Malware Propagation — SMB Vuln Exploitation
WannaCry also tries to propagate to the network by actually exploiting the SMB EternalBlue vulnerability. The exploit used is the DoublePulsar which was initially developed by the NSA and was later leaked by a hacking group called Shadow Brokers. We will now take a look at how the WannaCry leverages the vulnerability to exploit it and propagates to the network like a worm.
The WannaCry dropper, if executed without the command line arguments which we saw earlier, that malware was checking, will try to propagate to the network which it does by opening the service “mssecsvc2.0” having the full access permissions, it then changes the service configuration by calling the ChangeServiceConfig2A function and later calls the StartServiceCtrlDispatcherA function.
StartServiceCtrlDispatcherA starts the control dispatcher thread. The dispatcher thread returns whenever there’s an error and when all the processes have been terminated. Below code registers the Service Control Handler and starts up a thread that contains the exploit payload.
The malware spreads by setting up a Windows sockets API and uses Windows default Cryptography Service Provider (CSP) “Microsoft Base Cryptographic Provider 1.0” to generate a crypto algorithm which is later used to generate random numbers by calling CryptGenRandom function.
Below is the image which initiates the thread containing the payload to transfer to other machines and for this malware calls the GetAdaptersInfo function on the local machine to get the IPs located inside the function named _LAN_config.
The below code contains a call to the _getAdaptersInfo which contains information about the network adapter on the machine and one of the members IpAddressList provides the list of the IP addresses associated with the particular network adapter. So, the malware after enumerating a network adapter on the system and identifying their respective IP addresses on a network, starts a thread and attempts to connect to the IP on port 445 and attempts to exploit an SMB vulnerability. Kindly, refer to the https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 for more info on the vulnerability.
If connection succeeds, it proceeds by negotiating to get the SMB tree ID. It then makes 5 attempts to send a packet based on the ETERNALBLUE (MS17–010) exploit.
The response that it expects from the target is a value of 0x51 found in the response data.
This means that it signals that the exploit was successful and that it can send the payload containing this Wannacrypt malware file using the DOUBLEPULSAR shellcode. The payload is then encrypted using simple byte XOR before it gets into the target computer.
File Encryption Summary:
- Ransomware Executable Imports its RSA Private Key from .data section to Decrypt a Payload DLL to File t.wry.
- Payload DLL Generates a New RSA Key Pair.
- New RSA Public Key is saved to 00000000.pky.
- New RSA Private Key is encrypted by CryptEncrypt API by using Payload DLL’s RSA Public Key from its .data section.
- Encrypted RSA Private Key is saved to 00000000.eky.
- Payload DLL Finds the Target Files and generates one AES Key per File.
- Payload DLL uses NEW Public RSA Key from 00000000.pky to Encrypt AES Key of target File and saves Encrypted AES Key to the target File.
- Payload DLL AES Encrypts the target File and writes it to new File with .WCRY Extension.
- To decrypt the files, the WANNACRY Decryptor looks for 00000000.dky file which contains the RSA Private Key from Malware Authors.
- RSA Private Key from Malware Authors can be used to Decrypt AES Key per File, then Decrypt each File using AES Keys.
Adding Up the Cost of WannaCry:
Over a year after the initial ransomware attack, WannaCry is still making headlines and causing residual damage. The National Health Service (NHS) has revealed WannaCry costs totaled more than $100 million.
According to estimates from the UK’s Department of Health and Social Care, the initial damages from the attack were about $25 million, but the bulk of the costs came in the aftermath at around $94 million related to IT support and restoring data and systems.
WannaCry hit thousands of organizations in over 150 countries, demanding a ransom equal to roughly $300 per attack.
However, the vast majority of the financial burden came in the months following the attack, with an estimated £72m spent across June and July 2017 in order to fix the damage and help ensure that systems were more secure in future.
Vulnerability disclosure
The specific vulnerability that it uses to propagate is ETERNALBLUE.
This was developed by “equation group” an exploit developer group associated with the NSA and leaked to the public by “the shadow brokers”. Microsoft fixed this vulnerability March 14, 2017. They were not 0 days at the time of release.
