mercredi 27 décembre 2017

Another normal day in cybercrime: from a random Loki sample to 550 C&C

Hi,

These weeks, I wanted to spend time on Maltego for testing this amazing tool but for that, I needed something to study.
As usual, when I'm in this case, I took a look at CCT for interesting stuff.


7 malicious domains on the same IP 195.14.105.12. VirusTotal Passive dns report 56 malicious domains: it looks perfect for Maltego.
The game here is to collect as much as possible linked C&C via:
  • Passive DNS
  • Malware analysis
  • Registrant Emails reuse
And of course, without false positive or unrelated servers. I have try to not going earlier than 2016.

I will show you in this blogpost how some random malware campaigns, like Pony or Loki, are finally connected on each others. This is quick notes about a very big network.

I've try to do my best to collect as much info as possible but I know that this blogpost is only a little part of a really big infrastructure. I'm publishing them in case of they are useful to somebody.

Malware reminding

A quick reminding about the malware we will discuss in this Article.
  • Pony - Password stealer [1] [2] [3]
  • Loki - Password stealer [1] [2]
  • KeyBase - Pasword Stealer [1]
  • AgentTesla - Passwors Stealer [1]
  • BetaBot - Multi purpose (DDoS, formgrabber, loader...) [1] [2] [3]
  • Atmos - Banking trojan (Zeus fork) [1] [2] [3]
  • DiamondFox - Multi purpose (pwd stealer, POS, wallet stealer, loader...) [1] [2]
  • JackPOS - Point of Sales [1] [2]
  • LiteHTTP - Loader [1]
  • QuantLoader - Loader [1]
  • ZyklonHTTP - Multi purpose (DDoS, Loader, pwd stealer...) [1] [2]
This is the typical asshole cybercrime starter kit. All these tools are open source or really easy to crack and are badly detected by Antivirus industry.

Infrastructure



The Maltego base is available here
Like every Maltego noob, I have firstly use a lot all the transforms on all the domains but after some hours, my graph was full of false positive. Some binaries are contacting whatsmyip, Gmail or Yahoo, some domains was legit in 2012 but not in 2016 etc.
I have erased all the data and start again from zero but this time I have spent time on each domain and IP to be sure to not include bullshits.
After some hours of work, I've obtained this typology.
The little circle is composed of all the interconnected elements (IP, domains, emails or hashes) and the biggest circle are composed of "final-IOC" (CNC url, hashes or emails).
I have found:
  • 116 IPs - Full list
  • 485 domains - Full list
  • 53 Registrants emails - Full list
  • 548 identified C&C (web panels) - (full list below)
  • 160 Hashes
There are some nodes dedicated for phishing, others for malware spreading, others for malware c&c etc.
The huge majority of IPs are located to RU as usual (keep in mind that RU IP != RU actors ;) )


If we look at the top 5 five of most connected element we can found:
  • 42.112.16.179
  • 91.224.23.174
  • 46.173.219.193
  • 42.112.16.178
  • hdfc.pp.ru
hdfc.pp.ru is a good domain for discovering a lot of other IPs. This domain was configured on 49 different IPs in 1 year. It was known for hosting CNCs like Atmos, Pony or Lokibot. ([1][2])

Another interesting pivot: if you look at the domains connected to our initial IP (195.14.105.12) a domain, vividerenaz.com, was registered by abuse@domainprovider.work. This email is a valid email used by crooks for spreading mainly phishing but some malware too. Techhelplist has reported a lot a IP and domains related to this email

I have try to find information on campaigns that used these domains. This is a quick list: It look like there is a many actors using these domains, from Hancitor gang to Nigerian scammer. It is possible that this infrastructure is rent somewhere in a market.

Malware

Here we go for the panels list.
I have only keep the most common families, you can found the full details in the Maltego base.

Pony

LokiBot

Atmos

BetaBot

KeyBase

AgentTesla

DiamondFox

ZyklonHTTP

In the Maltego database you can also found some JackPOS, neutrino, QuantLoader, Btc miner, LiteHTTP, Java RAT...
This all these data I have tried to identify groups by url patterns. I have used the dirty way: I have converted the URL list in csv (by replacing / by ;) and sorted the result by directories.

For example: this actor seems to be in the passwords stealing business. Pony and Loki are a close couple in many campaigns.
Loki,http://street-upp.ru/v1/fre.php                              Loki,http://street-ups.ru/v3/fre.php
Pony,http://street-upp.ru/v6/gate.php                              Pony,http://street-ups.ru/v2/admin.php
Pony,http://street-upp.ru/v7/gate.php                              Loki,http://street-men.ru/v3/fre.php
Pony,http://street-mens.ru/v1/gate.php                              Loki,http://street-men.ru/v4/fre.php
Pony,http://street-mens.ru/v2/gate.php                              Pony,http://street-men.ru/mmb/gate.php
Loki,http://street-takeover.ru/okeagwu/fre.php                      Pony,http://street-men.ru/vpoli/gate.php
Pony,http://street-takeover.ru/v1/admin.php                      Loki,http://fyzeeconnect.ru/hthththththththht/Panel/five/fre.php
Loki,http://street-wise.ru/v2/fre.php                              Loki,http://fyzeeconnect.ru/kingofkings/Panel/five/fre.php
Loki,http://street-wise.ru/v3/fre.php                              Loki,http://fyzeeconnect.ru/my-friend/fre.php
Loki,http://street-wise.ru/v4/fre.php                              Loki,http://fyzeeconnect.ru/street-credibilty/fre.php
Loki,http://street-wise.ru/v5/fre.php                              Loki,http://fyzeeconnect.ru/street-takeover/fre.php
Loki,http://street-wise.ru/v6/fre.php                              Loki,http://fyzeeconnect.ru/street-wise/fre.php
Loki,http://street-ups.ru/v3/fre.php                              Pony,http://fyzeeconnect.ru/debbyrisingsun/gate.php
Pony,http://street-ups.ru/v2/admin.php                              Pony,http://fyzeeconnect.ru/maliki/gate.php
Loki,http://street-men.ru/v3/fre.php                              Pony,http://fyzeeconnect.ru/v5/gate.php
Loki,http://street-men.ru/v4/fre.php                              Loki,http://fyzeeconnect.ru/street-credibilty/fre.php
Pony,http://street-men.ru/mmb/gate.php                              Loki,http://fyzeeconnect.ru/street-takeover/fre.php
Pony,http://street-men.ru/vpoli/gate.php                      Loki,http://fyzeeconnect.ru/street-wise/fre.php
Loki,http://fyzeeconnect.ru/hthththththththht/Panel/five/fre.php     Pony,http://fyzeeconnect.ru/debbyrisingsun/gate.php
Loki,http://fyzeeconnect.ru/kingofkings/Panel/five/fre.php      Pony,http://fyzeeconnect.ru/maliki/gate.php
Loki,http://fyzeeconnect.ru/my-friend/fre.php                      Pony,http://fyzeeconnect.ru/v5/gate.php

Another actor targeting Argentina with BetaBot and Atmos:
BetaBot,http://av.bitdefenderesupdate.ru/.av/logout.php
Atmos,http://chester.agenteinformaticos.ru/.scnerio/chusma/tetris.php?m=login
Unknown,http://update.agenteinformaticos.ru/.coma/update/panel
There is a lot of different actors with different goals in this infra. We can found a looooot of Nigerian actors, a little bit of ransomware, some banking gang or a little bit of point of sales malware gang...
You can found some emails related here: https://pastebin.com/PXzHNaSR

Misc

Thanks to all these data, we can found funny related stuff related to our infrastructure:
  • This is a guy asking for help on Whois and take his malicious domain ("adtogroups.com", related to Atmos, Pony or Btc Miner) as example [1] in march [2] in April
  • A very strange website that post every week a list of domains related to our infrastructure [1]
  • A guy on Hackforum seems pwn his clients with something that contacts "tierastyle.co.uk" [1]
  • They like using obvious domains name like lokibotnet.ru, lokivshulk.info, atmosbot.xyz, achakeybase.com.de or azumebot.ru
  • One of our botmaster seems to have problems with a car [1]
  • Another one use his emails for registering malicious domains and for Linkedin (slyovic84@yahoo.com)[1]

Conclusion

All these elements remind me a malware infrastructure as service. It's a good entry point for a lot of investigations :D
Thanks to Maltego, after this quick test, I'm a big fan :D
I only have make retro hunting, so quite everything here are known. With a little bit of active hunting, I'm sure you can found double or triple the number panels. I saw new domains every day


Good luck and happy hunting :)