Sunday, 10 December 2017

An inside view of a password stealer campaign

After a lightning talk at Botconf 2017, I'll try to describe here the full story behind the fav.al malware campaign.
This is nothing new: after searching the internet I found an article about this case from 2016, but I could not find anything covering the big picture of the case. So, here we go.

This is a very classic case of cybercrime. During the last 5 years I have seen a lot of cases like this one.

Starting line

By looking at public sandboxes I found a recurring domain hosting an Agent Tesla panel:
[+] 1eb54cd95709b62ebafa50b5dc051a41225b1de236bf8d269ceeac1087f9fbb1 POST -> t4st.fav.al/st/post.php
[+] 78ca1db4616ac10d6ae34a9f8b85b63966fad43fed0f40cf61d9fcde74892d94 POST -> t2st.fav.al/st/post.php
fav.al has been known since around May 2016 for hosting Pony, Formbook or Agent Tesla panels on many different subdomains.
Before giving details on the infrastructure, a quick reminder about the malware used (default gate name and hard-coded User-Agent of each family):
Family        Method       Gate                          User-Agent
Pony          POST         gate.php                      Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
Agent Tesla   POST         post.php                      Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv: Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Form Book     GET / POST   config.php?id= / config.php   Mozilla Firefox/4.0
These malware families are designed to crawl the victim's computer and search for saved credentials (FTP, RDP, email, websites...) in browsers, the registry, configuration files and so on.
Some good analyses:

Agent Tesla:


Two of these malware families are almost open source: the Pony and Agent Tesla sources leaked some time ago. I want to draw your attention to how lame this malware is. Here, the crooks used the default configuration for Pony and Agent Tesla: the gate name is the default, the web requests are the defaults, etc. Look at how, in 2017, crooks use old lame Pony shit to infect people protected by "next gen anti virus".
I have worked in the AV industry and I know how difficult it is to implement protections on Windows without false positives (thanks to all the fucking third-party software developed by n00bs), but COME ON! PONY!

Put a global hook (even in userland, LOL), block every POST request to gate.php and whitelist browsers! Trust me, you will catch 80% of cybercrime... You can even offer a premium version which blocks POSTs to fre.php and you will be the best AV on Gartner...
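As an added example (not code from the original post, nor from any AV product), here is a toy proxy-log matcher that does roughly what the paragraph above asks for, using the default gate names and hard-coded User-Agents from the table above. The log format, the Formbook panel path and all sample lines are constructed for the example; only the fav.al hostnames come from the post. A request that hits a generic gate name without the hard-coded User-Agent is reported as a lead ("path-only") rather than an alert, because legitimate sites use names like gate.php too.

```python
"""Added example (not code from the original post): match the default
Pony / Agent Tesla / Formbook check-ins from the table above against
proxy log lines. The log format and all sample lines are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Default gate names and hard-coded User-Agents, as listed in the table above.
AGENT_TESLA_UA_PREFIX = "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru;"
AGENT_TESLA_UA_SUFFIX = "Firefox/4.0 (.NET CLR 3.5.30729)"
SIGNATURES = {
    "Pony": {
        "methods": {"POST"},
        "path": re.compile(r"/gate\.php$"),
        "ua": lambda ua: ua == "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)",
    },
    "Agent Tesla": {
        "methods": {"POST"},
        "path": re.compile(r"/post\.php$"),
        "ua": lambda ua: ua.startswith(AGENT_TESLA_UA_PREFIX) and ua.endswith(AGENT_TESLA_UA_SUFFIX),
    },
    "Formbook": {
        "methods": {"GET", "POST"},
        "path": re.compile(r"/config\.php$"),
        "ua": lambda ua: ua == "Mozilla Firefox/4.0",
    },
}

STRENGTH_ORDER = {"match": 2, "path-only": 1, "ua-only": 1}


@dataclass(frozen=True)
class Finding:
    src: str
    family: str
    strength: str  # "match" (path and UA), "path-only" or "ua-only"
    url: str


def classify(method: str, url: str, ua: str):
    """Return (family, strength) for the strongest signature hit, or None."""
    path = urlsplit(url).path
    best = None
    for family, sig in SIGNATURES.items():
        if method.upper() not in sig["methods"]:
            continue
        path_hit = bool(sig["path"].search(path))
        ua_hit = sig["ua"](ua)
        if path_hit and ua_hit:
            strength = "match"
        elif path_hit:
            # gate.php / post.php / config.php are generic names: a path hit alone
            # is a lead to review, not an alert (this is the false-positive worry).
            strength = "path-only"
        elif ua_hit:
            strength = "ua-only"
        else:
            continue
        if best is None or STRENGTH_ORDER[strength] > STRENGTH_ORDER[best[1]]:
            best = (family, strength)
    return best


# Constructed log format: <ts> <src_ip> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def scan(log_text: str):
    """Run classify() over every parseable line; lines with no hit are dropped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        _ts, src, method, url, _status, ua = m.groups()
        hit = classify(method, url, ua)
        if hit:
            findings.append(Finding(src, hit[0], hit[1], url))
    return findings


# Constructed sample traffic: three default check-ins (the /fb/ panel path is made up),
# one legitimate Chrome POST to an intranet page that happens to be named gate.php,
# and one ordinary browser request.
SAMPLE_LOG = """\
2017-09-13T10:02:11Z 10.0.0.23 POST http://t4st.fav.al/st/post.php 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv: Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
2017-09-13T10:05:42Z 10.0.0.24 POST http://riv1.fav.al/ddob/gate.php 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
2017-09-13T10:07:03Z 10.0.0.24 GET http://401.fav.al/fb/config.php?id=1 200 "Mozilla Firefox/4.0"
2017-09-13T10:09:30Z 10.0.0.31 POST https://intranet.example.com/gate.php 302 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
2017-09-13T10:10:01Z 10.0.0.31 GET https://www.example.com/ 200 "Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src:10} {f.family:12} {f.strength:10} {f.url}")
```

The rule only fires with full strength when both the default path and the hard-coded User-Agent are present, which is exactly the trade-off behind the argument: an operator who renames the gate or edits the User-Agent walks past it, but the whole point of the post is that most of them never change the defaults.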

kns1.al, fav.al and ddf.al as panel C&C since 2015

These crooks use only a few domains during the operation and split victims across different subdomains.
Each subdomain is configured with 2 panels: Formbook and either Pony or Agent Tesla. In the past this gang used Zeus too.
ddf.al has been known since around 2015-08-24 (bd1e28f55b2b335e27762425ebc70ffe17d468d7896bf2869bc0e5fa3e4220e2 - hxxp://files1.ddf.al/bin1.exe).
This looks like a kind of password-stealer-as-a-service infrastructure.

                      |                             |                             |    
                   fav.al                         ddf.al                        kns1.al
                      |                             |                             |                                                       
                      |                             |                             |        
                 401.fav.al                     d1.ddf.al                      bin1.kns1.al      
                 402.fav.al                     dbr.ddf.al                     bon1.kns1.al
                 403.fav.al                     f1.ddf.al                      byn1.kns1.al
                 404.fav.al                     files.ddf.al                   dan1.kns1.al
                 ali1st.fav.al                  files1.ddf.al                  dan1-d.kns1.al
                 cent1.fav.al                   frank1.ddf.al                  dave1.kns1.al
                 char2.fav.al                   111.dff.al                     denko1.kns1.al
                 charles1.fav.al                owe1.ddf.al                    dinu1.kns1.al
                 charles1-s.fav.al              owe2.ddf.al                    gt1.kns1.al
                 daniel1.fav.al                 owe3.ddf.al                    jeff1.kns1.al
                 dave1.fav.al                   legend1.ddf.al                 jones1.kns1.al
                 db.fav.al                      s1.ddf.al                      ld1.kns1.al
                 dfg2.fav.al                                                   ld1files.kns1.al
                 dfg3.fav.al                                                   nasty1.kns1.al
                 dfg2-s.fav.al                                                 sailheats2.kns1.al
                 dino1.fav.al                                                  sheats1.kns1.al
                 ebu1.fav.al                                                   swain1.kns1.al
                 gabriel1-st.fav.al                                            swain2.kns1.al
                 g1.fav.al                                                     tunapy1.kns1.al
                 g2.fav.al                                                     wal1.kns1.al
                 g3.fav.al                                                     wal2.kns1.al
                 gr2-s.fav.al                                                  wal3.kns1.al
                 heat1.fav.al                                                  wal4.kns1.al
                 idino2.fav.al                                                 wal5.kns1.al
Some panel examples from CCT:

This team doesn't use mass spreading; they select specific victims (we will see how later). I have seen ~110 victims spread across many subdomains. They use password stealers to gain access to companies and then try to steal money.
Password stealers are only one part of their business. During data analysis I saw that they also use phishing, scams and CVV laundering.

An inside view

There is a recurring behaviour with lame botmasters: in many cases they infect themselves with their own malware.
I suspect 2 reasons behind that:
  • The botmaster wants to know if everything is okay with the botnet, and the self-infection is used as monitoring
  • The botmaster is a n00b

In this case I think it's both :).
On one panel, one of the victims turns out to be an admin behind these Formbook & Agent Tesla panels.

This guy stayed infected from 2017-09-13 to 2017-09-22. I'll use the collected data to understand how he works and how the stolen data is used. Note that doxing is not the point here.



As the screenshots show, the victims don't seem to be really targeted; they look for small businesses that are easy to hack:

They use already-pwned email inboxes to spread the password stealer through fake DocuSign notices:

with filenames like "RBL-5019.Jpg,2800 PSI,1450 RPM.Jpg.exe" (81962cbfd51b64b51eeb4110ef139fd3c2791965621bf7ee65a422974a6ec4a1) or "Desktop.zip" (dfdc0b9e2cffead30a77bfffad6fb621f6eccaf6f5ace4b1d46bfe7b141a6028).
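As an added example (not from the original post), the following triages mail attachments for the double-extension trick used in these lures: the final extension is executable while the one before it looks like an image or document, so Windows with "hide known extensions" shows a .Jpg. Archives are opened in memory so that members get the same name check plus a look at the first two bytes for a PE ('MZ') header. The inbox, the zip contents and the member names are constructed for the example; only the two quoted lure filenames come from the post.

```python
"""Added example (not from the original post): triage attachment names for
executables hiding behind a decoy extension, inside zips too. All data here
is constructed; the 'MZ' stubs are not real PE files."""
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def extensions(name: str):
    """All dotted extensions of a file name, lowercased (Windows compares case-insensitively)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + p.lower() for p in base.split(".")[1:]]


def suspicious_name(name: str):
    """Reason string if the name ends in an executable extension, else None.
    A decoy extension right before it (report.pdf.exe) is called out explicitly."""
    exts = extensions(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return f"executable {exts[-1]} behind decoy extension {exts[-2]}"
    return f"executable attachment ({exts[-1]})"


def suspicious_content(name: str, head: bytes):
    """Reason string if the first bytes say PE ('MZ') while the name does not, else None."""
    exts = extensions(name)
    if head[:2] == b"MZ" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        return "PE header behind non-executable name"
    return None


def triage_attachment(name: str, data: bytes = b""):
    """Return a list of (path, reason) findings for one attachment.
    Zips are opened in memory; each member is checked by name and by header."""
    findings = []
    reason = suspicious_name(name) or suspicious_content(name, data)
    if reason:
        findings.append((name, reason))
    if extensions(name)[-1:] == [".zip"] and data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if info.is_dir():
                        continue
                    with z.open(info) as fh:
                        head = fh.read(2)
                    member_reason = suspicious_name(info.filename) or suspicious_content(info.filename, head)
                    if member_reason:
                        findings.append((f"{name}!{info.filename}", member_reason))
        except zipfile.BadZipFile:
            findings.append((name, "named .zip but not a valid zip archive"))
    return findings


def build_demo_zip() -> bytes:
    """Constructed archive: a fake 'MZ' stub with a decoy double extension, a fake
    'MZ' stub under a plain image name, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Desktop/scan_0917.jpg.exe", b"MZ" + b"\x00" * 62)
        z.writestr("Desktop/photo.jpg", b"MZ" + b"\x00" * 62)
        z.writestr("Desktop/notes.txt", b"constructed decoy text")
    return buf.getvalue()


# Constructed inbox: the two lure names quoted above plus a benign attachment.
SAMPLE_ATTACHMENTS = [
    ("RBL-5019.Jpg,2800 PSI,1450 RPM.Jpg.exe", b"MZ" + b"\x00" * 62),
    ("Desktop.zip", build_demo_zip()),
    ("quote_2017-09.pdf", b"%PDF-1.4 constructed"),
]


def triage_inbox(attachments):
    """Flatten triage_attachment() over (name, bytes) pairs."""
    findings = []
    for name, data in attachments:
        findings.extend(triage_attachment(name, data))
    return findings


if __name__ == "__main__":
    for path, reason in triage_inbox(SAMPLE_ATTACHMENTS):
        print(f"{path}: {reason}")
```

The name check alone catches the first lure; the header check is what catches a member renamed to a plain .jpg inside the archive, which the name check would miss.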

After stealing passwords, this admin spies on the victims' activities and discusses with other people how he can hijack money:

The majority of victims come from China and the USA:

In this panel we can see 17 victims; after grabbing all the panels I counted 101 victims.

Admin opsec

After a quick look, it's easy to see that this guy looks like just another Nigerian phisher. They often don't have any opsec: they have Facebook accounts with cash photos, etc., because they know there is no law or resources to arrest them.

This is the guy's desktop:

He uses hacked RDP servers and SOCKS proxies to hide his IP:

Another interesting fact: apparently this guy doesn't really know how malware works. In the conversation below you can see a "MASTER" botmaster angry because somebody uploaded a malware sample to VirusTotal, and our guy apologises:

I have also seen that they use ICQ, Jabber and Skype to communicate. On the same day and with the same person they switch between the 3 programs, and they almost never use OTR.


The self-pwned guy seems to have the ability to crypt malware. Almost every sample I've found has the same lame VB5 packer.

Some samples:
  • 15775abe5573192d8abe6fc03240ef8d0afc94bbae22df5f940a789146295ebb - Agent Tesla - t1st.fav.al/st/post.php
  • 81962cbfd51b64b51eeb4110ef139fd3c2791965621bf7ee65a422974a6ec4a1 - Agent Tesla - t4st.fav.al/st/post.php
  • f1b15760d728dc24cd87339be20cc4fe14359bf810f6866b3e21d7ade25846ed - Pony - riv1.fav.al/ddob/gate.php
(I cannot find any Formbook sample :/)


This kind of self-pwn lets us better understand how criminals work and how they can make a lot of money with little investment.

This is far from APTs, but the consequences are serious too. We really do see a lot of cases like this one, every week, on public sandboxes or support forums. This is a big money-stealing industry operating with impunity. I'm pretty sure this guy is not a developer or a system administrator. He doesn't know how a keylogger works; he is just one guy in a big community of panel operators.
I understand that it's difficult to stop these criminals because of the laws of different countries, but maybe we can still make an effort on detecting lame malware, no?

2 comments:

  1. Nice post benkow. Just a thought regarding "blocks every POST request on gate.php and white list browsers !":
    1) Don't underestimate the number of different (and weird) clean software in the world. Even a single false positive is too high for AVs: the gap between 1st and last place on AV comparatives rankings is often as small as a few false positives on 100k URLs.
    2) If you block these URLs using an aggressive regex, it will take them 5 minutes to change the default installation name and make it random (and thus harder for AVs to detect internally).

  2. :) I understand point 1 but not point 2. It takes 5 min to change the default install for a good reverser or cracker, but 99% of cybercrime operators are lame and don't know how to do that. They don't even know how malware works. Everybody has used the default installation for Pony since 2014.