Critical SMBv3 Vulnerability: Remote Code Execution
[Update March 12, 2020]
Microsoft released patches for the affected systems: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
--
SMB has already been a targeted protocol several times, and it is back on stage today with a new CVE: CVE-2020-0796. This time, version 3 of the protocol is affected by a remote code execution vulnerability. Microsoft has enhanced the SMB protocol multiple times, adding more features; the one targeted today appears to be data compression. At this time, Microsoft has not released details and no patch is available. What do we know?
Affected Windows versions:
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
A victim's computer can be compromised by exposing a vulnerable SMBv3 resource to the internet, but a client can also be affected simply by connecting to a malicious SMBv3 server. Both clients and servers are affected!
How to protect your resources?
- Microsoft published a workaround[1] via PowerShell (see below)
- Restrict SMB traffic to the strict minimum
- Do not expose servers in the wild, restrict access to them
- Do not allow SMB traffic to the outside world. We can guess that malicious emails and malware will include "smb://" URLs soon.
The PowerShell workaround is:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
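As an added example (not part of the diary or of Microsoft's advisory), the following PowerShell function audits a host for the workaround above: it checks whether the build is one of the listed 1903/1909 releases (builds 18362 and 18363), reads the current DisableCompression value, and optionally applies the same registry setting. It assumes an elevated session on the host being checked; the function name and the -Apply switch are my own.

```powershell
function Test-SmbCompressionWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Apply the registry workaround if the host is affected and it is not yet set.
        [switch]$Apply
    )

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Windows 10 / Windows Server 1903 and 1909 ship as builds 18362 and 18363.
    $affectedBuilds = @(18362, 18363)
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $affected = $affectedBuilds -contains $build

    # Missing value -> $null; the key itself always exists on a Windows host.
    $current = (Get-ItemProperty -Path $regPath -Name DisableCompression `
                -ErrorAction SilentlyContinue).DisableCompression

    if ($Apply -and $affected -and $current -ne 1) {
        if ($PSCmdlet.ShouldProcess($regPath, 'Set DisableCompression = 1')) {
            # Same setting Microsoft published in ADV200005.
            Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value 1 -Force
            $current = 1
        }
    }

    # The registry value only hardens the SMB server role. A client connecting to a
    # malicious SMBv3 server is not covered by it; that side relies on blocking
    # SMB (TCP/445) towards the outside world, as recommended above.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Build              = $build
        AffectedBuild      = $affected
        DisableCompression = $(if ($null -eq $current) { 'not set' } else { $current })
        ServerWorkaround   = ($current -eq 1)
    }
}

# Audit only; add -Apply (and -WhatIf to preview) to set the value.
Test-SmbCompressionWorkaround
```

Run it across a fleet with Invoke-Command to get one status row per host.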
We will continue to update this diary based on the information collected.
[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
Hancitor distributed through coronavirus-themed malspam
Introduction
The criminal group behind Hancitor malware has been quiet during the past few weeks. For the past year or so, this group has stuck with DocuSign-themed malspam to distribute Hancitor (like this example from January 2020). However, today @mesa_matt reported a new wave of Hancitor malspam using a coronavirus theme. Today's diary reviews two quick infection runs using information from @mesa_matt's Twitter thread on Wednesday 2020-03-11.
My thanks to everyone on Twitter who keeps an eye on Hancitor and tweets about it.
Shown above: Screenshot of the malspam from a tweet by @mesa_matt on 2020-03-11.
Infection traffic
We're still seeing the same sequence of events from previous Hancitor runs so far this year.
- Step 1: Link from malspam
- Step 2: Leads to another URL that returns a zip archive
- Step 3: Extract VBS from zip archive
- Step 4: VBS drops and executes Hancitor DLL
- Step 5: Hancitor-style post-infection traffic
Shown above: Traffic from an infection filtered in Wireshark.
Indicators of Compromise (IoCs)
Traffic from an infected Windows host:
- URL from link in the malspam (various URLs from step 1, not in my pcaps)
- 8.208.77[.]171 port 80 - freetospeak[.]me - GET /0843_43.php
- port 80 - api.ipify[.]org - GET /
- 45.153.73[.]33 port 80 - thumbeks[.]com - POST /4/forum.php
- 45.153.73[.]33 port 80 - thumbeks[.]com - POST /mlu/forum.php
- 45.153.73[.]33 port 80 - thumbeks[.]com - POST /d2/about.php
- 68.183.232[.]255 port 80 - shop.artaffinittee[.]com - GET /wp-includes/sodium_compat/1
- 68.183.232[.]255 port 80 - shop.artaffinittee[.]com - GET /wp-includes/sodium_compat/2
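As an added example (not from the diary), the following PowerShell function looks for the post-infection pattern described above in proxy logs: a GET to api.ipify.org followed by POSTs to the forum.php/about.php check-in URLs, with the sodium_compat follow-up downloads as a secondary marker. The log lines are constructed for the example; the field layout (client, method, host, path) is an assumption, as is the function name.

```powershell
# Constructed sample in a simplified "client method host path" layout; not real logs.
$sampleLog = @'
10.0.0.5 GET api.ipify.org /
10.0.0.5 POST thumbeks.com /4/forum.php
10.0.0.5 POST thumbeks.com /mlu/forum.php
10.0.0.5 GET shop.artaffinittee.com /wp-includes/sodium_compat/1
10.0.0.7 GET www.example.com /index.html
10.0.0.9 GET api.ipify.org /
'@

function Find-HancitorCheckin {
    param([string[]]$Lines)

    # Parse each line into an object; skip anything that does not have four fields.
    $events = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 4) {
            [pscustomobject]@{ Client = $f[0]; Method = $f[1]; Server = $f[2]; Path = $f[3] }
        }
    }

    foreach ($group in ($events | Group-Object Client)) {
        $ipify   = $group.Group | Where-Object { $_.Method -eq 'GET' -and $_.Server -eq 'api.ipify.org' }
        $checkin = $group.Group | Where-Object { $_.Method -eq 'POST' -and $_.Path -match '/(forum|about)\.php$' }
        $stage2  = $group.Group | Where-Object { $_.Path -match '^/wp-includes/sodium_compat/\d+$' }

        # An external-IP lookup alone is common and benign; require the C2 check-in too.
        if ($ipify -and $checkin) {
            [pscustomobject]@{
                Client   = $group.Name
                Checkins = ($checkin | ForEach-Object { "$($_.Server)$($_.Path)" }) -join ', '
                Stage2   = [bool]$stage2
            }
        }
    }
}

# Only 10.0.0.5 is reported; 10.0.0.9 has just the ipify lookup.
Find-HancitorCheckin -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```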
Malware from my infected lab hosts:
SHA256 hash: 4f6d4d8f279c03f1ddfa20f95af152109b7578a2bec0a16a56ff87745585169a
- File size: 230,431 bytes
- File location: hxxp://freetospeak[.]me/0843_43.php
- File name: SE-670131329809_5500.zip
- File description: zip archive downloaded from link in malspam distributing Hancitor (1st run)
SHA256 hash: 6897a3b85046ba97fb3868dfb82338e5ed098136720a6cf73625e784fc1e1e51
- File size: 1,130,515 bytes
- File name: SE670131329809.vbs
- File description: VBS file extracted from downloaded zip archive (1st run)
SHA256 hash: 8a9333204db83c2571463278cb6a6241ae5f215b2166bf4af5693d611049d5a9
- File size: 228,383 bytes
- File location: hxxp://freetospeak[.]me/0843_43.php
- File name: QU-555033076467_5558.zip
- File description: zip archive downloaded from link in malspam distributing Hancitor (2nd run)
SHA256 hash: 8da0eb3a2378d218043e9f3188e59e3158f1fd01bbcd979f05197c74c2fb7a1c
- File size: 1,125,138 bytes
- File name: QU555033076467.vbs
- File description: VBS file extracted from downloaded zip archive (2nd run)
SHA256 hash: 291a4eb06358eca87fbc1f133ee162b6c532f4ec3e6f39c2646cde5de60e80f9
- File size: 253,952 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\adobe.txt
- File description: Hancitor DLL dropped after executing above VBS files (both runs)
For further information:
- Twitter thread from @mesa_matt with a screenshot of a malspam example: link
- Initial info on Pastebin for Hancitor malspam from @mesa_matt Twitter thread: link
- Any.Run sandbox analysis for URL used to kick off my infection runs: link
- File hashes on Pastebin for this Hancitor from paste by JAMES_INTHE_BOX: link
Final words
Pcaps of my infection traffic along with the associated malware can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net