Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

WannaCry: We Want to Cry

Contributors: Phil Hay, Rodel Mendrez, Gerald Carsula, Nicholas Ramos, Homer Pacag

For the last few days the WannaCry ransomware event created mayhem, where organizations worldwide were hit with ransomware that spread quickly primarily via a self-propagating worm mechanism. It exploited vulnerable versions of Windows, even though patches were made available two months ago. Most organizations should have been able to avoid this situation by using a supported version of Windows and patching quickly enough. Here we are going to recap where things stand with this threat and share a few details from our analysis.

The initial infection vector that kicked everything off is still murky. There has been some indication of low-volume email seeding campaigns containing URL links leading to the initial malware being downloaded. We have not been able to independently confirm this, but it remains a possibility. One thing is clear, we have not seen any large-scale email campaigns distributing the malware to date, although that could change at any time.

Recap: Spreading the badness

Regardless of initial infection, the malware quickly spreads via networks:

  • The dropped malware binary contains the worm component, and the WannaCry ransomware component is contained within the resources section of this binary.
  • Once the dropped malware is executed, it extracts and runs the WannaCry ransomware and then attempts to spread via the 'Eternal Blue' vulnerability in Microsoft Windows SMB Server (MS17-010)
  • To spread, the worm enumerates the IP addresses on the local network and these hosts are scanned over port 445 for the vulnerability. In addition, random IP addresses are also generated for scanning the Internet, and if a successful 'hit' occurs, further scanning of that subnet occurs. This is how the malware can spread so quickly.

9633_6448d61a-4924-4ef8-ac73-f2efb4ec66d9

 

Detailed Analysis

Main Launcher: The Killswitch effect

The main launcher has a curious feature, where, before it does anything else, it checks connectivity to a certain domain. If that domain resolves, the binary exits and does nothing further. This has been dubbed the killswitch. The killswitch domains below that have been found so far have been registered by Security Researchers, see here and here. This has had the effect of hampering the spread of the malware. Hint: don't block these domains.

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

Extracting the Ransomware

If there is no reply from the killswitch domain, it then checks for command line argument, if it is less than two, create a new service with Display name: "Microsoft Security Center (2.0) Service" and service name: "mssecsvc2.0"

 

BSL_12268_e2768591-eeea-45da-ab04-f77e46f138ce

 

Next, the WannaCry ransomware is extracted from resource section, then dropped to C:\Windows and a new process is spawned C:\WINDOWS\tasksche.exe.

 

BSL_9343_54c33778-c957-416b-96bc-a207228fcb1c

 

If command line argument is two or more then it proceeds to open malware service named "mssecsvc2.0", change the service configuration to "SERVICE_CONFIG_FAILURE_ACTIONS", then start the service running the propagation function using the SMB exploit.

 

8522_2dd77791-a725-4f50-bd57-f718a8540c25

 

Scan the networks

Next, one thread is run for scanning local IPs, and 128 threads for scanning public IPs:

 

10359_8524fd37-7f86-4f17-aca2-ebae14efd5dc

 

For scanning local IPs, It gathers IP addresses using GetAdaptersInfo() API, and then scans the target IP for MS17-010 and transfers the payload if the IP is vulnerable:

 

7603_002fafbc-268d-46c4-a92e-49fdf9c7d7d1

 

For scanning public IP addresses, the malware generates target IP addresses using the CryptGenRandom() API by default, otherwise it uses the rand() function. The randomly generated first octet of the IP address cannot be equal 127 or >= 224. The second, third and fourth octets are also randomly generated. It then checks if port 445 of the target IP is open.

 

10996_a37f7827-28ad-4f7d-94ba-79cdc73fc720

 

If it deemed that port 445 is open, it starts to scan the entire /24 IP range, and then creates a thread for each target IP and attempts to exploit it.

 

BSL_11326_b3462213-2503-46c4-b359-f813c0866d55

 

Unpacking the PE file from the launcher

We unpacked the PE file manually, which showed several layers. Any tool that dumps the resource (.rsrc) section of a PE file can be used. In this case, we used an internal tool.

 

BSL_9925_729cc3fc-2fe3-46fd-9d52-24999be8168c

 

The file "R-1381" is the embedded PE file in the launcher.

 

11675_c519460f-c409-4942-8302-d7fac3f79510

 

Running "R-1381" against the .rsrc dumper, we can see that it has the following files:

 

10879_9e0f9d98-b221-45b5-a8be-d4a76de7e939

 

"XIA-2058" is actually a password-protected zip file. PW: 'WNcry@2ol7'. When extracted, it contains the following:

 

BSL_9897_71340861-945b-4fc8-9200-848cb9e84860

 

The R-1831 file drops an encrypted DLL file called "t.wnry". Once the DLL is decrypted, the WannaCry ransomware itself is run.

 

BSL_10847_9c8ec826-2000-4d53-a24f-21b417208a45

 

The "b.wnry" is the a BMP file used for the ransom note desktop wallpaper.

 

BSL_11873_cd7bcb3e-8bf5-4075-ae57-2810117016f2

 

The "c.wnry" holds a list of TOR sites (*.onion)

 

11366_b57250bf-784b-45b5-8aa7-4ecb4dea3c03

 

The "r.wnry" contains a simple text "readme ransom note"

 

BSL_12760_f7b1519e-e226-4522-8754-1316bf896f37

 

The msg folder holds ransom notes messages in different languages.

The file "s.wnry" is another ZIP file that contains Tor-related binaries which will be later used for C2 beaconing:

 

BSL_12019_d51d4abc-e6e7-496c-a751-72c8da651a48

 

Ransomware itself typical

The actual ransomware component itself is not all that remarkable, it does what ransomware does, encrypts a wide range of files and demands ransom, to be paid in bitcoins in a most insistent way. Here is a list of some of the files it encrypts.

 

BSL_12140_dbcb72f4-b276-4433-8c6c-2ad100329796

 

Expect more of the same to come

What we have seen to date is likely only the beginning. Expect new variants of this threat to quickly emerge. These are likely to have different killswitch domains or no killswitch domains at all. Note, even though you might have patched your systems, it may still be possible to get impacted by the WannaCry Ransomware itself if it is spread via email or the web in the future. However, if you are up to date with patches and have taken some of the mitigation steps below the impact and spread should be well contained.

Mitigation Tips

  • If you haven't done so already, patch the vulnerability (see MS17-010) on all systems!
  • Doublecheck AV is up to date with latest signatures
  • Don't block the known killswitch domains at your gateway
  • Consider disabling SMBv1 traffic in your LAN
  • Block port 445 SMB traffic at your border firewall

Trustwave customers will find active protection against this campaign in many of our security offerings including:

  • Trustwave Secure Email Gateway (SEG)
  • Trustwave Secure Web Gateway (SWG) - (by default SWG will block any Tor based communications that the malware attempts to use)
  • Trustwave Managed Detection & Response (MDR) for Endpoints
  • Trustwave AV (which can detect the ransomware itself)
  • Trustwave UTM (which will block MS17-010 exploitation attempts)
  • Trustwave Vulnerability Scanner (which will detect if a system is missing the MS17-010 patch)

Finally, if you find yourself or your organization infected, our Trustwave Incident Response team is happy to help you. You can visit https://www.trustwave.com/en-us/company/about-us/spiderlabs/ for more information or call our 24hr Incident Response Hotline: +1 (866) 659-9097 and select "Option 5".

Latest SpiderLabs Blogs

Hunting For Integer Overflows In Web Servers

Allow me to set the scene and start proceedings off with a definition of an integer overflow, according to Wikipedia:

Read More

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More