Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > Author: Robert Conley

RSA NetWitness Platform

6 Posts authored by: Robert Conley Employee
Robert Conley

Getting to Know Mirai

Posted by Robert Conley Employee Aug 30, 2017

Overview

The Mirai botnet seeks out poorly secured Internet of Things(IoT) devices. IoT refers to any consumer or business smart device that can connect to the internet. When found they are infected with its virus. They then become a part of the botnet. Mirai was discovered by the white hat research group MalwareMustDie in 2016[1]. The source code was released by its author in late 2016[2].

Mirai has exploited IP security cameras, routers, and DVRs. This list will grow as more devices are sold every day and new connected devices enter the market. One Gartner report claims 20.4 billion IoT devices will be in use by 2020[1].

Mirai has become so prevalent that it’s actively being monitored and tracked by a number of websites. For example, the IoT search engine Shodan.io provides many statistics that include Top Countries, Top Services, and Top Organizations, Figure 1. It even provides live views from Mirai infected devices.

 Figure 1, source- https://www.shodan.io/search?query=mirai.

 

 

Statistics are impressive and great talking points during meetings, but at the end of the day victims should be concerned about their vulnerable devices becoming hijacked by a botnet. Unlike ransomware or a trojan, your personal files won’t become encrypted nor will your online banking credentials get stolen; however botnets are an even greater menace. They provide operational infrastructure to threat actors and have the potential to wreak havoc on many aspects of society including communication grids, mass transit, and even emergency services.

 

 

Discovery and Infection

Botnet are comprised of two components, the C2 servers and the bots. In the case of Mirai, C2 servers constantly seek new bots scanning the internet for IoT devices listening on telnet ports. When found, Mirai launches a brute force password attack that iterates through a pre-loaded table of commonly used default and factory logins, see Table 1 below. Upon successful access, malicious executables are installed and the device becomes part of the botnet.

 

 

Figure 2 below shows a code snippet from Mirai’s build.sh file. It’s used to infect IoT devices. The code can be compiled and run on many different CPU architectures, to include x86, Mips, ARM, and a number of other OSes that are also targeted.  

Figure 2

 

 

Attack Capabilities

Mirai bots are designed to launch a variety of distributed denial of service (DDoS) flood attacks. Each targets a different layer of the TCP/IP stack but share the same goal which is to disrupt normal operations of a targeted network resource. Listed below are a sample of the attack types, a brief description of each, and source code illustrating functionality.

  • UDP Flood 

                  UDP packets flood random ports on a target causing resources to be consumed unnecessarily, Figure 3.

Figure 3

 

 

  • Domain Naming Service (DNS)

                 Spoofed UDP packets target the host’s DNS service, Figure 4.

Figure 4

 

 

  • Plain UDP

                  UDP packets saturate the target’s network and consume bandwidth, Figure 5.

Figure 5.

 

 

  • TCP SYN

                  Exploits the TCP handshake by not replying to SYN/ACK responses, Figure 6.

Figure 6.

 

 

  • TCP ACK

                     Spoofed packets are sent without containing sessionless ids, Figure 7.

Figure 7

 

 

  • Simple Text Oriented Messaging Protocol (STOMP) Flood

                  STOMP requests are sent to target in order to saturate network resources, Figure 8.

Figure 8

 

 

  • Generic Routing Encapsulation (GRE) IP

                    Packets target tunneling and VPN protocols, Figure 9.

Figure 9

 

 

  • HTTP

                     GET, POST or other HTTP requests are aimed at disabling target web services, Figure 10.

Figure 10

 

 

 

Propagation

In addition to launching attacks, bots are also tasked with searching for new victims. They take their cue from the file scanner.c. A quick walk through of the file shows TCP/IP packet assembly, network scanning, and IP address selections.

 

Setup up TCP/IP headers and load the payload, Figure 11.

Figure 11

 

Read packets and get SYN/ACKs, Figure 12.

Figure 12

 

Choose a random IP address to attack. Exclude certain IP ranges, such as General Electric Company, Hewlett-Packard Company, US Postal Service, and IANA, Figure 13.

Figure 13

 

 

Exclusion

Mirai likes to keep what it kills. After it has compromised a device it enables security to lock out other botnets. Killer.c’s code disables port 23 and stops processes such as telnet, SSH, and HTTP, Figures 14 and 15.

Figure 14

 

Figure 15

 

 

 

Detection

RSA NetWitness Packets can be used to detect Mirai. Its C2 servers use the telnet protocol, default port 23, to fingerprint remote ip addresses, Figure 16.

Figure 16

 

Pivoting into the sessions provides more details, Figure 17.

Figure 17

 

Successfully locating an IoT device with an open telnet port results in a system login prompt, Figure 18.

Figure 18

 

Next, Mirai attempts to login. Using its login credentials table, see the Discovery and Infection section above, it iterates through each userid/password pair. For example root/xc3511 worked on this device, Figure 19.

Figure 19

 

Mirai is now logged in as the root user. The Busybox prompt awaits its next instructions. Busybox is a stripped down version of Linux utilities that’s commonly run on embedded systems, Figure 20.

Figure 20

 

After gaining access to the device, Mirai executes a series of steps that will ensure it has sole ownership of it. For example, it will escalate its privileges, disable SSH, block remote administration ports, and search for any competing botnets. If any are found, they are killed. The final step is to download and install the bot virus.

 

RSA NetWitness feeds are capable of detecting Mirai[4]. Both the Malware IP List (nwmalwareiplist) and Malware Domain List (nwmalwaredomainlist) contain Mirai IOCs.

 

 

  • Malware IP List

Description: List of IP addresses commonly associated with malware sourced from www.malwaredomainlist.com.

Medium: log, packet

Live Tags: threat, malware

Index/Trigger Meta Key: ip.addr

Registered Meta Keys: threat.category, threat.desc, threat.source

  • Malware Domain List

Description: List of domains commonly associated with malware sourced from www.malwaredomainlist.com.

Medium: log, packet

Live Tags: threat, malware

Index/Trigger Meta Key: alias.host

Registered Meta Keys: threat.category, threat.desc, threat.source

 

 

 

Summary

The IoT is a double edged sword. For every new convenience it provides, another device has potentially become the newest member of a botnet. Getting a text message from the refrigerator when the egg supply is low or one from the fish tank when the filter needs changing helps many of us stay on top of our hectic, daily lives. The same IoT software that enables these types of notifications also presents an attack vector. The Mirai botnet was designed to attack and exploit it, the goal being to seize complete control of a device. When successful, it's then leveraged for nefarious purposes such as DDoS attacks. More often than not, all of this happens without its owner being aware. Changing a device's default password, installing software patches, and periodically rebooting it are ways to combat the spread of Mirai.

 

 

Thanks to Kevin Stear and Jim Ward for their contributions to this blog post.

 

 

PCAP

https://github.com/ixiacom/ATI/blob/master/PCAPS/Mirai_command_and_control.pcap

 

 

 

Tracking

https://www.shodan.io/search?query=mirai

https://twitter.com/MiraiAttacks

https://intel.malwaretech.com/botnet/mirai

https://tracker.h3x.eu/c2/680

 

 

 

References

[1]http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html

[2]https://github.com/jgamblin/Mirai-Source-Code

[3] http://www.gartner.com/newsroom/id/3598917

[4]https://community.rsa.com/docs/DOC-76076

 

 

 

Additional reading

https://community.rsa.com/community/products/netwitness/blog/2017/06/09/an-introduction-to-botnets

https://community.rsa.com/community/products/netwitness/blog/2016/10/13/rsa-firstwatch-mirai-and-all-things-iot

https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

https://blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot/

https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/mirai-botnet/

https://www.corero.com/blog/793-untangling-the-dark-web-behind-mirai-iot-botnet-ddos-attacks.html

Robert Conley

Necurs Delivers

Posted by Robert Conley Employee Jul 13, 2017

The shotgun effect

Botnets are the shotgun within a cybercriminal's arsenal.  They provide an amplified delivery mechanism for malware and other threats.  Deployment varies, but they are typically installed on an unsuspecting victim's system through the use of an exploit kit (EK).  They compromise a known system vulnerability to allow unauthorized access.  After taking control of a large group of systems, commonly referred to as zombies, a ‘botmaster’ will use them to conduct nefarious activities, like sending spam.

 

Some botnets are reported to have over one million zombies.  That’s a lot of spam blasted across the internet, and perhaps what Necurs is best known for.

 

This article will discuss the Necurs botnet, its architecture, highlight recent, notable payloads, and identify how RSA NetWitness products can identify it.

 

 

Necurs

Necurs is one of the largest botnets, some claim it's the largest.  Reports have it containing upwards of six million endpoints [1]. It was identified in 2012 and remains active on the threat landscape.  Its activity has seen periodic ebbs, but Blackhats continue using it.  With regards to payloads, Necurs has been responsible for delivering many high profile malware campaigns including Dridex, Locky, and Jaff.  It has also been used to transmit a slew of other spam and phishing attacks.  Security researchers recently observed that a new module was added to carry out distributed denial of service (DDoS) attacks [2].

 

Necurs is a highly resilient piece of malware.  Its strength and longevity can be attributed to many factors including a kernel-mode rootkit [8], modularity, anti-AV features, and domain generation algorithms [8].  Additionally, it contains a hybrid network architecture which leverages two different Command and Control (C2) models.

 

The first model uses centralized C2 servers and a flat hierarchy for managing and organizing a legion of zombies.  Although effective, it's also a weakness because it offers a central point of failure.  If law enforcement or other appropriate parties can disable or even blacklist a couple of servers they will have impacted the botnet.

 

To mitigate this weakness, Necurs uses a second model which has built-in peer-to-peer communications to provide C2 server redundancy [3].  Conceptually, it constitutes a meshed network wherein every node, server and client, talks to each other.  If one server becomes inaccessible others will not only detect it, they will initiate operations to promote another to replace it.  In so doing, they regain control of any orphaned zombies.

 

Detecting Necurs, or any botnet for that matter, is challenging because of its custodial role as a transport vehicle for other malware. Its presence is discreet and often discovered only after the transported malware has been exposed. With this in mind we’re going to discuss detection first as it pertains to transported malware, and then on Necurs.

 

 

Payloads

  • Jaff Ransomware

In May 2017 the Jaff ransomware was being delivered globally via a large, malicious spam campaign.  Researchers determined that its source was the Necurs botnet [4].  The malspam contains a PDF attachment.  Opening it shows one line of text, Figure 1.

Figure 1

 

 

A user is then prompted to open the embedded Word document, Figure 2.

Figure 2

 

 

Embedded Javascript macros open the Word doc which then download and execute an encrypted binary, the Jaff ransomware loader.  Analyzing the Word file on www.whatsthisfile.net produces a high threat score, Figure 3.

Figure 3

 

 

Figure 4 shows a Jaff Request/Response event using NetWitness for Logs and Packets.

Figure 4

 

 

The event’s meta, shown in Figure 5, is then reviewed to understand why the session was flagged.  In this instance, both host name and header count are strong indicators of suspicious activity.

Figure 5

 

 

After a victim's files are encrypted a ransom note file is dropped.  In it are instructions to visit a payment portal site.  Once there, a user can make a bitcoin payment in order to decrypt their files.

 

Kaspersky Lab provides a free decrypter utility for Jaff ransomware.  Their RakhniDecryptor application, version 1.21.2.1, can unlock files having either .jaff, .wlu, or .svn extensions [5].

 

 

 

  • Locky ransomware

First seen in 2016, Locky ransomware was sent via a Necurs spam campaign to millions of unsuspecting victims [7].  Each email contained an attached Microsoft Word document laden with malicious macros.  It’s engineered to execute when opened by the user and then downloads the loader.

 

A sample of Locky network traffic, seen in Figure 6, shows network communications direct to an IP address as opposed to a host name.

Figure 6

 

 

Figure 7 shows the Request contains a Post command instead of a typical Get. The infected host could either be transmitting data back to the downloader site or grabbing executables.

Figure 7

 

 

A close inspection of the streams confirms files are being sent, Figure 8.

Figure 8

 

 

Locky and Jaff share some common characteristics.  For example, they’re both ransomware, delivered via Necurs, and have similar payment pages.  Is it possible Jaff is a newer version Locky?  This doesn’t appear to be the case based on analysis conducted by RSA’s Data Science team.  The scientists applied fuzzy hashing techniques to executable code fragments and import libraries of each malware.  Their findings indicated a low degree of confidence that there’s a shared code base between the two. 

 

 

  • Trickbot Banking Trojan

In early June 2017 security researchers identified an email campaign delivering the Trickbot banking trojan.  Closer examination of the infection chain revealed that it was identical to that used for the delivery of Jaff ransomware.  This leads them to conclude that the Necurs botnet was the delivery mechanism [6].  Trickbot first appeared in late 2016 and targeted banks in the UK and Australia.  The current campaign has expanded targets.  Now included are France, Sweden, Norway, Finland, and Denmark.

 

Viewing Trickbot network traffic using RSA NetWitness Logs and Packets reveals the following about the malware.  It sends HTTP traffic over a non-standard port, Figure 9.

Figure 9

 

 

A closer examination of the sessions reveals HTTP traffic is being sent over port 443, instead of the standard port 80.  The destination is 203.150.19.63, Figure 10.

Figure 10

 

 

The session’s details present an exchange wherein a Get command retrieves an obfuscated cookie, Figure 11.  This will be injected into a user’s browser.  The server responds with a 404 Not Found page.  This is a diversion.  It’s used to distract the victim while the infection process executes.

Figure 11

 

 

Existing reports confirm the cookie is associated with the Trickbot Trojan.  Figure 12 shows one from www.hybrid-analysis.com.  Also seen is the ip address/port combination which were already identified.

Figure 12

 

 

 

 

  • Pump and dump spam

In early 2017 a significant upswing in pump and dump spam traffic was observed by the security industry.  The campaigns claimed to provide insider tips and information on supposedly ‘hot’ stocks. In reality, they were merely a social engineering ploy to entice recipients to buy now and then enjoy a handsome return on their investment at a later date [8].  This type of scam isn’t new.  As in the past, the goal is to pump up a stock’s price. After this happens, the perpetrator’s sell their shares and pocket a nice profit.  Close examination of email header configurations and recipients’ lists revealed strong similarities to previous Necurs based campaigns.

 

Figure 13 shows an email which targeted InCapta Inc (INCT). 

Figure 13, source www.bleepingcomputer.com

 

 

The stock’s price spiked during the spam run, Figure 14.

Figure 14, source https://www.bleepingcomputer.com

 

 

Unwanted emails of this nature can easily be filtered at the email server level.  In addition, using a messaging authentication protocol is another means of blocking unsolicited emails. The Domain-based Message Authentication, Reporting & Conformance protocol is one example, https://dmarc.org/.

 

 

  • Detecting Necurs

RSA NetWitness products can alert on and detect botnet activity in many different ways.  To illustrate, here’s a brief hunting exercise on Necurs malware in a controlled environment.  To facilitate it a few preliminary steps were taken.  They included detonating known Necurs malcode in a sandbox and pre-populating indicators of compromise (IOCs) into an RSA Live feed.  Clearly, these steps improved detection results. However, their primary purpose was to improve the clarity and logical flow of this hunting exercise as well as to demonstrate botnet activity.

 

To begin hunting I used NetWitness Security Analytics and loaded the RSA Threat Analysis profile, I focused on the meta labelled c2-domain, c2-ip, hostname aliases, and beaconing, all of which represent botnet behavior.  Beaconing is when zombies send small messages, often over either Transport Control Protocol (TCP) or Hypertext Transfer Protocl (HTTP), to C2 servers at predetermined intervals.  They’re used to exchange updates, get instructions, and issue keep-alive heartbeats.

 

Figure 15 shows captured network traffic.  Necurs IOCs appear in the c2-domain and c2-ip meta.

Figure 15

 

Hostname-aliases is a subset of the c2-domain category.  Ciiltire.com, circled in red in Figure 16, has been flagged.  It warrants closer scrutiny.

Figure 16

 

 

Cross referencing it on VirusTotal.com reveals malicious activity, see Figure 17.

Figure 17

 

 

Performing a double check on the domain’s reputation, using a site like surbl.org, is a good next step.  The results, see Figure 18, support the findings in the previous step.  Its integrity is questionable.

Figure 18

 

 

Returning to the Security Analytics interface, I proceeded to drill down on ciiltire.com in order to identify destination IP addresses.  I chose one to check, 192.185.129.5, shown in Figure 19.

Figure 19

 

 

Searching this IP address on Virustotal.com confirms malicious network traffic has been detected, Figure 20.

Figure 20

 

Returning to Security Analytics, I next investigated TCP beaconing meta, Figure 21.  It, too, confirmed Necurs activity.

Figure 21

 

 

Summary

Necurs is a massive botnet, possibly the largest in the world.  Its architecture has received periodic updates which have contributed to its versatility and longevity.  It has a track record of effectively using spam email to deliver ransomware, banking trojans, and many other malicious payloads.  Threat actors use Necurs’ wide reach to quickly saturate targeted markets with their campaigns, thereby increasing its potential infection rate.  

 

Thanks to Steven Sipes, Kevin Stear, Ray Carney, Ahmed Sonbol, and Lisa Bayen for their contributions to this blog post.

 

 

 

Hashes

Necurs

644ab8d77313f99c5103940b53768ac25e515d67478f05b517f12f50e087805b

42d15597c83ee42ec736b80cbb9c667d5538a4b14faa1bff2e4db981ab980097
3d9728ec88afe74e3ad5bee49c5c64a771f6d39b5f4b16fab280175b989d79a6

 

 

Jaff

2078e056553199dd6cb108fb3944e2b13009acabf76b52ed3ec36a429562df70

41bce3e382cee06aa65fbee15fd38f7187fb090d5da78d868f57c84197689287

0746594fc3e49975d3d94bac8e80c0cdaa96d90ede3b271e6f372f55b20bac2f

824901dd0b1660f00c3406cb888118c8a10f66e3258b5020f7ea289434618b13

 

 

Trickbot

ecc1cbdb2dd3b58ffb8a260dab2bcde93970ff63a4383a84e3f9d3dc15a1b4c7

79d96a62622e4efb01fda23cf81b759e0059ad3cd3083acff7fb4174b0b3d40c

5e363a42d019fc6535850a2867548f5b968d68952e1cddd49240d1f426debb73

 

Locky

2d967601187354d2b1f47bdbb5f6bc17472c9f3dcb202bef34528e908ab22eb4

2a40da48c9dc3e20bc6e30c986306ceccbc2d8be55b355b7a73d95c1a54319a4

f6c4e41e637a164f0f1fb8ef0dffe5639716c9c908d64cb3e87c675b28afd08c

e325dcb905b3adaaf5e33ef15a0c488f948dd90eb8577714c97482a3b7ad74bb

 

 

 

Necurs IOCs added to the RSA C2-IP and C2-Domain feeds

51.254.240.48

185.82.216.55

91.219.29.41

217.12.223.83

64.124.69.50

162.88.60.13

162.88.60.15

162.88.60.17

162.88.61.15

162.88.61.17

162.88.61.19

205.251.192.237

205.251.195.34

205.251.197.193

205.251.199.135

208.109.255.18

216.69.185.18

239.255.255.250

sportsandsocialchange.org

0hbtyHGROCKe67tfgc4uybfbnfmd.org

0hbtyHGROCKzonnit.com

ciiltire.com

yourworshipspace.com

rhvpwqledatdxerrx.info

sonuh5glplozcs2m.tor2web.org

 

 

 

References

[1] https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/

[2] http://securityaffairs.co/wordpress/56725/malware/necurs-botnet-ddos.html

[3] https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/

[4] https://www.flashpoint-intel.com/blog/necurs-botnet-jaff-ransomware/

[5] https://support.kaspersky.com/viruses/disinfection/10556#block2

[6] https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets

[7] http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html

[8] http://blog.talosintelligence.com/2017/03/necurs-diversifies.html

 

 

Additional reading

https://community.rsa.com/community/products/netwitness/blog/2017/05/17/hunting-pack-use-case-delivery-documents

https://community.rsa.com/community/products/netwitness/blog/2016/02/22/detecting-locky-variants-using-security-analytics

What is a botnet?

The term botnet is derived from the words robot and network.  A bot, sometimes referred to as a zombie, is an individual device connected to an Internet Protocol (IP) network, typically the internet.  Historically, this meant desktop computers, laptops, printers, home router, etc. were vulnerable to becoming a bot.

Today however, as the Internet of Things (IoT) evolves our household devices are increasingly more often connected to the Internet.  This means that the candidate list of potential botnet devices has greatly expanded.  Included now are web cams, baby monitoring controls, and even toasters.  After a device becomes infected with botnet malware, it can be leveraged via its network connectivity to conduct a slew of unauthorized and malicious activities. 

 

Botnet herders are actors who control bots remotely.  They setup and deploy command and control (C&C) servers, and these serve as the interface to the bots. Coded within the botnet malware are C&C check-in IP addresses, schedules, and instructions.  Their purpose is to establish communications channels from the herders to the bots.  For example, IRC channels are frequently employed for this purpose.  After communications are setup, the compromised hosts are often times further organized and issued updated instructions.  They have now become an organized group of hosts under centralized control.  Figure 1 shows the elements of a botnet.

 

 

Figure 1

 

 

According to the Internet Society-

Botnets are a complex and continuously evolving challenge to user confidence and security on the Internet. Combating botnets requires cross-border and multidisciplinary collaboration, innovative technical approaches, and the widespread deployment of mitigation measures that respect the fundamental principles of the Internet1.

 

There are two types of botnets, involuntary and voluntary. A botnet that consists of willing participants is a voluntary botnet.  In this model, frequently used by hacktivists, users willingly allow their computers to become a bot. They permit a third party to not only gain remote access and full control, but also allow it to be used for any means.  Typically this involves illicit activities.

 

In contrast is the involuntary model.  It will be the focus of this blog post as well as any follow up posts. In it, consent is not given to use a computer's resources.  It consists of users who are unaware that their computers have been compromised. To accomplish this a threat actor must deliver malware to victims.  Exploit kits, trojans or phishing scams are commonly employed to complete this step.  If successful, the computer becomes infected which opens the door for the payload delivery, a bot executable.  If this step succeeds then a new bot has been enlisted.

 

 

Current State

Rustoc, Conficker, and Zeus are some of the best known botnets.  They infected thousands of computers worldwide from 2006-2011.  Others came before them.  Botnets have long been a going concern for internet security.  They’re frequently used for spam-marketing, phishing, password stealing, and hijacking financial data.

 

Most recently, botnets made headline news when major DDoS (distributed denial of service) attacks were aimed at two notable websites, krebsonsecurity.com2 in retaliation for his continuing work and dyn.com to demonstrate the at-scale efficacy and impact of a the Mirai botnet.  The Dyn attack disrupted internet traffic on the U.S. East Coast for an entire business day3.  Botnets facilitated both of these attacks.  They were instructed to flood their targets with massive amounts of TCP and UDP requests, the goal being to knock them out of service.  They succeeded.

 

Botnets are not however invincible, and there have been numerous takedowns throughout the years.  Most recently in April 2017, the Kelihos botnet was shut down after a lengthy law enforcement process4.  Kelihos was associated with cybercriminal activities that included spam e-mail and ransomware.  In spite of such takedown efforts, hackers continue adding features and functionality to botnets.  They're motivated by financial gain and this drives them to innovate in order to stay one step ahead of law enforcement as well as detection and remediation technologies.

 

For example, a decentralized or peer to peer command structure is being used more frequently5.  In it each bot serves as both a C&C client and server.  This multiplies and provides redundant communication channels.  Plus, it eliminates a single point of failure.  As previously discussed, tapping into the Internet of Things (IoT) has presented an array of possible new recruits.  Many security researchers are currently monitoring port scans and brute force password attacks on many home networks that are attempting to convert benign devices into zombies6

 

 

Botnet Tracking

There exists a number of online resources designed to track and report on botnet activities. Table 1 presents a few of them, but many others exist.  Each one offers information in a slightly different format.  From them, you can learn at a glance which botnets are active, their location, statistics, and other pertinent information.             

                        

Table 1

 

 

Summary

This article is the first in a series about botnets.  Future articles will cover individual aspects of botnets, current campaigns they support, and related malware. 

 

 

Thanks to Kevin Stear and Ray Carney for their contributions to this blog post.

 

 

References

(1)http://www.internetsociety.org/policybriefs/botnets?gclid=CPCp1u2QhtQCFQ5XDQodpGkHUw

(2)https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

(3)https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/

(4)https://www.technologyreview.com/s/604138/the-fbi-shut-down-a-huge-botnet-but-there-are-plenty-more-left/

(5)http://www.cs.ucf.edu/~czou/research/P2P-Botnet-ICCCN09.pdf

(6)https://www.researchgate.net/publication/294457975_Scanning_for_Vulnerable_Devices_in_the_Internet_of_Things

Blackmoon (also known as KRBanker) is a banking trojan that was first detected in 2014.  Its purpose is to steal financial account login credentials using a man in the browser attack.  The perpetrators then impersonate legitimate users to conduct fraudulent transactions with banks or a variety of wealth management, investment, retirement, etc. services(1). In this way, Blackmoon victimizes both consumers and businesses when the campaign is successful.   South Korea is currently a primary target.

 

The latest version of Blackmoon uses a new multi-phase framework to evade current detection and facilitate more effective program modifications in its victims. 

 

Referred to as the Blackmoon Downloader Framework(1), it consists of three stages or modules which are designed to work in unison.

 

Stage 1-Dropper

Blackmoon propagates via a dropper commonly delivered via adware, phishing, or in some cases exploit kits.  Upon execution the dropper code spawns multiple processes, of which each is necessary to ensure a successful infection.  During the first stage, a browser vulnerability is exploited to request/receive bytecode to initiate stage 2.

 

Stage 2-Downloader

The second stage runs bytecode.  Its purpose is to expand the malware's functionality and resolve any functions it needs.  It then decodes an onboard blob of data with a single byte XOR. This contains the URL for the next download, from which the malware retrieves an EXE file typically masked as a JPG file to avoid detection. 

 

Stage 3-EXE

The framework’s final stage uses a Base64 string encoding technique to mask operations.  This obfuscation hides decoding of the Command and Control (C2) IP addresses used for bot check-in, downloading of the EXE payload, and its execution.  This stage results in a victim’s browser being redirected to a compromised website, similar to the one shown in figure 1.  After a user attempts to authenticate, their login credentials are harvested and redirected to the threat actors.

 

Figure 1 Source-https://blog.fortinet.com/

 

NetWitness Detection

RSA Netwitness Endpoint can detect Blackmoon.  Endpoint dives deeper into network endpoints to better analyze and identify zero-day, new, hidden, and even those “file-less”, non-malware attacks that other endpoint security solutions miss entirely.

 

 

 

Thanks to Kevin Stear, Bill Motley, and Christopher Ahearn for their contributions to this threat advisory.

 

 

These IOCs will be added to the Third Party Feed

r.pengyou.com

baoro.org

dmdan.co.kr

www.leeve.co.kr

2.22.8.162

 

Hashes

9ccb6b7626c9574697cabfac2574b4c6bb8a6a0b76789dfc537ba5eb2bbbc6cd

b50249b6d223f6d947e14ced2133992504d6397a3284945eb684270776f360f3

9fcdf3aac12e582bfd214b3fdcf620015633bef333989dfcf2119fe779efd695

cecc2cbe9038587618290cbd6a9bb3ffd73ce79c36be71a33c16a982f10f50ed

b2d0290e237c6e03fe589767e07dfa344192bbc63e59b9fea4fcb81ccf8da73f

a6b0379b194d81da387ad092f04bb1094a07e29156803b4244fd9f0b4b222ce0

d0e0335ccabcfedb481aadebcb0379e6b8c45591ef946a51dbe524366f81f749

ab149cce386655799d79ccbffc9f11601dc0ec514abc9788c4e76fbb5f00fcc6

 

Additional Reading-

(1)https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework

https://threatpost.com/blackmoon-banking-trojan-using-new-infection-technique/125425/

https://blog.fortinet.com/2016/04/23/over-100-000-south-korean-users-affected-by-blackmoon-campaign

http://www.darkreading.com/attacks-breaches/blackmoon-banking-trojan-goes-modular-/d/d-id/1328814?utm_content=53913196&utm_medium=social&utm_source=twitter

https://www.scmagazineuk.com/trio-of-downloaders-used-in-recent-blackmoon-banking-trojan-campaign/article/655131/

The Dridex Trojan is a strain of banking malware that began spreading in 20141. Its transport mechanism continues to be spam email, commonly referred to as malspam. It steals a victim's banking credentials in order to commit fraudulent financial transactions. Historically, Dridex relied on Microsoft Office macros to successfully infect a victim. A new campaign, however, reveals that it's now leveraging a Microsoft Word zero-day vulnerability (CVE-2017-0199) instead.

For the exploit to land, a user must open an attached Microsoft Word RTF (Rich Text Format) document. Contained within it is an embedded OLE2link object which executes winword.exe. That process sends a HTTP request to a remote server which retrieves a malicious .hta file, the payload2.

To enable detection of malicious RTF documents, users need to verify that their NetWitness installation has been configured with the:

-‘fingerprint_rtf_lua parser’ from RSA Live.

 

Once you have subscribed to and enabled this content in your environment, NetWitness will identify suspicious strings in the RTF header. Shown below is the parser flagging RTF traffic.

Thanks to Kevin Stear, Bill Motley, Angela Stranahan, and Christopher Ahearn for contributing to this threat advisory.

 

References:

1http://www.webopedia.com/TERM/D/dridex-malware.html

2https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

 

Additional reading:

https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/

http://thehackernews.com/2017/04/microsoft-word-dridex-trojan.html

https://isc.sans.edu/diary/22280

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199

Spora, a new variant of ransomware recently identified by security researchers, is written with robustness and features making it more evolved than its counterparts.[1]  Similar to existing ransomware, Spora will encrypt a user’s files and hold then hostage until a payment has been made.  However, Spora differs in numerous ways from other ransomware.  For example, it can encrypt files offline, offers a tiered payment system, and utilizes a professional-looking payment portal, which includes a Chat tool.

 

Although Spora mainly targets Russian-speaking victims, it has begun spreading globally with reported infections in Saudi Arabia, Austria, the Netherlands, and a few other Western European countries.[2] 

 

Spora propagates via spam emails, a fake Chrome font pack, or the RIG-v exploit kit (EK).  Most often it will use spam email to infect victims, disguised as an invoice from a Russian accounting software business 1C.  The email contains one attachment, an HTA file.  When double-clicked, the HTA file runs Jscript loader code and drops two files into the %TEMP% directory and executes both-

 

  • doc_6d518e.docx
  • 81063163ded.exe

 

The first opens a text reader, such as Notepad or Word, but displays invalid data.  This is believed to serve as a diversion.  While the victim tries to figure out why they have a corrupt text document, the second file has already begun encrypting the user’s files.

 

Security researchers have also discovered Spora spreading by means of a fake Chrome browser font pack update.[3]  The RIG-v EK is being used to deliver JavaScript code which displays a pop-up window asking the user if they wish to download a Chrome Font Pack. If a user accepts, the Spora payload is delivered in the form of a single executable file named Update.exe. Running the .exe will begin the process of encrypting the user’s files.

 

Since all the key generation and encryption happens locally, it precludes the need for the malware to communicate with any C2.  In other words, an internet connection is not needed to ensure a successful campaign.  Also, since the encryption keys are specific to each victim (even specific to each victim’s files), there is no ‘master’ unlock key like some other ransomware[4].

 

Spora uses a mixture of static and generated RSA and AES keys to encrypt victim data.  The steps are as follows:

 

  • Step 1: The process begins with the malware using a hardcoded AES key to extract an embedded RSA public key from the malware.
  • Step 2: The malware then generates a new RSA public/private key pair as well as a new AES key.
  • Step 3: The new AES key is used to encrypt the newly generated RSA private key.
  • Step 4: The new AES key is then encrypted using the malware’s initial, embedded public RSA key.
  • Step 5: The victim’s files are encrypted using AES keys that are generated individually for each file.
  • Step 6: These individual AES keys are encrypted with the RSA public key generated in Step 2 and are stored with the associated encrypted file.

 

 

One of the hallmarks of the Spora campaign is the high level of customer service provided to victims.  If a victim decides to pay the ransom fee, they are instructed to connect to a payment portal that is well-organized with a customer-friendly UI.  The portal includes a real-time chat tool for communicating with the threat actors.  It is believed that this level of customer service and communication are provided to encourage payments from the victims.

 

In addition to file decryption, the portal offers additional services for purchase. For example, victims can pay to receive immunity from future infection, remove all Spora related files from their computer, or decrypt a single file. 

 

Detection:

Some variants of Spora can be detected using NetWitness for Logs and Packets (NWLP).  To enable detection, verify that your installation has been configured with this content:

 

  • Fingerprint_zip parser
  • Hunting Pack

 

Screenshots for finding both of these pieces of content are shown here.

Fingerprint_zip parser

 

Hunting Pack-

 

 

Once you have subscribed to and enabled this content in your environment, NWLP will detect Spora infections that use the HTA method referenced above.  Shown below is the parser actively detecting a Spora Zip file attachment.

 

 

These IOCs have been added to the Live Third Party feed.

186.2.161.51

52.85.184.201

52.85.184.216

spora.bz

spora.biz

 

 

Thanks to Ray Carney, Kevin Stear, Bill Motley, and Steven Sipes for their contributions.

 

References:

[1] http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/

[2] http://virusguides.com/spora-ransomware-spreads-worldwide/

[3] http://virusguides.com/chrome-malware-campaign-drops-spora-ransomware/

[4] http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/

 

Additional reading:

https://id-ransomware.malwarehunterteam.com/index.php

https://www.scmagazine.com/spora-ransomware-targets-russian-users-and-encrypts-offline/article/631056/

http://www.forbes.com/sites/leemathews/2017/01/12/spora-is-the-highly-sophisticated-future-of-ransomware/#13c88d5a608b

https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/

https://www.symantec.com/security_response/writeup.jsp?docid=2017-011107-2825-99

http://www.malware-traffic-analysis.net/2017/01/30/index3.html

Filter Blog

By date: By tag: