The attacker renames the KDU tool (open-source Windows driver loader implementing DSG bypass via an exploit) autologin, copies the related program to the temporary directory, and loads and executes the designated driver file to execute code with kernel privileges to terminate the antivirus process. <\/p>\n\n\n\n
Our analysis of the .sys file loaded by the attacker suggests that with simple functions, this program traverses all processes in the system, locates the antivirus process according to its name, and terminates it.<\/p>\n\n\n\n In the driver, process names of multiple antivirus software are saved, like McAfee, Symantec, Windows Defender, and VIPRE.<\/p>\n\n\n\n After the autologin.sys driver is loaded, a tool is used to obtain the output of the driver.<\/p>\n\n\n\n It is noteworthy that KDU loads the driver file to the memory for execution through mapping, instead of following the normal driver loading process. Therefore, a traditional check tool is unable to obtain the loaded driver.<\/p>\n\n\n\n LockFile Execution for Encryption and Self-Deletion Upon Encryption<\/strong><\/p>\n\n\n\n autoupdate.exe is a 64-bit program used by LockFile to encrypt files. This program is packed using UPX.<\/p>\n\n\n\n This program performs the following steps: <\/p>\n\n\n\n 1. Create a mutex “25a01bb859125507013a2fe9737d3c33”.<\/p>\n\n\n\n 2. Decode some wmic commands and execute the following seven commands using cmd \/c to terminate related processes, like VMware, VirtualBox, SQLServer, MySQL, and Oracle.<\/p>\n\n\n\n wmic process where “name like ‘%vmwp%'” call terminate<\/p>\n\n\n\n wmic process where “name like ‘%vbox%'” call terminate<\/p>\n\n\n\n wmic process where “name like ‘%sqlservr%'” call terminate<\/p>\n\n\n\n wmic process where “name like ‘%mysqld%'” call terminate<\/p>\n\n\n\n wmic process where “name like ‘%omtsreco%'” call terminate<\/p>\n\n\n\n wmic process where “name like ‘%tnslsnr%'” call terminate <\/p>\n\n\n\n wmic process where “name like ‘%vmware%'” call terminate<\/p>\n\n\n\n 3. Obtain all logical driver letters. For a hard disk or USB flash drive, a new thread will be created to encrypt the corresponding file, add the .lockfile suffix to the file name, create a ransomware file LOCKFILE-README-<computer name>-<time>.hta (<computer name> is the computer name and <time> is the timestamp) in the driver directory, and write the encoded contents to the .hta file.<\/p>\n\n\n\n After all files are encrypted, autoupdate.exe will generate the %PUBLIC%\\LOCKFILE-README.hta file and invoke mshta to execute the this HTA file.<\/p>\n\n\n\n During encryption, the Rijndael algorithm (used by AES) is used to encrypt file contents.<\/p>\n\n\n\n 4. Create a process to execute the following command to delete itself: cmd \/c ping 127.0.0.1 -n 5 && del “%s” && exit<\/p>\n\n\n\n 1. By reference to the event IoCs, users can check whether communication records of the following IP addresses\/domain names exist in the current network:<\/p>\n\n\n\n sc.microsofts.net<\/p>\n\n\n\n 209.14.0.234<\/p>\n\n\n\n 45.91.83.176<\/p>\n\n\n\n 183.226.73.185<\/p>\n\n\n\n 178.63.226.197<\/p>\n\n\n\n 2. Check system application logs to determine whether the following event sequence exists: Front End HTTP Proxy – Autodiscover – MapiMailboxAppPool.<\/p>\n\n\n\n 3. Check Exchange access logs for the following signature sequences:<\/p>\n\n\n\n 4. Check Exchange audit logs for the following signatures:<\/p>\n\n\n\n 5. Check whether the root directory (such as C:\\inetpub\\wwwroot\\aspnet_client\\) of ASP.Net and the frontend directory (such as C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy \\owa\\auth) contain malicious WebShell. Also, check whether site nodes in IIS storage configuration area files (like C:\\Windows\\System32\\inetsrv\\config\\applicationHost.config) contain suspicious virtualDirectory configuration items.<\/p>\n\n\n\n According to our analysis of detected samples, we find that some attackers plant WebShells to the web path by modifying this configuration file, and create the Windows device name directory for further concealment.<\/p>\n\n\n\n Versions Affected by ProxyShell Vulnerabilities:<\/strong><\/p>\n\n\n\n Versions Affected by PetitPotam Vulnerabilities:<\/strong><\/p>\n\n\n\n Script Check<\/strong><\/p>\n\n\n\n Users can use the official Exchange Server running check script to check whether the current Exchange Server is affected. This script can be downloaded from the following address: https:\/\/microsoft.github.io\/CSS-Exchange\/Diagnostics\/HealthChecker\/<\/p>\n\n\n\n Detection with NSFOCUS Products<\/strong><\/p>\n\n\n\n NSFOCUS Remote Security Assessment System (RSAS) and Web Vulnerability Scanning System (WVSS) are capable of scanning and detecting the vulnerabilities. Please upgrade them to V6.0R02F01.2405 or later.<\/p>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2021\/09\/q-1.jpg\")
<\/figure>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2021\/09\/w.jpg\")
<\/figure>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2021\/09\/e-1024x534.jpg\")
<\/figure>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2021\/09\/r.jpg\")
<\/figure>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2021\/09\/t.jpg\")
<\/figure>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2021\/09\/y.jpg\")
<\/figure>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2021\/09\/g.jpg\")
<\/figure>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2021\/09\/d.jpg\")
<\/figure>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2021\/09\/s.jpg\")
<\/figure>\n\n\n\nAttack Check<\/h2>\n\n\n\n
Scope of Impact<\/h2>\n\n\n\n
ProxyShell Vulnerability Check<\/h2>\n\n\n\n