UIWIX, the Fileless Ransomware that leverages NSA EternalBlue Exploit to spread

Pierluigi Paganini May 20, 2017

Security experts discovered a new ransomware family, dubbed UIWIX, that uses the NSA-linked EternalBlue exploit for distribution

The effects of the militarization of the cyberspace are dangerous and unpredictable. A malicious code developed by a government could create serious problems for the Internet users, the recent WannaCry massive attack demonstrates it that used the EternalBlue Exploit to spread.

Now a new ransomware, dubbed UIWIX, was discovered to be using the NSA-linked EternalBlue exploit for distribution.

UIWIX is a fileless malware discovered by experts at Heimdal security early this week while investigating on WannaCry.

Like the WannaCry, UIWIX exploits the same vulnerability in Windows SMB protocol, but the new threat has the ability to run in the memory of the infected system after the exploiting of the EternalBlue.

“As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has been spotted in the wild, exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has.” reads the analysis published by Heimdal Security.

Malware researchers at Trend Micro also investigated the UIWIX and confirmed that UIWIX is a stealthier threat that is hard to analyze, it doesn’t write files on the infected machine and it is also able to detect the presence of a virtual machine (VM) or sandbox.

“So how is UIWIX different? It appears to be fileless: UIWIX is executed in memory after exploiting EternalBlue. Fileless infections don’t entail writing actual files/components to the computer’s disks, which greatly reduces its footprint and in turn makes detection trickier.” wrote Trend Micro.

“UIWIX is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox. Based on UIWIX’s code strings, it appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.”

UIWIX is able to browser login, File Transfer Protocol (FTP), email, and messenger credentials from the infected system,

Unlike WannaCry, UIWIX leverages a Dynamic-link Library (DLL) to gain persistence.

Below a summary of WannaCry and UIWIX’s notable features reported by Trend Micro:

WannaCry UIWIX
Attack Vectors SMB vulnerabilities (MS17-010), TCP port 445 SMB vulnerabilities (MS17-010), TCP port 445
File Type Executable (EXE) Dynamic-link Library (DLL)
Appended extension {original filename}.WNCRY ._{unique id}.UIWIX
Autostart and persistence mechanisms Registry None
Anti-VM, VM check, or anti-sandbox routines None Checks presence of VM and sandbox-related files or folders
Network activity On the internet, scans for random IP addresses to check if it has an open port 445;  connects to .onion site using Tor browser  Uses mini-tor.dll to connect to .onion site
Exceptions (doesn’t execute if it detects certain system components) None Terminates itself if found running in Russia, Kazakhstan, and Belarus
Exclusions (directories or file types it doesn’t encrypt) Avoids encrypting files in certain directories Avoids encrypting files in two directories, and files with certain strings in their file name
Network scanning and propagation Yes (worm-like propagation) No
Kill switch Yes No
Autostart and persistence mechanisms Registry None
Number of targeted file types 176 All files in the affected system except those in its exclusion list
Shadow copies deletion Yes No
Languages supported (ransom notes, payment site) Multilingual (27) English only

UIWIX malware


Another interesting behavior observed by the researchers is that the malware terminates itself if the compromised computer is located in Russia, Kazakhstan, and Belarus.

The network activity of the malware leverages mini-tor.dll to connect to .onion site, meanwhile, WannaCry was scanning the Internet for random IP addresses to check if it has an open port 445 and it was connecting to .onion site using the Tor browser.

Most evident differences between WannaCry and UIWIX are:

  • UIWIX doesn’t implement the worm spreading capabilities;
  • UIWIX doesn’t include a kill-switch;
  • UIWIX uses a different Bitcoin address for each victim;

Clearly, the WannaCry attack represents a great opportunity for cyber crime ecosystem, every time a new flaw was discovered cooks try to exploit is in the attack in the wild, for example including the exploit code in crimeware kits used in hacking campaigns.

Recently we reported the case of the Adylkuzz botnet, another malware that exploited the EternalBlue exploit to spread a Monero miner.

“It’s not a surprise that WannaCry’s massive impact turned the attention of other cybercriminals into using the same attack surface vulnerable systems and networks are exposed to. Apart from WannaCry and UIWIX, our sensors also detected a Trojan delivered using EternalBlue—Adylkuzz (TROJ_COINMINER.WN). This malware turns infected systems into zombies and steals its resources in order to mine for the cryptocurrency Monero.” Trend Micro concludes.

“UIWIX, like many other threats that exploit security gaps, is a lesson on the real-life significance of patching.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – WannaCry, UIWIX)

[adrotate banner=”13″]

you might also like

leave a comment