We updated this article on August 27, 2019 at 7:37 PM PST to include a co-author and amend the solution.
An unpatched security flaw that gets successfully exploited is one thing. But eight exploits that can stealthily and simultaneously get through your businesses’ assets and data and your customers’ information are quite another. We found a new malware family that targets web servers, network drives, and removable drives using multiple web server exploits and dictionary attacks. This malware, which we named BlackSquid after the registries created and main component file names, is particularly dangerous for several reasons. It employs anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to continue with installation or not. It also has wormlike behavior for lateral propagation. And it uses some of the most notorious exploits today: EternalBlue; DoublePulsar; the exploits for CVE-2014-6287, CVE-2017-12615, and CVE-2017-8464; and three ThinkPHP exploits for multiple versions. In addition, cybercriminals may be testing the viability of the techniques used in this malware’s routine for further development. The sample we acquired downloads and installs an XMRig Monero cryptocurrency miner as the final payload. But BlackSquid may be used with other payloads in the future. Our telemetry observed the greatest number of attack attempts using BlackSquid in Thailand and the U.S. during the last week of May.
Evasion, routine, and exploits
BlackSquid can infect a system from three initial entry points: via an infected webpage visited because of infected known servers, via exploits as main initial entry point for infecting web servers, or via removable or network drives. It cancels the infection routine to immediately avoid detection and blocking if at least one of the following conditions is met:
The victim’s username is equal to one of the following common sandbox usernames:
- Avira
- COMPUTERNAME
- CWSX
- Kappa
- NMSDBOX
- VBOX
- WILBERT-SC
- XPAMASTC
- XXXX-OS
- cuckoo
- cwsx-
- nmsdbox
- qemu
- sandbox
- virtual
- wilbert-sc
- xpamast-sc
- xxxx-ox
The disk drive model is equal to one of the following:
- Avira
- Kappa
- VBOX
- Qemu
- Sandbox
- test
- virtual
- vitual
- vmware
- vware
The device driver, process, and/or dynamic link library is one of the following:
- Anubis.exe
- api_log.dll
- Cuckoo.exe
- dir_watch.dll
- ImmunityDebugger.exe
- OllyDBG.EXE
- OllyICE.exe
- Sandboxie.exe
- sandboxiedcomlaunch.exe
- sandboxierpcss.exe
- sbieDLL.dll
- SbieDrv.sys
- SbieSvc.exe
- SXIn.dll
- vboxdrv.sys
- VBoxGuestAdditions.sys
- vboxnetadp.sys
- VBoxRes.dll
- Vboxusb.sys
- Vboxusbmon.sys
- windbg.exe
- x64_dbg.exe
The malware also checks the breakpoint registers for hardware breakpoints, specifically for the flags. Hard-coded in, it skips the routine if that flag is at 0, while it seems to proceed with infection if the flag is at 1. As of this writing, the code is set at 0, implying that this aspect of the malware routine is still in development.
Figure 1. Hardware breakpoint flags hard-coded at 0
The malware routine continues with infection once the conditions of the system do not meet any of the three conditions above. Like a number of malicious cryptocurrency-mining malware routines in recent incidents, BlackSquid also uses EternalBlue-DoublePulsar exploits (MS17-010 SMB RCE exploit) to propagate through the network.
Figure 2. Command line of EternalBlue-DoublePulsar exploit (Click to enlarge)
Figure 3. Server Message Block (SMB) exploit attack on ports 445 and 139
It drops a copy of itself in network and removable drives, using the critical vulnerability CVE-2017-8464 to execute itself. This remote code execution (RCE) flaw can be used to gain the same user rights as the local system user.
Figure 4. Malware executed via CVE-2017-8464
Aside from network propagation, BlackSquid infects web servers via web application exploits. Using the GetTickCount API as its seed, it randomly selects the IP addresses to target and checks if the addresses are live. Having confirmed the live status of the addresses, it begins connecting to and attacking the targets through exploits and dictionary attacks.
Figure 5. Randomly generating and checking for live IP addresses to target
Among the vulnerabilities abused are three ThinkPHP exploits to support multiple versions of the said framework, using mshta.exe to download and execute the main component of the payload. However, we noticed that one of the exploits had been wrongly coded: The letter “l” was used where the number “1” was needed, thereby rendering the code useless.
Figure 6. ThinkPHP exploits used by BlackSquid
Figure 7. The cybercriminals might have made a mistake coding one of the ThinkPHP exploits, making the command useless.
By sending an HTTP request, it also targets IP addresses using CVE-2014-6287 to run mshta.exe via a %00 sequence in a search action. Once abused, this allows attackers to execute arbitrary programs remotely.
Figure 8. Specially crafted request to exploit CVE-2014-6287
BlackSquid also exploits CVE-2017-12615, an Apache Tomcat vulnerability with a snippet that puts an HTTP request. The exploit enables any code to be executed by the server by uploading a JavaServer Pages (JSP) file via a specially crafted HTTP PUT request.
Figure 9. Snippet of HTTP request method and URI
Figure 10. Snippet of HTTP message body
BlackSquid can also upload a JavaServer page in the targeted web server and uses the page to execute mshta.exe, in turn downloading and executing the malware’s main component.
Figure 11. Executing the main component of the payload via a JavaServer page
BlackSquid can also infect HTML files in the following known web server path by prepending a malicious iframe to the target.
C:\inetpub\\ |
C:\xampp\ |
C:\wamp\ |
C:\phpStudy\PHPTutorial\WWW\ |
Table 1. Web server stacks and scripts reference for iframe insertion
Figure 12. Iframe tag used in HTML file infection
Simultaneous with its attacks, BlackSquid also downloads and executes two XMRig cryptocurrency-mining components. Both components are 64-bit Monero (XMR) miners, one in its resource and another downloaded into the system. The miner in resource is the primary miner used, but it also determines if the targeted system has a video card. If the system checks for Nvidia and AMD video cards using WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation), the malware downloads the second component into the system to mine for graphics processing unit (GPU) resource.
Figure 13. XMRig miner
Conclusion
Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another). But considering the erroneous code and purposely skipped routines, we also think that the cybercriminals behind this malware are likely in the development and testing stages; they may be studying how they can best profit from the attacks by having two components for mining regardless of the systems’ installed GPU resources. Further, they may still be trying to determine specific targets without putting up much capital. For one thing, the majority of the exploits and techniques they have chosen have been openly shared in the underground. And using random IP address scanning rather than a faster but possibly more expensive option such as a Shodan scan (which requires a subscription) presents advantages in lessening limitations for targets, as well as blocking and evading traffic to and from Shodan. All of the exploited vulnerabilities have patches that have been available for years, so organizations following updated and proper patching procedures are unlikely to be affected. We recommend continued updating of systems with the released patches from legitimate vendors. Users of legacy software should also update with virtual patches from credible sources. Enterprises are advised to enable a multilayered protection system that can actively block threats and malicious URLs from the gateway to the endpoint.
Trend Micro solutions The Trend Micro Deep Discovery Inspector solution protects customers from threats that may lead to C&C connection and data exfiltration via these DDI rules:
- 2383: CVE-2017-0144 - Remote Code Execution - SMB (Request)
- 2390: EQUATED - SMB (Response)
- 2498: CVE-2017-12615 - APACHE TOMCAT Remote Code Execution via JSP Upload - HTTP (Request)
- 2722: CVE-2017-0146 - Remote Code Execution - SMB (Request)
- 2786: ThinkPHP 5x Remote Code Execution - HTTP (Request)
- 2922: CVE-2014-6287 Rejetto HttpFileServer RCE Exploit - HTTP (Request)
- 2923: BLASQUI Webshell - HTTP (Request)
- 3227: CVE-2014-6287 Rejetto HttpFileServer RCE Exploit - HTTP (Request)
- 3228: BLASQUI Webshell - HTTP (Request)
- 3229: ThinkPHP 5x Remote Code Execution - HTTP (Request)
Indicators of Compromise (IoCs)
Trend Micro products with XGen™ security detect and block the following:
SHA256 | Detection |
---|---|
14f8dc79113b6a2d3f378d2046dbc4a9a7c605ce24cfa5ef9f4e8f5406cfd84d | Worm.Win32.BLASQUI.A |
3596e8fa5e19e860a2029fa4ab7a4f95fadf073feb88e4f82b19a093e1e2737c | TROJ_EQUATED.J |
4bc1a84ddbbb360e3026e8ec1d0e1eff02a100cf01888e7e2a2ac6a105c71450 | Trojan.Win64.DLOADR.AUSUPP |
aa259b168ec448349e91a9d560569bdb6fabd811d78888c6080065a549f60cb0 | Trojan.Win32.DLOADR.AUSUPY |
4abb241a957061d150d757955aa0e7159253b17a1248eaac13490a811cdabf90 | Coinminer.Win32.MALXMR.TIAOODCI |
515caf6b7ff41322099f4c3e3d4846a65768b7f4b3166274afc47cb301eeda98 | Coinminer.Win64.TOOLXMR.AS |
8dbd331784e620bb0ca33b8515ca9df9a7a049057b39a2da5242323943d730b4 | |
8974da4d200f3ca11aa0bc800f23d7a2be9a3e4e6311221888740c812d489116 | Trojan.Win32.CVE20178464.A |
URLs
hxxp://m9f[.]oss-cn-beijing[.]aliyuncs[.]com/A[.]exe
hxxp[:]//m9f[.]oss-cn-beijing[.]aliyuncs[.]com/Black[.]hta