lateral movement techniques employed by the Zealot campaign, which was aimed at mining cryptocurrency. In this blog, we detail the lateral movement techniques used by the WannMine campaign. 
This campaign was recently disclosed by Panda Labs [1]. Essentially, WannMine harvests credentials from memory and also uses the EternalBlue exploit for lateral movement; the details are outlined below:<br \/>\n<strong>Lateral Movement:<\/strong><br \/>\nInfo6.ps1, discussed in the Panda Labs blog [1], performs the lateral movement. The code first checks whether there are any existing established connections to ports 3333 or 5555. If any such connection is found, that process is terminated. SoftEther VPN uses port 5555.<br \/>\n<img loading=\"lazy\" class=\"aligncenter size-full wp-image-1814\" src=\"https:\/\/new.acalvio.com\/wp-content\/uploads\/2018\/03\/image1.png\" alt=\"\" width=\"640\" height=\"132\" srcset=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/03\/image1.png 640w, https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/03\/image1-300x62.png 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 1.0 Killing of the process<\/p>\n<p>To select the machines for lateral movement, the PowerShell script first calls \u201c$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration\u201d to get the list of all IP addresses in the network adapter configurations. For each IP address in the network configurations, the script then<\/p>\n<ul>\n<li>Computes the IP addresses of the machines in the same subnet<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-1815\" src=\"https:\/\/new.acalvio.com\/wp-content\/uploads\/2018\/03\/image2.png\" alt=\"\" width=\"320\" height=\"69\" srcset=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/03\/image2.png 320w, https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/03\/image2-300x65.png 300w\" sizes=\"(max-width: 320px) 100vw, 320px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 2.0. 
Computing the IP addresses of the computers in the same subnet<\/p>\n<ul>\n<li>Runs the command \u201cnetstat -anop TCP\u201d. The targets for lateral movement are selected by checking the state of each connection: if the foreign connection has an \u201cESTABLISHED\u201d connection state and is not a local loopback connection, it becomes a target for lateral movement.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-1816\" src=\"https:\/\/new.acalvio.com\/wp-content\/uploads\/2018\/03\/image3.png\" alt=\"\" width=\"658\" height=\"465\" srcset=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/03\/image3.png 658w, https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/03\/image3-300x212.png 300w\" sizes=\"(max-width: 658px) 100vw, 658px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 3.0 Target selection for lateral movement.<\/p>\n<p>Once the IP addresses have been extracted, the next step is extracting credentials from memory. As shown in Figure 4.0, the credentials are extracted from memory and the output is then parsed for user name, domain and password.<br \/>\n<img loading=\"lazy\" class=\"alignnone size-large wp-image-2301\" src=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/ntlm-1024x196-1.png\" alt=\"\" width=\"1024\" height=\"196\"><\/p>\n<p style=\"text-align: center;\"><span style=\"font-weight: 400;\">Figure 4.0 Local credential harvesting function<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Each extracted credential is then used to connect to the target IP addresses extracted earlier. 
Once it connects successfully to a target IP address, the WMI class \u201cwin32_process -name create\u201d is used to execute the command shown in Figure 5.0 using the compromised credentials.<\/span><br \/>\n<img loading=\"lazy\" class=\"alignnone size-large wp-image-2302\" src=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/image-1024x243-1.png\" alt=\"\" width=\"1024\" height=\"243\"><\/p>\n<p style=\"text-align: center;\"><span style=\"font-weight: 400;\">Figure 5.0 Command executed on the compromised machine<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If the script is unsuccessful with the compromised passwords, the code uses the PingCastle scanner against the target list of IP addresses. The PingCastle scanner, as shown in Figure 6.0, checks whether the target IP address is vulnerable to the EternalBlue exploit. If the target is vulnerable, remote code execution is performed on the target computer by a custom PowerShell implementation of the widely used EternalBlue exploit.<\/span><br \/>\n<img loading=\"lazy\" class=\"alignnone size-large wp-image-2303\" src=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/pingcatle-1024x845-1.png\" alt=\"\" width=\"1024\" height=\"845\"><\/p>\n<p style=\"text-align: center;\"><span style=\"font-weight: 400;\">Figure 6.0 Embedded PingCastle PowerShell SMB exploit scanner<\/span><\/p>\n<p><strong>Detection by Distributed Deception.<\/strong><br \/>\n<a href=\"https:\/\/www.acalvio.com\/product\">Distributed deception<\/a> involves deploying a range of deceptions (decoys, lures, baits) on the subnet. It also involves projecting honey established TCP connections from the end hosts to the deceptions. During the target selection phase, deceptions on the same subnet will be selected, and the worm will connect to them using the SMB exploit or the compromised password. 
Any attempt to use the SMB exploit or the compromised password against a deception triggers the condition for isolating the infected machine from the network. Separating the infected computer from the network prevents the worm from spreading.<br \/>\n<strong>Conclusion:<\/strong><br \/>\nThe majority of today\u2019s breaches consist of sophisticated multi-stage attacks. The stages of such attacks can best be described by a \u201cCyber Kill Chain\u201d, which breaks down cyber intrusions into the following steps: Recon \u2192 Weaponize \u2192 Deliver \u2192 Exploit \u2192 Install \u2192 Command &amp; Control \u2192 Action. In the Kill Chain, the Distributed Deception solution is capable of detecting a threat actor or worm after it has breached an organization, well before exploitation can be completed. Consequently, the algorithms and techniques leveraging deception are independent of the intent of the worm or the threat actor. Whether the threat actor installs a crypto miner, ransomware, spyware, an MBR wiper, etc. for exploitation, Distributed Deception will detect the breach independent of the exploitation technique, provided the subsequent stages trigger a deception. 
This capability of detecting lateral movement independent of the exploitation stage makes it a recommended architecture for preventing sophisticated breaches.<br \/>\n<strong>Reference<\/strong><br \/>\n[1] Fileless Monero WannaMine, a new attack discovered by PandaLab, https:\/\/www.pandasecurity.com\/mediacenter\/mobile-news\/wannamine-cryptomining-malware\/<br \/>\nIoC:<\/p>\n<ul>\n<li>3AAD3FABF29F9DF65DCBD0F308FF0FA8 (info6.ps1)<\/li>\n<\/ul>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; admin_label=&#8221;section&#8221; _builder_version=&#8221;3.22&#8243;][et_pb_row admin_label=&#8221;row&#8221; _builder_version=&#8221;3.25&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;3.25&#8243; custom_padding=&#8221;|||&#8221; custom_padding__hover=&#8221;|||&#8221;][et_pb_text _builder_version=&#8221;4.7.0&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221; hover_enabled=&#8221;0&#8243; sticky_enabled=&#8221;0&#8243;]Acalvio Threat Research Labs Introduction: Cryptomining is quickly becoming one of the greatest threats facing our industry. Similar to ransomware, it provides an easy avenue for a threat actor to monetize his\/her skills. 
In one [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4530,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[92,133,147],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2142"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=2142"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2142\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media\/4530"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=2142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post=2142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=2142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}