Pierluigi Paganini
May 20, 2017
The effects of the militarization of the cyberspace are dangerous and unpredictable. A malicious code developed by a government could create serious problems for the Internet users, the recent WannaCry massive attack demonstrates it that used the EternalBlue Exploit to spread.
Now a new ransomware, dubbed UIWIX, was discovered to be using the NSA-linked EternalBlue exploit for distribution.
UIWIX is a fileless malware discovered by experts at Heimdal security early this week while investigating on WannaCry.
Like the WannaCry, UIWIX exploits the same vulnerability in Windows SMB protocol, but the new threat has the ability to run in the memory of the infected system after the exploiting of the EternalBlue.
“As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has been spotted in the wild, exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has.” reads the analysis published by Heimdal Security.
Malware researchers at Trend Micro also investigated the UIWIX and confirmed that UIWIX is a stealthier threat that is hard to analyze, it doesn’t write files on the infected machine and it is also able to detect the presence of a virtual machine (VM) or sandbox.
“So how is UIWIX different? It appears to be fileless: UIWIX is executed in memory after exploiting EternalBlue. Fileless infections don’t entail writing actual files/components to the computer’s disks, which greatly reduces its footprint and in turn makes detection trickier.” wrote Trend Micro.
“UIWIX is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox. Based on UIWIX’s code strings, it appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.”
UIWIX is able to browser login, File Transfer Protocol (FTP), email, and messenger credentials from the infected system,
Unlike WannaCry, UIWIX leverages a Dynamic-link Library (DLL) to gain persistence.
Below a summary of WannaCry and UIWIX’s notable features reported by Trend Micro:
| WannaCry | UIWIX | |
| Attack Vectors | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), TCP port 445 |
| File Type | Executable (EXE) | Dynamic-link Library (DLL) |
| Appended extension | {original filename}.WNCRY | ._{unique id}.UIWIX |
| Autostart and persistence mechanisms | Registry | None |
| Anti-VM, VM check, or anti-sandbox routines | None | Checks presence of VM and sandbox-related files or folders |
| Network activity | On the internet, scans for random IP addresses to check if it has an open port 445; connects to .onion site using Tor browser | Uses mini-tor.dll to connect to .onion site |
| Exceptions (doesn’t execute if it detects certain system components) | None | Terminates itself if found running in Russia, Kazakhstan, and Belarus |
| Exclusions (directories or file types it doesn’t encrypt) | Avoids encrypting files in certain directories | Avoids encrypting files in two directories, and files with certain strings in their file name |
| Network scanning and propagation | Yes (worm-like propagation) | No |
| Kill switch | Yes | No |
| Autostart and persistence mechanisms | Registry | None |
| Number of targeted file types | 176 | All files in the affected system except those in its exclusion list |
| Shadow copies deletion | Yes | No |
| Languages supported (ransom notes, payment site) | Multilingual (27) | English only |
Another interesting behavior observed by the researchers is that the malware terminates itself if the compromised computer is located in Russia, Kazakhstan, and Belarus.
The network activity of the malware leverages mini-tor.dll to connect to .onion site, meanwhile, WannaCry was scanning the Internet for random IP addresses to check if it has an open port 445 and it was connecting to .onion site using the Tor browser.
Most evident differences between WannaCry and UIWIX are:
Clearly, the WannaCry attack represents a great opportunity for cyber crime ecosystem, every time a new flaw was discovered cooks try to exploit is in the attack in the wild, for example including the exploit code in crimeware kits used in hacking campaigns.
Recently we reported the case of the Adylkuzz botnet, another malware that exploited the EternalBlue exploit to spread a Monero miner.
“It’s not a surprise that WannaCry’s massive impact turned the attention of other cybercriminals into using the same attack surface vulnerable systems and networks are exposed to. Apart from WannaCry and UIWIX, our sensors also detected a Trojan delivered using EternalBlue—Adylkuzz (TROJ_COINMINER.WN). This malware turns infected systems into zombies and steals its resources in order to mine for the cryptocurrency Monero.” Trend Micro concludes.
“UIWIX, like many other threats that exploit security gaps, is a lesson on the real-life significance of patching.”
[adrotate banner=”9″]
(Security Affairs – WannaCry, UIWIX)
[adrotate banner=”13″]
Data Breach / November 21, 2024
