Tuesday 29 August 2017

From Onliner Spambot to millions of email lists and credentials

Hey! It's time for another writeup about spambots.
Here I will explain how I found millions of emails and credentials on a spambot server, and why your creds may be in these databases.

I have written a lot about spambots on this blog, for many reasons. Spambots are often ignored by researchers and I don't understand why.
A successful cybercrime campaign has several parts: the final payload is important, but the spam process is critical too.
Some malware campaigns, like Locky, are successful partly because the spamming process works well.
This case is a good example :).

Spam the world


As an introduction, let's look at what a spambot is, why crooks use them and why they need huge lists of credentials.
In the past, it was easier for attackers to send mass spam: they just had to scan the Internet for vulnerable SMTP servers (with weak passwords or configured as open relays) and use them to send spam.
Nowadays it's more complicated. There are a lot of anti-spam companies, products and firewalls, most open relays are blacklisted, and attackers have to find other ways to send mass spam.
Among the available options, I have seen two very common behaviours:

PHP Mailer

The most common trick I have seen is to use compromised websites. For instance, this kind of spamming campaign was used for a big Andromeda campaign.
The principle is simple:
  • The spammer hacks a lot of websites (10k/20k, via well-known vulnerabilities in WordPress, Joomla or OpenCart, FTP/SSH brute force, etc.) or buys access to a lot of websites in a random shop
  • He hosts on these websites a PHP script in charge of sending emails.
  • He controls all the websites via a piece of software or a web panel and uses them to send spam
Given the almost infinite number of out-of-date websites on the Internet, it's difficult to blacklist every website, and it's really easy for the spammer to use them.

Malware spammer

The other common way to send spam is more brutal. Here, the attacker creates or buys a specific malware used to infect people and send spam.
The more people the attacker infects, the more IPs he can distribute spam through.
However, a random pwned Windows machine is not enough to send spam. For that, the attacker needs email server (SMTP) credentials. This is where spambots can concern you :)

Indeed, to send spam, the attacker needs a huge list of SMTP credentials. There are only two ways to get one: create it or buy it :D
And it's the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.
Let's go through an example to see how attackers create SMTP credential lists:

Credentials: Spambots gasoline

I will take the Onliner spambot as an example. This spambot has been used since at least 2016 to spread a banking trojan called Gozi. I have seen it targeting specific countries like Italy, or specific businesses like hotels.
Some email examples:
DHL notification:

Email targeting the hotel business:

If you're curious about this case, I have tried to give some details in 3 blog posts:
TL;DR: after infecting your machine, this malware uses 2 modules:
  • A module in charge of sending spam
  • A module in charge of building a huge list of SMTP credentials

To build the list, the attacker feeds the second module a list of emails and credentials like sales@cliffordanddrew.co.uk / 123456 or peter.warner@mcswholesale.co.uk / MysuperPass.
The module then tries to send an email using that combination. If it works, the credentials are added to the SMTP list; otherwise they are ignored.
Thanks to free email services like Outlook, Gmail or your ISP's, the attacker can assume that a lot of people reuse the same password, and use your Outlook address to send spam :)
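On the receiving side, the validation module described above looks like a burst of SMTP AUTH failures spread across many different accounts from a single source. The following is an added example (not from the Onliner analysis): it parses constructed Postfix-style SASL failure lines and separates that list-validation pattern from a single-account brute force; the IPs, usernames and thresholds are made up.

```python
import re
from collections import defaultdict

# Postfix smtpd SASL failure line (Postfix 3.x logs sasl_username=).
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
    r"SASL \w+ authentication failed: .*?sasl_username=(?P<user>\S+)"
)

# Constructed sample log: one IP trying many accounts once each (list
# validation), another IP hammering a single account (brute force).
SAMPLE_LOG = """\
Aug 29 10:01:02 mx postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=sales@example.co.uk
Aug 29 10:01:03 mx postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=peter.warner@example.co.uk
Aug 29 10:01:03 mx postfix/smtpd[2212]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=info@example.co.uk
Aug 29 10:01:04 mx postfix/smtpd[2213]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=admin@example.co.uk
Aug 29 10:01:09 mx postfix/smtpd[2214]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob@example.co.uk
Aug 29 10:05:40 mx postfix/smtpd[2220]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice@example.co.uk
Aug 29 10:05:55 mx postfix/smtpd[2221]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice@example.co.uk
Aug 29 10:06:10 mx postfix/smtpd[2222]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice@example.co.uk
"""


def parse_failures(text):
    """Return {ip: {username: failure_count}} for SASL auth failures."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    return per_ip


def classify(per_ip, min_users=4, min_fails=3):
    """Label each source IP.

    credential-stuffing: many distinct usernames, roughly one attempt each
                         (a leaked email:password list being validated)
    brute-force:         a single username, repeated failures
    """
    verdicts = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        if len(users) >= min_users and total / len(users) < 2:
            verdicts[ip] = "credential-stuffing"
        elif len(users) == 1 and total >= min_fails:
            verdicts[ip] = "brute-force"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(parse_failures(SAMPLE_LOG)).items():
        print(ip, verdict)
```

A successful AUTH from an IP that was just flagged as credential-stuffing is the real signal that one of the leaked pairs worked.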

It's difficult to know where these lists of credentials come from. I have obviously seen a lot of public leaks (like LinkedIn or Baidu, with every password in clear text), but credentials can also come from phishing campaigns, from credential-stealer malware like Pony, or they can be bought in a shop. Somebody even showed me a spambot with an SQL injection scanner that scans the Internet, looks for SQLi and retrieves SQL tables with names like "user" or "admin".

Thanks to an open directory on the web server of the Onliner spambot C&C, I was able to grab all the spamming data.
It's composed of ~40GB of emails, credentials and SMTP configuration.
The data consists of:
  • Huge lists of credentials in email:password form (in clear text)
  • Huge lists of emails to spam
  • Spambot configuration files
I found around 80 million credentials (unsorted; it's an estimate, I cannot deal with such big txt files).
One part (~2 million) seems to come from a Facebook phishing campaign; those I tested seemed to be working and were not on HIBP.
So it's difficult to say where your credentials came from.

Making email lists like a pro

Inside all this data, we can see a lot of emails (the addresses spam is sent to).
Because I have been following these guys for almost a year, I'm able to explain how they built these lists.

After looking at the spambot logs, I saw that it was used to send fingerprinting spam. What does this mean?
Before starting a new malware campaign, the attacker used the spambot to send this kind of email:
If you look at the email, you will see that inside this random spam there is a hidden 1x1 gif. This method is well known in the marketing industry.
Indeed, when you open this random spam, a request carrying your IP and your User-Agent is sent to the server that hosts the gif. With this information, the spammer knows when you opened the email, from where and on which device (iPhone? Outlook? ...).
At the same time, the request also tells the attacker that the email address is valid and that people actually open spam :).
This is an example of a classification script found on one Onliner spambot server:

Example of output:


As a reminder: DON'T OPEN SPAM!
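The 1x1 gif described above can be caught before the mail reaches a user. This is an added example, not the classification script from the spambot server: it parses an HTML body and flags remote images that are 1x1 or hidden with CSS, which is the shape a fingerprinting pixel takes; the HTML and the URLs in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body in the style of the fingerprinting spam: a normal
# logo plus a hidden 1x1 remote image that phones home when rendered.
SAMPLE_HTML = """<html><body>
<p>Hello, your order is ready.</p>
<img src="https://cdn.example.net/logo.png" width="120" height="40">
<img src="http://203.0.113.9/p.php?id=a1b2c3" width="1" height="1" style="display:none">
</body></html>"""


def _dim(value):
    """Parse '1', '1px' or '0' into an int; None when not a plain number."""
    if value is None:
        return None
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return int(digits) if digits.isdigit() else None


def is_pixel(attrs):
    """True for a 1x1 (or smaller) image or one hidden with display:none."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return tiny or "display:none" in style


class PixelFinder(HTMLParser):
    """Collects remote <img> sources and the subset that look like trackers."""

    def __init__(self):
        super().__init__()
        self.remote_images = []
        self.tracking_pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # cid:/data: images are embedded and cannot report the open.
        if urlparse(src).scheme not in ("http", "https"):
            return
        self.remote_images.append(src)
        if is_pixel(a):
            self.tracking_pixels.append(src)


def scan(html):
    """Return remote image URLs and those flagged as tracking pixels."""
    finder = PixelFinder()
    finder.feed(html)
    return {"remote_images": finder.remote_images,
            "tracking_pixels": finder.tracking_pixels}
```

A gateway can strip or rewrite flagged images; a client that blocks remote content by default never sends the request at all, so the attacker learns nothing.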

Conclusion

If you're a malware researcher, it's time to look deeper into the spambot business. It's a creative market which interacts with a lot of other cybercrime businesses.
Around spambots you will often find phishers, password-stealer botmasters, website scanners, malware developers, dropper developers, payload hosters, and so on.
The path may be short between the lame Pony you received last month in a stupid .ace archive and a spambot that spreads Gozi.


Annex


Some URLs found in spam configuration files:

Thanks to Hydraze for reviewing \o/

Sunday 20 August 2017

A third look at JSDropper/ursnif campaign - Proxy Statistics

Hey

I've already talked a lot about the Ursnif campaigns against the EU, mainly Italy, spread by a JScript (you know, the JScript that contacts /r6.php?cmd=p&id=, /l2.php?cmd=p&id=, /re.php?cmd=p&id=, etc.), but 6 months after my last blog post the crooks are still at work and I have enough data for some cool statistics.
For the last 6 months I've collected the access.log of one proxy used by this botnet. I'll try to detail that here.
There is no magic, I've just used Splunk :D


As a reminder, this campaign is used to spread Ursnif like this:

On the same "proxy server" you can find further "proxy scripts" (usually 1 script per campaign), and those scripts look like:

So I retrieved the access.log of one of these proxies and extracted the traffic related to our case.

Global

Some global statistics for 1 proxy, from February 2017 to August 2017:
  • Total number of hits on all the proxy scripts: 924 021
  • From 108 367 unique IPs
  • On 16 different PHP proxy scripts
Filename      Hits     First seen  URL                                       Malware
/3E2s4R.php   610787   June        http://194.247.13.196/asus/               Onliner
/re.php       137352   June        http://94.177.196.246/loadere/gate.php    JSDropper
term.php      121669   February    http://94.177.196.246/loader/gate.php     JSDropper
l2.php        52288    February    http://109.120.142.156/loader2/gate.php   JSDropper
r4.php        1848     February    http://109.120.142.156/loader4/gate.php   JSDropper
/0iSP0c.php   7        June        http://194.247.13.222/tess/               Onliner
/130D0G.php   7        June        http://194.247.13.222/tess/               Onliner
/1AtJai.php   7        June        http://194.247.13.222/tess/               Onliner
/HTsGeg.php   7        June        http://194.247.13.222/tess/               Onliner
/J65oH1.php   7        June        http://194.247.13.222/tess/               Onliner
/PaD8qo.php   7        June        http://194.247.13.222/tess/               Onliner
/XI2jHR.php   7        June        http://194.247.13.222/tess/               Onliner
/8QE2UX.php   6        June        http://194.247.13.222/tess/               Onliner
/Xou0HC.php   6        June        http://194.247.13.222/tess/               Onliner
/19pYvo.php   5        June        http://194.247.13.222/tess/               Onliner
/LPQQLc.php   5        June        http://194.247.13.222/tess/               Onliner
We can see 2 different cases:
  • Some PHP proxies are used in production
  • Some PHP proxies seem to be used for tests only.
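The per-script statistics above can be rebuilt from the raw access.log without Splunk. This is an added example, not the author's Splunk queries: it parses Apache combined-format lines, computes hits, unique IPs, first-seen month and top-talker share per PHP script, and applies the "test proxy" heuristic used in this post (a handful of hits, all from one IP); the log lines, IPs and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [time] "req" status size "ref" "ua"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: a production script hit by several bots, one script
# used in February, and a "test" script hit only by a single IP.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2017:09:12:01 +0100] "POST /term.php?cmd=p&id=7 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.11 - - [03/Feb/2017:09:15:44 +0100] "POST /term.php?cmd=p&id=8 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.10 - - [04/Feb/2017:11:02:09 +0100] "POST /term.php?cmd=p&id=7 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.20 - - [12/Jun/2017:08:00:00 +0200] "POST /3E2s4R.php HTTP/1.1" 200 77 "-" "-"
198.51.100.21 - - [12/Jun/2017:08:00:03 +0200] "POST /3E2s4R.php HTTP/1.1" 200 77 "-" "-"
198.51.100.22 - - [12/Jun/2017:08:00:07 +0200] "POST /3E2s4R.php HTTP/1.1" 200 77 "-" "-"
192.0.2.5 - - [15/Jun/2017:14:30:00 +0200] "GET /0iSP0c.php HTTP/1.1" 200 77 "-" "-"
192.0.2.5 - - [15/Jun/2017:14:30:05 +0200] "GET /0iSP0c.php HTTP/1.1" 200 77 "-" "-"
192.0.2.5 - - [16/Jun/2017:14:30:05 +0200] "GET /0iSP0c.php HTTP/1.1" 200 77 "-" "-"
"""


def proxy_stats(log_text):
    """Per PHP script: hits, unique IPs, first seen, top talker, test flag."""
    stats = defaultdict(lambda: {"hits": 0, "ips": defaultdict(int), "first": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        script = m["path"].split("?")[0]          # drop ?cmd=p&id=... query
        if not script.endswith(".php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats[script]
        s["hits"] += 1
        s["ips"][m["ip"]] += 1
        if s["first"] is None or ts < s["first"]:
            s["first"] = ts
    report = {}
    for script, s in stats.items():
        top_ip, top_hits = max(s["ips"].items(), key=lambda kv: kv[1])
        report[script] = {
            "hits": s["hits"],
            "unique_ips": len(s["ips"]),
            "first_seen": s["first"].strftime("%B"),
            "top_ip": top_ip,
            "top_share": round(100 * top_hits / s["hits"], 2),
            # Heuristic from this post: a few hits, all from the same IP.
            "test_proxy": s["hits"] <= 10 and len(s["ips"]) == 1,
        }
    return report
```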

Test proxies

I'll start with the "test proxies". I call them that because they have only a few hits (~5) and all the hits on those pages come from the same IP :]
66.180.197.197
This IP is not new in this game :). Do you remember the whitelisting feature in the spambot panel?
This IP was in the list of allowed IPs in the spambot panel:


The proxy scripts are configured to forward traffic to hxxp://194.247.13.222/tess/; it's the Onliner spambot, probably the testing instance.

Production proxies

Some details about each proxy script:

3E2s4R.php

This one is my favourite.
The proxy records 610 787 hits on this file, from ~100 000 unique IPs, and I'm unable to find any sample in a public sandbox.
That's a lot of hits when you consider that these statistics concern only 1 proxy! It was used to forward the spambot traffic to 194.247.13.196

re.php

This one was hit 137 352 times by 1335 unique IPs. It is used to forward JSDropper traffic to 94.177.196.246.
This proxy was used for the JSDropper campaign "NEWIT" (Ursnif).
Interesting fact about this one: 51.28% of the hits come from the IP 2.228.128.141 (Italy).
Some IOCs:
urls:
samples:
  • d5291865ff80cd7cc9f425a145351bb7234383f1
  • 67e1c342f6b41d163a6208b3ccebb991c0650473

term.php

Used to forward JSDropper traffic to 94.177.196.246.
121 669 hits from 2259 unique IPs.
It was used for the campaigns "WASP", "iphone", "summer", "old", "u1", "NEWIT" and "404" (Ursnif)

Some IOCs:
urls:
samples:
  • 2016dfb44f452adcdd96b7781fdfb581ac72b0f7392404805f08d57210d16ad9
  • a1bd385b59efe1be13da9e8a008e06a6fb6cc07acd2727be22d076c7a2b27155
  • 01853d1552ca4032e5fdc251cc92d57dffd5912411666c7842106d730ada09f4

l2.php

Used to forward JSDropper traffic to 109.120.142.156. 52 288 hits from 716 unique IPs.
This one is very old: I have logs from November 2016 for this script.
At that time they were not using campaign or group names, and they were using ... Ursnif.

Some IOCs:
urls:
samples:

r4.php

And the last one: r4.php.
1884 hits by 302 IPs. Used during the campaigns "mk1", "mk2", "bomber" and one with no name "".
Some IOCs:
urls:
samples:
  • c827511b425cbc91faf947f1c3d309db3dde7419fe8c892380a03c71b5196e0e

Summary


This threat is starting to be very noisy; they continue to spread malware always in the same way.
If somebody reading this works on the Ursnif part, don't hesitate to ping me, I'll share my data :]

I hope this example can help you to better understand cybercrime threats. Happy hunting \o/

Wednesday 16 August 2017

Quick look at another Alina fork: XBOT-POS

Edit: In fact, after looking at the sample, it's a pure copy pasta of Tiny Nuke :) - cd025523e3aec57f809552b9d1adc4b89526cc632f6d4c481aa2c8c3501dda6b

Hi, it's time for a new post. Today I'll have a look at "Team NZMR".
I found this funny team by chance on Twitter via the bot @ScumBots. I wanted to write this little blog post because I think it's interesting to see an Alina panel behind a .onion domain and, as you'll see later, I like looking at weird panels :D.
Let's have a look at this server.
As we know, there is an Alina (well-known POS malware) panel at thzsmrjqqzpaz2mz.onion.link/al/loading.php.
Samples: 26aa9709d0402157d9d36e4849b1f9bacecd8875169c7f26d7d40c5c0c3de298 (http://thzsmrjqqzpaz2mz.onion.link/al/Spark.exe)


In the same boring way, we can find:
  • a Fareit/Pony panel at https://thzsmrjqqzpaz2mz.onion.link/pn/admin.php (I don't have a sample)
  • an Atmos panel at https://thzsmrjqqzpaz2mz.onion.link/at/cp.php :
    Sample e34720cc8ab3718413064f19af5cc704e95661e743293a19f218d3b675147525 (https://thzsmrjqqzpaz2mz.onion.link/at/files/us.exe)

    Thanks to CCAM we can get 2 new servers used by this team:
    • http://netco1000.ddns.net/at/file.php
    • http://22klzn6kzjlwlmt2.onion.link/at/file.php
Those guys really want your creds and your credit card numbers :D


They also tried their hand at ransomware (NZMR Ransomware) at https://thzsmrjqqzpaz2mz.onion.link/ed2/ without success...


But I've written this quick blog post for the last panel.
Let me introduce the XBOT panel \o/: https://thzsmrjqqzpaz2mz.onion.link/panel/

The bot ad:
Selling xbot ,new bank trojan -- Modules -- Webinject -- Formgrabber -- Socket4/5 -- Hidden VNC
New bot bank xbot is available for rent (800$/monthly) -- server on tornetwork/clearnet
Customized programming service and web developer/c/c++/Python/NET/others
Team Coder/NZMR
xbot costs 3k $ modules available >webinject -- formgrabber -- Socket4/5 -- Hidden VNC
When buying xbot what do you get?
You will get the builder,bin/exe+socket.exe/server.exe hvnc
[+] - Free installation on your server in tornetwork or clearnet, you choose
[+] - monthly support paid 100 $ (you choose,with or without support)
[+] - Update bot for new version 400 $
[+] Rent xbot
Panel access (Clearnet/Tornetwork)
Bin (exe)
Socket.exe/hvnc.exe
Price
800 $ monthly (First 6 customers, others 1k $)
Support monthly 100 $ (btc)
I don't have any sample yet, but if you have one, I'm REALLY interested :D.
Thanks to Xylitol: this panel looks like a mix between Alina and Dexter. For example the URI scheme "/front/stats.php", the success status code 666 or this "Version Control" page:

This panel looks designed for banking stuff (webinjects) and POS malware.
From the XBOT panel you can DL/Exec, start VNC sessions and socks sessions, and update bots:


We can also find some strange "webinjects" stuff:

where "view content" leads to this kind of data:


Some settings (look at Alina's 666 status code):


You can also add some BINs to the panel database. Currently, they have 8472 BINs in the database.
And finally the bot list (~600 bots if I trust the bot list).

I've uploaded the whole list of bots to this album. Ping me if you're on the list :D I'm really curious to see the binary part.
And finally, the database structure again reminds me of Alina. At this rate we will soon find more Alina forks than Zeus forks \o/

So, NOPE! It's not a super new next-gen POS malware, it's just another Alina fork :D, but the webinjects part looks curious :) and the team seems very active.
But come on, 3k$ for open-sourced malware haha...

Thanks for your time, thanks to Xylitol and happy hunting :)

IOCs:
