DirtyMoe: Worming Modules – Avast Threat Labs

MITRE Techniques

• [T1210] Exploitation of Remote Services – EternalBlue SMB Remote Code Execution used to compromise Windows machines. ‘EternalBlue SMB Remote Code Execution (MS17-010)’
• [T1543.003] Create/Modify System Process: Windows Service – The worming module creates and starts a new Windows service remotely via RPC over SMB. ‘a new Windows service is created and started remotely via RPC over the SMB service’
• [T1047] Windows Management Instrumentation – Dictionary attacks against WMI to enable remote command execution. ‘dictionary attack to Windows Management Instrumentation (WMI)’
• [T1218.005] Signed Binary Proxy Execution: Mshta – mshta.exe used as a LOLbin to execute and launch the RCE payload. ‘The Microsoft HTML Application Host (mshta.exe) is used as a LOLbin to execute and create ShellWindows and run @RCE@.’
• [T1021.002] SMB/Windows Admin Shares – Delivery of the payload over SMB/MS SQL protocols. ‘The payload delivery is typically performed using protocols of targeted services, e.g., SMB or MS SQL protocols.’
• [T1059.001] PowerShell – Use of PowerShell to fetch and execute payloads (MsiMake) and run the RCE chain. ‘powershell -nop -exec bypass -c “IEX $decoded; MsiMake @SQLEXEC@;”‘
• [T1046] Network Service Scanning – The worming module tests target IPs by probing ports to verify live, potentially vulnerable hosts. ‘the worming module connects to the specific port where attackers expect vulnerable services and verifies whether the victim’s machine is live’
• [T1110] Brute Force / Credential Access – Dictionary attacks to guess admin passwords for SCMR, WMI, and SQL services. ‘dictionary attack targets two administrator user names, namely administrator for SMB services and sa for MS SQL servers’