Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Malware’ Category

Eugene and the DoD

leave a comment »

Da! Let me share you this blog on Eugene! Look, this whole kerfuffle over Eugene and the DoD has reached epic douchery in the news and now with the Putin administration threating “actions” against the US if they somehow embargo Eugene’s business. Well, let me first start with this little ditty below.. Go ahead, read it…

Ok done? Yeah, Eugene was in the KGB school and he worked for the GRU too according to the Wiki page here. What this means is that Eugene is a “former” made man of the KGB and Military Intelligence apparatus in Russia. He lived in the times when it was the Soviet Union and at the height of the times where the cold war was in a deep freeze. Fuck, just go watch The Amerikans and then come back… I will be waiting…

Ok watched them all have we? So now you know how it was to live in the 80’s huh? Well there you have it. Anyway, Eugene was a member of the organizations that have recently hacked us. What? You are saying it’s the FSB now and it isn’t the KGB?

Fuck you.

FSB is KGB with different letters at the front now ok? If you actually read up a bit you will see that Putin actually gave back the powers that the KGB had back in the day recently so once again they are functioning much like the old bad days as the KGB. Putin as well is an old school KGB man who has used all kinds of KGB fuckery to get where he is and stay there so once again, you say FSB, I say; Fuck. You.

Right, so now back to the present unpleasantness, it seems that Eugene is now offering a code evaluation by anyone who wants to (specifically the DoD) so pretty pretty please buy our shit? Look, it’s not about the code, we don’t necessarily think there are backdoor’s in the product now. No, what the worry is consists of that close snookums relationship Eugene had with the TWO entities that just hacked our election in 2016. Come on people, no one leaves the KGB and certainly NO ONE says NO to Putin right?

Imagine that Eugene’s software is clean as a whistle.

Now imagine that it is sitting on many USGOV and MIL systems.

Now imagine that all that telemetry from those systems is going to RUSSIA.

Then alternatively consider that with all those systems running Eugene’s product, how easy it would be to say, inject a malware or a protocol into all of it to do… “Things”

Think about that hacker kids.

Think about that you spies too.

You all see where I am going with this right? Now of course you could maybe do that with another vendor too but how much more work would it be to do that with Symantec? What I am saying is that Eugene lives in Russia, his assets are there, his LIFE is there and if Putin were to sidle up and say “do this thing” what choice would he have? JESUS FUCK PEOPLE! You know who the next randomly dead Russian would be right Eugene?

So, all this fuckery around the code and exploits etc… Stop. It’s really about access and what could happen in a place where we have seen pretty nakedly what Putin wants and does. So no, the DoD should not have Kaspersky products on their shit. I would be really surprised if they did given where it is made and managed… But then again, I think about all those SF86’s and China and… Fuck….

So there you have it. We are in another hot cold war with a Putichurian candidate in office. Do you really think we need the trifecta of Eugene’s access potential to be expanded to the military?

Yeah neither do I.

K.

Written by Krypt3ia

2017/07/03 at 16:38

Nyetya, Being Downrange, and Active Measure Campaigns in Ukraine

with 2 comments

 

While all the AV/TI/INFOSEC firms have been masturbating to the latest outbreak of systems degrading malware, I have been sitting back after insuring that my environment has not been hit nor anyone connected to it. Since the reversal’s and the inevitable attribution fuckery cycle has spun up I have been pondering things outside the usual whodunnit. Lesley Carhart had a good post on why one should worry about such attacks and this kind of malware that people should read, I want to go a different route. What I want to talk about is motivation and with that motivation, yes, who is more likely to have carried out the attack. In this case we have yet another piece of malware that was either well coded or poorly coded depending on who you talk to. It was targeted or not targeted depending on who wants to sell you a service too. Well, I have nothing to sell you all, I just want to point out some interesting things regarding the whole mess.

The one simple fact that the malware used a Ukrainian tax software (MEDoc) as the means of initial attack is telling. The time-line on this also pretty much shows (and I experienced this from messages to me the day of the incident) that Ukraine was patient zero. By looking at the image below from the linked page you can see that a great swath of Ukrainian infrastructure was hit on the 27th. Coinciding with this malware attack later in the day several military and government individuals were assassinated in Ukraine as well. Are you starting to see a pattern here?

Recently Wired had a big article on how some in the security community had been feeling that Ukraine was the testbed for Russian active measures in the cyber warfare battle space and this is something I agree with. They have been using active measures of this nature for some time. In fact I actually located some malware in dumps of the Russian media company created by Putin to be a propaganda and intelligence wing for Russia in the region last year. The attacks on the Ukrainian elections as well as the electrical grid now twice by “unknown actors” (Russia) (insert stupid code name from TI firm HERE) have shown just how willing the Russians are to use such technologies in the region. Understanding what they are doing though needs more than the myopia of reverse engineers and sales people in the security space to impart that to you so I will put it plainly here for you;

  • Russia is carrying out an all out war against Ukraine and they are now using the means to an end of malware to deny, degrade, and deter the Ukrainian people and their government from being their own.
  • Russia’s use of these malware attacks have a secondary but important function psychologically to bolster the idea that the Ukrainian government cannot protect itself nor its people
  • Russia’s use of these kinds of measures is just another part of the playbook to add to the battle-space

The Russians get the advantage of using these techniques on Ukraine and no one is stopping them. They get  the advantage of a smaller state infrastructure to attack which means more amplification of the effects on the populace as well. In larger states it is harder to carry these out and obviously would take much more effort. In fact, in the case of the Russian meddling in the US elections last year, one can see how much effort it took on the Russians part to carry out the attacks but as well, how a larger and diffused infrastructure gives varying levels of returns. Alas, for poor Ukraine you can see just how effective at degrading and perhaps disenfranchising the general populace can be with such attacks on their infrastructure. I heard one comment from a Ukrainian that just bespoke their resignation to the interruptions as they happen so much. All of this though, demoralizes the population and in the case of Ukraine, since the Maidan event, they have fought hard to stay free and that is why Russia is ramping up their attacks.

So yeah, my money is on Russia and I will stick with Occam’s razor on that one. Now, on other thoughts about this malware and Wannacry I just have to once again muse about how we have now reached a place where malware is reaching parity with bio weapons. I say this in the sense that malware like Nyetya and Wannacry both had unintended consequences once released either willfully for by accident. They broke out of their cages, their battle-spaces, and began to infect the populace globally. Instead of having some poor shmuck getting on a plane and infecting the world, we now have malware that is either scanning the net for clients to attack or being sent out and then forwarded by accident (or on purpose) by actors. Could some of the infection vectors and trajectories be chaff to obscure the real targets? Sure, but I think in these last two cases the attackers perhaps did not take into account the interconnectedness of the world today.

….Or that’s exactly what the counted on…

Anyway, those are my thoughts on the subject. We are at a crossroads where malware like this can cause headaches but in the end, the world did not end did it?

Did I miss it?

Damn.

EDIT: I also failed to mention that this attack took place one day before their Consitution Day, ya know that thing where they proclaim they are not a part of Russia. Mmmmmyeah…

Wednesday June 28 Constitution Day Marks the signing of the Constitution of Ukraine in 1996

K.

Written by Krypt3ia

2017/06/30 at 14:13

WANNACRY: PATIENT ZERO AND MALWARE EPIDEMIOLOGY

leave a comment »

Continuing on the hot topic of the month I had some thoughts about WannaCry’s infection vector and heat maps that I have been seeing all over the place. I wanted to see who patient zero may be and having played many a game of Pandemic, I thought maybe this approach might yield something of use. In looking online I found only two heat maps that give a timeline that shows what may be patient zero’s location(s) but in doing this research I cam to the conclusion that this may be impossible without the help of all of the AV vendors out there. When trying to ascertain who may be patient and country zero for this malware it becomes apparent that you have to rely on various vendors who may or may not have seen the malware with their products. So far I have Malwarebytes timeline and Symantec. Now, given that Symantec has a larger market share I will go with them for the base assessment of patient zero on Wannacry but if the other vendors want to kick on and give a timeline for each of their products seeing infections I would welcome the data.

Since Wannacry traversed the net via SMB attacks (ETERNALBLUE and DOUBLE PULSAR) it may be possible to see just who was infected first and just maybe, get a lock on where that SMB connection came from. This might help the investigations into who did this at least nominally because one would assume the adversary used a proxy box or some other obfuscation to launch the initial attack… Unless, they are inept n00bs that is, so maybe something could come of this line of investigation. Anyway, the best timeline(s) I saw were Malwarebytes and Symantec as I said above. Here are the findings of those two companies telemetry;

Malwarebytes has the first infection in Russia.

Symantec see’s the first infection vector in Thailand.

Which is correct? Are either of them right? I am not able to be sure but, given at least the market share of Symantec both legally and illegally, I would be looking to Thailand as the potential patient zero here. Now, in talking to people on Twitter about this someone (@Tinkersec) notes that there is IP space in Thailand that starts with 1.0.128.0-1.0.255.255 1.1.128.0-1.1.255.255 so there is the possibility according to his theory, that a scripted scan looking for 445 open on the internet could have just hit on those addresses because the script started scanning at say 1.1.1.1 (or 0.0.0.0) to 255.255.255.255 which I can grok. Either way, if Thailand was patient Zero, and that IP space for Thailand Chiang Rai Tot Public Company Limited, an telco in Thailand.

This line of thought is quite possible and I like it (thanks Tink!) it would explain the rando Thailand hit as the first infections started to show up. Now, how though would this work if not for some scripted mass-scan? Well, someone would either have to be phished on a very small targeted scale to start this or the malware was physically implanted in a network and set free. So far I am not seeing too much talk about how this thing all started so I would like to put all this out there as a possible explanation as to the how. I am not aiming at the who because right now it is a festival of attribution out there and my opinion of that is low. The how is more important and in fact could lead to the who if the gumshoe work is done properly.

Still, I would like more data… Anyone from said AV vendors care to speak up?

K.

EDIT: Someone just mentioned passive DNS too on the killswitch site. Say, anyone in the DNS world wanna stop talking about Trumps servers and weigh in on Wannacry telemetry?

Written by Krypt3ia

2017/05/24 at 12:48

Posted in EPIDEMIOLOGY, Malware

WannaCrypt0r Roundup

leave a comment »

So last weekend and this week have been fun times in INFOSEC am I right or am I right? When Wannacry started making the rounds on Twitter I knew pretty much then and there I just likely lost my weekend to the derp of yet another ransomware distro. Luckily for me though, I forced my org to “do the things” on patching etc where the Shadowbrokers dump was concerned. So at the end of the day we came through the weekend unscathed by WannaCry yay me! However, in looking at the Twitter feed and Hyrbid/VT pages I began to worry that soon enough this malware would come at us all not just by worming through the net but also from phish waves. Today was the first day I have seen someone trying to at least possibly send a phish wave using a popped box in Egypt with the WannaCry.exe for download so hang on kids, you may well be seeing this as well and if you have not patched your shit and have old 2003/Xp your days may get to be like the end times that others around the globe have had since last Friday.

In the meantime though, I began looking at all the malware C2’s and exploits and notice a couple things. First off I kept seeing two IP addresses tied to the IPC$ in the binary/memory of the malware. I began to look for these addresses and while I surmised the 192.168 address was a off the shelf home router, the other maybe was something else. After some searches I came to the conclusion that this was another non routable address but that it may belong to an org or another off the shelf router of some kind.

With a little more looking I had thought that I had come up with the answer. It was some default IP scheme for a GSM gateway or some internal network somewhere in the world like China (found an F-5 with that scheme) but then I hit upon one last hit that suddenly appeared from a blog post by ZeroSum0X0. The post on Github was 6 days ago and that places it before the malware started to make the rounds. One day before the malware started burning through NHS I think if the reports are right from the news. Now this really has piqued my interest because if this IP and system belong to the blog poster or who they work with, then maybe the exploit was cribbed by the malware cabal to use EternalBlue. The poster (ZeroSum) seems to work for Rapid7 and Rapid7 was working on deploying the code for EternalBlue for Metasploit.

I reached out to ZeroSum on Twitter but nothing back so far. Coincidentally the code for the EternalBlue exploit was deployed this afternoon (as of this writing about an hour ago) to Metasploit. Now, the question I have is about this IP/System call that is in all the malware out there. Was this IP/system in the original binary that was pulled apart by ZeroSum from EternalBlue or was this an internal system that was being used to make the code work in some way? That it is directly in the post and that is a day before the great conflagration, I have to wonder. I would love for someone at R7 or Zero to let me know what the deal is with this. I mean, did someone steal the exploit code from you guys and deploy it after you got it working or, was this in the binary already? This is kind of a keystone to many questions concerning who may have created and deployed this malware as I see it.

The argument goes like this….

  1. The WannaCry campaign was carried out by criminals looking to score big money
  2. The WannaCry campaign was carried out by nation state actors (Lazarus Group/DPRK? Russia?)
  • Well, if it was just a criminal gang then did they reverse the binary and make this thing work? If they did then is that an internal IP that they used and forgot to sanitize from the code?
  • Well, if the nation state actors who potentially stole the exploits in the first place had to steal the actual working exploit from R7 then just how good are these guys anyway? It seems that there have been some other mistakes in coding as well that lead to snafoo’s with the bitcoin wallets as well so…

You see where I am going with this right?

Now, I had said from the beginning that this attack did not feel like it was about the money and the low numbers in the wallets kind of bears that out in my mind. However, there are some inconsistencies here and that IP/System in there makes me wonder some more especially when I see the same string in the code tied to R7’s work that was released today. If the code did in fact get cribbed from ZeroSum and by proxy R7 that does not bode well in the PR department for companies that do this kind of work (metasploit etc pentest tool vendors and creators) does it? It is kind of akin to leaving that hand grenade in front of the toddler right?

So, if R7/ZeroSum could respond to this little factoid it would be great. All of this also may bear some significance on the attempts at attribution that are flying about the news and Twittersphere right now where this attack is concerned. Frankly this all could have been much much worse had the coders thought to make domains that could not possibly be on the internet as kill switches. Kinda like this one I think (see below) that has been making the rounds in Hybrid and VT.

No kill switch and no way to sinkhole it would be a lot more devastating right? Of course the whole thing about the killswitch being there in the first place has a lot of people wondering. Then, there is the whole shadowbrokers foolery with the post last night they made. They are now claiming to have much more and will parse it all out in coming months…

Interesting times…

Ok.. Off to the deck for sun.

K.

UPDATE!

Well, I made some connections and had a chance to DM with someone from R7. For the record ZeroSum does not work for R7 he works for another company but is a contributor to Metasploit. R7 as of yesterday was trying to get a hold of ZeroSum to ask how that IP with IPC$ got in there and where it came from in the first place. As of this writing I have not heard back from them.

Tuesday when I posted this I connected with ZeroSum and he said someone else would email me….

I have no email.

In the interim the page that I located the IPC$ code snippet is no longer there. The page has been redacted. It also turns out that Malware Unicorn made a comment about the malware seeming to have been using Metasploit framework code for deployment of the exploit (DoublePulsar) and has since redacted that page as well…

Screenshot from 2017-05-18 16-00-52

So here’s my thing… Was the code snippet taken before the malware was launched and kluged into the wannacry malware to make it work? Was that code taken from the Zerosum git page on the day before or before that and then implemented by the wannacry authors? This would seem to be something logical given the hints I have seen with regard to that IPC$ and non route-able IP address. Was this an IP inside the networks where this code was being tested and perfected?

In essence, did someone fuck up and place code on the net for research that in turn was used by the adversaries to make Wannacry work and launch it into the wild?

I ask this because of the time table here and the events since that lead me to believe this is the case. I cannot say for sure because no one has given me any information to counter this belief. No one is saying much of anything other than R7 saying they are looking into it (which I know they are in reality) so I believe them.

So, it’s either this code and the telemetry from it were in an original sample of the malware that maybe ZeroSum had BEFORE the outbreak and was reversing to use to make the git posts and get the metasploit deployment working or this code maybe was cribbed by the malware creators and used to global effect.

Which is it?

Of course all of this also paints a new picture on attribution right? If LAZARUS is the culprit (a theory I do not ascribe to) then why  would they hang around this git to grab code? These guys should have had the time to fully reverse this stuff and make it workable for them. It is my opinion either there is EPIC obfuscation going on here to make it look as though it is LAZARUS or that LAZARUS is deliberately trying to look inept and throw investigators off the trail. This information though, if true and can be verified might lead to some more breadcrumbs.

I look forward to some more light on this.

K.

UPDATE II: Response from RiskSense

Response:

The Metasploit module for the EternalBlue vulnerability was developed by community contributors, zerosum0x0 and JennaMagius, security researchers at RiskSense, a provider of pro-active cyber risk management solutions. The module was developed to enable security professionals to test their organization’s vulnerability and susceptibility to attack via EternalBlue. As part of their research, the researchers created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. The purpose of this recording was to help educate other security professionals, and get feedback as they worked through the process. This kind of approach is fairly common in both the security researcher and open source contributor communities, where transparent collaboration enables individuals to pool their expertise and achieve greater results. It’s possible that data from this analysis was copied and rewritten by individuals with malicious intent; we cannot confirm if this is the case or not. Unfortunately, this is a risk that is taken whenever technical information and techniques are shared publicly. None-the-less, we believe the educational and collaborative benefits generally outweigh the risk. To our knowledge, no code from the Metasploit module was ever used in the WannaCry attacks, and once Krypt3ia’s blog pointed out the possibility that some of the information may have been used by the attackers, we removed the video from the Github repository to ensure no other bad actors would be able to do likewise to create variants of the malware.

Here’s a summary of context and the technical details:

–          On April 27th, JennaMagius created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. That recording was subsequently posted at https://github.com/rapid7/metasploit-framework/issues/8269#issuecomment-297862571. The recording included an IP that was used as a lab target of the original exploits.

–          Recording the replay and playing it back works against freshly booted boxes because the Tree Connect AndX response will assign TreeID 2048 on the first few connections, after which it will move on to other tree IDs. This is the same for the user login request. The replay would then fail because the rest of the replay is using “2048” for the tree and user IDs, and the server has no idea what the client is talking about.

–          On April 30th, JennaMagius published a script that slightly enhanced that replay by substituting in the server provided TreeIDs and UserIDs. This code was subsequently posted at https://github.com/RiskSense-Ops/MS17-010/commit/9ddfe7e79256a9d386f0b488c38f5048a2dfd083

–          Zerosum0x0x’s research supplemented these findings by outlining that __USERID__PLACEHOLDER__ and __TREEID__PLACEHOLDER__ strings were also present in the malware.

Replaying ANY recording of EternalBlue will produce the same result, so the attackers may have chosen to use that particular recording to throw investigators off track. It is important to note that to our knowledge no code from the Metasploit module was ever used in the WannaCry attacks.

To be successful, the attackers independently implemented sending the network traffic in C; constructed additional code to interact with DoublePulsar (which is a significantly harder undertaking than just replaying the recorded traffic), implemented the rest of their malware (maybe before or after), and then released it on the world.

 

Written by Krypt3ia

2017/05/16 at 18:23

Posted in Malware

KONNI: Malware Campaign Inside Pyongyang

leave a comment »

So the release of the KONNI report by Cisco piqued my interest and so I thought I would look into the data presented and see if there was anything else to be seen. In looking at the malware (samples below) and the C2 involved over the last three years a few things come up about this campaign.

  • The malware evolution is interesting as it started off kinda low-tek and then expanded in scope and in complexity of code by the writers
  • The C2’s mostly seem to be clear of data showing who may own them and or who started the domains and this is rather professional in my opinion.
  • One of the re-directed C2’s can be tied back to an alleged Chinese alias that owns numerous sites and allegedly is in Canada (a.yesadsrv.com) which comes back to yesupinc@yahoo.com as the address used in the domain information
  • The C2’s also cluster in areas where other phishing exploits reside so as to maybe couch them in a constellation of disinformation
  • The documents being used as part of the phish campaign seem to be aimed at English speaking embassy staff with alternate RU campaigns that might be running in parallel (as noted by doc file in sample Talos found in Cyrillic)
  • All the documents look as though they would be common files passed around the embassy set and thus would not be something that would tip off the targets as to their being phish
  • HOWEVER, the documents that are being aimed at these users show that they are low hanging fruit and not savvy to phishing threats because all of these have .scr or other types of file names attached and as such a savvy user would not click on them
  • The campaign has been detected and the malware samples found in open source sites going back to 2015 (see links below) and the 2017 iteration was shown to be in a hybrid-analysis clone run in native Korean language on april 19th 2017.
  • MOST of the infrastructure has been pulled but some of it is still up even today and you can pull down the SYM64.exe but attempts got a 0 byte file

Conclusions:

What all of my digging around has shown me is that this campaign is directed more at DPRK’s embassy set and thus hopefully at the hermit nations traffic in those embassies that may have gotten the phish. The use of English language is of interest to me but I suppose that the assumption is that these documents coming from the UN and other affiliates would be in English and not in Korean. There was one document that was purportedly from China but it also was not in Chinese so there is that too, I would have liked to have seen it translated to Chinese for good measure.

When I looked at the metadata for the document about blowing up NYC with a hydrogen bomb I found that it only had  the name “John” and the date of creation and editing were transposed. I did not do a deep dive into the metadata but maybe later I will. For now though, the document is alleged to have come from an American and concerned “propaganda” so perhaps the email that the document was attached to was an alert for the embassy staff on recent events and timed for added click-ability. This would make a lot of sense to me and I suspect would have more than a few clicks occur to see what it had to say even with .scr in the filename.

I have since been wondering just how much data the hermit kingdom really shares with the embassies that they have around the world. I personally think they would not be of much intelligence use in many respects because Kim does not trust anyone and certainly not anyone not within his immediate reach to disappear. So what kinds of information might the malware get getting from these windows machines within such places? I also have to wonder if any of these documents/malware made their way to Kim and others within the Pyongyang confines and thus maybe onto grey license systems in DPRK itself. I then have to wonder as well what rules may be on their firewalls to let any telemetry get out to the internet proper, as I understand it only a core group have internet access outside the confines of the country.

All of these questions beg another question….

Do we know for sure these were aimed at DPRK embassies/personnel?

Now go with me for a minute here… This kind of information would also be of interest to other groups and countries right? Do we have any telemetry from Talos or elsewhere that the systems infected were in fact in DPRK sites? Do we have email addresses within the phish? I have not seen this information in any of the samples yet so I cannot say for sure that they were the target. If Talos has more maybe they should ya know, tell us all? I for one would be interested to see more on the targeting here because to me, this is all kinda sketch unless you can prove they were the ones opening the stuff.

Say Talos, did you get into that C2 infrastructure and pull some data down on systems compromised?

Come on, you can tell uncle Krypt3ia!

SAMPLES:

Ask for them and we will work out a transfer method

LINKS:

http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.htmlhttp://www.threatcrowd.org/domain.php?domain=phpschboy.prohosts.orghttp://www.threatcrowd.org/domain.php?domain=jams481.site.bzhttps://www.google.com/search?client=ubuntu&channel=fs&q=7640894b9a61e533646067bc542f04f2&ie=utf-8&oe=utf-8https://www.reverse.it/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1https://www.hybrid-analysis.com/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1&lang=idhttp://www.threatcrowd.org/domain.php?domain=dowhelsitjs.netau.nethttps://www.threatminer.org/sample.php?q=ed759d5a9edb3bba5f48f243df47be29e3fe8cd7https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdfhttp://www.threatcrowd.org/domain.php?domain=pactchfilepacks.net23.nethttps://www.hybrid-analysis.com/sample/94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5?environmentId=4&lang=zhhttps://www.hybrid-analysis.com/sample/69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0?environmentId=100https://malwr.com/analysis/NWJiY2EwOGE3MjUwNDg1ZjhlZmY0MjdlMzc2MDQzYzc/https://www.virustotal.com/en/url/4b273842b1731390c837c10d9b59e76eb974ac8eeff961c186c64ef3309430f0/analysis/1494269840/https://www.virustotal.com/en/domain/a.yesadsrv.com/information/http://www.threatcrowd.org/ip.php?ip=31.170.160.129

Written by Krypt3ia

2017/05/08 at 20:16

Posted in .gov, .mil, APT, DPRK, Malware, Phishing

Trump Hotels Dot Com: Malware C2 In 2014

leave a comment »

Credit CNN

TURNIP HACKED!

Remember when the news media was told by Brian Krebs that Turnip’s hotels had been hacked and their credit card data has been stolen? Well there is more to the very little story that made the press after Krebs dropped a dime on them. In looking around the ThreatCrowd today I decided to take a look at the Turnip brand and, well, they have over three thousand domains but a couple jumped out on the searches due to their being connections in some malware back in April of 2014. This coincides with the hack time frame according to the stories I have seen including the one by CNN above where not much is said by Trump nor the FBI or USSS because they were looking into it and that Turnip was a candidate for president. Given that no one has really said anything about this hack post Krebs I have to wonder just how deep these guys got in and what actor group it may have been. If it was straight up carding was it Rescator? Some other Eastern Block group? If it was Russian then, well, you know how they like to dual use these hacks right?

Well, the malware in this case was programmed to attempt to connect with the hotel psmtp server as well as the main domain. This means that they were compromised enough to used as a C2 or perhaps it was just garbage traffic as as been seen in the past with some malware creators. The real kicker is that this malware was doing it’s thing in the same time frame that the hack was alleged to have happened, so I have to think that the case here is that they did in fact use them as a C2 as well, or another actor did piggybacking on the other hacking going on.

Maybe Turnip’s security just sucked? Oh well, as you can see from the maps below they were pretty busy. The best thing for me though was the name of the file that the malware was propagating by.

(scroll down but don’t be drinking anything hot FAIR WARNING)

Maltego of psmtp server at Turnip Hotels

 

Trumphotels.com Domain ThreatCrowd

Trumphotels.com.s9a1.psmtp.com ThreatCrowd

Money shot of the malware that has trumphotels in the C2 list

Oh, and Turnip loves him Godaddy, the Mos Eisley of domain registries and server farms.

The Malware:

So that malware that had the Turnip hotel as a C2? Yeah, it was in the guise of a file called SHEMALE_MOVIE_83.MPEG.EXE I shit you not! So GoldShower’s systems were being used to pimp malware that went under the name of SHEMALE_MOVIE_83.MPEG.EXE

BAAAAAAAAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAAH!

SHEMALE_MOVIE_83.MPEG.EXE

I do love the schadenfreude here. Evidently it was a trojan that harvested creds, listened to all traffic, and manipulated the SMTP on the system as well. I have to wonder who at Turnip Hotels may have gotten an email with this file and clicked on it. I also have to wonder if they were acutally mailing this shit out from Turnip central as they had connections to the PSMTP server as well. Say, any of you get any dirty email from Turnip back in 2014 or 2015?

 

As I write I have this grin on my face…

Enjoy the schadenfreude kids!

K.

IOC’s

https://www.threatcrowd.org/searchTwo.php?data=trump

https://www.threatcrowd.org/domain.php?domain=trumphotels.com.s9a1.psmtp.com

https://www.threatcrowd.org/malware.php?md5=833009a54c295a72ad64ab0941f482fe

https://virustotal.com/en/file/e11f563e084bf435ba59ab74bf13aba88f382fa1cadc6186ddca2b63209c9b3b/analysis/

https://malwr.com/analysis/YTY4NTM5YWY5NDNjNDAwYjkyNWNmMjQwM2RmMjAwYTE/

4/25/2014

https://www.threatcrowd.org/listMalware.php?antivirus=BackDoor.SlymENT.1498

https://www.threatcrowd.org/ip.php?ip=202.71.129.187

https://www.threatcrowd.org/domain.php?domain=email.cz

https://www.threatcrowd.org/ip.php?ip=72.29.227.205

https://www.threatcrowd.org/domain.php?domain=trumphotels.com

https://malwr.com/analysis/YTY4NTM5YWY5NDNjNDAwYjkyNWNmMjQwM2RmMjAwYTE/

https://www.threatcrowd.org/listMalware.php?antivirus=BackDoor.SlymENT.1498

Written by Krypt3ia

2017/04/06 at 19:12

You See What Happens When I Get Bored? china.org.cn –> media.president.ir –> rodong.rep.kp —> TURLA?

leave a comment »

So yeah, I was bored earlier and when I am bored my brain likes to take a walk down the darker hallways of the intertubes. Today I was plinking around with ThreatCrowd as is my wont, and I decided to start messing about with .gov.kp addresses. So I did a search for just .gov.kp which netted me nada. So I went back to the drawing board and looked up all the .kp addresses out there. I messed around a bit and hit rodong.rep.kp which had the nugget of the day I was looking for.

See that big purple thing? Yeaaaaaahhhh that is malware activity and a has all the hallmarks for nation state malware kids! Upon looking closer at this closer at this you can see that this piece of malware is talking to other interesting places like Iran and China! This really piqued my interest because just look at those addresses huh? Iranian mil sites, the presidents site, their news service (FARS) and china! Now what could be happening here kids? Was this malware or something else? Is the anticipation killing you yet?

Right! So I then started to circle out to the other sites on TC and of course clicked on the malware hash itself to see what the deal was here and when this all came about. To my surprise this malware and the activity happened last year in June. The malware was run privately on Hybrid on June 22nd 2016 but if you look closely at the image at the top of this piece, you see that the post is listed as December 3rd 2016? How does that work one wonders? Is this a post to the site after the original piece was uploaded? Was there something going on here that made the dates all messed up? In any case, the fact that this was posted privately to Hybrid in June shows that someone was either testing their malware or someone just found this and decided to post it privately to not trip up they had found it.

The sample itself is the php on the site (http://forum.china.org.cn/viewthread.php?tid=175697) which is not around at the moment to attempt to gather a sample directly. I also checked The Wayback Machine too and alas they did not have the site cached on the date or after where I would need to get the sample. At the time of testing this malware injected an exe (FP_AX_CAB_INSTALLER64.3×3) in temp and begins the work of pwning the system. It drops some files on the system and within the process is an IP address (210.72.21.87) which is in China.

Ok, so I pivot over to the malware 866fd7c29b0b6082c9295897d5db9e67 and whoa, look at all the malware traffic! It’s a festival out there man! Looks like someone is using a flash update to pwn all the things in Iran, China, and DPRK maybe huh? When you look at the malware C2 call outs it makes in the Hybrid analysis you can see them all. But when i start looking at the sites in the binary it is then I start to see where the other sites have bad histories and the files that seem to have been a part of the arcology.

Pattern match: “http://forum.china.org.cn/archiver/”
Pattern match: “http://www.china.org.cn/node_7077424.htm”
Pattern match: “http://forum.china.org.cn/main.php”
Pattern match: “http://210.72.21.87/uc/en_uc_admin/avatar.php?uid=248308&size=middle”
Pattern match: “http://forum.china.org.cn/viewthread.php?tid=175697&page=1#pid261371″
Pattern match: “http://www.b14643.de/Spacerockets_1/Rest_World/Simorgh-IRILV/Gallery/Simorgh.htm”
Pattern match: “http://www.jajusibo.com/imgdata/jajuilbo_com/201505/2015051137439063.jpg”
Pattern match: “http://www.jajusibo.com/serial_read.html?uid=20376&section=sc38”
Pattern match: “http://media.president.ir/uploads/org/144022966897383700.jpg”
Pattern match: “http://media.farsnews.com/media/Uploaded/Files/Images/1394/05/31/13940531000590_PhotoI.jpg”
Pattern match: “http://static2.bornanews.ir/thumbnail/ttNMJfA47E4M/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://static2.bornanews.ir/thumbnail/SQ8qder1eiAx/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://static2.bornanews.ir/thumbnail/WoR50ZKvbOvU/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://www.president.ir/en/88795”
Pattern match: “http://i.imgur.com/0ayxQnW.png?1”

Other hits for the hash:

Threat Miner: https://www.threatminer.org/sample.php?q=866fd7c29b0b6082c9295897d5db9e67

Hybrid: https://www.hybrid-analysis.com/sample/940aefe52f2f5d95535cbb536c53655971d803336a208d4066683c3ddbb9959d?environmentId=100

Threat Miner: https://www.threatminer.org/host.php?q=178.22.79.3

Threat Miner: https://www.threatminer.org/host.php?q=203.130.61.92

It gets stranger with the sites that this thing attempts to connect with as well. All of the connections are GET’s on port 80 so is this just polling sites or are some of these carriers of malware second stage? I have yet to go through all of them but one stood out already in the odd department (in red) this site came up dirty on more than one occasion and also the site resides in the US but has a guy from Iran ostensibly as owner who has a Yahoo account for an email. When you look at the site it seems to be a pro Iran mil site that kind of mirrors many of the others in Iran (think Geoshitties from hell) but why is an official site like this being hosted in the US huh?

media.president.ir 80.191.69.176 Iran (ISLAMIC Republic Of)
media.farsnews.com 178.22.79.3 Iran (ISLAMIC Republic Of)
i.imgur.com 185.31.19.193 European Union
weather.china.org.cn 210.72.21.12 China
http://www.military.ir 63.141.224.83 United States
fpdownload2.macromedia.com 2.16.106.177 European Union
r18.imgfast.net 87.98.180.46 France
images.china.cn 106.48.12.36 China
ipic.su 104.28.23.43 United States
imgs.xici.net 203.130.61.92 China
static2.bornanews.ir 46.209.99.141 Iran (ISLAMIC Republic Of)
news.xinhuanet.com 106.48.12.33 China
gallery.military.ir 63.141.224.83 United States
rodong.rep.kp 175.45.176.78 Korea Democratic People’s Republic of
fpdownload.macromedia.com 72.246.168.194 United States
my.china.org.cn 210.72.21.87 China
http://www.jajusibo.com 121.78.144.175 Korea Republic of
http://www.china.org.cn 106.48.12.35 China

An address inn memory though there was this little hit: bzip.org When looking at this site it has been rather naughty over time and has a high hit ratio for malware: This site also seems to be tied to APT activity.

This site has a lot of trojan activity over time so this may be the hit we are looking for. When I dug into this site I located the key piece of information that I believe nails this as Turla activity. When you look up the domain for bzip.org you get an email address attached; donna@kestrel.ws which then turns up in the ThreatMiner report as being a C2 for Turla. So, it looks like my boredom has maybe led me to RU APT activities against CN/IR/DPRK in June of last year.

Whaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaat?

Is this in fact the case? Has anyone else seen this? I will keep plinking along but do take a look you malware mavens and see what you think.

K.

Written by Krypt3ia

2017/04/04 at 18:23

Posted in Malware