RSA Admin

Kargen Botnet Teams With Chameleon Encoding

Blog Post created by RSA Admin Employee on Jul 2, 2014

I previously wrote about Kargen here.  It's main characteristics are a set beacon filename length put to a /b/req/ or /b//opt/ directory on a compromised webserver.

 

I previously wrote about Chameleon encoding here, which primary characteristics were domains that were actually hexadecimal color codes, registered, I think, to frustrate researchers looking to search the internet for these domain names involved in an incident.  Instead of information about the incident, results from web searches only include any embedded matching hex color code in thousands of web pages crawled by the search engines.

 

In the sample below, we can see similar Kargen activity, coupled with beaconing to a Chameleon encoded domain.  The Kargen beacon has changed length strings a bit, and the Chameleon Encoding put commands are now url-encoded beacons rather than search engine strings.  Here is a screenshot of that beacon.

 

87508

 

This PCAP, attached below, is available for everyone to evaluate for new rules to detect this threat.  It came from MalwareTrafficAnalysis here, dated 6/29.  The infection is a result of the Magnitude Exploit Kit, but the post-infection network traffic should be familiar as Kargen.  This threat is new, but it builds on older techniques and methods of botnet masters that we have previously discussed in this space.  As always, the domains here will be added to the Live C2 domains list.

 

Please discuss among yourselves how best to detect this new combined variant.

 

Good Luck and Happy Hunting!

Outcomes