Indexsinas SMB Worm Campaign Infests Whole Enterprises


The self-propagating malware’s attack chain is complex, using former NSA cyberweapons, and ultimately drops cryptominers on targeted machines.

The Indexsinas SMB worm is on the hunt for vulnerable environments to self-propagate into, researchers warned – with a particular focus on the healthcare, hospitality, education and telecommunications sectors. Its end goal is to drop cryptominers on compromised machines.

Indexsinas, aka NSABuffMiner, has been lurking since 2019. It makes use of the old Equation Group weapons arsenal, including the infamous EternalBlue and EternalRomance exploits for invading Windows SMB shares, as well as the DoublePulsar backdoor. Indexsinas’ hallmark is making aggressive use of lateral movement to fully consume targeted environments. Lately, the activity has resurged.

“Propagation is achieved through the combination of an open-source port scanner and three Equation Group exploits – EternalBlue, DoublePulsar and EternalRomance,” according to a Guardicore Labs analysis published Wednesday. “These exploits are used to breach new victim machines, obtain privileged access and install backdoors.”

EternalBlue and EternalRomance, the NSA-developed exploits that gained notoriety for their key roles in the WannaCry and NotPetya cyberattacks four years ago, remain effective, researchers noted. According to Shodan, there are more than 1.2 million internet-facing SMB servers out there today.

Since 2019, Indexsinas has used a large infrastructure made up of more than 1,300 devices acting as attack sources (most likely compromised machines, Guardicore noted, mainly in India, the U.S. and Vietnam), with each device responsible for only a few attack incidents each. There have been around 2,000 separate attacks in Guardicore’s telemetry to date, it said.

It remains difficult to pierce the veil of the attacks to discover more about the cyberattackers behind Indexsinas.

“The Indexsinas attackers are careful and calculated,” according to the firm. “The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The [command-and-control] C2 server is highly protected, patched and exposes no redundant ports to the internet. The attackers use a private mining pool for their cryptomining operations, which prevents anyone from accessing their wallets’ statistics.”

Attack Flow for Cryptomining Campaign

The attack begins when a machine is breached using the NSA’s aforementioned exploitation tools, according to Guardicore Labs.

“These exploits run code in the victim’s kernel and are capable of injecting payloads to user-mode processes using asynchronous procedure calls (APCs),” researchers noted. “Indexsinas uses the exploits to inject code to either explorer.exe or lsass.exe. The injected payloads – EternalBlue.dll for 32-bit and DoublePulsar.dll for 64-bit – download three executable files from the main C2 server.”

The downloaded files contain a whole, reversed DLL: a Portable Executable that turns out to be a version of the Gh0stCringe remote access tool (RAT), researchers said.

The loader also calls a pair of exported functions – Install and MainThread. The first installs the RAT, and the second performs the core functionality of awaiting commands from the C2 and reporting machine information, such as computer name, malware group ID, installation date and CPU technical specs.

“The tool has various capabilities; it can download and execute additional modules, install them as services, and interact with the user by opening message boxes and presenting URLs in Internet Explorer,” researchers explained.

Meanwhile, the iexplore.exe and services.exe files install two services using a tool that masquerades as the legitimate Windows process svchost.exe. The first service is responsible for dropping the cryptominer (a version of the XMRig Monero-mining code), while the second simply runs the cryptominer module.

Another payload that’s downloaded as part of the first stage is c64.exe, which in turn drops two files. One of these is the ctfmon.exe executable – the propagation tool.

“Ctfmon.exe is responsible for finding potential victims and exploiting them using Equation Group’s tools – and it does that extremely thoroughly,” researchers said. “It uses exploits for both 32-bit and 64-bit machines and scans both RPC (TCP 139) and SMB (TCP 445) ports. Moreover, it tries to move laterally within the organizational network as well as spread across the internet.”

A daily scheduled task runs a batch script, which installs a service. The service runs another batch script which performs the port scanning and exploitation.

“The batch scripts in these flows also uninstall competitors’ services, terminate their processes and delete their files,” according to the analysis. “In addition, they clean old Indexsinas traces.”

The writeup added, “The attack flow consists of many batch scripts, executable payloads, downloaders, services and scheduled tasks. A prominent characteristic of the campaign is its competitiveness; it terminates processes related to other attack campaigns, deletes their file system residues and stops services created by other attack groups. It also attempts to evade detection by killing programs related to process monitoring and analysis. In addition, it makes sure to delete its own files immediately after execution.”

How to Prevent Indexsinas Worm Infections

There are several standard best practices that can help enterprises avoid infection.

“Indexsinas and other attack campaigns leverage vulnerable SMB servers to breach networks and move laterally inside them,” researchers said. “There are more than 1 million SMB servers accessible to anyone on the internet, and many of them still vulnerable to MS17-010; this is exactly what makes Indexsinas and similar attack campaigns profitable.”

Thus, patching SMB servers would be the first order of business. The next step is to identify vulnerable entry points into the organization. Beyond that, gaining visibility into the environment and using network segmentation are two tried-and-proven ways to avoid becoming a victim, researchers said.

“It is crucial that network administrators, IT teams and security personnel be able to easily identify assets and the services they run,” they explained. “Specifically, it should be easy to spot internet-facing servers, SMB included. With visibility in place, network admins would want to limit the access from and to different assets and the network services they expose.”

For instance, corporate business functions and manufacturing/production operations should be separated. Also, policy rules can be implemented that can protect an organization’s SMB servers, such as disallowing access from the internet over SMB, or allowing only certain IP addresses to access internet-facing file servers in the organization.
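As an added example (not code from the article or from Guardicore), the following script runs two defender-side checks over constructed connection-log lines: the first flags a host fanning out to many distinct peers on TCP 139/445 in a short window, the propagation pattern described for ctfmon.exe above; the second flags SMB connections from sources outside an allowlist, the access policy recommended for file servers. The log format, the sample addresses and the thresholds are assumptions.

```python
"""Two SMB checks over constructed log lines (added example, not from the article).
Hypothetical log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port>".
Thresholds and allowlist below are assumed values, not recommendations from the page."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {139, 445}

# Constructed sample: 10.0.1.5 sweeps the subnet; 198.51.100.7 (public) hits a file server.
SAMPLE_LOG = """\
2021-06-30T10:00:00 src=10.0.1.5 dst=10.0.1.20 dport=445
2021-06-30T10:00:01 src=10.0.1.5 dst=10.0.1.21 dport=445
2021-06-30T10:00:01 src=10.0.1.5 dst=10.0.1.22 dport=139
2021-06-30T10:00:02 src=10.0.1.5 dst=10.0.1.23 dport=445
2021-06-30T10:00:03 src=10.0.1.5 dst=10.0.1.24 dport=445
2021-06-30T10:00:05 src=10.0.1.9 dst=10.0.1.20 dport=445
2021-06-30T10:00:07 src=198.51.100.7 dst=10.0.1.20 dport=445
2021-06-30T10:00:09 src=10.0.1.9 dst=10.0.1.30 dport=80
"""

def parse(line):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["dst"], int(fields["dport"])

def smb_events(log):
    """Only connections to SMB/NetBIOS ports matter for both checks."""
    return [e for e in (parse(l) for l in log.splitlines() if l.strip()) if e[3] in SMB_PORTS]

def fanout_sources(log, min_peers=5, window=timedelta(seconds=60)):
    """Sources that reach at least min_peers distinct SMB peers within one window."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in smb_events(log):
        by_src[src].append((ts, dst))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            peers = {d for t, d in hits[i:] if t - start <= window}
            if len(peers) >= min_peers:
                flagged.add(src)
                break
    return sorted(flagged)

def unauthorised_sources(log, allowed=("10.0.0.0/8",)):
    """SMB sources outside the allowlisted networks, i.e. policy violations."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    return sorted({src for _, src, _, _ in smb_events(log)
                   if not any(ipaddress.ip_address(src) in n for n in nets)})
```

On the sample, `fanout_sources(SAMPLE_LOG)` returns the sweeping host and `unauthorised_sources(SAMPLE_LOG)` returns the public address; the port-80 line is ignored by both checks.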
