UIWIX – Evasive Ransomware Exploiting ETERNALBLUE

May 18, 2017

 |  

Gal Bitensky

Last week everybody talked about the WannaCry ransomware, a non-evasive ransomware which exploited vulnerable servers to propagate, successfully infecting anything from digital billboards to the Russian interior ministry. Here at Minerva we took part in the global effort against evil, releasing a free vaccination tool, explaining how you may vaccinate in enterprise-scale.

WannaCry drew attention to other threats exploiting the very same SMB vulnerability (MS-17-010) using the Shadow Brokers’ ETERNALBLUE-DOUBLEPULSAR combination. Unlike WannaCry, there have been no reports on the number of machines infected by the UIWIX ransomware, neither about the “revenues” generated. We assume that it is a direct result of a single major difference between WannaCry and the UIWIX ransomware family used in these threats. WannaCry did not try to evade detection and some researchers reported that their honeypots were infected only three minutes after they were deployed.

Tweet about honeypots infected within 3 minutes

UIWIX however employed basic evasion techniques to stay under the radar:

Tweet about the difficulty in obtaining a UIWIX sample

In this blog post, we describe how the UIWIX ransomware bypasses existing security defenses to target endpoints.

A Step-By-Step Analysis of How UIWIX Evades Detection

UIWIX did not invent any new technique, they relied on simple known techniques – starting with a direct test for the presence of a debugger:

‍Elementary test for the presence of a debugger

Later moving to detect different sandbox solutions, UIWIX checks the loaded modules against a black list a list of DLLs (see full list below):

‍UIWIX tests if a DLL related to COMODO's sandbox is loaded

Afterwards, the ransomware tests if a Cuckoo sandbox pipe is present:

‍The malware tests if the Cuckoo pipe is present

Ironically, the test for the Cuckoo pipe triggers both a signature and returns false even when executed in a Cuckoo sandbox:

‍Although executed in a Cuckoo, the test returns false

Now, UIWIX tests yet another list of DLLs, this time they are VM related:

‍Sample tests if in a virtual environment

Tracking the Evasion Techniques’ Source Code

From our analysis, it is quite clear that the coders of this ransomware relied on existing lists of artifacts to create the above “DetectSandbox()” and “DetectVM()” functions.

We found some candidates for the source of the evasion techniques. In the image below, a snippet of code looks for sandbox solutions by the loaded DLLs:

And in this source shows another list collected for the very same purpose:

It appears that those two lists were appended together in UIWIX (with dbghelp.dll and vmcheck.dll tested in a different function):

Another interesting similarity is in the malware code section which tests for VM pipes:

And this is how they appear in a Russian hacking forum called “FuckAV”:

Note how the order of the artifacts is an exact match to the malware!

This list can also be found in legitimate websites:

Why Minerva Aces Against UIWIX

Minerva Anti-Evasion Platform creates a virtual reality that fools the malware, making it believe that it is in a hostile environment. Clever environmentally aware malware like UIWIX will avoid execution in a Minerva-protected endpoint as we make the malware believe it is in a VM or sandbox.

UIWIX is exploiting unpatched machines to execute its DLL without writing itself to the disk. Luckily, Minerva works against any type of evasive threat, including file-less attacks like this one.

IoC

Hashes

3860c2526fc8acf5366573cdeb0a292036398d3ee9e7d9764a60ec5d0812582a 

146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc   

Searched VM related DLLs

SbieDll.dll

api_log.dll

dir_watch.dll

pstorec.dll

wpespy.dll

cmdvrt32.dll

SxIn.dll

snxhk.dll 

Searched Sandbox related DLLs

dbghelp.dll

vmcheck.dll

VBoxHook.dll

VBoxMRXNP.dll

Searched Sandbox Pipes

\\.\pipe\cuckoo

Searched VM Pipes

\\.\VBoxMiniRdrDN

\\.\VBoxGuest

\\.\pipe\VBoxMiniRdDN

\\.\VBoxTrayIPC

\\.\pipe\VBoxTrayIPC

\\.\HGFS

\\.\vmci

URLs

(as published by Lawrence Abrams in BleepingComputer)

hxxps://4ujngbdqqm6t2c53[.]onion[.]to                        

hxxps://4ujngbdqqm6t2c53[.]onion[.]cab

hxxps://4ujngbdqqm6t2c53[.]onion[.]nu

hxxps://4ujngbdqqm6t2c53[.]onion[.]to

hxxps://4ujngbdqqm6t2c53[.]onion[.]cab

hxxp://4ujngbdqqm6t2c53[.]onion