In a recent emergency response activity, NSFOCUS Threat Intelligence center (NTI) discovered a security event that featured NuggetPhantom, a modularized malware toolkit. According to our observation, the organization behind this event made its debut at the end of 2016 in the blue screen of death (BSOD) event that targeted Tianyi Campus clients, and was again involved in another security event that leveraged Tianyi Campus clients to mine cryptocurrency at the end of 2017.
Having captured and analyzed malware carriers frequently used by this organization, we believe that its malware toolkit has been highly modularized and so delivers high flexibility. This toolkit not only features anti-antivirus techniques but also employs many concealment approaches, as demonstrated in its capability of defeating security devices that work based on behavior detection and traffic analysis.
In selecting targets, this organization, following the principle that "man is the measure of security", first singled out less security-conscious users by judging the security posture of their devices. It then attacked those users by exploiting an N-day vulnerability with EternalBlue. In addition, to hide itself and evade detection, the organization deliberately limited the malware's impact on users, at the expense of some financial gain.
After finding that the operating system on a user's computer is affected by the EternalBlue vulnerability, the attacker exploits it to deliver Eternal_Blue_Payload to the victim computer. This payload then drops all modules; each module contacts the download server to fetch its own encrypted file, decrypts it dynamically in memory, and only then executes its malicious function. The flowchart below depicts the entire attack process.
This attack procedure maps cleanly onto the classic kill chain:
- Reconnaissance: Through scanning and open-source data, the attacker finds a large number of computers on the Internet that still contain the EternalBlue vulnerability.
- Weaponization: The attacker crafts payloads specific to these vulnerable computers.
- Delivery: The attacker uploads the malware, with all of its modules, to a server under his/her own control.
- Exploitation: The attacker exploits the EternalBlue vulnerability against targets one by one, executing the downloader exploit payload on each.
- Installation: The downloader exploit payload downloads malware and instructs it to deploy its own modules.
- Command and Control: The malware communicates with the attacker’s command and control (C&C) server to obtain instructions and cryptomining configurations.
- Actions on Objective: The malware mines cryptocurrency and conducts distributed denial-of-service (DDoS) attacks.
From the preceding analysis, we can draw the following conclusions:
- Vulnerability: The EternalBlue vulnerability, as a critical one disclosed in early 2017, has been exploited by very efficient toolkits and has attracted a wide range of scanning sources. Up to now, hackers’ zeal for it has not abated as there are still a large number of unpatched Windows devices worldwide.
- Tools: Malicious programs and tools are undergoing a major structural change. Traditionally, all required functions were built into one package and used as a whole; now they are modularized for greater flexibility. For a single campaign, an attacker needs only to plant a controlled loader that seldom performs malicious actions itself and instead requests the required modules in real time. Functional modules can be loaded or removed depending on the progress of information collection, the purpose of the task, and trends in the hacking industry. Security devices analyze attacks only after they have actually happened, and such a reactive process makes it difficult to obtain the whole picture of an event, however extensive and intensive the analysis.
- Industry: Cryptomining is usually regarded as a hacking business with a low entry barrier that requires little skill, so anti-detection techniques might be expected to be scarce in related malware. This case, however, shows that hacking organizations lured by the lucrative business spend generously on all sorts of technical means to counter security products. This partly explains why the cryptomining detection rate is currently dropping: a lower detection rate does not mean fewer such events are happening, but that they are increasingly difficult to detect and perceive.
- Organization: Full-fledged hacking organizations active in China now focus more on the concealment and persistence of their malicious behavior. Their aim has shifted from seizing all of a user's resources to parasitizing the user's computer without the user's knowledge, and for the sake of persistence they are even willing to sacrifice some gains.
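Every stage of the chain above starts from a host that still exposes the SMBv1 service EternalBlue abuses. The following PowerShell audit is an added example written for this page, not code from NSFOCUS or from the NuggetPhantom toolkit; it assumes an elevated session on Windows 8.1/10 or Server 2012 R2 and later, where the SmbShare and DISM cmdlets and the optional feature name `SMB1Protocol` exist, and reports whether the host is exposed and, optionally, removes that exposure.

```powershell
# Added example (not from the NSFOCUS report): audit a Windows host for the
# precondition EternalBlue (MS17-010) relies on, the SMBv1 server dialect,
# and optionally disable it. Assumes an elevated PowerShell session on
# Windows 8.1/10 or Server 2012 R2+ (SmbShare and DISM modules present).

function Get-Smb1Exposure {
    # Server-side SMBv1 switch; $true means the vulnerable dialect is offered.
    $cfg = Get-SmbServerConfiguration
    # Optional-feature state; the name SMB1Protocol is an assumption for
    # client SKUs and may be absent on some server editions.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
               -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
        Port445Listening  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                                   -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1Server {
    # Turning off the SMBv1 dialect removes the attack surface EternalBlue needs
    # even on a host that has not yet received the MS17-010 patch.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Removing the optional feature also unloads the SMBv1 driver (reboot required).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

$status = Get-Smb1Exposure
$status | Format-List
if ($status.Smb1ServerEnabled) {
    Write-Warning "SMBv1 server is enabled on $($status.ComputerName); if MS17-010 is unpatched, this host is exposed to EternalBlue-class exploitation."
    # Disable-Smb1Server   # uncomment to remediate after confirming no legacy SMBv1 clients depend on it
}
```

Run it across a fleet with `Invoke-Command` and keep the output: a host that still reports `Smb1ServerEnabled = True` with port 445 listening is exactly the "less professional user" profile the report describes the attacker selecting for, so the list doubles as a patch-priority queue.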
1.1 Executive Summary
1.2 Kill Chain
1.3 Scope of Impact
1.4 Development of the Hacking Organization
2 Sample Analysis
2.1 High Level of Modularization
2.2 Careful Deployment to Evade Detection
2.3 Flexible Configuration to Hide True Identity
2.4 Sacrifice of Present Gains to Remain Unnoticed
2.5 All Covet, All Lose
3 Attacker Location
A IoC Output