vurrealtor.blogg.se

Comodo Dragon browser reviews
In this series of articles, I am going to explain how different malware families implement EternalBlue and how they take advantage of it. EternalBlue is an exploit developed by the NSA and leaked by the Shadow Brokers hacker group on April 14, 2017. It became widely known when it was used as part of the worldwide WannaCry ransomware attack on May 12, 2017. This exploit takes advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol (CVE-2017-0143): sending crafted packets over SMBv1 allows arbitrary code execution on the target system.

In this post, I am going to analyze Trickbot's wormDll32 module, which allows Trickbot to spread using EternalBlue. As is usual in Trickbot modules, the DLL has 4 exports:

This module tries to infect all the devices in the same domain as the infected machine using EternalBlue. The export that starts the malicious operations is Control.

When the new thread is created, the module enumerates all the servers from the same domain using NetServerEnum. Then, it obtains the IP of the hosts using the gethostbyname and inet_ntoa functions. With this info, the OpenSocket_ThenEternalBlue function is called. This function performs socket operations in order to establish communication with the targeted machine. If everything works as expected, the EternalBlue infection starts:

First, the module checks the OS version. If the version contains one of these strings, it will try to infect the device:

Then, the function creates the required structures to perform the EternalBlue attack and takes advantage of the vulnerability. The final stage of this process is to inject a shellcode into the targeted system. This module contains two shellcodes, one for 32-bit systems (left) and the other for 64-bit systems (right). Both shellcodes contain a malicious URL from which the malicious code will be downloaded.

The examples given here come from the x86 shellcode. The first one is the Ring 0 part, which gets ready to perform a Ring 3 APC injection into the targeted process in order to execute the malicious Ring 3 code (if the injection is performed into lsass.exe or services.exe, the code will run with System privileges). Doing a little research, it was found that the initial part of the shellcode corresponds to this code:

This is the first part of the Trickbot shellcode. Comparing Trickbot's shellcode with the original shellcode from GitHub, it can be noticed that the original one does not perform an APC injection into the lsass.exe process, as Trickbot's does. The EternalBlue POC can be found in this GitHub: