
NRSMiner updates to newer version


More than a year after the world first saw the Eternal Blue exploit in action during the May 2017 WannaCry outbreak, we are still seeing unpatched machines in Asia being infected by malware that uses the exploit to spread. Starting in mid-November 2018, our telemetry reports indicate that the newest version of the NRSMiner cryptominer, which uses the Eternal Blue exploit to propagate to vulnerable systems within a local network, is actively spreading in Asia. Most of the infected systems seen are in Vietnam.

Figure: November-December 2018 telemetry statistics for NRSMiner, by country

In addition to downloading a cryptocurrency miner onto an infected machine, NRSMiner can download updated modules and delete the files and services installed by its own previous versions.

This post provides an analysis of how the latest version of NRSMiner infects a system and finds new vulnerable targets to infect. Recommendations for mitigation measures, IOCs and SHA1s are listed at the end of the post.

How NRSMiner spreads

There are 2 methods by which a system can be infected by the newest version of NRSMiner:

1. By downloading the updater module onto a system that is already infected with a previous version of NRSMiner, or
2. If the system is unpatched (MS17-010) and another system within the intranet has been infected by NRSMiner.

Method 1: Infection via the Updater module

First, a system that has been infected with an older version of NRSMiner (and has the wmassrv service running) will connect to tecate[.]traduires[.]com to download an updater module to the %systemroot%\temp folder as tmp[xx].exe, where [xx] is the return value of the GetTickCount() API.

When this updater module is executed, it downloads another file to the same folder from one of a series of hard-coded IP addresses:

Figure: List of IP addresses found in different updater module files

The downloaded file, /x86 or /x64, is saved in the %systemroot%\temp folder as WUDHostUpgrade[xx].exe; again, [xx] is the return value of the GetTickCount() API.

WUDHostUpgrade[xx].exe

The WUDHostUpgrade[xx].exe first checks the mutex {502CBAF5-55E5-F190-16321A4} to determine whether the system has already been infected with the latest NRSMiner version. If the system is infected, WUDHostUpgrade[xx].exe deletes itself. Otherwise, it deletes the files MarsTraceDiagnostics.xml, snmpstorsrv.dll and MgmtFilterShim.ini.

Next, the module extracts the following files from its resource section (BIN directory) to the %systemroot%\system32 or %systemroot%\sysWOW64 folder: MarsTraceDiagnostics.xml and snmpstorsrv.dll.

It then copies the values of the CreationTime, LastAccessTime and LastWriteTime properties from svchost.exe and sets the same properties on the MarsTraceDiagnostics.xml and snmpstorsrv.dll files to the copied values, so the dropped files do not stand out by timestamp.

Finally, the WUDHostUpgrade[xx].exe installs a service named snmpstorsrv, with snmpstorsrv.dll registered as its ServiceDll. It then deletes itself.

Figure: Pseudo-code for WUDHostUpgrade[xx].exe's actions

Snmpstorsrv service

The newly-created Snmpstorsrv service starts under “svchost.exe -k netsvcs” and loads the snmpstorsrv.dll file, which creates multiple threads to perform several malicious activities.

Figure: Snmpstorsrv service's activities

The service first creates a file named MgmtFilterShim.ini in the %systemroot%\system32 folder, writes ‘+’ to it, and modifies its CreationTime, LastAccessTime and LastWriteTime properties to the same values as those of svchost.exe.

Next, the Snmpstorsrv service extracts malicious URLs and the cryptocurrency miner’s configuration file from MarsTraceDiagnostics.xml.

Figure: Malicious URLs and miner configuration details in the MarsTraceDiagnostics.xml file

On a system that is already infected with an older version of NRSMiner, the malware will delete all components of its older version before infecting it with the newer one. To remove the prior version of itself, the newest version refers to a list of services, tasks and files to be deleted that can be found as strings in the snmpstorsrv.dll file; to remove all older versions, it refers to a list that is found in the MarsTraceDiagnostics.xml file.

Figure: List of services, tasks, files and folders to be deleted

After all the artifacts of the old versions are deleted, the Snmpstorsrv service checks for any updates to the miner module by connecting to:

reader[.]pamphler[.]com/resource
handle[.]pamphler[.]com/modules.dat

If an updated miner module is available, it is downloaded and written into the MarsTraceDiagnostics.xml file. Once the new module is downloaded, the old miner file at %systemroot%\system32\TrustedHostex.exe is deleted. The new miner is decompressed in memory and the newly extracted miner configuration data is written into it.

This newly updated miner is then injected into svchost.exe to start crypto-mining. If the injection fails, the service instead writes the miner to %systemroot%\system32\TrustedHostex.exe and executes it.

Figure: The miner decompressed in memory

Next, the Snmpstorsrv service decompresses the wininit.exe file and injects it into svchost.exe. If the injection fails, it writes wininit.exe to %systemroot%\AppDiagnostics\wininit.exe and executes it. The service also opens TCP port 60153 and starts listening on it.
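A host triage check built from the artifacts described in the updater and service sections above (the files dropped into system32/sysWOW64, the snmpstorsrv service, the timestamp copying from svchost.exe, the AppDiagnostics folder and the port 60153 listener). This is an added example, not code from the original analysis; it runs over a constructed host snapshot, and the snapshot shape (FileInfo records, a dict of service names to ServiceDll paths, a set of listening ports) is an assumption about what an inventory or EDR export would provide.

```python
import ntpath
from dataclasses import dataclass
from datetime import datetime

# Assumed snapshot shape (constructed): file timestamps as an inventory export lists them.
@dataclass
class FileInfo:
    created: datetime    # CreationTime
    accessed: datetime   # LastAccessTime
    written: datetime    # LastWriteTime

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SVCHOST = r"c:\windows\system32\svchost.exe"
APPDIAG_DIR = r"c:\windows\appdiagnostics"       # where wininit.exe unpacks blue.xml
DROPPED = {"marstracediagnostics.xml", "snmpstorsrv.dll", "mgmtfiltershim.ini",
           "trustedhostex.exe"}                   # names the updater/service write
SERVICE, LISTEN_PORT = "snmpstorsrv", 60153

def timestomped_like_svchost(files):
    """Paths whose three timestamps all equal svchost.exe's (the copying step above)."""
    ref = files.get(SVCHOST)
    if ref is None:
        return []
    return sorted(p for p, f in files.items()
                  if p != SVCHOST and (f.created, f.accessed, f.written)
                  == (ref.created, ref.accessed, ref.written))

def assess(files, services, listening_ports):
    """files: {lower-case path: FileInfo}; services: {name: ServiceDll}; ports: set of TCP ports."""
    findings = []
    for path in sorted(files):
        folder, name = ntpath.dirname(path), ntpath.basename(path)
        if (folder in SYSTEM_DIRS and name in DROPPED) or folder == APPDIAG_DIR:
            findings.append(("dropped_file", path))
    if SERVICE in services:
        findings.append(("service", services[SERVICE]))
    if LISTEN_PORT in listening_ports:
        findings.append(("listening_port", LISTEN_PORT))
    findings += [("timestomped", p) for p in timestomped_like_svchost(files)]
    return findings

def sample_infected_host():
    t = datetime(2018, 4, 11, 23, 34, 8)  # constructed svchost.exe timestamps
    files = {SVCHOST: FileInfo(t, t, t),
             r"c:\windows\system32\marstracediagnostics.xml": FileInfo(t, t, t),
             r"c:\windows\system32\snmpstorsrv.dll": FileInfo(t, t, t),
             r"c:\windows\system32\mgmtfiltershim.ini": FileInfo(t, t, t),
             r"c:\windows\system32\kernel32.dll": FileInfo(t, t, datetime(2018, 6, 1)),
             r"c:\windows\appdiagnostics\wininit.exe": FileInfo(t, t, t)}
    return assess(files, {SERVICE: r"%systemroot%\system32\snmpstorsrv.dll"}, {445, 60153})
```

Files whose three timestamps exactly match svchost.exe's are the strongest lead: the copying step makes the drops blend in at a glance while leaving a precise fingerprint that legitimate files almost never share.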

In two other threads, the service sends out details about the infected system to the following sites:

pluck[.]moisture[.]tk: MAC address, IP address, system name, operating system information
jump[.]taucepan[.]com: processor and memory-specific information

Figure: System information forwarded to remote sites

Based on the information sent, a new updater file will be downloaded and executed, which performs the same activities as described in the "Method 1: Infection via the Updater module" section above. This updater module can be used to infect systems with any upcoming version of NRSMiner.

Method 2: Infection via Wininit.exe and Exploit

In the latest NRSMiner version, wininit.exe is responsible for handling its exploitation and propagation activities. Wininit.exe decompresses the zipped data in %systemroot%\AppDiagnostics\blue.xml and unzips the files into the AppDiagnostics folder. Among the unzipped files is one named svchost.exe, which is the Eternalblue 2.2.0 exploit executable. It then deletes the blue.xml file and writes 2 new files named x86.dll and x64.dll in the AppDiagnostics folder.

Wininit.exe scans the local network on TCP port 445 to search for other accessible systems. After the scan, it executes the Eternalblue executable file to exploit any vulnerable systems found. Exploit information is logged in the process1.txt file.
