Introduction
Late last year, Marco Ramilli posted an article on in-memory Powershell-WMI CryptoWorm. Here at SentinelOne, we found a new active variant of this spreading CryptoWorm. In this post we will review what’s new in this variant and suggest how to remove it from an infected network.
What’s new in this version?
Communication
This CryptoWorm communicates through HTTP. It uses an IP address for the main server and DNS addresses as a fallback.
Figure 1 – Command-and-Control Servers Fallback
The malicious addresses are 195.22.127.93 and the subdomains of windowsdefenderhost.club (port 8000). Unlike the CryptoWorm previous version, this time the server replies with 403 Forbidden HTTP error code if content is downloaded outside of Powershell. The worm can also get updated from its CNC server. It checks its own version and compares it to the version written in the ver.txt file on the server. If higher version is available, it will download it and update itself.
Figure 2 – Version Control
Right now, the CryptoWorm version is 1.4. It has 2 Powershell scripts, one for each operating system architecture: info3.ps1 for 32bit, and info6.ps1 for 64bit.
Persistency
The malware uses WMI timer method for persistence. It sets a timer and uses WMI Event Consumer. The current version uses the names `SCM Events Log Filter`, `SCM Events Log Consumer` for the timer and the event consumer. The previous version used `SCM Event Filter` and `SCM Event Consumer` respectively.
Spreading
Like the older version, this worm uses few methods in order to spread across the network. It steals credentials by issuing Invoke-ReflectivePEInjection and loading Mimikatz.
Afterwards it spreads using Invoke-WMIExec and Eternal Blue implemented in Powershell. Finally, it runs remote installation command on the remote machine.
Block SMB Connections
The CryptoWorm blocks incoming SMB connections to the infected machines. Probably in order to prevent other types of malware from spreading using the same methods, deleting the CryptoWorm or utilizing the CPU.
Figure 3 – Firewall Blocking Rules
Conclusion
SentinelOne customers should not worry from any version of this CryptoWorm because SentinelOne agent detects and blocks it using the Behavioral AI engine starting from version 2.0. For readers who don’t have SentinelOne, here is an explanation how to remove this CryptoWorm from their network:
It’s a cumbersome process to run the same command on all the network computers simultaneously. Because of that, the most difficult part of removing a worm from your network is preventing it from spreading back from other computers to the newly cleaned computer.
Therefore, in order to remove this worm, it’s first recommended to blacklist its remote command lines. This measure will prevent it from spreading back again.
Afterwards, we recommend to kill the CryptoWorm Powershell process, remove its firewall rules and also the WMI timer filter and the WMI event consumer.
Here is a remover PS script that deletes the firewall rules and removes the WMI entries. It should be run as administrator.
At the Appendix, we detail the relevant command lines and IPs to block.
Demo
In this demo, we run fileless CryptoWorm, which is downloaded from its real CNC straight into memory.
It can be seen how SentinelOne agent detects and blocks it.
Appendix
IOCs
Malicious IP and domain addresses:
- 195.22.127.93
- windowsdefenderhost.club
Malicious files (SHA1 hashes):
- Info3.ps1 – 266D7C2E7F48EB0C1778EBCF76658575982BA41E
- Info6.ps1 – ABAAC4E9005BFE692AA583DDBD10AA5429E49F87
Malicious Command Lines
Available here.