Archive for the ‘Malware’ Category
Ryuk Ransomware Threat Intel Report
I cobbled together some stuff on Ryuk in case you all want to have a report you can re-purpose.
K…
PDF is here
Ryuk Ransomware Threat Intelligence Report
1/4/2019
Table of Contents
The Ryuk variant of ransomware is a new type of ransomware that first appeared in August 2018 and has been used since then in an targeted attack scheme by unknown actors online. The evolution of the attack has taken shape to mimic some of the attack methodologies used by the SAMSAM group (Iran) in locating vulnerable enterprises/organizations through reconnaissance and phishing to then gain a foothold in as a first phase of their attack.
The Ryuk actors then escalate the incursion by loading the ransomware (Ryuk) onto servers in the enterprise and thus locking that business down completely from daily business. The attacks have been seen recently (Dec/January 2018-2019) in attacks against publishing and media corporations such as the LA Times, Chicago Times (Tribune Group) as well as DataResolution Cloud Service. The financial damages to those companies has yet to be determined but due to the attack on the Tribune group, printing of newspapers was degraded or stopped for a time.
The Ryuk actor group uses two probable means to gaining access to internal networks:
1) phishing to infect systems with EMOTET (trojan variant using PowerShell via doc files that use macros to start ps.exe) and then pivot laterally to gain more access.
2) Locating vulnerable systems online using Shodan and other tools to find open RDP sessions and exploits them to escalate the attack.
In both attack vectors the second stage of the attack is to use the access gained to recon the org to locate systems (servers) to infect with Ryuk. The Ryuk infection will then encrypt all data, delete shadow copies and leave a message that the systems have been encrypted and where to send bitcoins.
The malware campaign to date (Aug 2018 to today) has accrued approximately $2,680,077.93 in bitcoin transfers from affected organizations. The average demand for money per each attack, is per the organizations tolerances judged by the actors estimate of what they can afford. This method is a lot like the SAMSAM group.
Threat intelligence on the malware and the tactics of the group provide the following recommendations for response to this threat:
-
Put all IOC’s into HIDS/NIDS
-
Block known C2’s
-
Assess for vulnerable RDP sessions to the internet (Shodan)
-
Block all hashes and C2’s for EMOTET campaigns
-
Be aware of ps.exe (powershell) sessions going to the internet
The malware immediately begins by shutting down A/V systems and specifically SOPHOS and McAfee as well as other processes focusing not only on A/V but backup programs. Early Virus Total assessments as well as Hybrid Analysis online show some signs that the actors had tested early versions of the malware and that it had been detected by SOPHOS and McAfee.
Strings:
stop “Enterprise Client Service” /y
stop “Sophos AutoUpdate Service” /y
stop “Sophos Clean Service” /y
stop “Sophos Device Control Service” /y
stop “Sophos File Scanner Service” /y
stop “Sophos Health Service” /y
stop “Sophos Safestore Service” /y
stop “Sophos System Protection Service” /y
stop “Sophos Web Control Service” /y
stop “SQLsafe Backup Service” /y
stop “SQLsafe Filter Service” /y
stop “Veeam Backup Catalog Data Service” /y
stop “Zoolz 2 Service” /y
stop Antivirus /y
stop BackupExecAgentAccelerator /y
stop BackupExecAgentBrowser /y
stop BackupExecDeviceMediaService /y
stop BackupExecJobEngine /y
stop BackupExecManagementService /y
stop BackupExecRPCService /y
stop BackupExecVSSProvider /y
stop EhttpSrv /y
stop EPSecurityService /y
stop EPUpdateService /y
stop MBAMService /y
stop McAfeeEngineService /y
stop McAfeeFramework /y
stop McAfeeFrameworkMcAfeeFramework /y
stop MSSQL$BKUPEXEC /y
stop MSSQLServerOLAPService /y
stop ntrtscan /y
stop PDVFSService /y
stop ReportServer /y
stop ReportServer$SQL_2008 /y
stop ReportServer$SYSTEM_BGC /y
stop ReportServer$TPS /y
stop ReportServer$TPSAMA /y
stop SAVAdminService /y
stop SAVService /y
stop SepMasterService /y
stop Smcinst /y
stop SmcService /y
stop SMTPSvc /y
stop SntpService /y
stop SQLAgent$BKUPEXEC /y
stop SQLAgent$CITRIX_METAFRAME /y
stop SQLSafeOLRService /y
stop swi_service /y
stop tmlisten /y
stop TrueKey /y
stop TrueKeyScheduler /y
stop TrueKeyServiceHelper /y
stop VeeamDeploymentService /y
stop VeeamTransportSvc /y
TerminateProcess
Currently a high number of A/V client engines now see the Ryuk malware by hashes. It is assumed that the actor may in fact re-pack the malware to avoid such detection’s if not upgrade functionality to have a wider ability to succeed and avoid HIDS/NIDS detection as well.
The malware also requires ADMIN to perform all it’s functions. This need for ADMIN is the reason that Ryuk is a second stage and not a one and done attack. EMOTET infections attain the ADMIN level access and allow the actors to recon the enterprise and determine where to attack as well as what they can access to load Ryuk and encrypt files.
IP(s) / Hostname(s)
-
104.199.153[.]189
-
104.239.157[.]210
-
187.17.111[.]103
-
195.20.45[.]185
-
200.98.255[.]192
-
23.253.126[.]58
-
68.168.222[.]206
-
89.119.67[.]154
URLs
-
bedava-chat[.]com
-
bestinfo[.]vv[.]si
-
digiturk[.]adsl[.]com[.]tr
-
freshmirza[.]tk
-
ibrahimreb[.]com
-
infocommsystems[.]com
-
jaragroup[.]com[.]ar
-
klkjwre9fqwieluoi[.]info
-
kukutrustnet777[.]info
-
kukutrustnet777888[.]info
-
kukutrustnet888[.]info
-
kukutrustnet987[.]info
-
lavanyacreation[.]com
-
natufarma[.]net
-
radiantjewelcraft[.]com
-
sets-hm[.]tk
-
veddagroup[.]twomini[.]com
Associated-file-path:
-
C:\Users\Public\cjoZX[.]exe
-
C:\Users\Public\window[.]bat
Associated-email-addresses:
-
WayneEvenson@tutanota[.]com
-
WayneEvenson@protonmail[.]com
-
stevkramer@protonmail.com
-
johnfraz@protonmail.com
-
stevkramer@tutanota.com
-
johnfraz@tutanota.com
-
kurtschweickardt@protonmail.com
-
kurtschweickardt@tutanota.com
-
wayneevenson@protonmail.com
-
wayneevenson@tutanota.com
-
steveedelman@protonmail.com
-
steveedelman@tutanota.com
-
andymitton@protonmail.com
-
andymitton@tutanota.com
-
kaykienzler@protonmail.com
-
bennidiez@protonmail.com
-
kaykienzler@tutanota.com
-
bennidiez@tutanota.com
-
dustinloose@protonmail.com
-
dustinloose@tutanota.com
-
AdamasVorms@tutanota.com
-
AdamasVorms@protonmail.com
-
RcsonanaGemmaran@tutanota.com
-
RcsonanaGemmaran@protonmail.com
-
dfvdc@protonmail.com
-
khgvkh@tutanota.com
-
yu66MarsellBlan@protonmail.com
-
yu66MafrsellBlan@tutanota.com
-
BruceSmithh@protonmail.com
-
BruceSmithh@tutanota.com
-
vejoydyLunde@tutanota.com
-
vejoydyLunde@protonmail.com
-
RichardsonStan@tutanota.com
-
RichardsonStan@protonmail.com
-
WillysFranks@tutanota.com
-
WillysFrank@protonmail.com
-
KangCheonSoo@tutanota.com
-
KangCheonSo@protonmail.com
-
RaulDrake@protonmail.com
-
kaidrake@tutanota.com
-
fgbfs@protonmail.com
-
fgbf@tutanota.com
-
ElaineDeaVille@tutanota.com
-
ElaineDeaVille@protonmail.com
-
TinaHahn@tutanota.com
-
TinaHahn@protonmail.com
-
ChrisJohnes@protonmail.com
-
ChrisJohnes@tutanota.com
-
DeborahPATINO@tutanota.com
-
DeborahPATINO@protonmail.com
-
CristopherBrandstrom@protonmail.com
-
CristopherBrandstrom@tutanota.com
-
DANIELEdEBLOIS@tutanota.com
-
DANIELEdEBLOIS@protonmail.com
-
petterSpurier@protonmail.com
-
petterSpurier@tutanota.com
-
arWalagnCuad@tutanota.com
-
arWalanCuad@protonmail.com
-
degrv@tutanota.com
-
fhnf@protonmail.com
-
taigrizalsec1973@protonmail.com
-
arturDale@tutanota.com
-
CamdenScott@protonmail.com
-
eliasmarco@tutanota.com
-
MelisaPeterman@protonmail.com
-
MelisaPeterman@tutanota.com
Associated-bitcoin-address:
-
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
-
1L9fYHJJxeLMD2yyhh1cMFU2EWF5ihgAmJ
-
1KURvApbe1yC7qYxkkkvtdZ7hrNjdp18sQ
-
15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj
-
1LKULheYnNtJXgQNWMo24MeLrBBCouECH7
-
1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp
-
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
-
15FC73BdkpDMUWmxo7e7gtLRtM8gQgXyb4
-
1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz
-
1EoyVz2tbGXWL1sLZuCnSX72eR7Ju6qohH
-
1K6MBjz79QqfLBN7XBnwxCJb8DYUmmDWAt
-
1ChnbV4Rt7nsb5acw5YfYyvBFDj1RXcVQu
-
162DVnddxsbXeVgdCy66RxEPADPETBGVBR
-
12N7W9ycLhuck9Q2wT8E6BaN6XzZ4DMLau
-
1C8n86EEttnDjNKM9Tjm7QNVgwGBncQhDs
-
18eu6KrFgzv8yTMVvKJkRM3YBAyHLonk5G
-
19AE1YN6Jo8ognKdJQ3xeQQL1mSZyX16op
-
1NMgARKzfaDExDSEsNijeT3QWbvTF7FXxS
-
12UbZzhJrdDvdyv9NdCox1Zj1FAQ5onwx3
-
1KUbXkjDZL6HC3Er34HwJiQUAE9H81Wcsr
-
13rTF3AYsf8xEdafUMT5W1E5Ab2aqPhkPi
-
1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY
-
12vsQry1XrPjPCaH8gWzDJeYT7dhTmpcjL
-
1ET85GTps8eFbgF1MvVhFVZQeNp2a6LeGw
-
1FtQnqvjxEK5GJD9PthHM4MtdmkAeTeoRt
-
1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY
Malware Hash (MD5/SHA1/SH256)
-
c0202cf6aeab8437c638533d14563d35
-
d348f536e214a47655af387408b4fca5
-
958c594909933d4c82e93c22850194aa
-
86c314bc2dc37ba84f7364acd5108c2b
-
29340643ca2e6677c19e1d3bf351d654
-
cb0c1248d3899358a375888bb4e8f3fe
-
1354ac0d5be0c8d03f4e3aba78d2223e
-
5ac0f050f93f86e69026faea1fbb4450
-
1b465c0e12523747f892b48fa92a30f82e5027199a2aff06587c5269bd99f69a
-
3c8531fc54eca31a79a23bf16d4f528067c89a5e58e1e745a2c5b1b05140f5a8
-
95b228b664dca2e18935444c67c7c7dbda9da7450a18d429cb04f7e311af5fe9
-
46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e
-
8d50d9fe17eb36edc9945a2673c1594f58a6e653f5a794058ee42e46d24d83d7
-
f21f222d8f62f2223faec375e834efb76f96b73ef70e0ef09024586cf9eef638
-
b7e945a8dafc91ebe8c8717ee3107498afc1ad5461599611d2fb07aaa7700aa1
-
88d491bb73d509aacca103919d3a7418f9c6b611ce7dc453e1cacffed9c0f0d5
-
5e4160a133d44a1cf90d72eedd5e6084543521fecbf070d550c6012d294ccb28
-
aacfc3e386ed12082923d03fa1120d5fa6bf7b8655ba77e04b96a45434fa9a83
-
235ab3857ba2d2cd09311d6cc7bf1139863022579ea98be2b503921104ee20ac
-
7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20
-
9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17
-
695a716f2c43a69bdd03e74058fa23fb77e596bb4f1f3a021d529c85e9564f7d
-
6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619
-
965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26
-
8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b
-
3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4
-
b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8
-
9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2
-
113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec
-
1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56
-
c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e
Dropped Files:
details
“gimap.jar” has type “data”
“org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar” has type “data”
“Download_on_the_App_Store_Badge_fr_135x40.svg” has type “data”
“PIXEL.INF” has type “data”
“close.svg” has type “data”
“com.jrockit.mc.components.ui.ja_5.5.1.172852.jar” has type “data”
“org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar” has type “data”
“javaws.jar” has type “data”
“org-netbeans-modules-options-api.jar” has type “8086 relocatable (Microsoft)”
“org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar” has type “data”
“ADEBASE.MSI” has type “data”
“org-netbeans-core-io-ui_zh_CN.jar” has type “data”
“org.eclipse.help.ui_4.0.100.v20140401-0608.jar” has type “data”
“VeriSign_Class_3_Code_Signing_2001-4_CA.cer” has type “data”
“org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar” has type “data”
“org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar” has type “data”
“com.jrockit.mc.browser.ja_5.5.1.172852.jar” has type “data”
“org-openide-loaders_zh_CN.jar” has type “data”
“com-sun-tools-visualvm-host-remote_zh_CN.jar” has type “data”
“org-netbeans-modules-queries.jar” has type “data”
source: Extracted File
Virus Total Assessments:
-
https://www.virustotal.com/#/file/1b465c0e12523747f892b48fa92a30f82e5027199a2aff06587c5269bd99f69a/detection
-
https://www.virustotal.com/#/file/3c8531fc54eca31a79a23bf16d4f528067c89a5e58e1e745a2c5b1b05140f5a8/detection
-
https://www.virustotal.com/#/file/95b228b664dca2e18935444c67c7c7dbda9da7450a18d429cb04f7e311af5fe9/detection
-
https://www.virustotal.com/#/file/46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e/detection
-
https://www.virustotal.com/#/file/f21f222d8f62f2223faec375e834efb76f96b73ef70e0ef09024586cf9eef638/detection
-
https://www.virustotal.com/#/file/b7e945a8dafc91ebe8c8717ee3107498afc1ad5461599611d2fb07aaa7700aa1/detection
-
https://www.virustotal.com/#/file/88d491bb73d509aacca103919d3a7418f9c6b611ce7dc453e1cacffed9c0f0d5/detection
-
https://www.virustotal.com/#/file/5e4160a133d44a1cf90d72eedd5e6084543521fecbf070d550c6012d294ccb28/detection
-
https://www.virustotal.com/#/file/aacfc3e386ed12082923d03fa1120d5fa6bf7b8655ba77e04b96a45434fa9a83/detection
-
https://www.virustotal.com/#/file/235ab3857ba2d2cd09311d6cc7bf1139863022579ea98be2b503921104ee20ac/detection
-
https://www.virustotal.com/#/file/7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20/detection
-
https://www.virustotal.com/#/file/9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17/detection
-
https://www.virustotal.com/#/file/695a716f2c43a69bdd03e74058fa23fb77e596bb4f1f3a021d529c85e9564f7d/detection
-
https://www.virustotal.com/#/file/6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619/detection
-
https://www.virustotal.com/#/file/965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26/detection
-
https://www.virustotal.com/#/file/8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b/detection
-
https://www.virustotal.com/#/file/3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4/detection
-
https://www.virustotal.com/#/file/b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8/detection
-
https://www.virustotal.com/#/file/9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2/detection
-
https://www.virustotal.com/#/file/113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec/detection
-
https://www.virustotal.com/#/file/1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56/detection
-
https://www.virustotal.com/#/file/c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e/detection
-
https://www.hybrid-analysis.com/sample/1b465c0e12523747f892b48fa92a30f82e5027199a2aff06587c5269bd99f69a?environmentId=120
-
https://www.hybrid-analysis.com/sample/8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b?environmentId=120
-
https://www.hybrid-analysis.com/sample/3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4?environmentId=120
URL’s:
https://niiconsulting.com/Security_Advisories/Security_Advisory_Digest_Aug_2018_Edition_2.0.pdf
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-2019-threat-report.pdf
https://resources.malwarebytes.com/files/2018/12/Malwarebytes-Labs-Under-The-Radar-APAC-1.pdf
https://research.checkpoint.com/wp-content/uploads/2018/08/Threat_Intelligence_News_2018-08-27.pdf
https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
https://www.cyber.nj.gov/threat-profiles/ransomware-variants/ryuk
https://www.maltiverse.com/sample/8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b
Create NEW Ransomware: Darknet Site Ransomware Scheme
Surfing the darknet as I do, I came across this little gem of a site today. The idea here is that you can share in the bitcoin ransom by entering your wallet address and then getting a download of the malware to deploy wherever you like. This seems like a ponzi scheme to me where you offer a great reward for a little action and in the end you get ripped off but ok, let’s run with it. The site is in the darknet and I am not sure if or how they are publishing this site elsewhere so people can find it and use it. I must say though that the site is more complete than I thought it would be once you start to dig and the ransomware is new to me as well as it seems to be to VT and Hybrid.
So yeah, I decided to play along and I used someone’s wallet to start the process here. Who’s wallet you ask? Well this guy’s wallet will do since he has never had anything in it. So it’s fairly simple, you put in the wallet address then solve the captcha and lo and behold you download the ransomware. I also decided to see if I put in an alternate wallet address would I get another hashed file, and yes, yes I did. I only changed the wallet address by one letter (a) and got a new file that I uploaded to VT after the first one.
Upon upload to VT and Hybrid I get hits on the major players and the designation of the malware is of course ransomware but you choose the name you like because there are too many per the AV firms (please stop this)…
So yeah, the ransomware is not so stealth and likely anyone with current AV will have some intervention one hopes …But how many really keep their AV up to date and working?
*sigh*
Anyway, I uploaded it to Hybrid and got the following report and the second with the second sample here …
The malware reaches out to the darknet via .casa online bridge to the darknets. Once you plug in that address you get the Qrypter site frontend. This site is your C&C ostensibly to track your malware and your bitcoin “donations” from the poor sods who get the malware. The unfortunate bit is that when you go to the url that is in the malware you get the following sad news:
OH NOES! Are you smelling a scam? Cuz I am kinda smelling a scam here now…
Anywho, the interesting bit for the site itself is that it has a display on how many AV vendors are seeing the malware and as of today it’s… Wrong?
Mmmmmmyeaahhhh no, I see 14 vendors seeing this as malware and I have just added to the hash pile by uploading my samples here so that is likely to get even more detected as the day passes on. So, this is an interesting turn in malware as a service, or in this case Ransomware As A Service (RAAS) as I have seen out there on the net. I have captured the whole site in the darknet and I will be spending some more cycles on the malware later on so updates will likely follow on this post. For now though, just enjoy the novelty and the derp.
Cheers,
K.
UPDATE: This is evidently a new replay of something seen in 2017
Halloware Ransomware On Sale Now
I was paging through the new sites on the darknet from the spider and this page popped up. Upon opening it I saw the evil clown and thought RED ROOM but instead it’s a site offering a new-ish ransomware package by a person(s) calling themselves TNCYBERSQUAD or as I later found out a Turk with the handle of LUC1F3R. So the site says you can buy this new and undetected malware for a mere 40 bucks lifetime! They even give a scan on nodistribute that shows the executable not being detected by any of the AV vendors out there now. I poked around the site and checked the page listed in the clown image and found that their landing page for collection on their ransom is not fully operational. I could not get the link to their bitcoin system to work nor would the site render all the images either.
I expanded my search to see if I could use the hash from the nodistribute session and got no love at all on this. Of course the exe and the hash are brand new with the actual dates on the testing and the offerings for this malware being from 11/30 to today. The only problem I have with this is that I cannot verify the sample as something that would not be seen as clean because the hash, when searched turns up absolutely nothing and the executable is not on offer unless you pay them as well as email them. So, this file could be just a lot of nothing in an attempt to scam people into dropping 40 bucks and getting nada.
MD5 HASH: b01230be6e42bf7210ce244ca493a697
I actually put a cutout address into the email on the page and hit send and as yet I have nothing back from luc1f3r at all. In the interim though, I started looking outside the darknet for more and I found some interesting tidbits. First of which is that when you start looking for Halloware you come up with some YouTube videos and links to a site that this seems to have first been posted as a free download. The file downloaded is not the same as the one offered in the darknet and when run in VT comes up as a trojan.
This site is pretty open to just giving up contacts and the malware so I think this is just proof of concept and now they have moved on to application and monetization. I may go down the rabbit hole more on the email addresses and other details there but for now I don’t see this ransomware as a real threat to much of anybody unless the sample gets out and is then used by the masses. When I began looking at the code of the darknet site and links in other places I came up with another site outside the darknet that mirrors the hidden site but has some interesting code.
These guys are collecting IP addresses too
Aanyway, I watched all the YouTube videos and basically Luc1fer shows how you can hide the malware as a file etc in broken english on a text pad. He show’s an IP address too and generally has crappy OPSEC.
All of this stuff seems predicated on a python script and some manipulation so I am not sure how they claim there is no programming knowledge needed to create the malware but ok dude. I know that ransomware is all the rage but honestly this one seems kinda weak and maybe just a scam. I will keep an eye out for another sample though. Until then you may all want to take that hashes from VT I pasted in above and add it to your systems to detect it. Luc1fer made the rounds today offering the malware and the darknet link on a bunch of shops so maybe people will take em up on it and send out a blast.
I will update if I see more.
Have fun!
K.
Trump Domains Hacked and Shadow Subdomains
Well now, the worm is turning on our old friend trunip ain’t it? It seems that something I was playing with back last April should have dug deeper I guess because today Mother Jones put up a post on how Donny’s domains had shadow subdomains that all pointed to Russia! Of course in the interim since the post went public two things happened. One, Donny and his people said “We ain’t been hacked! We have the BEST security! Nothing to see here!” and then rather rapidly. some of the domains started to go down and be unreachable on the tubes today! Well, I did some more digging after reading this Mother Jones post and while I was not seeing the same IP addresses used in the stuff that was posted today, the malware I was seeing back in April still had some commonalities to ranges in the same region of the world.
Back in 2014 Trump was hacked and credit cards were stolen by the attackers. It seems though that perhaps it wasn’t only credit cards that were hacked but also a persistence to the network may have occurred as well as access to the Trump domains registrar as well. In the Mother Jones piece they show how sub domains or “shadow” domains had been created with interesting domain names that usually involved random letters. These domains, once you start looking at them show a couple of things. First off, that these domains were all created under the Trump umbrella’s account and second the IP’s that these pointed to resided in Russia. In looking at these domains myself I noted a few other interesting factoids that I will share here for context.
First off, the hackers used the same registrar as Donny did (more likely his minions) using the “Trump General Counsel” moniker as the owner of the domains;
These domains were registered with Godaddy and then pointed to other IP addresses later on. Also, the sample I just pulled randomly show both being created in 2009 on 5/22/2009 to be precise. So the question for me is this, were these created by the trump org themselves as a means of stopping domain squatting or were they owned (Trump networks) earlier than we assumed from the article by Mother Jones? It is kinda of hard for me to think that Trump and his org would have been creating such domains as donaldtrumppyramidscheme.com to prevent squatting. Trump ain’t the sharpest marble on the internets and certainly Barron wasn’t an uber hacker back then right? Curiouser and Curiouser, but maybe they were being overly litigious and decided to take up all the permutations right?
So, looking at the IP addresses that the domains were pointing to also adds some interesting context here…
When the domains were created they sat on Godaddy from 2009 to 2013 when the IP changes. In the case of both of these domains on GoDaddy, the IP has a long storied history of having bad actors attached to it.
…But that is GoDaddy for ya right? They aren’t the cleanest of the orgs out there so meh. However, in 2013 the IP was redirected as Mother Jones showed to another IP; 184.168.221.41 which is also a GoDaddy IP. Now, looking at this IP in VT and in ThreatCrowd, you can see it also has a pretty dirty history as well.
So was the change made by Trump or Godaddy? Or was this change made by the actors in 2013 to a host they owned in Godaddy? Now historically I am not able to see the malware history for the IP or the domain name for 2013, which would be a nice feature for VT and Threatcrowd to offer right? Anyway, the point is not all of the addresses were pointed to the Russian addresses in the Mother Jones piece. Over the whole of the domain space it is likely that the IP’s used by the actors who had access to the Trump registrar account were not only focused on the Russia space as C2’s go. In fact the second sample I pulled also was changed to another GoDaddy IP as well that has some dirty history as well.
So maybe these were moves by the trump org or maybe it was the attackers moving these around per their needs for each campaign? Inasmuch as I can tell many of these domains never had sites attached to them and were in fact just parked domains. However, in the case of donaldtrumprealty.com I see a lot of action moving this around the globe for IP pointers over the years. So what is the deal with that? Looking at the Wayback Machine for this domain shows the following activity over the years.
It’s been parked since inception but that parked page has some redirects and popups to potential scams. What does this all mean? Well, that Trump has not been paying attention to his domains and that what has been laid out is exactly the case. The only thing I can maybe say is that the activities have been going on longer than we are led to believe in the Mother Jones piece from the samples of IP changes I have seen in Domain Tools. If that is the case what else has been going on with Trump domains and perhaps their internal networks?
See, this is the question that the Trump admin will not want to touch with a very long poll but it may also lend credence to the DNS stuff that was happening with the Alpha servers as well. If there was traffic going on that was amiss, and it was perhaps as others suggest, spam traffic, then maybe it was indeed the same actor using their domains and network systems to route traffic and not a secret plot against America huh? We do know that Trump Hotels had been popped back in 2014/2015 as they have admitted it. What we really don’t have any idea of was the level of compromise that occurred and just whether or not they were able to get them out of the network. What I am seeing here is that maybe they did not and in fact the adversaries used them for even more things.. And it may still be going on.
Imagine that kids… Trumps networks owned and he may still be using them for things while in the White House?
*shudder*
Just remember that Ivanka and Jarred were using that secret email server on that personal domain too!
Anyway, there are over 3k domains and I am not spending all that time on all of them to track the IP changes over the years. Others can do all that leg work if they want to. For me, this just shows that there may be much more that has happened with Trump networks and domains than we are aware of. Russian IP space does not imply KGB or GRU access but let’s just spin it this way; We know that the Russians use the criminal hacker groups to do their work as well as the actual operators from KGB and GRU so there is that. If the actors using these shadow domains for malware deployment, they may also have used them for other activities right? Maybe propaganda spam? Other stuff? Who really knows right?
As for the malware involved with the cited IP’s and urls we see .zip files that only are seen by one or two vendors on VT (Kaspersky being the one continually) I am told that the files were in fact not zip files but jar files and java infrastructure to deploy malware. Which malware? Well, no one really knows at the present time that I am ware of. I could not get a sample of the alleged zip files and all the domains were non responsive and not in Wayback Machine to gather so there is that. It could be that these guys were using this infrastructure for Locky or they could have been passing out RAT’s so until we have some solid telemetry and samples it is once again, hard to say what went down. The interesting bit is that most of the RU I space I looked at all had stuff going on last August.
Just in the middle of the election huh?
Hmmmm….
Welp, I am done looking at this for now. You kids have a look and lemme know what you all see. Just remember to ask this one question; “Just how compromised are Donny’s networks today?”
K.
Eugene and the DoD
Da! Let me share you this blog on Eugene! Look, this whole kerfuffle over Eugene and the DoD has reached epic douchery in the news and now with the Putin administration threating “actions” against the US if they somehow embargo Eugene’s business. Well, let me first start with this little ditty below.. Go ahead, read it…
Ok done? Yeah, Eugene was in the KGB school and he worked for the GRU too according to the Wiki page here. What this means is that Eugene is a “former” made man of the KGB and Military Intelligence apparatus in Russia. He lived in the times when it was the Soviet Union and at the height of the times where the cold war was in a deep freeze. Fuck, just go watch The Amerikans and then come back… I will be waiting…
Ok watched them all have we? So now you know how it was to live in the 80’s huh? Well there you have it. Anyway, Eugene was a member of the organizations that have recently hacked us. What? You are saying it’s the FSB now and it isn’t the KGB?
Fuck you.
FSB is KGB with different letters at the front now ok? If you actually read up a bit you will see that Putin actually gave back the powers that the KGB had back in the day recently so once again they are functioning much like the old bad days as the KGB. Putin as well is an old school KGB man who has used all kinds of KGB fuckery to get where he is and stay there so once again, you say FSB, I say; Fuck. You.
Right, so now back to the present unpleasantness, it seems that Eugene is now offering a code evaluation by anyone who wants to (specifically the DoD) so pretty pretty please buy our shit? Look, it’s not about the code, we don’t necessarily think there are backdoor’s in the product now. No, what the worry is consists of that close snookums relationship Eugene had with the TWO entities that just hacked our election in 2016. Come on people, no one leaves the KGB and certainly NO ONE says NO to Putin right?
Imagine that Eugene’s software is clean as a whistle.
Now imagine that it is sitting on many USGOV and MIL systems.
Now imagine that all that telemetry from those systems is going to RUSSIA.
Then alternatively consider that with all those systems running Eugene’s product, how easy it would be to say, inject a malware or a protocol into all of it to do… “Things”
Think about that hacker kids.
Think about that you spies too.
You all see where I am going with this right? Now of course you could maybe do that with another vendor too but how much more work would it be to do that with Symantec? What I am saying is that Eugene lives in Russia, his assets are there, his LIFE is there and if Putin were to sidle up and say “do this thing” what choice would he have? JESUS FUCK PEOPLE! You know who the next randomly dead Russian would be right Eugene?
So, all this fuckery around the code and exploits etc… Stop. It’s really about access and what could happen in a place where we have seen pretty nakedly what Putin wants and does. So no, the DoD should not have Kaspersky products on their shit. I would be really surprised if they did given where it is made and managed… But then again, I think about all those SF86’s and China and… Fuck….
So there you have it. We are in another hot cold war with a Putichurian candidate in office. Do you really think we need the trifecta of Eugene’s access potential to be expanded to the military?
Yeah neither do I.
K.
Nyetya, Being Downrange, and Active Measure Campaigns in Ukraine
While all the AV/TI/INFOSEC firms have been masturbating to the latest outbreak of systems degrading malware, I have been sitting back after insuring that my environment has not been hit nor anyone connected to it. Since the reversal’s and the inevitable attribution fuckery cycle has spun up I have been pondering things outside the usual whodunnit. Lesley Carhart had a good post on why one should worry about such attacks and this kind of malware that people should read, I want to go a different route. What I want to talk about is motivation and with that motivation, yes, who is more likely to have carried out the attack. In this case we have yet another piece of malware that was either well coded or poorly coded depending on who you talk to. It was targeted or not targeted depending on who wants to sell you a service too. Well, I have nothing to sell you all, I just want to point out some interesting things regarding the whole mess.
The one simple fact that the malware used a Ukrainian tax software (MEDoc) as the means of initial attack is telling. The time-line on this also pretty much shows (and I experienced this from messages to me the day of the incident) that Ukraine was patient zero. By looking at the image below from the linked page you can see that a great swath of Ukrainian infrastructure was hit on the 27th. Coinciding with this malware attack later in the day several military and government individuals were assassinated in Ukraine as well. Are you starting to see a pattern here?
Recently Wired had a big article on how some in the security community had been feeling that Ukraine was the testbed for Russian active measures in the cyber warfare battle space and this is something I agree with. They have been using active measures of this nature for some time. In fact I actually located some malware in dumps of the Russian media company created by Putin to be a propaganda and intelligence wing for Russia in the region last year. The attacks on the Ukrainian elections as well as the electrical grid now twice by “unknown actors” (Russia) (insert stupid code name from TI firm HERE) have shown just how willing the Russians are to use such technologies in the region. Understanding what they are doing though needs more than the myopia of reverse engineers and sales people in the security space to impart that to you so I will put it plainly here for you;
- Russia is carrying out an all out war against Ukraine and they are now using the means to an end of malware to deny, degrade, and deter the Ukrainian people and their government from being their own.
- Russia’s use of these malware attacks have a secondary but important function psychologically to bolster the idea that the Ukrainian government cannot protect itself nor its people
- Russia’s use of these kinds of measures is just another part of the playbook to add to the battle-space
The Russians get the advantage of using these techniques on Ukraine and no one is stopping them. They get the advantage of a smaller state infrastructure to attack which means more amplification of the effects on the populace as well. In larger states it is harder to carry these out and obviously would take much more effort. In fact, in the case of the Russian meddling in the US elections last year, one can see how much effort it took on the Russians part to carry out the attacks but as well, how a larger and diffused infrastructure gives varying levels of returns. Alas, for poor Ukraine you can see just how effective at degrading and perhaps disenfranchising the general populace can be with such attacks on their infrastructure. I heard one comment from a Ukrainian that just bespoke their resignation to the interruptions as they happen so much. All of this though, demoralizes the population and in the case of Ukraine, since the Maidan event, they have fought hard to stay free and that is why Russia is ramping up their attacks.
So yeah, my money is on Russia and I will stick with Occam’s razor on that one. Now, on other thoughts about this malware and Wannacry I just have to once again muse about how we have now reached a place where malware is reaching parity with bio weapons. I say this in the sense that malware like Nyetya and Wannacry both had unintended consequences once released either willfully for by accident. They broke out of their cages, their battle-spaces, and began to infect the populace globally. Instead of having some poor shmuck getting on a plane and infecting the world, we now have malware that is either scanning the net for clients to attack or being sent out and then forwarded by accident (or on purpose) by actors. Could some of the infection vectors and trajectories be chaff to obscure the real targets? Sure, but I think in these last two cases the attackers perhaps did not take into account the interconnectedness of the world today.
….Or that’s exactly what the counted on…
Anyway, those are my thoughts on the subject. We are at a crossroads where malware like this can cause headaches but in the end, the world did not end did it?
Did I miss it?
Damn.
EDIT: I also failed to mention that this attack took place one day before their Consitution Day, ya know that thing where they proclaim they are not a part of Russia. Mmmmmyeah…
| Wednesday | June 28 | Constitution Day | Marks the signing of the Constitution of Ukraine in 1996 |
K.
WANNACRY: PATIENT ZERO AND MALWARE EPIDEMIOLOGY
Continuing on the hot topic of the month I had some thoughts about WannaCry’s infection vector and heat maps that I have been seeing all over the place. I wanted to see who patient zero may be and having played many a game of Pandemic, I thought maybe this approach might yield something of use. In looking online I found only two heat maps that give a timeline that shows what may be patient zero’s location(s) but in doing this research I cam to the conclusion that this may be impossible without the help of all of the AV vendors out there. When trying to ascertain who may be patient and country zero for this malware it becomes apparent that you have to rely on various vendors who may or may not have seen the malware with their products. So far I have Malwarebytes timeline and Symantec. Now, given that Symantec has a larger market share I will go with them for the base assessment of patient zero on Wannacry but if the other vendors want to kick on and give a timeline for each of their products seeing infections I would welcome the data.
Since Wannacry traversed the net via SMB attacks (ETERNALBLUE and DOUBLE PULSAR) it may be possible to see just who was infected first and just maybe, get a lock on where that SMB connection came from. This might help the investigations into who did this at least nominally because one would assume the adversary used a proxy box or some other obfuscation to launch the initial attack… Unless, they are inept n00bs that is, so maybe something could come of this line of investigation. Anyway, the best timeline(s) I saw were Malwarebytes and Symantec as I said above. Here are the findings of those two companies telemetry;
Malwarebytes has the first infection in Russia.
Symantec see’s the first infection vector in Thailand.
Which is correct? Are either of them right? I am not able to be sure but, given at least the market share of Symantec both legally and illegally, I would be looking to Thailand as the potential patient zero here. Now, in talking to people on Twitter about this someone (@Tinkersec) notes that there is IP space in Thailand that starts with 1.0.128.0-1.0.255.255 1.1.128.0-1.1.255.255 so there is the possibility according to his theory, that a scripted scan looking for 445 open on the internet could have just hit on those addresses because the script started scanning at say 1.1.1.1 (or 0.0.0.0) to 255.255.255.255 which I can grok. Either way, if Thailand was patient Zero, and that IP space for Thailand Chiang Rai Tot Public Company Limited, an telco in Thailand.
This line of thought is quite possible and I like it (thanks Tink!) it would explain the rando Thailand hit as the first infections started to show up. Now, how though would this work if not for some scripted mass-scan? Well, someone would either have to be phished on a very small targeted scale to start this or the malware was physically implanted in a network and set free. So far I am not seeing too much talk about how this thing all started so I would like to put all this out there as a possible explanation as to the how. I am not aiming at the who because right now it is a festival of attribution out there and my opinion of that is low. The how is more important and in fact could lead to the who if the gumshoe work is done properly.
Still, I would like more data… Anyone from said AV vendors care to speak up?
K.
EDIT: Someone just mentioned passive DNS too on the killswitch site. Say, anyone in the DNS world wanna stop talking about Trumps servers and weigh in on Wannacry telemetry?
WannaCrypt0r Roundup
So last weekend and this week have been fun times in INFOSEC am I right or am I right? When Wannacry started making the rounds on Twitter I knew pretty much then and there I just likely lost my weekend to the derp of yet another ransomware distro. Luckily for me though, I forced my org to “do the things” on patching etc where the Shadowbrokers dump was concerned. So at the end of the day we came through the weekend unscathed by WannaCry yay me! However, in looking at the Twitter feed and Hyrbid/VT pages I began to worry that soon enough this malware would come at us all not just by worming through the net but also from phish waves. Today was the first day I have seen someone trying to at least possibly send a phish wave using a popped box in Egypt with the WannaCry.exe for download so hang on kids, you may well be seeing this as well and if you have not patched your shit and have old 2003/Xp your days may get to be like the end times that others around the globe have had since last Friday.
In the meantime though, I began looking at all the malware C2’s and exploits and notice a couple things. First off I kept seeing two IP addresses tied to the IPC$ in the binary/memory of the malware. I began to look for these addresses and while I surmised the 192.168 address was a off the shelf home router, the other maybe was something else. After some searches I came to the conclusion that this was another non routable address but that it may belong to an org or another off the shelf router of some kind.
With a little more looking I had thought that I had come up with the answer. It was some default IP scheme for a GSM gateway or some internal network somewhere in the world like China (found an F-5 with that scheme) but then I hit upon one last hit that suddenly appeared from a blog post by ZeroSum0X0. The post on Github was 6 days ago and that places it before the malware started to make the rounds. One day before the malware started burning through NHS I think if the reports are right from the news. Now this really has piqued my interest because if this IP and system belong to the blog poster or who they work with, then maybe the exploit was cribbed by the malware cabal to use EternalBlue. The poster (ZeroSum) seems to work for Rapid7 and Rapid7 was working on deploying the code for EternalBlue for Metasploit.
I reached out to ZeroSum on Twitter but nothing back so far. Coincidentally the code for the EternalBlue exploit was deployed this afternoon (as of this writing about an hour ago) to Metasploit. Now, the question I have is about this IP/System call that is in all the malware out there. Was this IP/system in the original binary that was pulled apart by ZeroSum from EternalBlue or was this an internal system that was being used to make the code work in some way? That it is directly in the post and that is a day before the great conflagration, I have to wonder. I would love for someone at R7 or Zero to let me know what the deal is with this. I mean, did someone steal the exploit code from you guys and deploy it after you got it working or, was this in the binary already? This is kind of a keystone to many questions concerning who may have created and deployed this malware as I see it.
The argument goes like this….
- The WannaCry campaign was carried out by criminals looking to score big money
- The WannaCry campaign was carried out by nation state actors (Lazarus Group/DPRK? Russia?)
- Well, if it was just a criminal gang then did they reverse the binary and make this thing work? If they did then is that an internal IP that they used and forgot to sanitize from the code?
- Well, if the nation state actors who potentially stole the exploits in the first place had to steal the actual working exploit from R7 then just how good are these guys anyway? It seems that there have been some other mistakes in coding as well that lead to snafoo’s with the bitcoin wallets as well so…
You see where I am going with this right?
Now, I had said from the beginning that this attack did not feel like it was about the money and the low numbers in the wallets kind of bears that out in my mind. However, there are some inconsistencies here and that IP/System in there makes me wonder some more especially when I see the same string in the code tied to R7’s work that was released today. If the code did in fact get cribbed from ZeroSum and by proxy R7 that does not bode well in the PR department for companies that do this kind of work (metasploit etc pentest tool vendors and creators) does it? It is kind of akin to leaving that hand grenade in front of the toddler right?
So, if R7/ZeroSum could respond to this little factoid it would be great. All of this also may bear some significance on the attempts at attribution that are flying about the news and Twittersphere right now where this attack is concerned. Frankly this all could have been much much worse had the coders thought to make domains that could not possibly be on the internet as kill switches. Kinda like this one I think (see below) that has been making the rounds in Hybrid and VT.
No kill switch and no way to sinkhole it would be a lot more devastating right? Of course the whole thing about the killswitch being there in the first place has a lot of people wondering. Then, there is the whole shadowbrokers foolery with the post last night they made. They are now claiming to have much more and will parse it all out in coming months…
Interesting times…
Ok.. Off to the deck for sun.
K.
UPDATE!
Well, I made some connections and had a chance to DM with someone from R7. For the record ZeroSum does not work for R7 he works for another company but is a contributor to Metasploit. R7 as of yesterday was trying to get a hold of ZeroSum to ask how that IP with IPC$ got in there and where it came from in the first place. As of this writing I have not heard back from them.
Tuesday when I posted this I connected with ZeroSum and he said someone else would email me….
I have no email.
In the interim the page that I located the IPC$ code snippet is no longer there. The page has been redacted. It also turns out that Malware Unicorn made a comment about the malware seeming to have been using Metasploit framework code for deployment of the exploit (DoublePulsar) and has since redacted that page as well…
So here’s my thing… Was the code snippet taken before the malware was launched and kluged into the wannacry malware to make it work? Was that code taken from the Zerosum git page on the day before or before that and then implemented by the wannacry authors? This would seem to be something logical given the hints I have seen with regard to that IPC$ and non route-able IP address. Was this an IP inside the networks where this code was being tested and perfected?
In essence, did someone fuck up and place code on the net for research that in turn was used by the adversaries to make Wannacry work and launch it into the wild?
I ask this because of the time table here and the events since that lead me to believe this is the case. I cannot say for sure because no one has given me any information to counter this belief. No one is saying much of anything other than R7 saying they are looking into it (which I know they are in reality) so I believe them.
So, it’s either this code and the telemetry from it were in an original sample of the malware that maybe ZeroSum had BEFORE the outbreak and was reversing to use to make the git posts and get the metasploit deployment working or this code maybe was cribbed by the malware creators and used to global effect.
Which is it?
Of course all of this also paints a new picture on attribution right? If LAZARUS is the culprit (a theory I do not ascribe to) then why would they hang around this git to grab code? These guys should have had the time to fully reverse this stuff and make it workable for them. It is my opinion either there is EPIC obfuscation going on here to make it look as though it is LAZARUS or that LAZARUS is deliberately trying to look inept and throw investigators off the trail. This information though, if true and can be verified might lead to some more breadcrumbs.
I look forward to some more light on this.
K.
UPDATE II: Response from RiskSense
Response:
The Metasploit module for the EternalBlue vulnerability was developed by community contributors, zerosum0x0 and JennaMagius, security researchers at RiskSense, a provider of pro-active cyber risk management solutions. The module was developed to enable security professionals to test their organization’s vulnerability and susceptibility to attack via EternalBlue. As part of their research, the researchers created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. The purpose of this recording was to help educate other security professionals, and get feedback as they worked through the process. This kind of approach is fairly common in both the security researcher and open source contributor communities, where transparent collaboration enables individuals to pool their expertise and achieve greater results. It’s possible that data from this analysis was copied and rewritten by individuals with malicious intent; we cannot confirm if this is the case or not. Unfortunately, this is a risk that is taken whenever technical information and techniques are shared publicly. None-the-less, we believe the educational and collaborative benefits generally outweigh the risk. To our knowledge, no code from the Metasploit module was ever used in the WannaCry attacks, and once Krypt3ia’s blog pointed out the possibility that some of the information may have been used by the attackers, we removed the video from the Github repository to ensure no other bad actors would be able to do likewise to create variants of the malware.
Here’s a summary of context and the technical details:
– On April 27th, JennaMagius created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. That recording was subsequently posted at https://github.com/rapid7/metasploit-framework/issues/8269#issuecomment-297862571. The recording included an IP that was used as a lab target of the original exploits.
– Recording the replay and playing it back works against freshly booted boxes because the Tree Connect AndX response will assign TreeID 2048 on the first few connections, after which it will move on to other tree IDs. This is the same for the user login request. The replay would then fail because the rest of the replay is using “2048” for the tree and user IDs, and the server has no idea what the client is talking about.
– On April 30th, JennaMagius published a script that slightly enhanced that replay by substituting in the server provided TreeIDs and UserIDs. This code was subsequently posted at https://github.com/RiskSense-Ops/MS17-010/commit/9ddfe7e79256a9d386f0b488c38f5048a2dfd083
– Zerosum0x0x’s research supplemented these findings by outlining that __USERID__PLACEHOLDER__ and __TREEID__PLACEHOLDER__ strings were also present in the malware.
Replaying ANY recording of EternalBlue will produce the same result, so the attackers may have chosen to use that particular recording to throw investigators off track. It is important to note that to our knowledge no code from the Metasploit module was ever used in the WannaCry attacks.
To be successful, the attackers independently implemented sending the network traffic in C; constructed additional code to interact with DoublePulsar (which is a significantly harder undertaking than just replaying the recorded traffic), implemented the rest of their malware (maybe before or after), and then released it on the world.
KONNI: Malware Campaign Inside Pyongyang
So the release of the KONNI report by Cisco piqued my interest and so I thought I would look into the data presented and see if there was anything else to be seen. In looking at the malware (samples below) and the C2 involved over the last three years a few things come up about this campaign.
- The malware evolution is interesting as it started off kinda low-tek and then expanded in scope and in complexity of code by the writers
- The C2’s mostly seem to be clear of data showing who may own them and or who started the domains and this is rather professional in my opinion.
- One of the re-directed C2’s can be tied back to an alleged Chinese alias that owns numerous sites and allegedly is in Canada (a.yesadsrv.com) which comes back to yesupinc@yahoo.com as the address used in the domain information
- The C2’s also cluster in areas where other phishing exploits reside so as to maybe couch them in a constellation of disinformation
- The documents being used as part of the phish campaign seem to be aimed at English speaking embassy staff with alternate RU campaigns that might be running in parallel (as noted by doc file in sample Talos found in Cyrillic)
- All the documents look as though they would be common files passed around the embassy set and thus would not be something that would tip off the targets as to their being phish
- HOWEVER, the documents that are being aimed at these users show that they are low hanging fruit and not savvy to phishing threats because all of these have .scr or other types of file names attached and as such a savvy user would not click on them
- The campaign has been detected and the malware samples found in open source sites going back to 2015 (see links below) and the 2017 iteration was shown to be in a hybrid-analysis clone run in native Korean language on april 19th 2017.
- MOST of the infrastructure has been pulled but some of it is still up even today and you can pull down the SYM64.exe but attempts got a 0 byte file
Conclusions:
What all of my digging around has shown me is that this campaign is directed more at DPRK’s embassy set and thus hopefully at the hermit nations traffic in those embassies that may have gotten the phish. The use of English language is of interest to me but I suppose that the assumption is that these documents coming from the UN and other affiliates would be in English and not in Korean. There was one document that was purportedly from China but it also was not in Chinese so there is that too, I would have liked to have seen it translated to Chinese for good measure.
When I looked at the metadata for the document about blowing up NYC with a hydrogen bomb I found that it only had the name “John” and the date of creation and editing were transposed. I did not do a deep dive into the metadata but maybe later I will. For now though, the document is alleged to have come from an American and concerned “propaganda” so perhaps the email that the document was attached to was an alert for the embassy staff on recent events and timed for added click-ability. This would make a lot of sense to me and I suspect would have more than a few clicks occur to see what it had to say even with .scr in the filename.
I have since been wondering just how much data the hermit kingdom really shares with the embassies that they have around the world. I personally think they would not be of much intelligence use in many respects because Kim does not trust anyone and certainly not anyone not within his immediate reach to disappear. So what kinds of information might the malware get getting from these windows machines within such places? I also have to wonder if any of these documents/malware made their way to Kim and others within the Pyongyang confines and thus maybe onto grey license systems in DPRK itself. I then have to wonder as well what rules may be on their firewalls to let any telemetry get out to the internet proper, as I understand it only a core group have internet access outside the confines of the country.
All of these questions beg another question….
Do we know for sure these were aimed at DPRK embassies/personnel?
Now go with me for a minute here… This kind of information would also be of interest to other groups and countries right? Do we have any telemetry from Talos or elsewhere that the systems infected were in fact in DPRK sites? Do we have email addresses within the phish? I have not seen this information in any of the samples yet so I cannot say for sure that they were the target. If Talos has more maybe they should ya know, tell us all? I for one would be interested to see more on the targeting here because to me, this is all kinda sketch unless you can prove they were the ones opening the stuff.
Say Talos, did you get into that C2 infrastructure and pull some data down on systems compromised?
Come on, you can tell uncle Krypt3ia!
SAMPLES:
Ask for them and we will work out a transfer method
LINKS:
Trump Hotels Dot Com: Malware C2 In 2014
Credit CNN
TURNIP HACKED!
Remember when the news media was told by Brian Krebs that Turnip’s hotels had been hacked and their credit card data has been stolen? Well there is more to the very little story that made the press after Krebs dropped a dime on them. In looking around the ThreatCrowd today I decided to take a look at the Turnip brand and, well, they have over three thousand domains but a couple jumped out on the searches due to their being connections in some malware back in April of 2014. This coincides with the hack time frame according to the stories I have seen including the one by CNN above where not much is said by Trump nor the FBI or USSS because they were looking into it and that Turnip was a candidate for president. Given that no one has really said anything about this hack post Krebs I have to wonder just how deep these guys got in and what actor group it may have been. If it was straight up carding was it Rescator? Some other Eastern Block group? If it was Russian then, well, you know how they like to dual use these hacks right?
Well, the malware in this case was programmed to attempt to connect with the hotel psmtp server as well as the main domain. This means that they were compromised enough to used as a C2 or perhaps it was just garbage traffic as as been seen in the past with some malware creators. The real kicker is that this malware was doing it’s thing in the same time frame that the hack was alleged to have happened, so I have to think that the case here is that they did in fact use them as a C2 as well, or another actor did piggybacking on the other hacking going on.
Maybe Turnip’s security just sucked? Oh well, as you can see from the maps below they were pretty busy. The best thing for me though was the name of the file that the malware was propagating by.
(scroll down but don’t be drinking anything hot FAIR WARNING)
Maltego of psmtp server at Turnip Hotels
Trumphotels.com Domain ThreatCrowd
Trumphotels.com.s9a1.psmtp.com ThreatCrowd
Money shot of the malware that has trumphotels in the C2 list
Oh, and Turnip loves him Godaddy, the Mos Eisley of domain registries and server farms.
The Malware:
So that malware that had the Turnip hotel as a C2? Yeah, it was in the guise of a file called SHEMALE_MOVIE_83.MPEG.EXE I shit you not! So GoldShower’s systems were being used to pimp malware that went under the name of SHEMALE_MOVIE_83.MPEG.EXE
BAAAAAAAAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAAH!
SHEMALE_MOVIE_83.MPEG.EXE
I do love the schadenfreude here. Evidently it was a trojan that harvested creds, listened to all traffic, and manipulated the SMTP on the system as well. I have to wonder who at Turnip Hotels may have gotten an email with this file and clicked on it. I also have to wonder if they were acutally mailing this shit out from Turnip central as they had connections to the PSMTP server as well. Say, any of you get any dirty email from Turnip back in 2014 or 2015?
As I write I have this grin on my face…
Enjoy the schadenfreude kids!
K.
IOC’s
https://www.threatcrowd.org/searchTwo.php?data=trump
https://www.threatcrowd.org/domain.php?domain=trumphotels.com.s9a1.psmtp.com
https://www.threatcrowd.org/malware.php?md5=833009a54c295a72ad64ab0941f482fe
https://malwr.com/analysis/YTY4NTM5YWY5NDNjNDAwYjkyNWNmMjQwM2RmMjAwYTE/
4/25/2014
https://www.threatcrowd.org/listMalware.php?antivirus=BackDoor.SlymENT.1498
https://www.threatcrowd.org/ip.php?ip=202.71.129.187
https://www.threatcrowd.org/domain.php?domain=email.cz
https://www.threatcrowd.org/ip.php?ip=72.29.227.205
https://www.threatcrowd.org/domain.php?domain=trumphotels.com
https://malwr.com/analysis/YTY4NTM5YWY5NDNjNDAwYjkyNWNmMjQwM2RmMjAwYTE/
https://www.threatcrowd.org/listMalware.php?antivirus=BackDoor.SlymENT.1498
Krypt3ia 