The Nemty ransomware, first detected in August 2019, has gained a new distribution channel: it is now delivered by the Trik botnet to computers that Trik has already compromised. Trik, also known as Phorpiex, has been active for approximately 10 years.
In its early days, the malware self-propagated via removable USB drives, Windows Live Messenger, or Skype private messages. The criminals behind the botnet use the infected computers to send email spam and have been observed pushing out a wide range of malware families, with Nemty being the latest to join the list.
Since it was first discovered, Nemty has been under constant change. Although it is not as well known as the Sodinokibi ransomware, it quickly gained the ability to kill running processes and services and to encrypt files that are currently in use, and it has been observed compromising systems, email accounts and files.
Trik has been seen distributing sextortion emails, but a recent update added an SMB component with a hardcoded credential list. The payload distributed this way is the Nemty ransomware, security researchers from Symantec note in a report published today.
ANATOMY OF THE ATTACK
First, the SMB component allow-lists its own executable in the Windows Firewall's authorized-applications list by creating the following registry entry (the value name is the file path; the data is "path:scope:state:display name"):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[PATH OF THE ORIGINAL FILE]" = "[PATH OF THE ORIGINAL FILE]:*:Enabled: Windows NetBIOS Driver"
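The entry above is a useful hunting artifact: a program that calls itself "Windows NetBIOS Driver" but runs from a user-writable directory has no business in the firewall allow-list. The following is an added example (not Symantec's code and not the malware's) that parses values in the AuthorizedApplications\List format and flags such entries. The registry values it runs over are constructed for the example; on a live host you would read them with winreg from the key shown above. The "claims to be Windows but lives outside the Windows or Program Files directories" rule is a heuristic chosen here, not something the report states.

```python
"""Hunt for the firewall authorized-application entry the Trik SMB component adds.

Added example: the XP-era Windows Firewall stores each allowed program under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\
StandardProfile\\AuthorizedApplications\\List as a value whose name is the
program path and whose data is "<path>:<scope>:<state>:<display name>".
"""
from dataclasses import dataclass

# Directories a binary claiming to be a Windows component is expected to live in
# (heuristic chosen for this example, not a rule from the report).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class AuthorizedApp:
    path: str
    scope: str
    state: str
    name: str


def parse_authorized_app(data: str) -> AuthorizedApp:
    """Split "<path>:<scope>:<state>:<name>".  The path itself contains a drive
    colon, so split from the right and consume exactly three separators."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not an AuthorizedApplications value: {data!r}")
    path, scope, state, name = parts
    # Trik writes "Enabled: Windows NetBIOS Driver" with a leading space in the name.
    return AuthorizedApp(path, scope, state, name.strip())


def is_suspicious(app: AuthorizedApp) -> bool:
    """Flag an enabled entry whose display name claims to be a Windows component
    but whose binary sits outside the trusted directories (e.g. under AppData)."""
    in_trusted_dir = app.path.lower().startswith(TRUSTED_DIRS)
    claims_windows = app.name.lower().startswith("windows ")
    return claims_windows and not in_trusted_dir and app.state.lower() == "enabled"


def find_suspicious(values: dict) -> list:
    """values maps value name -> value data, as enumerated from the List key."""
    return [app for app in map(parse_authorized_app, values.values()) if is_suspicious(app)]


# Constructed sample of what the List key might contain on an infected host.
SAMPLE_LIST = {
    r"C:\Program Files\Example\example.exe":
        r"C:\Program Files\Example\example.exe:*:Enabled:Example Client",
    r"C:\Users\bob\AppData\Roaming\svcs.exe":
        r"C:\Users\bob\AppData\Roaming\svcs.exe:*:Enabled: Windows NetBIOS Driver",
}

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LIST):
        print(f"suspicious firewall allow-list entry: {hit.path} ({hit.name})")
```

The rsplit from the right matters: splitting on the first colons would break the path at the drive letter. Running the script over the constructed sample reports only the AppData entry.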
Trik then checks whether the file winsvcs.txt is present in the %AppData% directory on the compromised computer. This file is present if the computer has previously been infected with Trik.
- If winsvcs.txt is not present, the Nemty ransomware is downloaded and executed. This check keeps Nemty off computers that are already part of the botnet, so Trik's own operation there is not hindered by its files being encrypted.
- If winsvcs.txt is present, the SMB component checks if it is running as a service or not. If it is not running as a service, the component tries to spread itself through the SMB protocol.
To find targets, the SMB component generates random IP addresses and tries to connect to each of them on TCP port 139.
Analysis of the malware's code shows that it skips the routine if the generated IP address is a local one, so only public IP addresses are attacked. A host with port 139 open is infected if it accepts any of the common administrator usernames and passwords on the malware's list.
Usernames: Administrator, administrator, Admin, admin
Passwords: 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 123123, 12321, 123321, 123abc, 123qwe, 123asd, 1234abcd, 1234qwer, 1q2w3e, a1b2c3, administrator, Administrator, admin, Admin, admin123, Admin123, admin12345, Admin12345, administrator123, Administrator123, nimda, qwewq, qweewq, qwerty, qweasd, asdsa, asddsa, asdzxc, asdfgh, qweasdzxc, q1w2e3, qazwsx, qazwsxedc, zxcxz, zxccxz, zxcvb, zxcvbn, passwd, password, Password, login, Login, pass, mypass, mypassword, adminadmin, root, rootroot, test, testtest, temp, temptemp, foofoo, foobar, default, password1, password12, password123, admin1, admin12, admin123, pass1, pass12, pass123, root123, abc123, abcde, abcabc, qwe123, test123, temp123, sample, example, internet, Internet
If access is granted, the malware uses SMB to copy itself to the remote machine and then uses the Windows Service Control Manager to start the SMB component's process there. The sample running on the remote machine performs the same winsvcs.txt check, which again determines whether or not Nemty is downloaded and executed.
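The target-selection and credential-guessing steps above translate directly into a self-check a defender can run. The following is an added example (not the malware's code and not from the Symantec report): it draws random IPv4 addresses the way the worm does, drops the ones the worm would skip, and audits a set of account passwords against the hardcoded username and password lists reproduced from the report. It makes no network connections. One assumption is labelled: the report only says "local" addresses are skipped, and the code treats that as every non-routable range (RFC 1918, loopback, link-local, multicast, reserved); the constructed accounts in the usage section are invented for the example.

```python
"""Model of the Trik SMB component's target selection and credential list.

Added example.  Reproduces the logic described in the write-up (random IPv4
targets, skip local ones, guess hardcoded admin credentials on port 139) so the
same rules can be used to audit your own exposure.  No connections are made.
Assumption: "local" is taken to mean any non-routable address.
"""
import ipaddress
import random

TRIK_USERNAMES = ["Administrator", "administrator", "Admin", "admin"]

# Transcribed from the Symantec write-up; duplicates kept as published.
TRIK_PASSWORDS = """123 1234 12345 123456 1234567 12345678 123456789 1234567890 123123 12321
123321 123abc 123qwe 123asd 1234abcd 1234qwer 1q2w3e a1b2c3 administrator
Administrator admin Admin admin123 Admin123 admin12345 Admin12345
administrator123 Administrator123 nimda qwewq qweewq qwerty qweasd asdsa
asddsa asdzxc asdfgh qweasdzxc q1w2e3 qazwsx qazwsxedc zxcxz zxccxz zxcvb
zxcvbn passwd password Password login Login pass mypass mypassword adminadmin
root rootroot test testtest temp temptemp foofoo foobar default password1
password12 password123 admin1 admin12 admin123 pass1 pass12 pass123 root123
abc123 abcde abcabc qwe123 test123 temp123 sample example internet
Internet""".split()

TARGET_PORT = 139


def is_candidate_target(ip: str) -> bool:
    """True if the worm would attempt this address: public and routable.
    Every non-routable class is excluded explicitly rather than relying on
    IPv4Address.is_global, whose coverage differs between Python versions."""
    addr = ipaddress.IPv4Address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def generate_targets(count: int, seed=None) -> list:
    """Draw random 32-bit addresses as the worm does and keep the ones it
    would connect to on TARGET_PORT.  A seed makes the draw reproducible."""
    rng = random.Random(seed)
    targets = []
    while len(targets) < count:
        ip = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        if is_candidate_target(ip):
            targets.append(ip)
    return targets


def weak_admin_credentials(accounts: dict) -> list:
    """accounts maps username -> password (e.g. from an offline password audit).
    Returns the (user, password) pairs the SMB component would guess correctly.
    Matching is case-sensitive, exactly as the hardcoded lists are."""
    return [(user, pw) for user, pw in accounts.items()
            if user in TRIK_USERNAMES and pw in TRIK_PASSWORDS]


if __name__ == "__main__":
    print("sample targets:", generate_targets(5, seed=1))
    # Constructed accounts for the example; only the first pair is on both lists.
    sample_accounts = {"Administrator": "Admin12345",
                       "admin": "C0rrect-h0rse-!",
                       "svc_backup": "password"}
    print("guessable:", weak_admin_credentials(sample_accounts))
```

Note that svc_backup with the password "password" is not reported even though the password is on the list: the worm only tries the four administrator spellings, so the exposure this particular component creates is limited to those accounts. A broader password audit should of course not stop at that list.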