Sunday, 20 August 2017

A third look at JSDropper/ursnif campaign - Proxy Statistics

Hey

I've already talked a lot about the Ursnif campaigns against the EU, and mainly Italy, spread by a JScript (you know, the JScript that contacts /r6.php?cmd=p&id=, /l2.php?cmd=p&id=, /re.php?cmd=p&id=, etc.), but 6 months after my last blog post the crooks are still working and I have enough data for some cool statistics.
For the last 6 months I've collected the access.log of one proxy used by this botnet. I'll try to detail that here.
There is no magic, I've just used Splunk :D


As a reminder, this campaign is used to spread Ursnif like this:

On the same "proxy server", you can find further "proxy scripts" (usually 1 script per campaign), and those scripts look like:

So, I've retrieved the access.log of one of these proxies and I've extracted the traffic relevant to our case.

Global

Some global statistics for 1 proxy, from February 2017 to August 2017:
  • Total number of hits on all the proxy scripts: 924 021
  • From 108 367 unique IPs
  • on 16 different PHP proxy scripts
Filename      Hits     First seen   URL                                        Malware
/3E2s4R.php   610787   June         http://194.247.13.196/asus/                Onliner
/re.php       137352   June         http://94.177.196.246/loadere/gate.php     JSDropper
term.php      121669   February     http://94.177.196.246/loader/gate.php      JSDropper
l2.php        52288    February     http://109.120.142.156/loader2/gate.php    JSDropper
r4.php        1848     February     http://109.120.142.156/loader4/gate.php    JSDropper
/0iSP0c.php   7        June         http://194.247.13.222/tess/                Onliner
/130D0G.php   7        June         http://194.247.13.222/tess/                Onliner
/1AtJai.php   7        June         http://194.247.13.222/tess/                Onliner
/HTsGeg.php   7        June         http://194.247.13.222/tess/                Onliner
/J65oH1.php   7        June         http://194.247.13.222/tess/                Onliner
/PaD8qo.php   7        June         http://194.247.13.222/tess/                Onliner
/XI2jHR.php   7        June         http://194.247.13.222/tess/                Onliner
/8QE2UX.php   6        June         http://194.247.13.222/tess/                Onliner
/Xou0HC.php   6        June         http://194.247.13.222/tess/                Onliner
/19pYvo.php   5        June         http://194.247.13.222/tess/                Onliner
/LPQQLc.php   5        June         http://194.247.13.222/tess/                Onliner
We can see 2 different cases:
  • Some PHP proxies are used in production.
  • Some PHP proxies seem to be used for tests only.
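To show how the per-script figures above (hits, unique IPs, first seen, top-IP share) and the test/production split can be derived from a proxy's access.log, here is an added example that is not part of the original post or its Splunk searches. The log lines are constructed (documentation-range IPs, paths mirroring the script names discussed); the "test" heuristic (few hits, all from one source IP) is the one the post applies.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format; not the blog's data.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2017:10:01:02 +0000] "GET /term.php?cmd=p&id=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.11 - - [12/Feb/2017:10:02:02 +0000] "GET /term.php?cmd=e HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.10 - - [13/Mar/2017:10:03:02 +0000] "GET /term.php?cmd=p&id=2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Jun/2017:08:00:00 +0000] "GET /0iSP0c.php HTTP/1.1" 200 64 "-" "curl/7.5"
198.51.100.7 - - [03/Jun/2017:08:00:05 +0000] "GET /0iSP0c.php HTTP/1.1" 200 64 "-" "curl/7.5"
198.51.100.7 - - [03/Jun/2017:08:00:09 +0000] "GET /0iSP0c.php HTTP/1.1" 200 64 "-" "curl/7.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')


def parse_line(line):
    """Return (client_ip, timestamp, script_path) for one access.log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    script = m.group("path").split("?", 1)[0]  # strip ?cmd=p&id=... query string
    return m.group("ip"), ts, script


def proxy_stats(log_text, test_max_hits=10):
    """Per-script hits, unique IPs, first-seen month, top-IP share and a
    test/production label (test = few hits and a single source IP)."""
    ip_hits = defaultdict(Counter)   # script -> Counter(ip -> hits)
    first_seen = {}                  # script -> earliest timestamp
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                  # skip malformed lines instead of crashing
        ip, ts, script = rec
        ip_hits[script][ip] += 1
        if script not in first_seen or ts < first_seen[script]:
            first_seen[script] = ts
    stats = {}
    for script, per_ip in ip_hits.items():
        hits = sum(per_ip.values())
        top_ip, top_n = per_ip.most_common(1)[0]
        kind = "test" if hits <= test_max_hits and len(per_ip) == 1 else "production"
        stats[script] = {"hits": hits, "unique_ips": len(per_ip),
                         "first_seen": first_seen[script].strftime("%B"),
                         "top_ip": top_ip, "top_ip_share": round(100.0 * top_n / hits, 2),
                         "kind": kind}
    return stats
```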

Test proxies

I'll start with the "test proxies". I call them that because they have only a few hits (~5) and all the hits on those pages are done by the same IP :]
66.180.197.197
This IP is not new in this game :), do you remember the whitelisting feature set in the spam bot panel?
This IP was in the list of allowed IPs in the Spambot panel:


The proxy scripts are configured to forward traffic to hxxp://194.247.13.222/tess/; it's the Onliner Spambot, probably the testing instance.

Production proxies

Some details about each proxy script:

3E2s4R.php

This one is my favourite.
The proxy records 610 787 hits on this file, from ~100 000 unique IPs, and I'm unable to find any sample on public sandboxes.
This is a lot of hits if we consider that these statistics concern only 1 proxy! It was used to forward the Spambot traffic to 194.247.13.196.

re.php

This one was hit 137 352 times by 1335 unique IPs. It is used to forward JSDropper traffic to 94.177.196.246.
This proxy was used for the JSDropper campaign "NEWIT" (Ursnif).
Interesting fact about this one: 51.28% of the hits are done by the IP 2.228.128.141 (Italy).
Some IOCs:
urls:
samples:
  • d5291865ff80cd7cc9f425a145351bb7234383f1
  • 67e1c342f6b41d163a6208b3ccebb991c0650473

term.php

Used to forward JSDropper traffic to 94.177.196.246.
121 669 hits from 2259 unique IPs.
It was used for the campaigns "WASP", "iphone", "summer", "old", "u1", "NEWIT" and "404" (Ursnif).

Some IOCs:
urls:
samples:
  • 2016dfb44f452adcdd96b7781fdfb581ac72b0f7392404805f08d57210d16ad9
  • a1bd385b59efe1be13da9e8a008e06a6fb6cc07acd2727be22d076c7a2b27155
  • 01853d1552ca4032e5fdc251cc92d57dffd5912411666c7842106d730ada09f4

l2.php

Used to forward JSDropper traffic to 109.120.142.156. 52 288 hits from 716 unique IPs.
This one is very old. I have logs from November 2016 for this script.
At that time they were not using campaign or group names, and they were using ... Ursnif.

Some IOCs:
urls:
samples:

r4.php

And the last one: r4.php.
1884 hits by 302 IPs. Used during the campaigns "mk1", "mk2", "bomber" and one with no name ("").
Some IOCs:
urls:
samples:
  • c827511b425cbc91faf947f1c3d309db3dde7419fe8c892380a03c71b5196e0e

Summary

This threat is starting to be very noisy; they continue to spread malware, always in the same way.
If somebody who's reading this works on the Ursnif part, don't hesitate to ping me, I'll share my data :]

I hope that this example can help you to better understand cybercrime threats. Happy hunting \o/