Jul 022013

Gothard Technology is relocating to the Mississippi Gulf Coast.

Effective July 15, 2013, our office will be located in Ocean Springs, MS.

We will continue to provide remote support to Alabama clients on a limited basis indefinitely and can schedule on site service through one of our recommended partners at your request.

We would like to thank all of our customers in the Birmingham area for your support, and know that we will be more than happy to assist you in any way possible, including transitioning to a new local provider.

Jul 212014

ISC reader Frank reports seeing a couple odd DNS names in his DNS resolver log

4e6.1a4bf.565697d.f52e1.306.60ae.766e0.mdleztmxhvxc.speakan.in. A=  TTL=30 NS=
3a.276965.3e6b39.cdaf104.da.e018.72c1a.mdleztmxhvxc.speakan.in. A=  TTL=30 NS=

As so often, the first step in the infection chain had been a visit to a benign, but unpatched and hacked Wordpress website. It redirected to an intermediary, which in turn redirected to the domains above. The subsequent http connection with Java exploit attempt was stopped by the proxy filters in Frank's case, so no harm done.

But looking at public passive DNS records, it is obvious that "something" is going on, and has been for a long while. Domain names of this pattern have been observed since about November 2013, and are associated with the Magnitude Exploit Kit. Snort and Emergingthreats have decent signatures, and flag the traffic as "MAGNITUDE EK".

The recently used domain names are all within the Indian TLD ".in", and checking the registration information, they were all registered by the same alleged "Ivan Biloev" from Moscow, and all of them via the same registrar (webiq.in). They even suspended a handful of the domains because of abuse, but they apparently continue to let Ivan happily register new addresses. Maybe a registrar might want to have a chat with a customer who had domains revoked, before letting registrations for additional names go through??

Recent Magnitude mal-domains included, only to name a few: speakan.in busyneeds.in chancessay.in futureroll.in loadsbreak.in suchimages.in touchitems.in waysheader.in putsediting.in regionwhole.in resultsself.in unlikesolve.in advisefailed.in closesthotel.in comesexpands.in installseven.in deducecontact.in poundscaptain.in delayattempted.in lawuniversitys.in obviouslyheads.in

Brad over at malware-traffic-analysis.net has a write-up [1] on a recent sample. If you have current intel on Magnitude EK, the domain name patterns, the exploits pushed in the current set, etc, then please share in the comments below or via our contact form.

[1]  http://malware-traffic-analysis.net/2014/07/15/index.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Jul 192014

As we bring out three part series on RAT tools suffered upon our friends at Hazrat Supply we must visit the centerpiece of it all. The big dog in this fight is indeed the bybtt.cc3 file (Jake suspected this), Backdoor:Win32/Zegost.B. The file is unquestionably a PEDLL but renamed a .cc3 to hide on system like a CueCards Professional database file.
Based on the TrendMicro writeup on this family, the backdoor drops four files, including %Program Files%\%SESSIONNAME%\{random characters}.cc3
This indicates that bybtt.cc3 is one of the dropped files rather than the source file.
Per the Microsoft writeup for Backdoor:Win32/Zegost.B, once installed, it attaches its code to the legitimate Windows process, svchost.exe.
This is therefore likely the svchost.exe (MD5 20a6310b50d31b3da823ed00276e8a50) that Jake sent us. It's all coming together.
The Microsoft writeup also states that after connecting to the C2 server it receives commands to copy, execute, download, and delete files, gather information from the RAS phonebook, and capture screenshots. I'll confirm each of these steps from strings or a specific tool.
Unfortunately, bybtt.cc3 wouldn't run easily in my sandbox (it's a PEDLL and yes, I know it can be done but there's only so much time in the day) but I learned or confirmed everything I needed to create IOCs for you.
First, this sample connects to ip.sousf8.com and while its registered to Peng Peng (um, yeah) the server is actually in the US.
What I really didn't like is that searches for sousf8.com prove that its been embedded as Louis Vitton forum SPAM and other evil crap that point to hxxp://fz.sousf8.com. Do not freaking go there please.
This domain points to Jake reported to us, based on network connections and NetFlow analysis that he had RDP (TCP 3389) connections to using mylcx.exe which we've already discussed. What what!? Oh, boy. So again, these server are in San Jose, CA but they're registered to vpsbus in...wait for it...please hold...prepareth thy shocked face...Jinjiang, in the province of Fujian, in the country of...China.
The three domains hosted on are 9uufu.com, sousf8.com, taobaofu.com.
The ASN for these IPs belong to PEG TECH INC, a notorious spammer
According to Wepawet, who says that fz.sousf8.com is benign, that flow includes a redirect from hxxp://cnzz.mmstat.com to hxxp://pcookie.cnzz.com. Again, please don't. Both are immediately associated with Troj/Clicker-GL (more crap adware).
There are all kinds of malicious attributes in the bybtt.cc3 file too, in addition to all the IOC fodder above.
According to HookAnalyser, there's a ton of what looks like NOP padding in this sample.
[!] Found 373 traces of NOP instructions (a potential shellcode - Suspicious)  
[-] At the offset 00001109, found: '\x90\x90\x90\x90\x90\x90\x90'
And it notes the fact that:
[!] Executable is Debug aware
[!] Executable could spawn a new process
[!] Executable can enemurate processes
[!] Executable could hook to other processes
[!] Executable is potentially anti-debug aware


Strings confirms the RAS phonebook reference from above, not two lines removed from the hostile domain:
%USERPROFILE%\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk

References to GDI32.dll and CreateCompatibleBitmap are indicative of the screencapture attribute, and there are way too many elements to its capability to "copy, execute, download, and delete files" to spell each out but Figure 1, created using PeStudio helps confirm.


Figure 1

What a swirling vortex of nastiness. There are so many rabbit holes to go down here, but I promised you IOCs.
I'm not going to go for file name or size or hashes, because they won't match. I'm working from one of the dropped files and as we've seen there's much randomization.
But we know for sure the related domain names, IPs, and we know thanks to Jake who teased a lot of this from the running server during his IR process, that it creates specific registry keys (PeStudio confirmed as did strings). Figure 2 is the IOC build.


Figure 2

Its cool to match the great work Jake did during IR with static analysis and turn it into what is hopefully actionable intelligence for you, dear reader.
I've posted the IOC XML files for you:

  1. http://holisticinfosec.org/iocs/464bfac7-9b16-4acb-9951-2095b6ca3b3e.ioc
  2. http://holisticinfosec.org/iocs/7d540cb4-5a52-46e4-9465-081e6735cb3d.ioc
  3. http://holisticinfosec.org/iocs/dea382df-9592-4528-b9e5-fef136e30805.ioc

Remember that IOCs change quickly and that another very related sample may exhibit entirely different indicators. So don't treat these as a panacea, but do use them as reference for your hunt and detect missions. Please feel free to enhance, optimize, tune, improve, criticize, and assassinate the character of the IOCs; they're always a work in progress, I won't be hurt.

Good luck and let us know how it goes!


Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
%d bloggers like this: