As promised, I’m finally following up a bit more on the worm that has been so very effective at spreading all the recent strains of WANNACRY and now UIWIX. Since I’ve yet to see it having been given a name, I’ll be calling the worm COBALTTIDE.
For this analysis we’ll be looking at the sample with the MD5 hash db349b97c37d22f5ea1d1841e3c89eb4. I chose to start here for a couple of reasons: first, it was one of the earlier samples and has had time to get looked at pretty thoroughly. Second, this sample and the variants that followed right after it all share the same IMPHASH of 9ecee117164e0b870a53dd187cdd7174. Why is the Import Hash significant? Because it shows that the core of the malware is staying the same and that only smaller functionality tweaks are being made in each follow-on version.
Overall Infection Life Cycle
Below is a quick execution flow for WANNACRY’s life cycle as a whole, courtesy of Amanda Rousseau at ENDGAME Inc:
I used this graphic to demonstrate the overall life cycle of the malware in order to get some scope/perspective. For this post however, we’ll specifically be focusing on the COBALTTIDE worm that it uses to propagate.
First, we’ll take a look at the initial step in the process, which is the kill switch domain check. This feature was most likely implemented to halt the spread of the malware should something go wrong, but it could also function as an anti-sandboxing technique (within a sandbox environment it might not be able to connect out normally, causing it to exit and thwarting analysis). So once on the system and executed, this is the first check that is performed:
Fellow researcher Didier Stevens also made a great observation: the 2nd argument passed to InternetOpenA is “1”, which corresponds to INTERNET_OPEN_TYPE_DIRECT. This means it resolves host names locally over a direct internet connection. Why is this important? Because it shows that this sample isn’t proxy aware. Machines whose internet access goes through a proxy don’t have the direct connection COBALTTIDE is looking for; they will therefore be unable to resolve the now sink-holed kill switch URL, and COBALTTIDE will continue its execution regardless of the fact that the domain now actually does exist. This matters because most large organizations (corporations, government, etc.) proxy their traffic and thus would still be vulnerable.
Once the URL check fails, COBALTTIDE then needs to get the worm payload binary onto the system. It does this by opening two buffers into which it injects the payload DLLs from the .data section of the worm. The payload DLLs come in both x86 and x64 variants. Once loaded, it copies the rest of the worm binary along with them. All of this is written to disk as “C:\WINDOWS\mssecsvc.exe” and executed.
Scanning and SMB-based Propagation
Once executed, COBALTTIDE creates two threads: one to scan the local network it finds itself on, and the other to scan randomly generated IPs on the open internet.
In order to begin scanning the LAN it first needs to know the IP range of the local network, which it obtains by calling the GetAdaptersInfo function. Once it has the range it creates an array of every possible IP within that range to be scanned.
For each active IP address in the scanned range, COBALTTIDE attempts to connect on port 445 (SMB). If the connection succeeds it pushes ETERNALBLUE and attempts exploitation.
The internet-scanning thread essentially does the same thing; it just selects IP address ranges differently. To perform the scan, COBALTTIDE generates random IP addresses whose first octet is neither 127 nor greater than 224 (so that loopback addresses are never scanned) and again attempts connections over port 445.
If a connection succeeds, the entire /24 subnet for that address is then scanned. It attempts to throw ETERNALBLUE at every available connection it finds, thus creating hop points into new networks and starting the infection cycle over again.
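As an added example (not code from the original post), here is how a defender might spot this two-phase scan in connection telemetry: the script reads constructed connection-log lines and flags any host that touches many distinct IPs on 445, counting how many destinations lie outside private address space (the internet thread) and how many /24s were swept densely (the LAN sweep and the hop-point /24 sweep described above). The log format, the sample addresses and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not real telemetry), format "<epoch> <src> <dst> <dport> <outcome>".
# 10.0.0.5 sweeps its own /24 on 445, probes random internet hosts, and once 203.0.113.7
# answers it sweeps all of 203.0.113.0/24; 10.0.0.9 is a normal file-share client.
SAMPLE_LOG = (
    [f"1494936{i:03d} 10.0.0.5 10.0.0.{i} 445 refused" for i in range(1, 21)]
    + ["1494936100 10.0.0.5 192.0.2.44 445 timeout",
       "1494936101 10.0.0.5 198.51.100.77 445 timeout",
       "1494936102 10.0.0.5 203.0.113.7 445 accepted"]
    + [f"1494936{200 + i} 10.0.0.5 203.0.113.{i} 445 refused" for i in range(1, 31)]
    + ["1494936300 10.0.0.9 10.0.0.20 445 accepted",
       "1494936301 10.0.0.9 10.0.0.21 445 accepted"]
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True if ip lies in private address space; outbound SMB to anything else is a red flag."""
    return any(ip in net for net in RFC1918)

def analyze_smb_scanning(lines, min_targets=10, sweep_size=16):
    """Per-source stats for hosts that contacted >= min_targets distinct IPs on 445:
    distinct targets, distinct /24s touched, destinations outside RFC1918 space, and
    /24s in which >= sweep_size hosts were probed (a LAN or hop-point sweep)."""
    targets = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != "445":
            continue
        targets[parts[1]].add(ipaddress.ip_address(parts[2]))
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        per_net = defaultdict(int)
        for dst in dsts:
            per_net[ipaddress.ip_network(f"{dst}/24", strict=False)] += 1
        report[src] = {
            "targets": len(dsts),
            "subnets": len(per_net),
            "external_targets": sum(1 for d in dsts if not is_rfc1918(d)),
            "swept_subnets": sum(1 for n in per_net.values() if n >= sweep_size),
        }
    return report

if __name__ == "__main__":
    for src, stats in analyze_smb_scanning(SAMPLE_LOG).items():
        print(src, stats)
```

A source with both external 445 targets and at least one densely swept /24 matches the worm's pattern far better than a file-share client, which talks repeatedly to a handful of internal servers.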
Upon successful execution, COBALTTIDE uses a modified version of DOUBLEPULSAR to drop the ransomware dropper payload. If you’d like further information on DOUBLEPULSAR, the folks over at Countercept have written a fantastic piece on it.
Thanks for reading and I’ll see you next time!