Check Point found a new campaign focusing on Windows servers in Asia Pacific

Recently, security researchers from Check Point discovered a new information-stealing malware targeting Windows servers in APAC. It steals sensitive data, including login credentials, the operating system version and the IP address, and uploads the stolen data to an FTP server.

The malware, called GetVersionExA, was used in a large campaign targeting the Asia Pacific region (US, Malaysia). Analysis of the malware shows it is also related to the XMRig mining software and the Mirai botnet.

Image: checkpoint

The attacker downloads the executable file ups.rar through the C2 server (66.117.6.174) and then determines the target server's environment. Most anti-virus software is currently unable to detect the malware. “The attack continues only if the compromised machine is a Windows server.”

After that, the malware calls GetVersionExA to retrieve the operating system version, which is returned in an OSVERSIONINFOEXA structure. Based on this check, the malware does not run on the following versions:

  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Vista
  • Windows XP Professional
  • Windows XP Home Edition
  • Windows 2000 Professional

When a target running “Windows Server” is found, the C2 server sends two GET requests: one deploys the batch file (My1.bat) and triggers a fileless attack, and the other sends a request to synchronize with the C2 server to get the updated version. The batch file contains the Mirai botnet module, which the attacker has enhanced with new malicious behavior.

This new module runs PowerShell commands that connect to external URLs. It:

  1. Creates a WMI event consumer object that runs PowerShell and leverages admin permissions (privilege escalation).
  2. Tries to download and execute the following malware: “Mirai”, “Dark cloud” and the “XMRig” miner.
  3. Collects user names and passwords, along with other private information stored on the local machine, and sends them to an FTP server.
  4. Runs a JavaScript file that has already been seen in previous attacks, such as the MyKing botnet.
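The first step above, a WMI event consumer that launches PowerShell, is a permanent WMI event subscription, and those survive reboots and are easy to miss. The following script is an added defender-side check, not Check Point's code or the malware's: it lists every filter-to-consumer binding on a host and flags command-line consumers that launch PowerShell with download or encoding keywords. The keyword pattern is an assumed heuristic, not an indicator from the report.

```powershell
# Added example: enumerate permanent WMI event subscriptions and flag
# CommandLineEventConsumer entries that launch PowerShell. Run elevated.
$ns = 'root/subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Assumed heuristic (not from the report): PowerShell plus a download cradle
# or encoding keyword in the consumer's command line is worth a closer look.
$pattern = '(?i)powershell.*(DownloadString|DownloadFile|IEX|Invoke-Expression|' +
           '-enc|FromBase64String|https?://)'

foreach ($b in $bindings) {
    # With Get-CimInstance the Filter/Consumer reference properties come back
    # as CimInstance objects carrying the key property Name.
    $filterName   = $b.Filter.Name
    $consumerName = $b.Consumer.Name
    $filter   = $filters   | Where-Object { $_.Name -eq $filterName }
    $consumer = $consumers | Where-Object { $_.Name -eq $consumerName }

    # Bindings to ActiveScript/LogFile consumers are not command-line consumers;
    # still report them so nothing in root/subscription is silently skipped.
    $cmd = if ($consumer) { $consumer.CommandLineTemplate } else { '<non-command-line consumer>' }

    [pscustomobject]@{
        Filter      = $filterName
        Query       = $filter.Query
        Consumer    = $consumerName
        CommandLine = $cmd
        Suspicious  = [bool]($cmd -match $pattern)
    }
}
```

A clean server normally returns nothing here; any binding whose Suspicious column is True should be compared against the PowerShell and WMI-Activity operational logs before it is removed.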

When downloading malware, it uses the download cradle obfuscation method and retrieves the contents of http://173[.]208.139.170/s.txt. To avoid detection, it then calls another command to download a .ps1 file that runs various commands.

It can extract processor details and fetch Mimikatz from an external URL to dump all the passwords. The passwords are saved to a file and then uploaded to the FTP server controlled by the attacker.

Check Point recommends users:

  • Apply operating system and common software patches promptly, and update the anti-virus software's signature database to the latest version;
  • Do not download apps from unknown sources and do not visit potentially risky sites.