Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response

by Miguel Ang, Erika Mendoza and Buddy Tancio


In May, during the Managed Detection and Response service on-boarding process of an electronics company in the Asia-Pacific region, we noticed suspicious activity via the Trend Micro™ Deep Discovery™ Inspector that turned out to be related to EternalBlue, an exploit perhaps more popularly known for being used in the WannaCry attacks. After the discovery, we sent our first alert to the company regarding the possible threat.


A few days later, we managed to find evidence of communication from one of the company’s machines to the following URLs (which we confirmed to be disease vectors):


hxxp://js[.]mykings.top:280/v[.]sct
hxxp://js[.]mykings.top:280/helloworld[.]msi

The URLs contained the word “mykings,” which was similar to the command-and-control (C&C) servers that were used in our previous analysis of the botnet in August 2017. This gave us the first clues as to what the threat was.


Furthermore, we found changes to the machine’s system registry that were serving as a persistence mechanism. These registry entries were responsible for the C&C callbacks to the URLs mentioned earlier:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value name: "start")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value name: "start1")
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg (value name: "start")
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg (value name: "start1")
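As an added defensive check (not code from the original report), the following PowerShell snippet enumerates the two autorun locations named above, including the per-item subkeys that MSConfig keeps under startupreg, and reports any value named "start" or "start1" or whose data contains a URL or the mykings.top domain quoted earlier. The match pattern and the choice to treat any http(s) URL as suspicious are assumptions made for this example.

```powershell
# Added example: look for URL-bearing autorun entries in the registry
# locations named in the report. Match terms below are assumptions.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
)
# Any http(s) URL, the C&C domain from the article, or a .sct/.msi reference.
$pattern = '(?i)https?://|mykings\.top|\.sct\b|\.msi\b'
$names   = @('start', 'start1')   # value names quoted in the report

foreach ($root in $paths) {
    # Run stores values directly; startupreg keeps one subkey per disabled
    # startup item, so inspect the key itself and every subkey beneath it.
    $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -in $names -or $key.PSChildName -in $names -or $data -match $pattern) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Data  = $data
                }
            }
        }
    }
}
```

Run from an elevated prompt so both HKLM locations are readable; each reported object is a candidate for manual review, not a confirmed infection.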

Digging deeper, we found that the entries were added in 2017, indicating that the malware variant had been hiding in the company’s system for roughly 2 years before it was discovered. This presents an additional challenge since timing is important in determining MyKings’ actual payload. A large number ..
