Indexsinas SMB Worm Attacks Vulnerable Environments

The  Indexsinas SMB worm is aiming for susceptible situations in which scientists cautioned – focusing on healthcare, hospitality, education, and the telecommunications industries. Its ultimate objective is to reduce crypto miners on hacked PCs. 

Since 2019, Indexsinas, aka NSABuffMiner, has been lurked. It uses the old weapon arsenal Equation Group, along with EternalBlue and EternalRomance, to invade Windows SMB shares and DoublePulsar backdoor. Indexsinas is using lateral mobility to assimilate specific environments aggressively. 

“Propagation is achieved through the combination of an open-source port scanner and three Equation Group exploits – EternalBlue, DoublePulsar, and EternalRomance,” as per a Guardicore Labs analysis 

Since 2019, Indexsinas has deployed a broad infrastructure consisting of over 1,300 devices operating as sources of attack, and every device is accountable for only certain cases of attack (most likely hacked systems, Guardicore observed, particularly in India, the USA, and Vietnam). To date, almost 2,000 different attacks have been reported in Guardicore’s telemetry. 

The shroud of attacks to find out more about cyber attackers behind Indexsinas is quite difficult to breach. 

“The Indexsinas attackers are careful and calculated,” according to the firm. “The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The [command-and-control] C2 server is highly protected, patched, and exposes no redundant ports to the internet. The attackers use a private mining pool for their crypto mining operations, which prevents anyone from accessing their wallets’ statistics.” 

According to Guardicore Labs, the attack commences when a machine is infringed using the NSA’s tools. These attacks run code in the kernel of the victim and can inject payloads to user mode utilizing asynchronous procedure calls (APCs). 

Researchers noted, “Indexsinas uses the exploits to inject code to either explorer.exe or lsass.exe. The injected payloads – EternalBlue.dll for 32-bit and DoublePulsar.dll for 64-bit – download three executable files from the main C2 server.”

It has been reported that there is a whole reversed DLL file in the file downloads which is a Portable Executable file, a version of a Gh0stCringe remote access tool (RAT). 

The first one installs the RAT, while the second provides a key feature for C2 commands and reporting machine information, including computer name, malware group ID, date of installation, and technical specs of CPUs. 

The files iexplore.exe and services.exe meanwhile install two services utilizing the tool which impersonates the Windows svchost.exe function. The first service has to drop the crypto miner, whereas the second just runs the crypto miner module. 

c64.exe, which in turn dumps two files is yet another payload downloaded as part of the initial stage. One is the executable ctfmon.exe — the propagation tool. 

“Ctfmon.exe is responsible for finding potential victims and exploiting them using Equation Group’s tools – and it does that extremely thoroughly,” researchers said. “It uses exploits for both 32-bit and 64-bit machines and scans both RPC (TCP 139) and SMB (TCP 445) ports. Moreover, it tries to move laterally within the organizational network as well as spread across the internet.” 

A timetabled task performs a batch script that installs a service. The service launches a second batch script that scans and uses the port. 

The batch scripts in these flows also uninstall the services of competitors, end their operations and erase their files. 

“It is crucial that network administrators, IT teams, and security personnel be able to easily identify assets and the services they run,” they explained. “Specifically, it should be easy to spot internet-facing servers, SMB included. With visibility in place, network admins would want to limit the access from and to different assets and the network services they expose.” 

Corporate functions and production activities, for example, should be separated. Policy rules can also be applied that secure SMB servers of an organization, such as the interdiction of internet access via SMB or only permit specified IP addresses to access the firm’s internet fileserver. This can help in prevention against Indexsinas Worm Infections.