APT38 WannaCry

APT38 WannaCry ransomware demonstrates lateral movement using EternalBlue and DoublePulsar exploits. This chain stages a shellcode payload, exploits a vulnerable SMBv1 service, install persistence, then kills running db processes, and finally delete volume shadow copies.

TTP Tuesday: APT38 - WannaCry

Stop a global ransomware outbreak with this one weird trick

Theme Overview

Our last release looked at multi-stage APT40 malware that used packed JPG files to hide malicious executables.

For this week’s TTP Tuesday we’re releasing a new APT38 themed chain based on WannaCry. In May 2017, WannaCry ransomware spread using then recently released EternalBlue and DoublePulsar exploits to unpatched Windows devices. Since the initial outbreak, WannaCry has resulted in more than $4 billion in damages and 200 000+ infected devices across 150 countries.

Kill switch

WannaCry could have been much, much worse but for some luck and quick thinking. One of the first actions WannaCry takes is to check for the existence of a kill switch domain. This a domain that, when the ransomware can resolve it, acts as the trigger for a kill switch to abort execution of the ransomware. The kill switch, discovered by security researcher Marcus Hutchins within hours of the initial outbreak, greatly reduced the number of infections and provided time for organizations to patch their systems.

This release includes a technique to simulate the malware’s request for this kill switch domain.

EternalBlue + DoublePulsar

On April 14, 2017, the Shadow Brokers leaked a number of exploits and tools allegedly developed by the NSA.

Included in the Shadow Brokers leak were two exploits that APT38 integrated into WannaCry. These exploits are EternalBlue, an SMBv1 RCE used by WannaCry for lateral movement, and DoublePulsar with is used to load and execute shellcode in the kernel. Despite Microsoft having released patches for the EternalBlue vulnerability in May 2017, more than 200 000 hosts would be infected by WannaCry.

This release includes a cross-platform PneumaEX module that uses both EternalBlue and DoublePulsar to exploit an SMBv1 service and load arbitrary shellcode in the kernel. We’re demonstrating this technique using calc.exe shellcode, but the technique can be modified to load shellcode you want. Have fun!

WanaDecryptor Persistence

WannaCry contains two different persistence techniques that we have included in this week’s release. The first persistence technique uses wscript to create a .lnk file. The release includes a technique to simulate this behaviour by downloading a PneumaEX agent from Operator and creating a .lnk file to it. The second technique, persistence via StartUp registry, also downloads a PneumaEX agent from Operator but configures a StartUp key to execute it.

Impact

After encrypting files, WannaCry kills database and email server processes. This release includes a technique to kill these processes. Next, the final technique in this week’s chain, is to delete volume shadow copies using vssadmin. Having hopefully made data recovery impossible that concludes this week’s APT38 release.

Thanks for reading! We’ll be back next week with more examples of APT38 tradecraft!

Watch a demonstration: APT38 WannaCry

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator

TTPs

Request WannaCry kill switch domain
Stage EternalBlue PneumaEX plugin payload
Exploit SMBv1 service
Install WanaCry persistence via registry
Install WanaDecryptor persistence via .lnk file
Kill database and email processes
WannaCry delete Volume Shadow Copies

Tags

destructive

User-Set Custom Variables

  • eternalblue.address: 127.0.0.1:445