Ahmed Sonbol

Detecting Dreambot variants using RSA NetWitness

Blog Post created by Ahmed Sonbol Employee on Apr 4, 2017

Ursnif, also known as Gozi and ISFB, is a banking Trojan that primarily targets English-speaking countries. It was first discovered in 2007, and in 2010 its source code was unintentionally leaked [1], which provided the basis for much of the legacy Ursnif variant diagnosis and detection. Dreambot is a newer variant (circa 2016) of Ursnif that incorporates capabilities such as Tor communications and peer-to-peer functionality [2].

Dreambot malware has been observed to spread via many of the conventional crimeware avenues, including exploit kits, e-mail attachments and links [2] [3]. To evade automated malware analysis, Dreambot uses password-protected macro attachments and also delays for 250 seconds before downloading the malware [4].

This threat advisory discusses how to detect Dreambot beaconing activity using RSA NetWitness Logs & Packets.

A system infected with Dreambot reaches out to its command and control server as follows:

[screenshot of the check-in session omitted]

The behavior is consistent across many Dreambot samples:

[screenshot of check-in sessions from several samples omitted]

Then a Tor client is retrieved:

[screenshot of the Tor client download session omitted]

The check-in is different for other Dreambot variants:

[screenshot of the check-in session for other variants omitted]

Assuming that the appropriate meta keys are enabled, the following queries can be used to detect Dreambot network activity:

  • To detect the check-in activity, use:

    action = 'get' && filename = '.avi' && extension = 'avi' && directory contains '/images/' && direction = 'outbound'

    action = 'post' && directory begins '/images/' && query begins 'filename=' && extension = 'bin' && direction = 'outbound'

  • To detect the Tor client retrieval, use:

    action = 'get' && filename = 'test32.dll','t32.dll','t64.dll' && extension = 'dll' && directory contains '/tor/' && direction = 'outbound'
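The three queries above can be read as predicates over the HTTP meta keys NetWitness extracts from each session (action, directory, filename, extension, query, direction). The following Python is an added example, not part of the original advisory or an RSA tool: it derives those same meta values from a minimal proxy-style log line (a constructed "METHOD URL DIRECTION" format, assumed here) and evaluates the three rules against them, so the matching logic can be checked against sample traffic offline. The log lines and the c2.example.invalid host are constructed for illustration; NetWitness's `=` is treated as exact match and `contains`/`begins` as substring/prefix, which is how the queries are written.

```python
from urllib.parse import urlparse

# Constructed sample lines in an assumed "METHOD URL DIRECTION" format.
# They are illustrative only; the hosts and paths are not real IOCs.
SAMPLE_LOGS = [
    "GET http://c2.example.invalid/images/Zx9k/.avi outbound",                    # check-in (GET)
    "POST http://c2.example.invalid/images/Zx9k/upload.bin?filename=Zx9k outbound", # check-in (POST)
    "GET http://c2.example.invalid/tor/t64.dll outbound",                          # Tor client retrieval
    "GET http://cdn.example.invalid/images/logo.png outbound",                     # benign image fetch
    "GET http://c2.example.invalid/images/Zx9k/.avi inbound",                      # wrong direction
    "GET http://c2.example.invalid/downloads/test32.dll outbound",                 # right file, wrong directory
]


def extract_meta(line):
    """Derive NetWitness-style HTTP meta keys from one constructed log line."""
    method, url, direction = line.split()
    parsed = urlparse(url)
    path = parsed.path or "/"
    # NetWitness 'directory' is the path up to and including the last '/';
    # 'filename' is what follows it; 'extension' is the text after the last '.'.
    directory, filename = path.rsplit("/", 1)
    directory += "/"
    extension = filename.rsplit(".", 1)[1] if "." in filename else ""
    return {
        "action": method.lower(),
        "directory": directory,
        "filename": filename,
        "extension": extension,
        "query": parsed.query,
        "direction": direction.lower(),
    }


# Each rule mirrors one query from the advisory: '=' is exact match,
# 'contains' is substring, 'begins' is prefix.
RULES = {
    "dreambot_checkin_get": lambda m: (
        m["action"] == "get"
        and m["filename"] == ".avi"
        and m["extension"] == "avi"
        and "/images/" in m["directory"]
        and m["direction"] == "outbound"
    ),
    "dreambot_checkin_post": lambda m: (
        m["action"] == "post"
        and m["directory"].startswith("/images/")
        and m["query"].startswith("filename=")
        and m["extension"] == "bin"
        and m["direction"] == "outbound"
    ),
    "dreambot_tor_retrieval": lambda m: (
        m["action"] == "get"
        and m["filename"] in ("test32.dll", "t32.dll", "t64.dll")
        and m["extension"] == "dll"
        and "/tor/" in m["directory"]
        and m["direction"] == "outbound"
    ),
}


def match_rules(meta):
    """Return the names of all rules whose predicate holds for this meta."""
    return [name for name, pred in RULES.items() if pred(meta)]


def scan(lines):
    """Evaluate every line; return only the lines that fired at least one rule."""
    hits = {}
    for line in lines:
        matched = match_rules(extract_meta(line))
        if matched:
            hits[line] = matched
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE_LOGS).items():
        print(f"{', '.join(names)}: {line}")
```

Running the block prints the three constructed sessions that satisfy the advisory's queries; the benign image fetch, the inbound session and the DLL outside `/tor/` are correctly left alone, which is the kind of negative case worth keeping in a test set when the rules are later tuned.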

Dreambot samples can be found on VirusTotal and on Payload Security (links in the original post).

All the IOCs from those sessions were added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

To find those IOCs using RSA NetWitness, please refer to this post.

In addition, the following Application Rule is now available on Live:

[screenshot of the Application Rule omitted]

Below is a screenshot of the Application Rule detecting Dreambot traffic:

[screenshot of the Application Rule firing on Dreambot traffic omitted]

Thanks go to Rajas Save for contributing to this threat advisory.

References:

  1. https://securityintelligence.com/gozi-goes-to-bulgaria-is-cybercrime-heading-to-less-chartered-territory/#.VdQEtfnddi8
  2. https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
  3. RIG EK at 92.53.127.21 Drops Dreambot – MALWARE BREAKDOWN
  4. New Password Protected Macro Malware evades Sandbox and Infects the victims with Ursnif Malware !! - Cysinfo