Internet Storm Center – Internet Security DShield

WMI (“Windows Management Instrumentation”)[1] is, as Microsoft says, the infrastructure for management data and operations on Windows-based operating systems. Personally, I like to make a (very) rough comparison between WMI and SNMP: you can query information about a system (read) but also alter it (write). WMI has been present on Windows systems since Windows 2000. As you can imagine, when a tool is available by default on all systems, it is a good opportunity for attackers to (ab)use its features. Think about tools like bitsadmin.exe or certutil.exe that are used by many malicious scripts. Today, WMI seems to be used more and more in many scenarios. Here are two examples:

The second example is more interesting. In a recent article on the ESET blog[2], researchers explained how WMI was used to implement persistence after a system has been infected by Turla. The malware uses a WMI feature called an event consumer, which is used to trigger a script when an event occurs[3]. WMI can monitor a system and extract a lot of information, like the system uptime. The created event consumer launches a script when the uptime is between 300 and 400 seconds. See the ESET article for more details.

This is not very relevant because WMI usage can be huge and will generate some noise, but it will not record the creation of a new consumer unless the operation failed. If you want more details about the WMI activity on a system, you can use ETW, or “Event Tracing for Windows”[4]. This feature of the Windows API generates specific logs called event trace logs (ETL), which contain binary data. To read them, you need a specific tool like Windows Event Viewer, tracefmt or netmon.
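Since the logs above will not show an already-installed subscription, an added example (not from the ISC diary or the ESET report) enumerates the permanent WMI event subscriptions in root/subscription and flags bindings whose filter keys on SystemUpTime, as in the Turla case, or whose consumer executes a command or script. The heuristic regexes and the benign baseline name are assumptions; run it in an elevated Windows PowerShell 5.1 or later session.

```powershell
# Enumerate permanent WMI event subscriptions (filter -> consumer bindings)
# and flag the ones a defender would want to review. Added example, not from
# the ISC diary or ESET. Assumes the CIM cmdlets (PowerShell 3.0+).
$ns = 'root/subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Assumption: the "SCM Event Log" filter/consumer pair shipped on some
# Windows versions is a known benign baseline and is not flagged.
$benignNames = @('SCM Event Log Filter', 'SCM Event Log Consumer')

# What the consumer would actually run, depending on its concrete class.
function Get-ConsumerPayload($c) {
    switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
        default                     { '' }
    }
}

foreach ($b in $bindings) {
    $f = $filters   | Where-Object Name -eq $b.Filter.Name
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name
    $reasons = @()
    if ($f.Name -in $benignNames -and $c.Name -in $benignNames) { $reasons += 'known benign baseline' }
    # Uptime-window trigger: the filter query selects on SystemUpTime (Turla-style).
    if ($f.Query -match '(?i)SystemUpTime') { $reasons += 'uptime-window trigger' }
    # Code-executing consumer classes deserve a look regardless of the trigger.
    if ($c.CimClass.CimClassName -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        $reasons += "executes code via $($c.CimClass.CimClassName)"
    }
    $payload = Get-ConsumerPayload $c
    # Assumed heuristic: payloads living in user-writable dirs or using encoded PowerShell.
    if ($payload -match '(?i)\\(Temp|AppData|ProgramData|Users\\Public)\\|-enc') {
        $reasons += 'payload in user-writable path or encoded command'
    }
    [pscustomobject]@{
        Binding = "$($b.Filter.Name) -> $($b.Consumer.Name)"
        Query   = $f.Query
        Payload = $payload
        Flags   = ($reasons -join '; ')
    }
}
```

On a clean workstation the output is usually empty or contains only the baseline pair; any other binding, especially one flagged with an uptime trigger, should be compared against the ESET indicators before removal.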

RDP, the Remote Desktop Protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability (CVE-2019-0708). While the reporting around this BlueKeep vulnerability focused on patching vulnerable servers, exposing RDP to the internet has never been a good idea. Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them. The latest example of such a botnet is an ongoing malicious campaign we are referring to as GoldBrute. This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the internet. Shodan lists about 2.4 million exposed servers [1]. GoldBrute uses its own list and is extending it as it continues to scan and grow.

Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot has reported 80 new victims, the C&C server will assign the bot a set of targets to brute force. Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools, as each authentication attempt comes from a different address.

Once the attacker successfully brute-forces an RDP target (1), it downloads a big zip archive containing the GoldBrute Java code and the Java runtime itself. After uncompressing, it then runs a JAR file called “bitcoin.dll”. The “dll” extension is possibly meant to disguise the file from unsuspecting users, but I suspect the “bitcoin” part calls more attention than a “.jar” extension would.
