Threat analysis studies: Mekotio, FluBot, Cring and WannaMine

Posted date 15/04/2021
Author
INCIBE (INCIBE)
Threat analysis studies image

On INCIBE-CERT’s website we will publish, when required, various studies with analyses of threats or malware distribution campaigns that affect Spain. For this purpose, and concerning the most important threats in recent months, the SMS campaigns, malspam, and other distribution vectors detected by internal tools, or various open sources with information on these threats, as well as the incident management carried out by INCIBE-CERT, have been used as a source.

The purpose of these studies of threats is to provide cybersecurity professionals with granular and detailed information about the modus operandi and the operation of these campaigns that affect a broad range of companies, citizens and national bodies so that, once the more technical details and their characteristics are known, the most appropriate detection and protection measures can be implemented.

Mekotio

The first of these studies is focused on the banking Trojan Mekotio, which is especially designed to attack users who use banking or cryptocurrency services. Since it was first detected in Spain, in March 2018, its code and functionalities have been developed and adapted, also maintaining the financial market as the main target, undertaking a high-impact malware distribution campaign in Spain since the beginning of 2021.

Through this study, a detailed technical analysis of the threat is carried out, with a sample of malicious code, belonging to the Mekotio family, which is also available at VirusTotal, and the main aim of which is to identify the actions this malware carries out.

An IOC rule and a Yara rule are included in this analysis to help with detecting samples belonging to the Mekotio family.

The full study can be downloaded below:

FluBot

The second study deals with FluBot malicious code, a Trojan specially designed for Android devices and which has been present in multiple fraudulent SMS campaigns since 2020, in which logistics companies such as FedEx, DHL or Correos are spoofed to induce the user to install a malicious application.

Over the course of the study, a detailed technical analysis is undertaken of the threat through three samples of the malicious code in question, which are also available at VirusTotal, to show the behaviour of this malware and the capabilities it provides.

An IOC rule and a Yara rule are included in this analysis to help with detecting samples belonging to the FluBot family.

The full study can be downloaded below:

Cring

The third study deals with Cring malicious code, also known as Crypt3r, a simple type of malware that is able to partially encrypt a computer and destroy any backup copies stored on it, which makes it, at the very least, interesting for developing ransomware-type cyberattacks especially aimed at the business arena, by focusing on databases and office IT files.

Over the course of the study, a technical analysis is undertaken of a sample of the malicious code, which is also uploaded to the VirusTotal platform, to explain its structure, capacity and behaviour.

An IOC rule and a Yara rule are included in this analysis to help with detecting samples belonging to the Cring family.

The full study can be downloaded below:

WannaMine

The fourth study provides information about a malware of the WannaMine family, whose main purpose is cryptojacking, using the affected machines to carry out cryptocurrency mining. WannaMine is made up of various artifacts, and it is able to extract credentials from the affected systems using MiMimikatz, and to exploit the EternalBlue vulnerability.

The technical report begins by providing general information about each artifacts, below is a summary list of actions the malware carries out, to proceed with the detailed analysis of the sample. The persistence of the sample in the system and the lateral movement mechanisms for their spread are then analysed. Finally, the 2 cryptocurrency mining methods included in the analysed WannaMine sample are explained.

This analysis includes an analysis of a script that eliminates WannaMine from the affected system and IOCs to help with detecting them.

The full study can be downloaded below: