mercredi 27 décembre 2017

Another normal day in cybercrime: from a random Loki sample to 550 C&C

Hi,

These weeks, I wanted to spend time on Maltego for testing this amazing tool but for that, I needed something to study.
As usual, when I'm in this case, I took a look at CCT for interesting stuff.


7 malicious domains on the same IP 195.14.105.12. VirusTotal Passive dns report 56 malicious domains: it looks perfect for Maltego.
The game here is to collect as much as possible linked C&C via:
  • Passive DNS
  • Malware analysis
  • Registrant Emails reuse
And of course, without false positive or unrelated servers. I have try to not going earlier than 2016.

I will show you in this blogpost how some random malware campaigns, like Pony or Loki, are finally connected on each others. This is quick notes about a very big network.

I've try to do my best to collect as much info as possible but I know that this blogpost is only a little part of a really big infrastructure. I'm publishing them in case of they are useful to somebody.

Malware reminding

A quick reminding about the malware we will discuss in this Article.
  • Pony - Password stealer [1] [2] [3]
  • Loki - Password stealer [1] [2]
  • KeyBase - Pasword Stealer [1]
  • AgentTesla - Passwors Stealer [1]
  • BetaBot - Multi purpose (DDoS, formgrabber, loader...) [1] [2] [3]
  • Atmos - Banking trojan (Zeus fork) [1] [2] [3]
  • DiamondFox - Multi purpose (pwd stealer, POS, wallet stealer, loader...) [1] [2]
  • JackPOS - Point of Sales [1] [2]
  • LiteHTTP - Loader [1]
  • QuantLoader - Loader [1]
  • ZyklonHTTP - Multi purpose (DDoS, Loader, pwd stealer...) [1] [2]
This is the typical asshole cybercrime starter kit. All these tools are open source or really easy to crack and are badly detected by Antivirus industry.

Infrastructure



The Maltego base is available here
Like every Maltego noob, I have firstly use a lot all the transforms on all the domains but after some hours, my graph was full of false positive. Some binaries are contacting whatsmyip, Gmail or Yahoo, some domains was legit in 2012 but not in 2016 etc.
I have erased all the data and start again from zero but this time I have spent time on each domain and IP to be sure to not include bullshits.
After some hours of work, I've obtained this typology.
The little circle is composed of all the interconnected elements (IP, domains, emails or hashes) and the biggest circle are composed of "final-IOC" (CNC url, hashes or emails).
I have found:
  • 116 IPs - Full list
  • 485 domains - Full list
  • 53 Registrants emails - Full list
  • 548 identified C&C (web panels) - (full list below)
  • 160 Hashes
There are some nodes dedicated for phishing, others for malware spreading, others for malware c&c etc.
The huge majority of IPs are located to RU as usual (keep in mind that RU IP != RU actors ;) )


If we look at the top 5 five of most connected element we can found:
  • 42.112.16.179
  • 91.224.23.174
  • 46.173.219.193
  • 42.112.16.178
  • hdfc.pp.ru
hdfc.pp.ru is a good domain for discovering a lot of other IPs. This domain was configured on 49 different IPs in 1 year. It was known for hosting CNCs like Atmos, Pony or Lokibot. ([1][2])

Another interesting pivot: if you look at the domains connected to our initial IP (195.14.105.12) a domain, vividerenaz.com, was registered by abuse@domainprovider.work. This email is a valid email used by crooks for spreading mainly phishing but some malware too. Techhelplist has reported a lot a IP and domains related to this email

I have try to find information on campaigns that used these domains. This is a quick list: It look like there is a many actors using these domains, from Hancitor gang to Nigerian scammer. It is possible that this infrastructure is rent somewhere in a market.

Malware

Here we go for the panels list.
I have only keep the most common families, you can found the full details in the Maltego base.

Pony

LokiBot

Atmos

BetaBot

KeyBase

AgentTesla

DiamondFox

ZyklonHTTP

In the Maltego database you can also found some JackPOS, neutrino, QuantLoader, Btc miner, LiteHTTP, Java RAT...
This all these data I have tried to identify groups by url patterns. I have used the dirty way: I have converted the URL list in csv (by replacing / by ;) and sorted the result by directories.

For example: this actor seems to be in the passwords stealing business. Pony and Loki are a close couple in many campaigns.
Loki,http://street-upp.ru/v1/fre.php                              Loki,http://street-ups.ru/v3/fre.php
Pony,http://street-upp.ru/v6/gate.php                              Pony,http://street-ups.ru/v2/admin.php
Pony,http://street-upp.ru/v7/gate.php                              Loki,http://street-men.ru/v3/fre.php
Pony,http://street-mens.ru/v1/gate.php                              Loki,http://street-men.ru/v4/fre.php
Pony,http://street-mens.ru/v2/gate.php                              Pony,http://street-men.ru/mmb/gate.php
Loki,http://street-takeover.ru/okeagwu/fre.php                      Pony,http://street-men.ru/vpoli/gate.php
Pony,http://street-takeover.ru/v1/admin.php                      Loki,http://fyzeeconnect.ru/hthththththththht/Panel/five/fre.php
Loki,http://street-wise.ru/v2/fre.php                              Loki,http://fyzeeconnect.ru/kingofkings/Panel/five/fre.php
Loki,http://street-wise.ru/v3/fre.php                              Loki,http://fyzeeconnect.ru/my-friend/fre.php
Loki,http://street-wise.ru/v4/fre.php                              Loki,http://fyzeeconnect.ru/street-credibilty/fre.php
Loki,http://street-wise.ru/v5/fre.php                              Loki,http://fyzeeconnect.ru/street-takeover/fre.php
Loki,http://street-wise.ru/v6/fre.php                              Loki,http://fyzeeconnect.ru/street-wise/fre.php
Loki,http://street-ups.ru/v3/fre.php                              Pony,http://fyzeeconnect.ru/debbyrisingsun/gate.php
Pony,http://street-ups.ru/v2/admin.php                              Pony,http://fyzeeconnect.ru/maliki/gate.php
Loki,http://street-men.ru/v3/fre.php                              Pony,http://fyzeeconnect.ru/v5/gate.php
Loki,http://street-men.ru/v4/fre.php                              Loki,http://fyzeeconnect.ru/street-credibilty/fre.php
Pony,http://street-men.ru/mmb/gate.php                              Loki,http://fyzeeconnect.ru/street-takeover/fre.php
Pony,http://street-men.ru/vpoli/gate.php                      Loki,http://fyzeeconnect.ru/street-wise/fre.php
Loki,http://fyzeeconnect.ru/hthththththththht/Panel/five/fre.php     Pony,http://fyzeeconnect.ru/debbyrisingsun/gate.php
Loki,http://fyzeeconnect.ru/kingofkings/Panel/five/fre.php      Pony,http://fyzeeconnect.ru/maliki/gate.php
Loki,http://fyzeeconnect.ru/my-friend/fre.php                      Pony,http://fyzeeconnect.ru/v5/gate.php

Another actor targeting Argentina with BetaBot and Atmos:
BetaBot,http://av.bitdefenderesupdate.ru/.av/logout.php
Atmos,http://chester.agenteinformaticos.ru/.scnerio/chusma/tetris.php?m=login
Unknown,http://update.agenteinformaticos.ru/.coma/update/panel
There is a lot of different actors with different goals in this infra. We can found a looooot of Nigerian actors, a little bit of ransomware, some banking gang or a little bit of point of sales malware gang...
You can found some emails related here: https://pastebin.com/PXzHNaSR

Misc

Thanks to all these data, we can found funny related stuff related to our infrastructure:
  • This is a guy asking for help on Whois and take his malicious domain ("adtogroups.com", related to Atmos, Pony or Btc Miner) as example [1] in march [2] in April
  • A very strange website that post every week a list of domains related to our infrastructure [1]
  • A guy on Hackforum seems pwn his clients with something that contacts "tierastyle.co.uk" [1]
  • They like using obvious domains name like lokibotnet.ru, lokivshulk.info, atmosbot.xyz, achakeybase.com.de or azumebot.ru
  • One of our botmaster seems to have problems with a car [1]
  • Another one use his emails for registering malicious domains and for Linkedin (slyovic84@yahoo.com)[1]

Conclusion

All these elements remind me a malware infrastructure as service. It's a good entry point for a lot of investigations :D
Thanks to Maltego, after this quick test, I'm a big fan :D
I only have make retro hunting, so quite everything here are known. With a little bit of active hunting, I'm sure you can found double or triple the number panels. I saw new domains every day


Good luck and happy hunting :)

dimanche 10 décembre 2017

An inside view of a password stealer campaign

Hi,
After a lightning talks at botconf 2017 I'll try to describe here the full story behind the fav.al malware campaign.
This is not something new, after looking at this internet I've found an article about this case in 2016 but I cannot find any article about the big picture of this case. So, here we go


This is a verrrrry classic case in cyber crime. During the last 5 years I've seen a lot of cases like this one.

Starting line

By looking on public sandboxes I have found a recurrent domain hosting Agent Tesla panel:
[+] 1eb54cd95709b62ebafa50b5dc051a41225b1de236bf8d269ceeac1087f9fbb1 POST -> t4st.fav.al/st/post.php
[+] 78ca1db4616ac10d6ae34a9f8b85b63966fad43fed0f40cf61d9fcde74892d94 POST -> t2st.fav.al/st/post.php
fav.al is known since almost May 2016 for hosting Pony Formbook or Agent Tesla on many different sub domains.
Before giving details on the infrastructure, a quick reminder about the malware used:
Family Method Gate UserAgent
Pony POST gate.php
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
Agent Tesla POST post.php
Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Form Book GET / POST config.php?id= / config.php
Mozilla Firefox/4.0
Those malware are designed to crawls the victim computer and search for saved credentials like FTP, RDP, Email, web sites... in Browser, registry, config files ...
Some good analyzes:
Pony:


Agent Tesla:


FormBook:

Almost 2 of these malware are open sources. Pony and Agent Tesla has leaked sometimes ago. I draw your attention on these very lame malware. Here, they used the default configuration for Pony and Agent Tesla. The gate is by default, the web requests are by default etc. Take a look at how, in 2017, crooks used old lame Pony shits to infects people protected by "next gen anti virus".
I've work in AV industry, I know how it's difficult to implement protections on Windows without false positive (thanks to all the fucking third party software developed by n00b) but COME ONE! PONY!

Put a global hook (even in userland LOL) and blocks every POST request on gate.php and white list browsers ! Trust me you will catch 80% of the cyber crime... You can even propose a premium version which blocks POST on fre.php and you can be the best AV on Gartner...


kns1.al, fav.al and ddf.al as panel C&C since 2015

These crooks use only a few domains during the operation, and split different victims on different sub domains.
Each sub domains are configured with 2 panels, Formbook and {Pony|Agent Tesla}. In the past this gang used Zeus too
dff.al was known since almost 2015-08-24 (bd1e28f55b2b335e27762425ebc70ffe17d468d7896bf2869bc0e5fa3e4220e2 - (hxxp://files1.ddf.al/bin1.exe)
This looks like a kind of password stealer as service infrastructure.

                      +-----------------------------+-----------------------------+
                      |                             |                             |    
                   fav.al                         ddf.al                        kns1.al
                      |                             |                             |                                                       
                      |                             |                             |        
                 401.fav.al                     d1.ddf.al                      bin1.kns1.al      
                 402.fav.al                     dbr.ddf.al                     bon1.kns1.al
                 403.fav.al                     f1.ddf.al                      byn1.kns1.al
                 404.fav.al                     files.ddf.al                   dan1.kns1.al
                 ali1st.fav.al                  files1.ddf.al                  dan1-d.kns1.al
                 cent1.fav.al                   frank1.ddf.al                  dave1.kns1.al
                 char2.fav.al                   111.dff.al                     denko1.kns1.al
                 charles1.fav.al                owe1.ddf.al                    dinu1.kns1.al
                 charles1-s.fav.al              owe2.ddf.al                    gt1.kns1.al
                 daniel1.fav.al                 owe3.ddf.al                    jeff1.kns1.al
                 dave1.fav.al                   legend1.ddf.al                 jones1.kns1.al
                 db.fav.al                      s1.ddf.al                      ld1.kns1.al
                 dfg2.fav.al                                                   ld1files.kns1.al
                 dfg3.fav.al                                                   nasty1.kns1.al
                 dfg2-s.fav.al                                                 sailheats2.kns1.al
                 dino1.fav.al                                                  sheats1.kns1.al
                 ebu1.fav.al                                                   swain1.kns1.al
                 gabriel1-st.fav.al                                            swain2.kns1.al
                 g1.fav.al                                                     tunapy1.kns1.al
                 g2.fav.al                                                     wal1.kns1.al
                 g3.fav.al                                                     wal2.kns1.al
                 gr2-s.fav.al                                                  wal3.kns1.al
                 heat1.fav.al                                                  wal4.kns1.al
                 idino2.fav.al                                                 wal5.kns1.al
                 ll1.fav.al
                 nwam1.fav.al
                 oct1.fav.al
                 oct3-st.fav.al
                 oct4-st.fav.al
                 pat1st.fav.al
                 patrick1.fav.al
                 riv1.fav.al
                 sail1st.fav.al
                 sail2st.fav.al
                 senator1st.fav.al
                 skadams1.fav.al
                 swaindino1.fav.al
                 t2st.fav.al
                 t3st.fav.al
                 t4st.fav.al
                 upd1.fav.al
                 upd3.fav.al
                 wal1.fav.al
Some panels example from CCT:





This team don't use mass spreading, they select specific victims (we will understand how later), I have seen ~110 victims dispatched in many sub domains. They use password stealer for grabbing access on company and try to steal money.
Password stealer are only one part of their business. During data analysis I have seen that they also used Phishing, scam and CVV laundering.

An inside view

There is a repetitive behavior with lame botmaster. In many case they infect themselves with the malware.
I suspect 2 behaviours behind that:
  • The botmaster wants know if everything is okay with the botnet and the self-infection is used as monitoring
  • The botmaster is a n00b

I think for this case, it's both :).
On one panel, a victim appears to be one admin behind those Formbook & Agent Tesla panels.



This guy stayed infected from 09/13/2017 to 09/22/2017, I'll try to use the collected data to understand how he works and how are used the stolen data. Notice that doxing is not the point here.

Autopwn

Victims

As the screenshots shows, victims seems not really targeted, they look for small business easy to hack:


They used already pwned email inboxes for spreading password stealer through fake DocuSign notice:

With filename like "RBL-5019.Jpg,2800 PSI,1450 RPM.Jpg.exe" (81962cbfd51b64b51eeb4110ef139fd3c2791965621bf7ee65a422974a6ec4a1) or "Desktop.zip" (dfdc0b9e2cffead30a77bfffad6fb621f6eccaf6f5ace4b1d46bfe7b141a6028).

After stealing passwords, this admin spy on victims activities and discuss with other people on how he can hijack money:




The majority of victims came from China and USA:


In this panel we can see 17 victims, after grabbing all the panels I have counted 101 victims

Admin opsec

After a quick look we can easily understand that this guy looks like another Nigerian phishers. They often don't have any opsec, they have facebook account with cash photo etc because they know that there is no law or resources for arresting them.

This is the desktop of this guy:


He uses hacked RDPs and socks proxies for hiding his IP:



Another interesting fact, apparently this guy doesn't really know how malware works. In the conversation below you can see a "MASTER" botmaster angry because somebody uploads malware sample on VirusTotal, and our guy apologies:




I have also seen that they used ICQ, Jabber and Skype to communicate. On the same day and with the same person, they switch between 3 softwares and they quite never used OTR.

Samples

The autopwned guy seems to have the ability to crypt malware. Quite every sample I've found has the same lame VB5 packer


Some samples:
  • 15775abe5573192d8abe6fc03240ef8d0afc94bbae22df5f940a789146295ebb - Agent Tesla - t1st.fav.al/st/post.php
  • 81962cbfd51b64b51eeb4110ef139fd3c2791965621bf7ee65a422974a6ec4a1 - Agent Tesla - t4st.fav.al/st/post.php
  • f1b15760d728dc24cd87339be20cc4fe14359bf810f6866b3e21d7ade25846ed - Pony - riv1.fav.al/ddob/gate.php
(I cannot find any formbook sample :/)

Conclusion

This kind of autopwn allows us to better understand how criminals works, how they can make a lot of money with low investments.

This is far from APTs but the consequences are serious too. We seriously saw a lot of cases like this one, every week on public sandboxes or support forums. This is a big impunity industry of money stealing. I'm pretty sure that this guy is not a developer or system administrator. He doesn't know how a keylogger works, he is just one guy part of a big community of panels operators.
I understand that it's difficult to stop these criminals because of different countries law but we can maybe still make an effort on lame malware detection, no?