
Trojan:PowerShell/Lonit.PA


First posted on 09 February 2018.
Source: Microsoft

Aliases:

There are no other names known for Trojan:PowerShell/Lonit.PA.

Explanation:

This threat is a form of fileless malware that uses the EternalBlue exploit (CVE-2017-0144). For more details about EternalBlue, see the Analysis of the ETERNALBLUE and ETERNALROMANCE exploits leaked by Shadow Brokers.

After the system is exploited, this threat uses its elevated permissions to persist in Windows Management Instrumentation (WMI) and execute from the Task Scheduler. In the case of this malware, persistence is created to run bitcoin miners.

The WMI instance contains a variable named "funs" (a base64-encoded expression).

This threat also fetches the already infected WmiClass "root\default:Office_Updater" (the class may also use names other than Office_Updater).

It immediately executes the "funs" element of the WmiClass. This base64-encoded element is the malicious payload, which can be anything from bitcoin miners to ad clickers.

It then removes every other WMI object in the root\subscription namespace that is not named "SCM Event Logs". It checks whether the malware is running by looking for connections on port 80 or 14444.

If it finds that the malware isn't running, it fetches the malware from the WmiClass and runs it again. That is how the malware persists.

The tool also uses Mimikatz, another malware, to obtain NTLM credentials. With these credentials, it checks for other network adapters/connections to connect to. If it finds new addresses, it checks them for vulnerabilities; if it finds a possible vulnerability, the malware spreads to the new machine.

WMI Object values:

  • funs - the payload (base64 encoded)
  • mimi - Mimikatz
  • ipsu - previously infected IPs
  • i17 - PingCastle port scanner
  • sc - unknown
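A read-only hunting script for the artefacts this description lists, written here as an added example (it is not Microsoft's code or part of the original analysis). The class and property names, the "SCM Event Logs" name and the two ports come from the text above; the payload encoding and the choice of namespaces to inspect are assumptions.

```powershell
#Requires -RunAsAdministrator
# Read-only hunt; the decoded payload is displayed, never executed.
$suspectProps = 'funs', 'mimi', 'ipsu', 'i17', 'sc'   # property names from the description

# 1. Classes in root\default carrying the family's property names. This family keeps
#    its data in class-level default values, which Get-CimClass exposes as .Value.
$hits = Get-CimClass -Namespace 'root\default' | Where-Object {
    @($_.CimClassProperties.Name | Where-Object { $suspectProps -contains $_ }).Count -ge 2
}
foreach ($class in $hits) {
    Write-Output "Suspicious class root\default:$($class.CimClassName)"
    foreach ($p in ($class.CimClassProperties | Where-Object { $suspectProps -contains $_.Name })) {
        $value = [string]$p.Value
        Write-Output ("  {0,-5} {1} chars" -f $p.Name, $value.Length)
        if ($p.Name -eq 'funs' -and $value) {
            # Payload encoding is an assumption: try UTF-16LE (PowerShell -EncodedCommand
            # style) first, fall back to UTF-8 if the result is not printable text.
            try {
                $bytes = [Convert]::FromBase64String($value)
                $text  = [Text.Encoding]::Unicode.GetString($bytes)
                if ($text -notmatch '^[\x20-\x7e\s]+$') { $text = [Text.Encoding]::UTF8.GetString($bytes) }
                Write-Output "  funs decodes to: $($text.Substring(0, [Math]::Min(200, $text.Length)))"
            } catch { Write-Output "  funs is not valid base64" }
        }
    }
}

# 2. Permanent event subscriptions. The malware deletes everything here except the
#    object named "SCM Event Logs", so review an entry with that name with care.
Get-CimInstance -Namespace 'root\subscription' -ClassName __EventFilter |
    ForEach-Object { Write-Output ("Filter   {0,-20} {1}" -f $_.Name, $_.Query) }
Get-CimInstance -Namespace 'root\subscription' -ClassName __EventConsumer |
    ForEach-Object { Write-Output ("Consumer {0,-20} {1}" -f $_.Name, $_.CimClass.CimClassName) }
Get-CimInstance -Namespace 'root\subscription' -ClassName __FilterToConsumerBinding |
    ForEach-Object { Write-Output ("Binding  {0} -> {1}" -f $_.Filter.Name, $_.Consumer.Name) }

# 3. Established connections to the two ports the threat uses for its own
#    "am I running" check; 14444 is unusual enough to stand out on its own.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in 80, 14444 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("{0}:{1} <- PID {2} ({3})" -f $_.RemoteAddress, $_.RemotePort, $_.OwningProcess, $proc.ProcessName)
    }
```

Run it from an elevated PowerShell session on a suspect host; a class in root\default with two or more of these property names, or a permanent subscription you did not create, warrants a full response rather than ad hoc cleanup.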


Payload

Connects to a remote host

We have seen this threat connect to a remote host, including the following ports:
  • 80
  • 14444
Malware connects to a remote host to allow backdoor access and control, and to send stolen information from your device to the malicious hacker or cybercriminal.

Allows backdoor access and control

This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
  • Downloading and uploading files
  • Enumerating running processes
  • Executing arbitrary commands
  • Gathering system information such as IP address and computer name
  • Changing some of your device settings

This analysis was published using the following file SHA1: F5493BF0C7F0CEE670BEB455D2C3B0BBEDE9F3DC692BC32F2138B6A3379DA952

Last update 09 February 2018
