Do you need to be a hardcore malware reverser to understand how malware works under the covers? No, not always. Here’s an example of using some free tools and OpenDNS Investigate to expedite the analysis process and rapidly protect your organization.
Subject: Urgent Notification N443111645 Thank you for placing order with our company now! Your purchase is processing right now. Outright Purchase: 4200 AUD Please check the statement given with this email to see more details about your order. ORDER DETAILS Purchase Number: AGS873904473 Order Date: 12:45 Monday, Mar 2 2015 Customer Email: <victim email address>
Attached to the email is a Microsoft Compiled HTML Help file (.chm) that, according to VirusTotal at the time of this writing, has been uploaded 28 times since 2015-03-02 23:11:38.
The file most commonly utilizes the pattern payment_ddddd.chm, where ‘ddddd‘ is a seemingly random generated integer five digits in length.
Full dynamic analysis of this file can be viewed here: https://www.virustotal.com/en/file/0d18bc9bd50080598f9d69032de95b2ed438e77884a6389755f523f3901c0b39/analysis/.
When executed, the .chm file downloads an executable named tv.exe from www[.]igloofire[.]com. The tv.exe file generates domain names using a DGA, tries to resolve the domain names, and finally contacts those domains with a single HTTP GET request and 20 HTTP POST attempts. The VirusTotal dynamic analysis for the tv.exe file can be viewed here: https://www.virustotal.com/en/file/8e801b9171291c11b0a3fcbd4314a078ff2c43305808fd49434858654e4e4bde/analysis/
“But Andrew,” you ask, “how do you know that? We don’t see anything in the VirusTotal analysis to substantiate that.”
That’s absolutely correct. In fact, the dynamic analysis from VirusTotal only shows communication to 134.170.185.211 on UDP port 123 – which is a Microsoft NTP server that the Windows virtual machine likely called out to in order to sync its time.
This exact situation illustrates some of the issues with relying entirely on dynamic analysis engines. That being said, we strongly suggest that you try multiple engines/platforms when performing dynamic analysis to see what shakes out. One alternative is The Shadowserver Foundation’s Malwr.com platform. Analyzing the downloaded tv.exe file on Malwr.com (https://malwr.com/analysis/MTY5MTAxZjE3OTk5NGVkZDkyYTFhNGMwZTVjOTBjNzc/#) shows us that several signatures have been trigged.
As well as interaction with the DGA in question – perviylich[.]ru
Additionally, we can observe the system level communication flow and the Windows hooks involved in said communication.
Now reversing the malware would have eventually given us this domain but we’re in triage mode right now. We can always reverse the malware later to confirm and/or expand our findings.
Looking up the perviylich[.]ru domain in OpenDNS Investigate, we can tell several things:
1) The domain is blocked by OpenDNS
2) The domain only recently became active
3) The majority of clients requesting the domain are from Australia (80%) – perhaps a targeted attack on a particular region?
4) The threat model identifies this domain as having a high likelihood of being a DGA
5) The domain utilizes the following IP addresses: 193.169.86.178 (also the name server) and 62.76.187.73
6) The IPs are allocated to AS’ in Ukraine and Russia, respectively
7) The IP addresses also host a number of other DGA-looking domains
8) In looking at some of the other domains on that infrastructure, we can see a similar pattern across the entire hosting IP addresses
9) We can also see a pattern emerge that shows pairings of DGA registrations utilizing the same domain name combined with both a .ru (Russia) TLD and a .su(Soviet Union) TLD.
10) Using this information, we can create a master list of domains involved in this particular malware infrastructure run:
cvelasiren[.]ru cvelasiren[.]su dobriytsar[.]ru dobriytsar[.]su dobroeutro[.]su eplayavodka[.]ru gromkiyzvuk[.]ru gromkiyzvuk[.]su holodnoepivo[.]su horoshiyden[.]ru horoshiyden[.]su korichneviyrassvet[.]ru korichneviyrassvet[.]su krepkiystul[.]ru krepkiystul[.]su krugovayaporuka[.]ru krugovayaporuka[.]su lasiren[.]su letniydozhd[.]ru letniydozhd[.]su nogaknoge[.]ru nogaknoge[.]su perviyclass[.]su perviylich[.]ru perviylich[.]su perviysneg[.]ru perviysneg[.]su | podliyvrag[.]ru podliyvrag[.]su rozoviyzakat[.]ru rozoviyzakat[.]su shumelkamish[.]ru shumelkamish[.]su silniygrom[.]ru silniygrom[.]su techetreka[.]ru techetreka[.]su temnayanoch[.]ru temnayanoch[.]su temniyles[.]ru temniyles[.]su teplayavodka[.]ru teplayavodka[.]su tihiyshepot[.]ru tihiyshepot[.]su tomniyvecher[.]ru tomniyvecher[.]su truhlyaviypen[.]ru truhlyaviypen[.]su trusliviyzayac[.]ru trusliviyzayac[.]su utliycheln[.]ru utliycheln[.]su |
If you’re a visual person, you can also graph the domains, using the OpenDNS Investigate API and the open source OpenGraphiti tool, to show the linkages. The image below shows the domains (outside edge of circle) and how they’re associated with the two IP addresses found earlier in this post.
To confirm findings, however, you can (and probably should) analyze the memory of the running binary to ensure that there are no subsequent IP addresses or domains called out to that may have been missed by your dynamic analysis engines. In this particular case, there were no additional domains or IP addresses.
11) Digging even further into the domain list, we can query Investigate for any IP addresses these domains resolved to in the past
Placing the domains into Maltego and using OpenDNS’s Investigate transform, we found two IP addresses these domains resolved to. Both
Both of these IP addresses were also the IP addresses of the domains’ name servers. This add to the suspiciousness of the domain names.
12) Identifying the name server domains, we queried Whois to find more information about the registrant of the name server domains.
It turns out the email account, domains.globality87234@yopmail.com, used to register the name server domains also registered a handful of other domain names.
Domain Name | Creation Date |
johny-mrroinson.com | 09-jan-2015 |
financeoutfeet.com | 17-jan-2015 |
jhon-russel.com | 20-jan-2015 |
dnsservice7736.com | 22-jan-2015 |
nick-stoll.com | 30-jan-2015 |
dnsbbbbdns.com | 31-jan-2015 |
jopanikstor.com | 07-feb-2015 |
nsserver-noserver.com | 10-feb-2015 |
dnskkop12.com | 15-feb-2015 |
dnsdomainserv12.com | 16-feb-2015 |
dns-pupkin-vasya.com | 03-mar-2015 |
All of which had similar subdomains of ns1, ns2, ns3, and ns4 and all of which were registered through the notoriously abused BizCN.com registrar and were acting as name servers for fastflux as well as command and control domains.
We dumped all these domains, their subdomain, and their IP addresses into our Maltego graph and found some interesting connections.
13) Noting that YopMail is a free temporary email service, we visited the site and checked the web-based inbox of domains.globality87234@yopmail.com (the registrant of all these name servers associated with malicious domains)
It turns out the registrar confirmation emails were still there, dating March 1 through March 3. This confirms the whois records.
14) It should be noted that AS48031 is a rogue AS that has been serving malicious sites for a while in addition to performing various evasive actions.
We’ve been monitoring it for a while and discussed it in March 2014 in this webcast (minute 19:25 in “Rogue and Stealth ASNs”) and at Virus Bulletin here.
AS48031, XSERVER-IP-NETWORK-AS PE Ivanov Vitaliy Sergeevich,UA, that a lot of security folks will recognize has been hosting all kinds of malicious and shady content (malware, browser-based ransomware, porn sites, spam, radical forums) and it’s been “fluxing” on and off the routable IP space. For example, in earlier 2014, it disappeared off the global routing table but as of early March 2015, AS48031 is online and advertising its prefixes by verifying our BGP routing tables and as shown below.
At the time of this writing, there are 1900+ live IPs on AS48031 IP space, and further checking them reveals finer granularity of allocation. A few suspicious small hosters are selling this sub-allocated IP space for customers via VPS, VDS, and dedicated servers. justhost.in.ua is one of these hosters that warrants further scrutiny. We discussed similar rogue or abused small hosting providers in our recent talks at BlackHat, DefCon and Virus Bulletin.
We wouldn’t be surprised to see a few domains start using dns-pupkin-vasya.com as an authoritative zone very soon and can with confidence, say they are domains you don’t want your devices connecting to.
At this point you should have a good idea of how to leverage OpenDNS Investigate to perform detailed malware triage and infrastructure investigations to protect your organization and its users – all without having to open a hex editor or manual debugger.
Until next time!
The post Investigating A Malicious Attachment Without Reversing appeared first on OpenDNS Security Labs.
As reported by a number of different sources, Google’s primary web property in Vietnam (www.google.com.vn) had its DNS abused by an individual (or individuals) claiming affiliation with Lizard Squad.
Based on the DNS queries over the past 2 days, we noticed that the DNS infrastructure changed from the expected Google name servers (ns1.google.com, ns2.google.com) to CloudFlare (173.245.59.108, 173.245.58.166). This was identified using OpenDNS Investigate and corroborated by several other publicly available tools. Though only a brief redirection, visitors to the legitimate www[.]google[.]com[.]vn site were surreptitiously redirected to a DigitalOcean-hosted server with the following message:
A DigitalOcean IP served as the endpoint for the hijacked site and, according to MaxMind, was located in the Netherlands – at least until it was taken down.
What’s interesting is that the IP address in question was an IPv6 IP – 2a03:b0c0:2:d0::23a:c001.
Prefix: 2a03:b0c0:2::/48
Prefix description: DigitalOcean
Country code: NL
Origin AS: 202018
Origin AS Name: DOAMS3 — DigitalOcean Amsterdam
RPKI status: No ROA found
First seen: 2014-08-13
Last seen: 2015-02-23
Seen by #peers: 170
We’re not sure if this was an attempt to “confuse” network analysts and legacy tools or if this was simply a case of “we don’t care what IP address we get as we’re mapping a domain name to it”.
The hosting of the site in The Netherlands, when combined with the load balancing capabilities of employing CloudFlare’s infrastructure, does signal that at least some thought was put into managing the considerable amount of web traffic generated by Google-related requests.
We suspect that the use of IPv6 for malicious and fraudulent sites will become increasingly commonplace, especially as VPS providers stop giving customers the choice to select an IPv4 or IPv6 IP address for their server. In close we’d also like to give kudos to CloudFlare for their diligence in coordinated the taken down of this fraudulent site shortly after the redirect was detected.
The post Google Search Page In Vietnam Hijacked appeared first on OpenDNS Security Labs.
OpenDNS has received numerous questions about the Invincea “Fessleak” report. We have been tracking this “actor”, who went by the name of Michael Zont, for several months, and saw a major uptick in previous weeks. The name “Fessleak” actually comes from the actor’s email address (fessleak@qip[.]ru) used to register the domains.
OpenDNS first became aware of malicious activity around this registrant in April 2014 starting with the creation of prosoknf[.]com, and began an active monitoring campaign to identify, and block, any domains registered by “Fessleak”. Using various techniques such as WhoIs monitoring, the OpenDNS Investigate tool, and our Spike Detection Algorithm (SDA), we were able to keep pace with the deployment of nefarious websites with almost real-time speed, including the sites in the aforementioned report.
Sites we were first monitoring appeared mainly geared towards the hosting of more common types of malware and exploit kits such as Angler, Kovter, and Rig (ex: prosoknf[.]com). More recently, we noticed a shift into forms of malvertising (ex: tunim[.]net and podin[.]net), with the most recent iterations hosting Flash ‘zero day’ exploits (ex: retilio[.]net). These domains were used for a short amount of time, usually in the way of just a few hours, and then discarded, showing no signs of re-use later.
All sites monitored were hosted on Peer1 Networks (AS 13768) and registered under PDR LTD.
The following images provide some insight into the traffic patterns of domains we were tracking during this campaign.
ankapootle[.]org
anster[.]net
azurf[.]org
The complete list of domains tracked during this campaign are shown below. All of the following link to the respective OpenDNS Investigate analysis for each tracked domain. These allow customers can view the full analysis of the campaign information:
The following image is a screenshot of the Fessleak domains as graphed in OpenGraphiti.
Towards the end of 2014 we noticed, on average, two domains registered every 1-2 days. However, since the Invincea report came out, the actor has not registered any new domains using this email address.
Photo source: https://www.flickr.com/photos/sfxeric/4086743445/
The post Fessleak before It Was Cool appeared first on OpenDNS Security Labs.