Our last release looked at multi-stage APT40 malware that used packed JPG files to hide malicious executables.
For this week’s TTP Tuesday we’re releasing a new APT38 themed chain based on WannaCry. In May 2017, WannaCry ransomware spread to unpatched Windows hosts using the then recently leaked EternalBlue exploit and DoublePulsar implant. Since the initial outbreak, WannaCry has been blamed for an estimated $4 billion in damages and more than 200,000 infected devices across 150 countries.
WannaCry could have been much, much worse but for some luck and quick thinking. One of the first actions WannaCry takes is to try to reach a kill switch domain: if an HTTP request to that domain succeeds, the ransomware exits before encrypting anything; only if the request fails does it continue. Security researcher Marcus Hutchins spotted the then unregistered domain within hours of the initial outbreak and registered it, which sinkholed the check, greatly reduced the number of new infections and bought organizations time to patch their systems. One caveat worth knowing: the malware made the request directly rather than through the system proxy, so hosts that could only reach the internet via a proxy never hit the kill switch and were encrypted anyway.
This release includes a technique to simulate the malware’s request for this kill switch domain.
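The following is an added example (not Prelude's code and not the real WannaCry routine) that emulates the kill switch logic described above: any HTTP reply, including an error status from a sinkhole, aborts execution, while a failed connection lets the payload continue. The URL is a placeholder, and the request is deliberately made without a proxy to mirror the original behaviour on proxy-only networks.

```python
"""Emulation of WannaCry's kill switch check. Added example, not Prelude's
code. The URL is a placeholder, not the real WannaCry domain."""
import urllib.error
import urllib.request

# Placeholder kill switch URL (assumption). The .invalid TLD never resolves, so
# running this stand-alone takes the "continue" branch, exactly as the real
# domain did before it was registered.
KILL_SWITCH_URL = "http://killswitch.example.invalid/"


def _direct_open(url, timeout):
    """Open the URL without any proxy. WannaCry made its request direct, so on
    proxy-only networks the check failed and the payload ran anyway."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    return opener.open(url, timeout=timeout)


def kill_switch_engaged(url, timeout=5.0, opener=_direct_open):
    """Return True if the kill switch host answered at all.

    The malware never inspected the response body, so any HTTP reply (even a
    404 from a sinkhole) counts; only a failed connection lets it continue.
    `opener` is injectable so the logic can be exercised offline.
    """
    try:
        with opener(url, timeout):
            return True
    except urllib.error.HTTPError:
        return True   # server answered with an error status: still a response
    except (urllib.error.URLError, OSError, ValueError):
        return False  # DNS failure, refused connection, timeout, bad URL


def decide(url, opener=_direct_open):
    """Mirror the branch the ransomware takes after the check."""
    return "abort" if kill_switch_engaged(url, opener=opener) else "continue"


if __name__ == "__main__":
    # With the unresolvable placeholder this takes the "continue" branch.
    print(decide(KILL_SWITCH_URL))
```

When you simulate this in a lab, point it at a domain you control and watch both branches: a registered, answering host should make the agent abort, and the same host taken offline (or a resolver that returns NXDOMAIN) should let it continue.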
On April 14, 2017, the Shadow Brokers leaked a number of exploits and tools allegedly developed by the NSA.
Included in the Shadow Brokers leak were two tools that APT38 integrated into WannaCry: EternalBlue, an SMBv1 remote code execution exploit that WannaCry uses for lateral movement, and DoublePulsar, a kernel-mode backdoor that EternalBlue installs and that is then used to load and execute shellcode in the kernel. Microsoft had patched the EternalBlue vulnerability in March 2017 (MS17-010), two months before the outbreak, yet more than 200,000 hosts were still infected by WannaCry.
This release includes a cross-platform PneumaEX module that uses both EternalBlue and DoublePulsar to exploit an SMBv1 service and load arbitrary shellcode in the kernel. We’re demonstrating the technique with shellcode that launches calc.exe, but it can be modified to load whatever shellcode you want. Only run it against hosts you own that have deliberately been left unpatched for MS17-010: a failed EternalBlue attempt can crash the target. Have fun!
WannaCry uses two different persistence techniques, and we have included both in this week’s release. The first uses wscript to run a script that creates a .lnk file; the release simulates this behaviour by downloading a PneumaEX agent from Operator and creating a .lnk file that points to it. The second, persistence via a StartUp registry key, also downloads a PneumaEX agent from Operator but configures a StartUp key to execute it.
After encrypting files, WannaCry kills database and email server processes (these services hold their data files open, which would otherwise block encryption). This release includes a technique to kill these processes. The final technique in this week’s chain deletes volume shadow copies using vssadmin; vssadmin needs an elevated context, so run this step from an agent with administrative privileges. With data recovery hopefully made impossible, that concludes this week’s APT38 release.
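For the defensive side of the two persistence techniques and the two post-encryption techniques above, here is an added detection example (not Prelude's code) run over constructed Sysmon-style events. It goes slightly beyond the text by also catching the wmic route to shadow copy deletion, and it assumes Sysmon field names (Image, CommandLine, TargetFilename, TargetObject, Details); the sample events, host names and paths are constructed, not captured from a real infection.

```python
"""Detection of the persistence and post-encryption behaviours above, run over
constructed Sysmon-style events. Added example, not Prelude's code."""
import re
from collections import defaultdict

# Process names WannaCry killed after encryption (MySQL, SQL Server, Exchange);
# "sqlserver.exe" is the name the malware used, "sqlservr.exe" the real binary.
DB_MAIL_IMAGES = ("mysqld.exe", "sqlwriter.exe", "sqlserver.exe", "sqlservr.exe",
                  "msexchange", "microsoft.exchange")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Temp|AppData|ProgramData|Users\\Public)\\", re.IGNORECASE)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev):
    """Sysmon event 1 (process create): shadow copy deletion or DB/mail kills."""
    image = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        return "shadow_copy_deletion"
    if image == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd:
        return "shadow_copy_deletion"      # the wmic route to the same end
    if image == "taskkill.exe" and "/im" in cmd and any(t in cmd for t in DB_MAIL_IMAGES):
        return "db_mail_process_kill"
    return None


def check_file(ev):
    """Sysmon event 11 (file create): a script host dropping a .lnk."""
    if (_basename(ev.get("Image", "")) == "wscript.exe"
            and ev.get("TargetFilename", "").lower().endswith(".lnk")):
        return "lnk_persistence_via_wscript"
    return None


def check_registry(ev):
    """Sysmon event 13 (registry value set): Run key pointing at a user-writable path."""
    if (RUN_KEY_RE.search(ev.get("TargetObject", ""))
            and USER_WRITABLE_RE.search(ev.get("Details", ""))):
        return "run_key_persistence"
    return None


CHECKS = {1: check_process, 11: check_file, 13: check_registry}


def classify(ev):
    check = CHECKS.get(ev.get("EventID"))
    return check(ev) if check else None


def triage(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours. One alone is noisy
    (admins run vssadmin, installers write Run keys); the combination is not."""
    per_host = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host[ev.get("Computer", "?")].add(tag)
    return {host: sorted(tags) for host, tags in per_host.items() if len(tags) >= threshold}


# Constructed sample telemetry (not captured from a real infection).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill.exe /f /im mysqld.exe"},
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\ProgramData\qwe\decrypt.lnk"},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\qwe",
     "Details": r"C:\ProgramData\qwe\svc.exe"},
    # Benign noise on another host: listing shadows, a vendor Run key in Program Files.
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 13, "Computer": "WS02",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # only WS01 clears the threshold
```

Running the Operator chain against a lab host with Sysmon forwarding enabled is a good way to confirm that all four tags fire for that host; if the shadow copy step is missing, check first whether the agent was actually running elevated.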
Thanks for reading! We’ll be back next week with more examples of APT38 tradecraft!
Watch a demonstration: APT38 WannaCry
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg