In a recent cyberattack, malicious actors exploited the EternalBlue vulnerability to gain initial access to an observatory farm. The attackers then used a series of techniques to infiltrate the system and establish control over the compromised network.
The initial access was gained by creating a hidden administrative share on the system and executing a malicious batch file named p.bat. This batch file was designed to perform a series of nefarious actions, including creating and executing malicious executables, opening firewall ports, setting up port forwarding, and scheduling tasks for persistence. The attackers also incorporated anti-detection mechanisms to evade analysis, further complicating efforts to identify and mitigate the threat.
One of the malicious executables disguised itself as svchost.exe and was specifically crafted to disable Windows Defender and create exclusions to avoid detection. The attackers strategically deleted the administrative share to cover their tracks and ensure exclusive control over the compromised system.
The attackers then brute-forced the Server Message Block (SMB) protocol to gain access as a local administrator, creating a hidden administrative share on the C: drive for persistence. A malicious batch script (p.bat) was deployed to configure firewall rules, potentially for cryptomining activities. Outbound traffic was disguised as DNS traffic and proxied to a remote server at IP address 1.1.1.1.
In a bid to maintain persistence, scheduled tasks were created to execute the batch script and potentially download malware (installed.exe) at regular intervals. The script also checked for the presence of PowerShell and downloaded and executed a second script from a malicious URL associated with the LemonDuck malware if PowerShell was detected.
If PowerShell was not present, the script manipulated the Windows Scheduler to run malicious scripts at various intervals. The attackers attempted to start a service named Ddriver and monitored command prompts, initiating a system reboot if more than 10 prompts were detected. Finally, the script deleted itself and evidence of its activities before executing another downloaded malware (installed.exe).
The malware went on to disable Windows Defender’s real-time monitoring, excluded the entire C drive from scans, and opened a port while setting up a proxy for potential command-and-control (C2) communication. Additionally, the attackers renamed malicious executables and attempted to download additional scripts via PowerShell or scheduled tasks to evade detection.
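As an added defender-side example (not from the NetbyteSec analysis or this article), the Python script below scans constructed process-creation log lines for the host-tampering steps this chain performs (hidden administrative share, Defender real-time monitoring disabled, drive-wide exclusion, firewall rule, netsh port proxy toward 1.1.1.1:53, scheduled task running a .bat, and the Ddriver service start) and flags hosts where several appear together. The log format, host names, port number and task names are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation log (Sysmon-style key=value lines), not real telemetry:
# OBS-01 shows the p.bat tampering chain, OBS-02 shows routine admin activity.
SAMPLE_LOG = r"""
2024-05-02T01:12:03Z host=OBS-01 user=SYSTEM cmdline="net share admin$=C:\ /grant:everyone,full"
2024-05-02T01:12:07Z host=OBS-01 user=SYSTEM cmdline="powershell Set-MpPreference -DisableRealtimeMonitoring $true"
2024-05-02T01:12:08Z host=OBS-01 user=SYSTEM cmdline="powershell Add-MpPreference -ExclusionPath 'C:\'"
2024-05-02T01:12:09Z host=OBS-01 user=SYSTEM cmdline="netsh advfirewall firewall add rule name=Update dir=in action=allow protocol=TCP localport=40000"
2024-05-02T01:12:10Z host=OBS-01 user=SYSTEM cmdline="netsh interface portproxy add v4tov4 listenport=40000 connectaddress=1.1.1.1 connectport=53"
2024-05-02T01:12:11Z host=OBS-01 user=SYSTEM cmdline="schtasks /create /sc minute /mo 60 /tn Update /tr C:\Windows\p.bat /f"
2024-05-02T01:12:12Z host=OBS-01 user=SYSTEM cmdline="sc start Ddriver"
2024-05-02T09:00:00Z host=OBS-02 user=alice cmdline="schtasks /create /sc daily /tn Backup /tr C:\tools\backup.exe"
2024-05-02T09:05:00Z host=OBS-02 user=alice cmdline="net share data=D:\shared"
"""

# One (tag, case-insensitive regex) per tampering step the article describes.
RULES = [
    ("hidden_admin_share", re.compile(r"\bnet1?\s+share\s+\S+\$=[A-Za-z]:\\", re.I)),
    ("defender_realtime_off", re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("defender_drive_excluded", re.compile(r"Add-MpPreference\b.*-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]?(?=\s|$)", re.I)),
    ("firewall_rule_added", re.compile(r"\bnetsh\s+(?:advfirewall\s+)?firewall\s+add\s+(?:rule|portopening)\b", re.I)),
    ("portproxy_added", re.compile(r"\bnetsh\s+interface\s+portproxy\s+add\s+v4tov4\b", re.I)),
    ("task_runs_batch", re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*\.bat\b", re.I)),
    ("ddriver_service_start", re.compile(r"\b(?:sc|net)\s+start\s+ddriver\b", re.I)),
]
CHAIN_THRESHOLD = 3  # distinct tags on one host before we call it the full chain
LINE_RE = re.compile(r'host=(?P<host>\S+).*?cmdline="(?P<cmd>[^"]*)"')

def classify(cmdline):
    """Tags of every rule the command line matches, in RULES order."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]

def scan_log(text):
    """Map each host to the set of tags seen across its process-creation lines."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m.group("host")].update(classify(m.group("cmd")))
    return hits

def flag_hosts(hits):
    """Hosts whose distinct tag count reaches CHAIN_THRESHOLD, sorted."""
    return sorted(h for h, tags in hits.items() if len(tags) >= CHAIN_THRESHOLD)

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    print({h: sorted(hits[h]) for h in flag_hosts(hits)})
```

Pair this with a network rule for traffic to port 53 that does not parse as DNS, since the port-proxy command only shows the setup, not the disguised outbound channel itself.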
An analysis by NetbyteSec uncovered msInstall.exe as a malicious executable associated with the LemonDuck variant, which targets remote systems using brute-force attacks with user/password lists to gain access. The malware exploits the EternalBlue vulnerability to achieve SYSTEM privileges, establish persistence, create scheduled tasks, and potentially modify firewall rules. Furthermore, the malware attempts to download additional scripts and utilizes Mimikatz to steal credentials for potential lateral movement within the network.
As cyber threats continue to evolve and grow in sophistication, it is crucial for organizations to implement robust security measures to protect their systems and data. By staying informed about the latest threats and adopting best practices in cybersecurity, businesses can mitigate the risk of falling victim to malicious attacks. Vigilance, proactive monitoring, and timely response are essential in combating the ever-changing landscape of cyber threats.