A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network
Campaign Information
Name: k8h3d
First seen in Guardicore Centra: 2019-02-23
Last seen in Guardicore Centra: 2020-08-02
The k8h3d attack campaign combines a Monero cryptominer with a worm module that exploits EternalBlue for lateral movement. Initially, the attacker breaches victim machines via MS-SQL. The attacker then creates a new user named “k8h3d” with password “k8d3j9SjfS7” and changes the MS-SQL system admin password to a random string. After the backdoor user is created, the attacker uses it to connect to the machine over SMB and drop multiple malicious scripts and binaries, including a dropper, a Trojan horse, a Monero cryptominer and an EternalBlue worm. The payloads persist by installing scheduled tasks and services (names include “Autocheck”, “Autoscan”, “Bluetooths”, “DnsScan”, “WebServers” and “Ddriver”). In addition, system information is sent to the attacker’s command-and-control servers, from which additional payloads can be downloaded and executed.
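A host-based check for the artifacts named in the description above, added here as an example and not part of Guardicore's page or tooling. It assumes the quoted names are scheduled task and service names (by Name or DisplayName) and that it runs elevated on Windows PowerShell 5.1 or later:

```powershell
# Added hunting example, not Guardicore's code. Assumes the names quoted in the
# campaign description are task/service names and that this runs elevated on
# Windows PowerShell 5.1 or later (Get-LocalUser / Get-ScheduledTask).
$BackdoorUser     = 'k8h3d'
$PersistenceNames = @('Autocheck', 'Autoscan', 'Bluetooths', 'DnsScan', 'WebServers', 'Ddriver')
$findings = New-Object System.Collections.Generic.List[object]

# 1. Backdoor local account created after the MS-SQL breach (Security event 4720 will show its creation).
$user = Get-LocalUser -Name $BackdoorUser -ErrorAction SilentlyContinue
if ($user) {
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                      Where-Object { $_.Name -like "*\$BackdoorUser" })
    $findings.Add([pscustomobject]@{
        Type = 'LocalUser'; Name = $BackdoorUser
        Detail = "Enabled=$($user.Enabled) Administrators=$isAdmin LastLogon=$($user.LastLogon)" })
}

# 2. Scheduled tasks carrying the campaign's persistence names; record what each one executes.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $PersistenceNames -contains $_.TaskName } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Name = $_.TaskName
                                         Detail = "State=$($_.State) Runs: $actions" })
    }

# 3. Services with the same names; the image path points at the dropped binary to collect.
foreach ($n in $PersistenceNames) {
    Get-CimInstance Win32_Service -Filter "Name='$n' OR DisplayName='$n'" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'Service'; Name = $_.Name
                                             Detail = "State=$($_.State) Path=$($_.PathName)" })
        }
}

if ($findings.Count -eq 0) { 'No k8h3d host artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on any row is a reason to pull the referenced binary and the MS-SQL login history rather than to remediate in place, since the campaign also changes the sa password and spreads over SMB.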
Indicators of Compromise
Source IPs
Connect-Back Servers
Associated Files
Attack Flow
Breached Services: MSSQL, SMB
Tags: SMB Share Connect, User Added to Group, Execute MsSql Shell Command, MSSQL, Service Creation, Download File, Successful MSSQL Login, Service Start, IDS – Attempted User Privilege Gain, Download and Execute, User Created, File Operation By CMD, Successful SMB Login, SMB, CMD
Incident Summary
Event | Tags |
---|---|
IDS detected Attempted User Privilege Gain : SQL sp_configure – configuration change | IDS – Attempted User Privilege Gain |
IDS detected Attempted User Privilege Gain : sp_password – password change | IDS – Attempted User Privilege Gain |
IDS detected Attempted User Privilege Gain : xp_cmdshell – program execution | IDS – Attempted User Privilege Gain |
A user logged in using MSSQL with the following credentials: sa / ****** – Authentication policy: White List | Successful MSSQL Login |
A user logged in using MSSQL with the following credentials: sa / ****** – Authentication policy: Previously Approved User | Successful MSSQL Login |
MSSQL executed 1 shell commands | Execute MsSql Shell Command |
User k8h3d was created with the password *********** added to groups: Administrators and logged in using SMB | Successful SMB Login, User Added to Group, User Created |
A user logged in using SMB with the following username: k8h3d – Authentication policy: Correct Password | Successful SMB Login |
The file C:\Windows\LtXTflwR.exe was downloaded and executed | Download and Execute |
c:\windows\system32\services.exe installed and started %systemroot%\ltxtflwr.exe as a service named DyqE under service group None | Service Start, Service Creation |
C:\Windows\temp\svchost.exe was downloaded | Download File |
Connection was closed due to user inactivity | |