Check Point: new malware found in Windows Servers
- 07 March, 2019 11:26
A new malware has been discovered by technical researchers from Check Point Software that specifically targets Microsoft Windows Servers, the vendor has revealed in a blog post.
It is believed the malware only targets Windows Servers and not Windows PCs or laptops, which aims to steal data residing within such servers and upload the data to a remote FTP server.
The discovery was made by three technical researchers from Check Point Software, Arle Olshtein, Moshe Hayun, and Arnold Osipov.
“During our research, we came across an attack targeting Windows servers in APAC and revealed the attackers infrastructure, where we observed the uploading of sensitive data, such as Windows login credentials, OS version and IP addresses (internal and external) from between 3-10 different victims each second,” said the blog post announcing the discovery.
Similar to the recent WinRAR vulnerability which was also discovered by Check Point researchers, this newly discovered malware was found to also be a .RAR compressed file.
This compressed file was found to be hiding several batch files that effectively triggers the malware, checks the identity of the machines to ensure that it is a server running Microsoft Windows Server, on the assumption that servers would likely host commercial or institutional sensitive data.
“We observed a batch file with an evasive behaviour using interesting techniques such as “Squiblydoo”, “download cradle” and WMI Event Subscription persistence exploit to run malicious content on infected machines,” said the blog post.
“The malware conceals the malicious behaviour as legitimate Windows processes to evade AV detection,” added the post. “Currently, VirusTotal shows a very low positivity rate among many AV products.”
The researchers found that the malicious campaign targets mainly countries in Asia and uses the open-source utility Mimikatz, which facilitates the viewing of credential information from the Windows local security authority subsystem service (Isass) through its sekurlsa module.
The Mimikatz utility is used by the attacker to steal sensitive information from Windows servers, and uploads this stolen data to an FTP server.
As the researchers have noted, that at the time of writing, the ftp server is still open and data is continuously uploaded (stolen) every second.