steven36 Posted January 15, 2020

The infamous blue screen of death (BSOD) on computers belonging to a company in the medical tech sector was the tell for a malware infection that spread across more than half the network. The malware was hiding its modules in WAV audio files and spread to vulnerable Windows 7 machines on the network via EternalBlue, the exploit for SMBv1 used in the devastating WannaCry and NotPetya cyber attacks from 2017.

EternalBlue and cryptojacking

Security researchers providing incident response services found that more than 800 computers had been compromised starting October 14, 2019. The discovery was possible by investigating systems that experienced a BSOD crash since that date.

With the lack of kernel memory dumps, which would have pointed to what triggered the error, the researchers from Guardicore relied on attack residue data to determine the cause. They found that infected machines accessed data in a registry key (HKLM\Software\Microsoft\Windows\CurrentVersion\Shell) and executed a rather long command, which turned out to be an unclassified, but publicly available, PowerShell script encoded with base-64.

C:\Windows\System32\WindowsPowershell\v1.0\PowerShell.exe -NonInteractive -WindowStyle Hidden -EncodeCommand JABTAEUAZgA4AGMAYQBXAGoAIAA9ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAG…==

An endpoint detection and response (EDR) platform the company installed in its attempt to solve the problem revealed that the malware-loading process consisted of deploying two processes named cscdll.dll and cscomp.dll, tasked with "compiling C# and executed when C# code is loaded and executed from memory."

The payload was a module that mines for Monero cryptocurrency using the CryptonightR algorithm. To evade detection, the authors resorted to steganography to embed it in WAV audio files. As a result, the files seem harmless but carry an extra load that is later extracted and executed on an infected host.

This exact technique was reported on October 16 last year by researchers at BlackBerry Cylance, who said that some of the audio could be played and “had no discernible quality issues or glitches.” However, Guardicore saw it integrated in a full attack flow. Another module hidden this way was tasked with scanning the network and with lateral movement. “The code implements the infamous EternalBlue exploit and spreads the malware over SMB,” reads Guardicore Lab Team’s analysis.

Weak spots

While this attack is not sophisticated, it shows that some mid-size organizations are ill-prepared to defend against a cybersecurity incident and to set up the environment to support post-infection analysis efforts.

For this particular case, the victim company used Windows 7, an operating system that on Tuesday received its last batch of updates and is no longer supported by Microsoft. This may not have been relevant for the attack, but leaving the systems unpatched for almost three years is what provided the opportunity to spread to over 50% of the network computers.

Guardicore hit some bumps during their investigation because the computers analyzed had not been configured to save kernel memory dumps, “which could have been helpful in forensics analysis and in understanding the root cause of the [BSOD] errors.”

Source
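Two of the findings above translate directly into host-side checks a defender can run: the registry key the infected machines read their command line from, and the crash-dump setting that left the investigators without kernel dumps. The script below is an added example written for this post; it is not code from the article, the forum poster, or Guardicore. It assumes an elevated PowerShell session (version 3 or later) on the Windows host being checked, and the function names (ConvertFrom-EncodedCommandLine, Get-ShellKeyFindings, Get-CrashDumpSetting) are hypothetical helpers chosen here. The registry paths are the one named in the article plus the standard CrashControl key; the sample command line at the end is constructed, not the malware's.

```powershell
# Added example (not from the article or Guardicore): defender-side triage for
# the two findings in the write-up. Run elevated; PowerShell 3+ assumed.

# --- 1. Decode a PowerShell encoded command line --------------------------
# -EncodedCommand (and prefixes such as -e, -ec, -enc) carries the script text
# as base64 of UTF-16LE, so it must be decoded with the Unicode encoding, not
# UTF-8. Returns $null when the line carries no decodable encoded command.
function ConvertFrom-EncodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Require a reasonably long base64 run so switches like "-ExecutionPolicy
    # Bypass" are not mistaken for an encoded payload.
    if ($CommandLine -match '(?i)-e(?:c|nc|ncoded?command)?\s+([A-Za-z0-9+/]{16,}={0,2})') {
        try {
            $bytes = [Convert]::FromBase64String($Matches[1])
            return [Text.Encoding]::Unicode.GetString($bytes)
        } catch {
            return $null
        }
    }
    return $null
}

# --- 2. Inspect the registry key the malware read its command line from ----
# Emits one object per value under the key, with the decoded script text when
# the value looks like an encoded PowerShell command line.
function Get-ShellKeyFindings {
    param([string]$KeyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell')
    if (-not (Test-Path -Path $KeyPath)) { return @() }
    $key = Get-Item -Path $KeyPath
    foreach ($name in $key.GetValueNames()) {
        $raw = [string]$key.GetValue($name)
        [pscustomobject]@{
            Value   = $name
            Length  = $raw.Length
            Decoded = ConvertFrom-EncodedCommandLine -CommandLine $raw
        }
    }
}

# --- 3. Check whether this host would have kept a kernel dump --------------
# CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump),
# 7 = automatic. The victims in the article had no kernel dumps to analyze.
function Get-CrashDumpSetting {
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $mode = [int]$cc.CrashDumpEnabled
    $names = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
    [pscustomobject]@{
        CrashDumpEnabled = $mode
        Mode             = $names[$mode]
        DumpFile         = $cc.DumpFile
        KernelDumpKept   = (@(1, 2, 7) -contains $mode)
    }
}

# --- Constructed sample: a harmless command line in the same shape as the one
# quoted in the article, built here so the decoder can be exercised offline.
$sampleScript = "Write-Output 'constructed sample, not the malware script'"
$sampleB64    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sampleScript))
$sampleLine   = "PowerShell.exe -NonInteractive -WindowStyle Hidden -EncodedCommand $sampleB64"
ConvertFrom-EncodedCommandLine -CommandLine $sampleLine

# Live checks on this host.
Get-ShellKeyFindings | Format-List
Get-CrashDumpSetting
```

A host that reports KernelDumpKept as $false is in the same position as the victims described above: a BSOD leaves nothing to analyze. Switching CrashDumpEnabled to 2 (kernel) with Set-ItemProperty on the CrashControl key takes effect after a reboot and needs a page file large enough to hold kernel memory, so it is best rolled out through configuration management rather than host by host during an incident.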