
Wcry WannaCry WCry Ransomware Malware ETERNALBLUE/MS17-010 Worm is dead or is it? – active new IOCs Domain Names/IPs

Ransomware is nothing new; it has been wreaking havoc on the world since 2012. The TTPs for delivering it and infecting victims have changed over the years, but the end goal remains the same: give me your money or you'll never see your files again. Some of the first ransomware campaigns used mechanisms such as exploit kits, and Blackhole was the popular choice for a long time. Blackhole was created by the now incarcerated "Paunch", a Russian crimeware coder pictured below:


The Blackhole web-based exploit kit delivered malware by exploiting vulnerabilities in Flash, Java, Silverlight and IE. After exploiting your system it would issue a command to download whatever malware the person renting the botnet, or its owner, chose.

After the arrest and seven-year sentence of Paunch, exploit kits have simmered down; however, ransomware infections and variations of them have remained on a steady rise. New methods for infecting victims focused on malspam e-mail campaigns, which used attachments and malicious links to trick victims into clicking. Once e-mail spam filters caught on to the obvious .zip/.exe files, the attackers switched to macro documents and PDF files, which to this day seems to be the preferred method of infection. Once a user opens a .docm file that loads malware, a macro runs which, in this case, downloads the ransomware. If macros are disabled (obviously a best practice) you will see a blank page that reads "if you want to see this content please enable macros" with a nice "click here" button, which many individuals don't think twice about clicking because they are looking at a blank page.
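The macro-document lure described above comes down to one file property a mail gateway can check before a user ever sees the "enable macros" page: a modern Office file is a zip archive, and the VBA project that would run the downloader lives in a fixed member such as word/vbaProject.bin. The following Python is an added example, not code from the original post; it builds constructed in-memory samples rather than reading real attachments, and the verdict labels are assumptions.

```python
import io
import zipfile

# Office Open XML documents are zip archives. A macro-enabled Word file
# (.docm) carries its VBA project as word/vbaProject.bin; a plain .docx
# should never contain one, so a file whose extension hides its macro
# content is itself a warning sign at the gateway.
VBA_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm")


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment (verdict names are assumptions).

    allow      - OOXML without a VBA project
    quarantine - OOXML carrying a VBA project, whatever the extension says
    inspect    - not a zip at all (legacy .doc, or a renamed binary)
    """
    result = {
        "is_zip": False,
        "has_vba": False,
        "extension_claims_macros": filename.lower().endswith(MACRO_EXTENSIONS),
        "verdict": "allow",
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["is_zip"] = True
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        result["verdict"] = "inspect"
        return result
    result["has_vba"] = any(n in VBA_PARTS for n in names)
    if result["has_vba"]:
        result["verdict"] = "quarantine"
    return result


def build_sample(with_vba: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

The check flags a macro project regardless of extension, so a .docm renamed to .docx is still caught; legacy binary .doc files fall through to manual inspection because their macro storage is not a zip member.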

The WannaCry botnet C2 servers, which use a domain generation algorithm, have been sinkholed, which for now prevents an infected host from reaching the malicious command and control servers. Here is one such domain name that was being used in the campaigns:

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

which now redirects you to the sinkhole:

Domain name: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Registry Domain ID: 2123519849_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2017-05-15T21:57:30.00Z
Creation Date: 2017-05-12T15:08:04.00Z
Registrar Registration Expiration Date: 2018-05-12T15:08:04.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: 
Registrant Name: Botnet Sinkhole
Registrant Organization: 
Registrant Street: Botnet Sinkhole 
Registrant City: Los Angeles
Registrant State/Province: CA
Registrant Postal Code: 00000
Registrant Country: US
Registrant Phone: +0.00000000000
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: BotnetSinkhole@gmail.com


As I write this e-mail, new infection sites are still popping up that would be called from within a malicious attachment, or after clicking on a link to one of the domain names now sinkholed, to infect you. Below are some live examples (VISIT AT YOUR OWN RISK – MOST ARE ACTIVE) of WannaCry ransomware loading links. The files are not executable; the macro uses a PowerShell script to issue commands on your machine to use these files.


The reason WannaCry is creating so much noise and attention is that it does not only infect your computer: once on your system it installs a module that scans your network for machines that have ports 139 and 445 open. Once machines have been identified, the malware attempts to exploit a known SMB vulnerability, dubbed ETERNALBLUE/MS17-010, and spread throughout the network as a worm. Hence the panic and news related to this ransomware: entire organizations running SMBv1 can become owned rapidly.

Why are so many hosts vulnerable to this SMB exploit? Many organizations have not patched the vulnerability because SMB is almost always firewalled off from the outside world, which means someone would have to be inside the network in order to use the exploit. The creators of this ransomware have taken advantage of this laziness to patch and created a very dangerous ransomware worm.
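One detection the worm behaviour described above lends itself to, since the spread happens inside the perimeter where the firewall does not help: a single host opening SMB connections (ports 139 and 445) to many distinct internal hosts within a short window, which ordinary file-share use does not do. The Python below is an added example, not from the original post; the log line format, the 60-second window and the threshold of 10 destinations are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
# Assumed firewall/flow log format (constructed for this example):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_smb_scanners(lines, window_seconds=60, threshold=10):
    """Map each source to its peak count of distinct SMB destinations within
    any sliding window, keeping only sources that reach the threshold."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] in SMB_PORTS:
            events[rec[1]].append((rec[0], rec[2]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past stale events
            peak = max(peak, len({dst for _, dst in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed sample: 10.0.0.5 fans out to 15 hosts on 445 in 15 seconds (worm-like);
# 10.0.0.7 talks to the file server repeatedly plus one other host (normal); 10.0.0.9 is not SMB.
SAMPLE_LOG = (
    [f"2017-05-12T10:00:{i:02d}Z src=10.0.0.5 dst=10.0.0.{10 + i} dport=445 proto=tcp" for i in range(15)]
    + [f"2017-05-12T10:00:{4 * i:02d}Z src=10.0.0.7 dst=10.0.0.2 dport=445 proto=tcp" for i in range(15)]
    + ["2017-05-12T10:01:05Z src=10.0.0.7 dst=10.0.0.3 dport=139 proto=tcp",
       "2017-05-12T10:00:30Z src=10.0.0.9 dst=10.0.0.2 dport=80 proto=tcp"]
)

if __name__ == "__main__":
    for src, peak in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {peak} distinct SMB targets within one window")
```

Counting distinct destinations rather than raw connections keeps a busy client of one file server below the threshold while a host sweeping a /24 on 445 stands out immediately.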

Sample infection pop-up:


File names associated with the first variant:


Anti-virus vendors' detections of the first variant:
