This is a write-up of a malware infection PEI has been engaged to address. This post is quite short for a reverse-engineering write-up, and honestly speaking, there isn’t much to reverse engineer when the malware developer is polite enough to leave behind a complete and nicely organized log file describing exactly what they did.
Finding the Malware
I started working on this in the first week of October 2017. Our customer called in and reported that a financial database was not accessible to users. A first look at vCenter revealed five line-of-business servers at 80%+ CPU utilization and the Oracle 11g database service stopped, presumably due to lack of CPU resources.
First order of business for high CPU utilization is Process Explorer (procexp) from Sysinternals; this is what I found:
SPPSCV.EXE is named to mimic the Windows Software Protection Platform service, SPPSVC.EXE; this is the core cryptocurrency miner executable.
The developer also included a well-known, commercially available (and not malicious) service manager that is capable of:
- Detecting an app crash or service stoppage, in case a user attempts to kill the process
- Re-installing the service if a user removes it
- Running a CPU watchdog over the miner so that core OS resources are not starved of CPU
Looking further through Process Explorer, we find the file resides in the C:\Windows\Fonts directory. This makes it harder for a normal user to remove, since on Windows 7, 8 and 10 this is a ‘themed’ directory and by default only font files are displayed in File Explorer.
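The two indicators above (a lookalike of the sppsvc.exe service binary, and an executable dropped into the Fonts directory that Explorer will not show) can be checked from an elevated PowerShell session instead of a GUI tool. This is an added triage script, not code from the original post; the font extension list and the lookalike pattern are my assumptions, while the SPPSCV.EXE name and the C:\Windows\Fonts location come from the write-up.

```powershell
# Added triage script (not from the original post). Assumed: run elevated on the
# suspected Windows server. It reports, rather than deletes, so findings can be
# reviewed before the service manager and miner service are stopped and removed.

$fonts = Join-Path $env:SystemRoot 'Fonts'

# 1. Files in the Fonts directory that are not fonts. Explorer hides everything
#    but fonts here, so -Force plus an extension filter shows what the shell
#    will not. The extension list is an assumption; review anything unfamiliar.
$fontExt = '.ttf', '.otf', '.ttc', '.fon', '.pfb', '.pfm', '.compositefont', '.ini', '.dat'
Get-ChildItem -Path $fonts -Force -File |
    Where-Object { $fontExt -notcontains $_.Extension.ToLower() } |
    Select-Object FullName, Length, CreationTime, LastWriteTime

# 2. Services whose binary lives under Fonts, or whose image name is a
#    three-letter variant of the real Software Protection binary (sppsvc.exe),
#    which is how the SPPSCV.EXE masquerade from the write-up would show up.
Get-CimInstance Win32_Service |
    Where-Object {
        $_.PathName -like "*$fonts*" -or
        ($_.PathName -match '(?i)\\spp\w{3}\.exe' -and
         $_.PathName -notmatch '(?i)\\sppsvc\.exe')
    } |
    Select-Object Name, State, StartMode, PathName

# 3. Running processes backed by an image under Fonts (Process Explorer's
#    view, scripted). Some protected system processes expose no Path; skip them.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "*$fonts*" } |
    Select-Object Id, ProcessName, Path, CPU
```

Anything returned by step 2 should be stopped together with its companion service manager before deletion, otherwise the watchdog described above will simply re-install it.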
Not to fear: you can use Windows Commander, WinDirStat or any other alternative file explorer to work around this. I used WinDirStat since it was already installed. I was able not only to see the executable but, handily enough, the bad guys also included an AWESOMELY complete log file.
157 MB of cleartext dating back to the exact date and time of infection (yes, that is almost 6 months ago). Pro tip: don’t open it in Notepad; that won’t work.
The malware devs were VERY thorough in logging all their actions and nice enough to include the URL and port number pointing back to their command and control center.
Looking at the traffic log, it appears we’re contacting a command and control center in France through a JSON API on a non-standard port number.
This is neat and tidy; most botnets use IRC. The problem with IRC is that nobody other than botnets uses it these days, so security-conscious organizations block the IRC protocol altogether. Using JSON API calls allows the bad guys to sneak through.
A quick WHOIS lookup of the registered domain reveals a handy phone number to contact the French registrar should you want to start your legal action.
We also see the NAME AND NUMBER of the company this domain is registered to. So yeah, you can call them! You can call and ask why they are mining bitcoin with your servers.
(I have omitted the name of the company and phone number so I don’t have to have a meeting with Legal.)
How to block malicious traffic
A more practical method to stop the attack dead in its tracks is to have your firewall admin black-hole the route to the IP address of the command and control center.
Truthfully, this infection wasn’t very hard to contain. Simply locating the service manager and the actual miner service, stopping both services and then deleting them was enough to contain the infection.
The source of infection in this case was easy to discover. One of the servers infected was a domain controller. The company only has a single sysadmin with access to the domain controller…
This attack is very different from a cryptolocker infection, mainly because it’s more of an annoyance than a full stop to your business.
This is not custom malware. Simply running Malwarebytes revealed the infection (although it could not quite remove it due to the service manager being present).
So why did the infection occur in the first place if this is a common form of malware?
No anti-virus in place. That’s really it. All that was needed to stop the infection from occurring was to install and monitor quality anti-virus software.
We can do that for you btw. Maybe we should talk… 303-974-6881.