These weeks, I wanted to spend time on Maltego for testing this amazing tool but for that, I needed something to study.
As usual, when I'm in this case, I took a look at CCT for interesting stuff.
7 malicious domains on the same IP 195.14.105.12. VirusTotal Passive dns report 56 malicious domains: it looks perfect for Maltego.
The game here is to collect as much as possible linked C&C via:
- Passive DNS
- Malware analysis
- Registrant Emails reuse
I will show you in this blogpost how some random malware campaigns, like Pony or Loki, are finally connected on each others. This is quick notes about a very big network.
I've try to do my best to collect as much info as possible but I know that this blogpost is only a little part of a really big infrastructure. I'm publishing them in case of they are useful to somebody.
Malware reminding
A quick reminding about the malware we will discuss in this Article.- Pony - Password stealer [1] [2] [3]
- Loki - Password stealer [1] [2]
- KeyBase - Pasword Stealer [1]
- AgentTesla - Passwors Stealer [1]
- BetaBot - Multi purpose (DDoS, formgrabber, loader...) [1] [2] [3]
- Atmos - Banking trojan (Zeus fork) [1] [2] [3]
- DiamondFox - Multi purpose (pwd stealer, POS, wallet stealer, loader...) [1] [2]
- JackPOS - Point of Sales [1] [2]
- LiteHTTP - Loader [1]
- QuantLoader - Loader [1]
- ZyklonHTTP - Multi purpose (DDoS, Loader, pwd stealer...) [1] [2]
Infrastructure
I have erased all the data and start again from zero but this time I have spent time on each domain and IP to be sure to not include bullshits.
After some hours of work, I've obtained this typology.
The little circle is composed of all the interconnected elements (IP, domains, emails or hashes) and the biggest circle are composed of "final-IOC" (CNC url, hashes or emails).
I have found:
- 116 IPs - Full list
- 485 domains - Full list
- 53 Registrants emails - Full list
- 548 identified C&C (web panels) - (full list below)
- 160 Hashes
The huge majority of IPs are located to RU as usual (keep in mind that RU IP != RU actors ;) )
If we look at the top 5 five of most connected element we can found:
- 42.112.16.179
- 91.224.23.174
- 46.173.219.193
- 42.112.16.178
- hdfc.pp.ru
Another interesting pivot: if you look at the domains connected to our initial IP (195.14.105.12) a domain, vividerenaz.com, was registered by abuse@domainprovider.work. This email is a valid email used by crooks for spreading mainly phishing but some malware too. Techhelplist has reported a lot a IP and domains related to this email
I have try to find information on campaigns that used these domains. This is a quick list:
- Email attachment using CVE-2017-8759 exploit targets Argentina
- Threat Round-up for Mar 24 - Mar 31
- 2016-07-13 - NEUTRINO EK DATA DUMP WITH "JUICYLEMON" BANDARCHOR
- ATENCIÓN! Intento de estafa mediante un phishing AFIP (ARGENTINA)
- LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America
- 2017-06-12 - HANCITOR MALSPAM (DOCUSIGN-THEMED)
- 2017-06-15 - HANCITOR MALSPAM (GOOGLE DOCS-THEMED)
- Heads-Up - LokiBot Endpoints - loki c2s
- CVE-2017-11882 Exploited to Deliver a Cracked Version of the Loki Infostealer
- Neutrino modification for POS-terminals
- StegBaus: Because Sometimes XOR Just Isn’t Enough
- 2017-04-05 - TERROR EK SENDS ANDROMEDA
- EMEA Bi-Monthly Threat Reports: Turkey, Saudi Arabia & United Arab Emirates
- Increase in jRAT Campaigns
Malware
Here we go for the panels list.I have only keep the most common families, you can found the full details in the Maltego base.
Pony
LokiBot
Atmos
BetaBot
KeyBase
AgentTesla
DiamondFox
ZyklonHTTP
In the Maltego database you can also found some JackPOS, neutrino, QuantLoader, Btc miner, LiteHTTP, Java RAT...This all these data I have tried to identify groups by url patterns. I have used the dirty way: I have converted the URL list in csv (by replacing / by ;) and sorted the result by directories.
For example: this actor seems to be in the passwords stealing business. Pony and Loki are a close couple in many campaigns.
Loki,http://street-upp.ru/v1/fre.php Loki,http://street-ups.ru/v3/fre.php Pony,http://street-upp.ru/v6/gate.php Pony,http://street-ups.ru/v2/admin.php Pony,http://street-upp.ru/v7/gate.php Loki,http://street-men.ru/v3/fre.php Pony,http://street-mens.ru/v1/gate.php Loki,http://street-men.ru/v4/fre.php Pony,http://street-mens.ru/v2/gate.php Pony,http://street-men.ru/mmb/gate.php Loki,http://street-takeover.ru/okeagwu/fre.php Pony,http://street-men.ru/vpoli/gate.php Pony,http://street-takeover.ru/v1/admin.php Loki,http://fyzeeconnect.ru/hthththththththht/Panel/five/fre.php Loki,http://street-wise.ru/v2/fre.php Loki,http://fyzeeconnect.ru/kingofkings/Panel/five/fre.php Loki,http://street-wise.ru/v3/fre.php Loki,http://fyzeeconnect.ru/my-friend/fre.php Loki,http://street-wise.ru/v4/fre.php Loki,http://fyzeeconnect.ru/street-credibilty/fre.php Loki,http://street-wise.ru/v5/fre.php Loki,http://fyzeeconnect.ru/street-takeover/fre.php Loki,http://street-wise.ru/v6/fre.php Loki,http://fyzeeconnect.ru/street-wise/fre.php Loki,http://street-ups.ru/v3/fre.php Pony,http://fyzeeconnect.ru/debbyrisingsun/gate.php Pony,http://street-ups.ru/v2/admin.php Pony,http://fyzeeconnect.ru/maliki/gate.php Loki,http://street-men.ru/v3/fre.php Pony,http://fyzeeconnect.ru/v5/gate.php Loki,http://street-men.ru/v4/fre.php Loki,http://fyzeeconnect.ru/street-credibilty/fre.php Pony,http://street-men.ru/mmb/gate.php Loki,http://fyzeeconnect.ru/street-takeover/fre.php Pony,http://street-men.ru/vpoli/gate.php Loki,http://fyzeeconnect.ru/street-wise/fre.php Loki,http://fyzeeconnect.ru/hthththththththht/Panel/five/fre.php Pony,http://fyzeeconnect.ru/debbyrisingsun/gate.php Loki,http://fyzeeconnect.ru/kingofkings/Panel/five/fre.php Pony,http://fyzeeconnect.ru/maliki/gate.php Loki,http://fyzeeconnect.ru/my-friend/fre.php Pony,http://fyzeeconnect.ru/v5/gate.php
Another actor targeting Argentina with BetaBot and Atmos:
BetaBot,http://av.bitdefenderesupdate.ru/.av/logout.php Atmos,http://chester.agenteinformaticos.ru/.scnerio/chusma/tetris.php?m=login Unknown,http://update.agenteinformaticos.ru/.coma/update/panelThere is a lot of different actors with different goals in this infra. We can found a looooot of Nigerian actors, a little bit of ransomware, some banking gang or a little bit of point of sales malware gang...
You can found some emails related here: https://pastebin.com/PXzHNaSR
Misc
Thanks to all these data, we can found funny related stuff related to our infrastructure:- This is a guy asking for help on Whois and take his malicious domain ("adtogroups.com", related to Atmos, Pony or Btc Miner) as example [1] in march [2] in April
- A very strange website that post every week a list of domains related to our infrastructure [1]
- A guy on Hackforum seems pwn his clients with something that contacts "tierastyle.co.uk" [1]
- They like using obvious domains name like lokibotnet.ru, lokivshulk.info, atmosbot.xyz, achakeybase.com.de or azumebot.ru
- One of our botmaster seems to have problems with a car [1]
- Another one use his emails for registering malicious domains and for Linkedin (slyovic84@yahoo.com)[1]
Conclusion
All these elements remind me a malware infrastructure as service. It's a good entry point for a lot of investigations :DThanks to Maltego, after this quick test, I'm a big fan :D
I only have make retro hunting, so quite everything here are known. With a little bit of active hunting, I'm sure you can found double or triple the number panels. I saw new domains every day
Good luck and happy hunting :)
