General Explanation
Type: Trojan
Degree of destruction: high
Prevalence: High
Used vulnerability: CVE-2017-0146 / MS17-010 (EternalBlue)
What is a Trojan?
Trojans are a type of malware that presents itself as legitimate, useful software and often behaves like functional software, but once executed causes serious damage to the system. Software downloaded from the internet, code embedded in HTML pages, email attachments, etc. are some of the ways Trojans enter a system. Unlike viruses and computer worms, Trojans cannot reproduce themselves.
What is Sisco’s malware?
Sisco’s malware is a mining malware in the Trojan category. It takes control of the system by installing a bot in the form of a service that receives instructions from the attacker, and it mines cryptocurrency on the victim’s system. For this reason its degree of destruction in the long run can be high. The malware also elevates its privileges for future malicious operations by creating a user account named mml23$ on the system and placing it in the Administrators group.
Technical Explanation
Signs of infection
The main file of the malware is a DLL which enters the victim’s system through the EternalBlue vulnerability and the DoublePulsar backdoor and executes as a child of a system process (generally lsass.exe).
Explaining the function of the main file of the malware:
This DLL creates a user account with the following information:
- User: mml23$
- Pass: bengal1!
- Group: Administrators
It also acts as a downloader: the DLL has two export functions, each of which, when called, downloads one malware file.
Immediately after the first function (urldown) is called, a file named x86.exe is downloaded from the following address:
http://k.honker[.]info:8/x86.exe
This file is stored in the Windows folder under the fake name conhost.exe.
Note: the legitimate conhost.exe is a standard Windows component that normally resides in the system32 folder.
By calling the second function (urldown1), a file named madk.exe is downloaded from the following address:
http://k.honker[.]info:8/madk.exe
This file is stored in the Windows folder under the fake name smss.exe.
Explaining the function of x86.exe:
A DLL with a random name is created in the following path and registered as a service:
[Root]:\Program Files\NetMeeting\[Random].dll
Then it searches the running-process list for 360tray.exe, a process belonging to the Chinese antivirus 360Safe. If this antivirus is running, the malware terminates. This strongly suggests the attacker is Chinese and deliberately excludes China from infection. If the antivirus process is not running on the victim’s system, the malware service, named lsass, is registered in the registry. This service is a bot.
The C&C control codes of the malware service and their functions:
| Control Code | Function |
| --- | --- |
| 01 | Updating or removing the malware service |
| 02 | Reading the service information from the victim’s system registry |
| 03 | Connecting to the mining pool server post.f2pool.info |
| 05 | Removing the attacker’s chosen System, Application and Security logs from the system Event Log |
| 06 | Downloading a specific file |
| 08 | Changing the “Shell open command” setting for the IE browser |
| 0A | Applying changes to tokens related to WinSta0\Default |
| 0C | Searching for a process in the running-process list |
| 0E | Changing proxy settings |
From code 0A it can be concluded that the attacker uses this command together with the mml23$ user account to manipulate whatever permissions he/she wants on the victim’s system.
Explaining the function of madk.exe:
Creates a file named conhost.exe in the following path:
[Root]:\Windows\Fonts\conhost.exe
Creates the following service:
- Service name: MetPipAtcivator
- Service path: [Root]:\windows\Fonts\svchost.exe
- DisplayName: Network Location Service
- Description: Provides performance library information from Windows Management.
If this service already existed on the victim’s system, it is removed first.
The MetPipAtcivator service executes immediately, which runs the conhost.exe file located in the Fonts folder.
The following service then executes rundllhost.exe, which is created by the conhost.exe file:
- Service name: SetPipAtcivator
- Service path: [Root]:\windows\Fonts\svchost.exe
- DisplayName: WMI Performance Services
- Description: Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
The rundllhost.exe file is the bitcoin miner and communicates with the following servers:
- max.csrss.website:80
- l.csrss.website:14444
The duties of the conhost.exe file:
- Preventing the execution of monitoring processes such as autoruns.exe, perfmon.exe, procexp.exe, ProcessHacker.exe and rundll32.exe.
- Creating a file named [Root]:\Windows\Fonts\rundllhost.exe
Note: the newest versions of this malware contain changes, which are described in detail below:
Signs of infection in the newest versions of Sisco’s malware:
In the new version all activities are the same as before, except that the malware downloads a file named smss.exe by calling the second function (urldown1). This file is stored in the Windows folder under the name smss.exe.
Signs of infection by smss.exe:
- System slowness caused by the running cryptocurrency miner.
- Existence of hidden, system-attribute exe files in the system Fonts path.
- Existence of a folder named Mysql in the system Fonts path.
- Existence of two running services named MetPipAtcivator and SetPipAtcivator.
- The lanmanserver service stopped and removed.
- Removal of all configured policies on the system and addition of a suspicious policy. If the user runs "netsh IPsec static show all" at the command line, a policy named Aliyun can be seen among the connection policies. Note that the policy name varies between variants of this malware. An obvious sign of this policy is that it closes ports 445, 135 and 139.
- Interference with 32-bit processes on 64-bit systems.
Explaining the function of the smss.exe file:
Initially, smss.exe checks the target system in order to remove traces of previous versions of the malware and replace them with the newest version. The services deleted from the system by the malware are as follows:
- MetPipAtcivator (belongs to the oldest version)
- SetPipAtcivator (belongs to the oldest version )
- mssecsvc2.0, mssecscv2.1 (for wannacry ransomware)
- lanmanserver (Windows standard server for sharing files and resources)
This malware also removes the user named mml23$, which was created by the oldest version of the malware.
In this step the malware attempts to close monitoring applications such as Procmon, Process Explorer and Process Hacker by searching the running applications. From this step on, the malware places its new service files on the target system.
First, it installs and executes one of its files in the system Fonts path as the MetPipAtcivator service. Then it takes access to cscript.exe, which it needs in order to execute its scripts; if the victim has applied access restrictions to this application, the malware bypasses them in this way.
The same operation is performed for the WScript.exe file. If settings exist in the registry for these files under which a specific program controls their execution, the malware removes those settings from the registry.
In the next step it first kills any running PowerShell process, then takes ownership of the powershell.exe file as the administrator and grants the administrator full access to the file. After these changes it removes the system’s access to this file. Next, it takes ownership of the hosts file in the %windir%\system32\drivers\etc path. This file maps the host names of the sites the user connects to onto IP addresses. The malware grants full access to this file to all members of the Users group and finally hides the file. Then it flushes the user’s DNS cache by running the ipconfig /flushdns command.
The malware’s next action is removing all of the victim’s system IPsec policies with the following command:
netsh IPsec static del all
Then it applies its own policy to the system:
netsh IPsec static add policy name=Aliyun
In the next step the malware clears its territory of other malware, especially miners. Notably, it executes the command "taskkill /f /t /im services.exe", one of the most dangerous commands, which causes almost all system services to fail; it then runs the "sc stop services" and "sc delete services" commands to remove those services so they can no longer run. The next malware command is "taskkill /f /t /im splwow64.exe"; the splwow64.exe process is responsible for connecting 32-bit processes to the corresponding 64-bit system services.
The malware also deletes each of these services, marks its own service files as hidden, read-only and system, and then restricts the user’s access to those files. After applying these settings it proceeds to download new malware.
Here is the path that the file will be placed in:
%windir%\fonts\Mysql
The functions of the downloaded files are as follows:
The activities of ctfmon.exe:
This file removes the legitimate Mysql and Mssql services by executing some commands, replaces their files with its own, and restarts the service.
Then, by registering a scheduled task, it reruns this command every day at a specific time.
The tasks that the malware creates can be recognized in the task list as *Group*, *fost* or *At*.
After registering its scheduled tasks, this file proceeds to clear its territory of other malware.
The activities of the mks.exe file:
This file changes the system security policies with the SecEdit command and configures them as it desires.
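The following host triage script is an added example and is not code from the original report or from Padvish; in one read-only pass it checks for the artifacts listed under "Signs of infection" above (account, services, Fonts folder, lanmanserver, IPsec policy) and for the hosts file, powershell.exe ownership and scheduled-task changes described for smss.exe and ctfmon.exe. It assumes an elevated PowerShell 5.1+ session on a Windows host with the LocalAccounts and ScheduledTasks modules; the function and variable names are my own.

```powershell
# Added triage script, not from the original report. Read-only checks for the
# artifacts the report attributes to this malware; run in an elevated
# PowerShell 5.1+ session. Function and variable names are my own.
function Test-SiscoArtifacts {
    $fonts = Join-Path $env:windir 'Fonts'
    $hostsFile = Join-Path $env:windir 'System32\drivers\etc\hosts'
    $psExe = Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\powershell.exe'
    $findings = New-Object System.Collections.Generic.List[string]

    # Backdoor account the DLL adds to the Administrators group
    if (Get-LocalUser -Name 'mml23$' -ErrorAction SilentlyContinue) {
        $findings.Add('local user mml23$ exists')
    }
    # Persistence services (the report spells them Atcivator; Activator is matched too)
    Get-Service | Where-Object { $_.Name -match '^(Met|Set)PipA(tc|ct)ivator$' } |
        ForEach-Object { $findings.Add("service $($_.Name) present, status $($_.Status)") }
    # Legitimate lanmanserver service that the new version stops and deletes
    $lanman = Get-Service -Name lanmanserver -ErrorAction SilentlyContinue
    if (-not $lanman -or $lanman.Status -ne 'Running') {
        $findings.Add('lanmanserver is missing or not running')
    }
    # Hidden/system executables and the Mysql folder dropped under the Fonts folder
    Get-ChildItem -Path $fonts -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("executable in Fonts: $($_.Name) [$($_.Attributes)]") }
    if (Test-Path (Join-Path $fonts 'Mysql')) { $findings.Add('Fonts\Mysql folder exists') }
    # IPsec policy added after the existing ones are deleted (name may vary by variant)
    $ipsec = (netsh ipsec static show all 2>&1) | Out-String
    if ($ipsec -match 'Aliyun') { $findings.Add('IPsec policy "Aliyun" is defined') }
    # hosts file hidden, and powershell.exe ownership taken away from TrustedInstaller
    $hostsItem = Get-Item -Path $hostsFile -Force -ErrorAction SilentlyContinue
    if ($hostsItem -and ($hostsItem.Attributes -band [IO.FileAttributes]::Hidden)) {
        $findings.Add('hosts file has the Hidden attribute')
    }
    $owner = (Get-Acl -Path $psExe -ErrorAction SilentlyContinue).Owner
    if ($owner -and $owner -notmatch 'TrustedInstaller') {
        $findings.Add("powershell.exe owner is $owner")
    }
    # Scheduled tasks registered by ctfmon.exe (exact names taken from the report)
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -match '^(Group|fost|At)$' } |
        ForEach-Object { $findings.Add("scheduled task $($_.TaskName), state $($_.State)") }
    return $findings
}

$result = Test-SiscoArtifacts
if ($result.Count -eq 0) { 'No artifacts from this report were found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Because the policy name and dropped file names vary between variants, treat an empty result as "none of the listed indicators found" rather than as a clean host.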
How to deal with it and disinfect the system
Padvish Antivirus detects this malware and removes it. To prevent possible infection by this malware, which uses the EternalBlue vulnerability, it is recommended to apply the security patch provided by Microsoft (MS17-010). The Padvish Antivirus IPS also detects these types of vulnerabilities and prevents them from entering the system.