Aliases: No associated aliases
- Patch EternalBlue (CVE-2017-0144) to prevent the malware from spreading.
- Check task scheduler for all automated tasks
- Disable VBScript to break persistence. The program uses WScript.Shell COM objects to maintain persistence.
- Go through the Microsoft forum to learn more about this malware. For more details about EternalBlue, see the Analysis of the ETERNALBLUE and ETERNALROMANCE exploits leaked by Shadow Brokers.
- Run a full scan. A full scan might find hidden malware.
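The following read-only checks support the remediation steps above; they are an added example, not tooling from the Microsoft page. Run them in an elevated PowerShell session on the host under review. The feature name SMB1Protocol is the Windows 10 optional-feature name (Server editions expose it differently), and the script-host match is an assumption: the page names WScript.Shell but not the scheduled task itself, so tasks are matched on what their action launches rather than on a task name.

```powershell
# Added example: host checks supporting the remediation list (not from the page).
# Run elevated. Read-only: nothing is patched, removed, or disabled here.

function Get-Smb1Status {
    # EternalBlue (CVE-2017-0144) targets SMBv1. Patch state must be verified against
    # the MS17-010 update for the specific OS build; this only reports whether the
    # protocol is still enabled, which is the secondary mitigation.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }
}

function Find-ScriptHostTasks {
    # Scheduled tasks whose action launches a script host: the persistence route the
    # page describes (WScript.Shell) ends up as a task that runs wscript/cscript or
    # a script file. Review every hit; legitimate admin tasks can match too.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match '(?i)\b(wscript|cscript|mshta|powershell)(\.exe)?\b' -or
                $cmd -match '(?i)\.(vbs|vbe|js|wsf|ps1)\b') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    State    = $task.State
                    Author   = $task.Author
                    Command  = $cmd
                }
            }
        }
    }
}

Get-Smb1Status
Find-ScriptHostTasks | Format-Table -AutoSize
```

Treat the output as triage input: a task that runs a script out of a user-writable path, with no recognisable author, is the one to pull and inspect before anything is deleted.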
Use the following free Microsoft software to detect and remove this threat:
Use cloud protection
Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender Antivirus for Windows 10.
Go to Settings > Update & security > Windows Defender > Windows Defender Security Center > Virus & threat protection and make sure that Cloud-based Protection is turned On.
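The same setting can be verified and enabled from an elevated PowerShell session, which is easier to script across many hosts than the Settings path above. This is an added example, not from the Microsoft page; it uses the Defender cmdlets Get-MpPreference and Set-MpPreference, where MAPSReporting is the cloud-delivered protection level.

```powershell
# Added example: check and enable cloud-delivered protection via the Defender cmdlets.
# Run elevated. Enable-CloudProtection changes configuration; Test-CloudProtection does not.

function Test-CloudProtection {
    $pref = Get-MpPreference
    [pscustomobject]@{
        CloudProtection    = $pref.MAPSReporting         # 0 = Disabled, 1 = Basic, 2 = Advanced
        SampleSubmission   = $pref.SubmitSamplesConsent  # 0 = Always prompt, 1 = Send safe samples,
                                                         # 2 = Never send,    3 = Send all samples
        RealTimeMonitoring = -not $pref.DisableRealtimeMonitoring
    }
}

function Enable-CloudProtection {
    # Advanced reporting plus safe-sample submission is the level the cloud service
    # needs to return verdicts on files it has not seen before.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
    Test-CloudProtection
}

Test-CloudProtection
```

If CloudProtection reports 0 after a run of Enable-CloudProtection, the value is usually being pinned by Group Policy or an MDM profile, and the policy source, not the local preference, is what has to change.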
Get more help
This threat is a form of fileless malware that uses the EternalBlue exploit (CVE-2017-0144). For more details about EternalBlue, see the Analysis of the ETERNALBLUE and ETERNALROMANCE exploits leaked by Shadow Brokers.
After the system is exploited, this threat uses its elevated permissions to persist in Windows Management Instrumentation (WMI) and execute from the Task Scheduler.
In the case of this malware, persistence is created to run bitcoin miners.
The WMI instance contains a "funs" variable, a base64-encoded expression.
This threat also fetches the already infected WmiClass "root\default:Office_Updater" (the class may also use names other than Office_Updater).
It immediately executes the "funs" element of the WmiClass. The "funs" element is base64 encoded and this is the malicious payload. It could be anything from bitcoin miners to ad clickers.
Then, it removes all other WMI objects not called "SCM Event Logs" in the root\subscription namespace. It checks whether the malware is running by looking for connections on port 80 or 14444.
If it finds that the malware isn't running, it will fetch the malware from the WmiClass and run it again. That is how the malware persists.
The malware also bundles Mimikatz to harvest NTLM credentials. With these credentials, it checks for other network adapters and connections it can reach. If it finds new addresses, it checks them for vulnerabilities; if it finds a likely vulnerability, it spreads to the new machine.
WMI Object values:
- funs - payload, base64 encoded.
- mimi - Mimikatz.
- ipsu - previously infected IPs.
- i17 - PingCastle port scanner.
- sc - unknown.
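The persistence mechanism described above (a payload-bearing class in root\default, an event subscription kept under the name "SCM Event Logs", and the port 80/14444 liveness check) can be hunted for with the WMI and networking cmdlets. The script below is an added example, not from the Microsoft page. The class name Office_Updater, the property names in the list above and the port numbers come from the page; treating any root\default class that carries those property names as suspect is this example's own heuristic, and because the page does not state the text encoding of the base64 payload, both UTF-16LE and UTF-8 decoding are attempted.

```powershell
# Added example: hunt for the WMI persistence described in the analysis (not from the page).
# Run elevated. Read-only: it reports, decodes a preview, and removes nothing.

$SuspectProps = 'funs', 'mimi', 'ipsu', 'i17', 'sc'   # property names from the page

function ConvertFrom-PayloadBase64 {
    param([string]$Text)
    try { $bytes = [Convert]::FromBase64String($Text) } catch { return $null }
    # Assumption: encoding is not stated on the page. UTF-16LE is tried first; if the
    # result is not printable text, fall back to UTF-8.
    $utf16 = [Text.Encoding]::Unicode.GetString($bytes)
    if ($utf16 -match '^[\x20-\x7E\r\n\t]+$') { return $utf16 }
    return [Text.Encoding]::UTF8.GetString($bytes)
}

function Find-SuspectWmiClasses {
    # Classes in root\default whose properties match the names from the analysis, or
    # that carry the class name seen in the wild. The payload may live either as a
    # class default value or on an instance, so both locations are checked.
    foreach ($class in Get-CimClass -Namespace root\default) {
        $hits = @($class.CimClassProperties.Name | Where-Object { $SuspectProps -contains $_ })
        if ($hits.Count -eq 0 -and $class.CimClassName -ne 'Office_Updater') { continue }
        $raw = $class.CimClassProperties['funs'].Value
        if (-not $raw) {
            $inst = Get-CimInstance -Namespace root\default -ClassName $class.CimClassName -ErrorAction SilentlyContinue |
                    Select-Object -First 1
            $raw = $inst.funs
        }
        $decoded = if ($raw) { ConvertFrom-PayloadBase64 ([string]$raw) }
        [pscustomobject]@{
            Class      = $class.CimClassName
            Properties = ($hits -join ',')
            Preview    = if ($decoded) { $decoded.Substring(0, [Math]::Min(120, $decoded.Length)) }
        }
    }
}

function Get-WmiSubscriptions {
    # Every filter, consumer and binding in root\subscription. The malware keeps a
    # subscription named "SCM Event Logs"; anything else there is also worth review.
    foreach ($cls in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-CimInstance -Namespace root\subscription -ClassName $cls -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Type     = $_.CimClass.CimClassName
                    Name     = $_.Name
                    Query    = $_.Query
                    Consumer = "$($_.Consumer)"
                    KnownIoc = ("$($_.Name)$($_.Consumer)" -match 'SCM Event Logs')
                }
            }
    }
}

function Get-CheckPortConnections {
    # Established connections on the ports the malware uses for its liveness check.
    # Port 80 is noisy on any host; 14444 is the stronger signal.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 80, 14444 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process = $proc.ProcessName
                Pid     = $_.OwningProcess
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

Find-SuspectWmiClasses  | Format-List
Get-WmiSubscriptions    | Format-Table -AutoSize
Get-CheckPortConnections | Format-Table -AutoSize
```

A hit in Find-SuspectWmiClasses together with a "SCM Event Logs" subscription is the combination the analysis describes; because the subscription re-launches the payload whenever the port check fails, remove the subscription binding and the class together, and only after the scheduled task from the earlier step has been dealt with, or the miner is simply re-created.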
Connects to a remote host
We have seen this threat connect to a remote host, including the following ports:
Allows backdoor access and control
This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
- Downloading and uploading files
- Enumerating running processes
- Executing arbitrary commands
- Gathering system information such as IP address and computer name
- Changing some of your device settings
This analysis was published using the following file SHA256: F5493BF0C7F0CEE670BEB455D2C3B0BBEDE9F3DC692BC32F2138B6A3379DA952