In this series of articles, I going to explain how the different malware families implement EternalBlue and how they take advantage of it.
EternalBlue (CVE-2017-0143)
Is an exploit developed by the NSA, leaked by the Shadow Brokers hacker group on April 14, 2017.
Was widely known when was used as part of the wordwide Wannacry ransomware attack on May 12,2017.
This exploit takes advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol (CVE-2017-0143), sending crafted packets using SMBv1 allows arbitrary code execution into the target system.
Operative systems affected:
- Windows XP
- Windows Vista
- Windows 7
- Windows 8.1
- Windows 10
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2016
Trickbot (Banker)
In this post, I going to analyze Trickbot's wormDll32 module, this module allows Trickbot to spreads using EternalBlue.
Worm module
This module tries to infect all the devices into the same domain of the infected machine using EternalBlue.
As it is usual in the Trickbot modules, the DLL has 4 exports:
- Control
- FreeBuffer
- Release
- Start
The export that starts the malicious operations is Control.
When the new thread is created, the module enumerates all the servers from the same domain using NetServerEnum.
Then, it obtains the IP of the hosts using gethostbyname and inet_ntoa functions.
With this info, OpenSocket_ThenEternalBlue function is called.
This function performs socket operations in order to establish communication with the targeted machine.
If everything works as expected, the EternalBlue infection starts:
First, the module checks the OS version. If the version contains one of these strings, it will try to infect the device:
- Windows 7
- 2008
- Vista
- 2003
- Windows 5
Then, the function creates the required structures to perform the EternalBlue attack and takes advantage of the vulnerability.
The final stage of this process is to inject a shellcode into the targeted system. This module contains two shellcodes, one for 32 bits systems (left) and the other for 64 bits systems (right)
Both shellcodes contain a malicious URL from which the malicious code will be downloaded.
Shellcode
The examples given here come from x86 shellcode.
The shellcode is composed of two parts. The first one is the Ring 0 part that gets ready in order to perform a Ring 3 APC injection into the targeted process to execute the malicious Ring 3 code (if the injection is performed in lsass.exe or services.exe it will be executed with System priviledges)
This is the first part of the trickbot shellcode.
Doing a little research, it have found that the initial part of the shellcode corresponds to this code:
The EternalBlue POC can be found in this GitHub:
Comparing both the trickbot's shellcode and the original shellcode from GitHub, it have been noticed that the original one doesn't perform an APC injection into lsass.exe process as the original shellcode does.
_find_target_process_loop function of the original shellcode from GitHub:
LSASS_EXE_HASH EQU 0xc1fa6a5a
[...]
_find_target_process_loop:
lea esi, [edi+ecx]
call calc_hash
cmp eax, LSASS_EXE_HASH ; "lsass.exe"
jz found_target_process
%ifndef COMPACT
find_target_process_loop function of Trickbot's x86 shellcode:
0xc1fa6a5a (LSSAS) != 0x388CC1E7 (Unknow process)
If the injection is performed into lsass.exe the lsass.exe hash (0xc1fa6a5a) should be find, but instead 0x388CC1E7 have been found.
And the calc_hash functions found in both shellcodes are the same:
;========================================================================
; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.
;
; Argument: esi = string to hash
; Clobber: esi
; Return: eax = hash
;========================================================================
calc_hash:
push edx
xor eax, eax
cdq
_calc_hash_loop:
lodsb ; Read in the next byte of the ASCII string
ror edx, 13 ; Rotate right our hash value
add edx, eax ; Add the next byte of the string
test eax, eax ; Stop when found NULL
jne _calc_hash_loop
xchg edx, eax
pop edx
ret
At this point, the original calc_hash function from the shellcode have been found in order to create a python script with the same functionality. The objective is to obtain the name of the process associated with the unknown hash 0x388CC1E7 that appears in the trickbot's shellcode.
Using the script it has found that the name of the process associated with the hash 0x388CC1E7 is services.exe, meaning that Trickbot's shellcode will inject its malicious code into services.exe process instead of lsass.exe.
$python trickbot_shellcode_hashcalc.py
0xc1fa6a5a : lsass.exe
0x388cc1e7 : services.exe
0x3ee083d8 : spoolsv.exe
0xb7e02438 : svchost.exe
0x3eb272e6 : explorer.exe
0x7ab2a3f2 : taskmgr.exe
0x3ee083d8 : spoolsv.exe
0xbebc72a3 : winlogon.exe
0xc1fa247a : csrss.exe
0xc1f70bda : smss.exe
Trickbot payload Ring 3 injected into services.exe:
This is the part that Trickbot's developers have created, since the other is a copy from GitHub.
The shellcode will unxor the encoded data to obtain the name of the functions that the shellcode needs to work.
When the process is completed, it can be noticed that the buffer contains the name of the functions and the name of the payload that will be downloaded into the system setup.exe and GET string that is used as a parameter in one of the functions to download the malicious "png".
Then it loads the IAT:
It obtains the malicious URL from the end of the shellcode.
After that, it cut the malicious URL into:
IP:
185.158.131.55
Malicious exe with PNG extension:
worming.png
In addition, the shellcode downloads the malicious payload into the system:
Finally the shellcode copies the payload (trickbot) from 185.158.131.55/worming.png into setup.exe and then executes it using CreateProcessA, infecting the EternalBlue vulnerable system with Trickbot.
Author: @51ddh4r7h4
