The Anti-virus Times

Friday, May 26, 2017

The authorship of the much-talked-about WannaCry is a question that interests everyone—from law enforcement agencies and information security specialists to ordinary users. The information set forth below is not the official opinion of Doctor Web; it's just reflections on how easy it is for someone to be accused of cybercrimes when there is a shortage of information.

Let's start with the facts:

1. The hacker group Shadow Brokers published another batch of hacker tools stolen from Equation Group, which is suspected of having ties to the US National Security Agency This time exploits for vulnerabilities in various versions of Windows were published—from Windows 2000 and Server 2012 up to Windows 7 and 8. The published archive contains at least 23 tools, including EternalBlue, Oddjob, Easybee, EducatedScholar, EnglishmanDentist, EsikmoRoll, EclipsedWing, Emphasismine, EmeraldThread, EternalRomance, EternalSynergy, Ewokefrenzy, ExplodingCan, ErraticGopher, EsteemAudit, Doublepulsar, Mofconfig and Fuzzbunch.
2. Microsoft (notified by an “unknown friend" about the upcoming publication) conducted an analysis of the exploits and stated that vulnerabilities in the SMB v1-3 protocol exploited by EternalBlue, EmeraldThread, EternalChampion, EternalRomance, ErraticGopher, EducatedScholar and EternalSynergy had already been fixed in previous years and that some had been eliminated this year (CVE-2017-0146 and CVE-2017-0147). A security patch was released three years ago, in 2014, to close a vulnerability in domain controllers, running Windows 2000, 2003, 2008 and 2008 R2, that was exploited by the tool EsikmoRoll. It was noted that the tools EnglishmanDentist, EsteemAudit, and ExplodingCan don't work on Windows-supported versions so patches won’t be released for them.
   
   In particular, the vulnerabilities eventually used by WannaCry were closed with the MS 17-010 update released in March, 2017.
3. Using tools published by the hacker group The Shadow Brokers (in particular, EternalBlue and Doublepulsar), the new encoder started spreading at about 10 a.m., and already by that evening, the mass media (not anti-virus manufacturers!) began reporting on numerous infections.
4. The Shadow Brokers on Tuesday, May 16, announced "TheShadowBrokers Data Dump of the Month" service, whereby each month it will provide its subscribers with new exploits for previously unknown vulnerabilities in browsers, routers, handhelds, and Windows 10, as well as with data stolen from SWIFT banking systems and information related to the Russian, Chinese, Iranian, and North Korean nuclear programs.

Creating an exploit is not the same thing as creating a Trojan and using it to conduct an attack.

But who created the Trojan? Who is responsible for the attack—i.e. for spreading the Trojan?

Almost immediately, information appeared about the connection between WannaCry and the hacker group Lazarus.

In this regard, let’s recall what’s been attributed to Lazarus Group:

1. The successful attack carried out against Sony Pictures in 2014. The hackers also robbed a series of banks; in particular, they stole $81 million from the Central Bank of Bangladesh.
2. The attack carried out against SWIFT interbank system. In particular, in February 2016, the hackers managed to transfer $81 million out of the Central Bank of Bangladesh.
3. The attack carried out against Banco del Austro in Ecuador in January 2015. As a result, $9 million were stolen.

A serious organisation that has already existed for ten years. Note that all those successful operations are based on hacking, rather than on trying to malware distribution.

What about WannaCry (Doctor Web’s specialists’ description of it can be found here)?

1. The Trojan is not packed and, moreover, it cannot be repacked. Detection tools observe most Trojans for about nine minutes—for days, WannaCry attacked using the same code, without trying to hide from anti-virus solutions. Only the striking ignorance of system administrators allowed it to cause damage.
2. The Trojan is an archive with an embedded unpacking key that is visible to any researcher.

   

   (https://www.linkedin.com/feed/update/urn:li:activity:6269238070189654016)

3. The Trojan does not even try to hide in the system—any anti-virus file monitor is able to detect its files.
4. Some email address can be found inside the Trojan:

   00:34 < nulldot> 0x1000ef48, 24, BAYEGANSRV\administrator
   00:34 < nulldot> 0x1000ef7a, 13, Smile465666SA
   00:34 < nulldot> 0x1000efc0, 19, wanna18@hotmail.com
   00:34 < nulldot> 0x1000eff2, 34, 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY
   00:34 < nulldot> 0x1000f024, 22, sqjolphimrr7jqw6.onion
   00:34 < nulldot> 0x1000f088, 52, https://www.dropbox.com/s/deh8s52zazlyy94/t.zip?dl=1
   00:34 < nulldot> 0x1000f0ec, 67, https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
   00:34 < nulldot> 0x1000f150, 52, https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1
   00:34 < nulldot> 0x1000f1b4, 12, 00000000.eky
   00:34 < nulldot> 0x1000f270, 12, 00000000.pky 
   00:34 < nulldot> 0x1000f2a4, 12, 00000000.res

   https://habrahabr.ru/company/pentestit/blog/328606
   https://habrahabr.ru/post/328548

5. The attack was carried out from a single location.

   

   https://www.hybrid-analysis.com/sample/24d004...

6. The hackers earned very little due to an error in the bitcoin receive module. Is that why a huge number of victims will never get their data restored—because they simply can’t pay the ransom?

That doesn’t fit the mould of the successful Lazarus hackers who’ve made millions of dollars. Furthermore, among the tools stolen from the National Security Agency, there was a special utility capable of inserting phrases in the target language into the program’s text. And, of course, inserting a piece of needed code is no problem...