WannaCry ransomware’s outbreak during the weekend was mitigated by having its kill switch domain registered. It was only a matter of time, however, for other cybercriminals to follow suit. Case in point: the emergence of UIWIX ransomware (detected by Trend Micro as RANSOM_UIWIX.A) and one notable Trojan our sensors detected.
UIWIX is not WannaCry
Contrary to recent news citing UIWIX as WannaCry’s new—even evolved—version, our ongoing analysis indicates it’s a new family that uses the same Server Message Block (SMB) vulnerabilities (MS17-010, code named EternalBlue upon its public disclosure by Shadow Brokers) that WannaCry exploits to infect systems, propagate within networks and scan the internet to infect more victims.
So how is UIWIX different? It appears to be fileless: UIWIX is executed in memory after exploiting EternalBlue. Fileless infections don’t entail writing actual files/components to the computer’s disks, which greatly reduces its footprint and in turn makes detection trickier.
UIWIX is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox. Based on UIWIX’s code strings, it appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.
Here is a summary of WannaCry and UIWIX’s notable features:
| WannaCry | UIWIX | |
| Attack Vectors | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), TCP port 445 |
| File Type | Executable (EXE) | Dynamic-link Library (DLL) |
| Appended extension | {original filename}.WNCRY | ._{unique id}.UIWIX |
| Autostart and persistence mechanisms | Registry | None |
| Anti-VM, VM check, or anti-sandbox routines | None | Checks presence of VM and sandbox-related files or folders |
| Network activity | On the internet, scans for random IP addresses to check if it has an open port 445; connects to .onion site using Tor browser | Uses mini-tor.dll to connect to .onion site |
| Exceptions (doesn’t execute if it detects certain system components) | None | Terminates itself if found running in Russia, Kazakhstan, and Belarus |
| Exclusions (directories or file types it doesn’t encrypt) | Avoids encrypting files in certain directories | Avoids encrypting files in two directories, and files with certain strings in their file name |
| Network scanning and propagation | Yes (worm-like propagation) | No |
| Kill switch | Yes | No |
| Ransom amount | $300 paid in Bitcoins | $200 paid in Bitcoins |
Figure 1: Test files encrypted by UIWIX (left) and one of the ransom notes (right)
UIWIX uses a different Bitcoin address for each victim it infects. If the victim accesses the URLs in the ransom note, it will ask for a “personal code” (which is also in the ransom note), then prompt the user to sign up for a Bitcoin wallet.
Figure 2: UIWIX’s payment site
Other malware are cashing in on EternalBlue
It’s not a surprise that WannaCry’s massive impact turned the attention of other cybercriminals into using the same attack surface vulnerable systems and networks are exposed to. Apart from WannaCry and UIWIX, our sensors also detected a Trojan delivered using EternalBlue—Adylkuzz (TROJ_COINMINER.WN). This malware turns infected systems into zombies and steals its resources in order to mine for the cryptocurrency Monero.
Patch your systems and adopt best practices
UIWIX, like many other threats that exploit security gaps, is a lesson on the real-life significance of patching. Enterprises must balance how it sustains the efficiency of its business operations while also safeguarding them. IT/system administrators and information security professionals, their sentry, should enforce strong baselines that can mitigate attacks that threaten the integrity and security of their systems and networks.
Given how UIWIX uses the same attack vector as WannaCry’s, the best practices against UIWIX and other similar threats should be familiar (and intuitive):
- Patch and update your systems, and consider using virtual patching
- Enable your firewalls as well as intrusion detection and prevention systems
- Proactively monitor and validate traffic going in and out of the network
- Implement security mechanisms for other points of entry attackers can use, such as email and websites
- Deploy application control to prevent suspicious files from executing on top behavior monitoring that can thwart unwanted modifications to the system
- Employ data categorization and network segmentation to mitigate further exposure and damage to data
We will update with more details as more information from our analysis become available.
Trend Micro Solutions
Trend Micro OfficeScan™ with XGen endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against ransomware and other threats. Trend Micro’s security solutions that come with Predictive Machine Learning and all relevant ransomware protection features enabled are already protected against threats like UIWIX and WannaCry.
Trend Micro Deep Security™ and Vulnerability Protection, Deep Discovery™ Inspector, TippingPoint and Trend Micro Home Network Security protect users and businesses against these threats.
Indicators of Compromise
146581F0B3FBE00026EE3EBE68797B0E57F39D1D8AECC99FDC3290E9CFADC4FC (SHA256) — detected as RANSOM_UIWIX.A
C72BA80934DC955FA3E4B0894A5330714DD72C2CD4F7FF6988560FC04D2E6494 (SHA256) – detected as TROJ_COINMINER.WN
C72BA80934DC955FA3E4B0894A5330714DD72C2CD4F7FF6988560FC04D2E6494 (SHA256) – detected as TROJ_COINMINER.WN
Command and Control (C&C) domains related to TROJ_COINMINER.WN:
- 07[.]super5566[.]com
- aa1[.]super5566[.]com
No comments:
Post a Comment