Introduction

Since August 2015, actors using Angler exploit kit (EK) to send ransomware have occasionally switched back and forth between Angler EK and Neutrino EK.

Sometime in mid-August 2015, actors using Angler EK to send ransomware switched to Neutrino EK [1]. The next week, those actors were back to using Angler EK [2, 3], and we've seen the occasional switch back and forth since then.

I hadn't seen much Neutrino EK at all in November and December of 2015, but these actors switched back to Neutrino EK by the first week of January [4]. This occasional switch between the two EKs can be confusing. I've seen it initially confuse more than one security professional [5].

As of Tuesday 2016-01-12, these actors are back to Angler EK. And as always, we continue to see malicious spam (malspam) as another vector for ransomware.

I've already noted how malspam has been used as a vector for CryptoWall, and we've seen different methods used by the malspam to deliver the malware, whether through links [6] or attachments [7].

In today's diary, I look at two examples of CryptoWall from the same day. The first example came through Angler EK. The second came from malspam with zipped .js attachments. All examples of CryptoWall I see now are version 4.0, first reported by BleepingComputer in November 2015 [8].

CryptoWall from Angler EK

On Tuesday 2016-01-12, I generated a CryptoWall infection after viewing a compromised website that led to Angler EK.

Shown above: The infected Windows desktop after the CryptoWall infection.

Below are indicators of compromise (IOCs) for this EK-based CryptoWall infection:

  • 194.1.238.187 port 80 - waddent-scarcediscerned.miloongles.com - Angler EK
  • 104.238.83.242 port 80 - rosebenthomas.in - CryptoWall post-infection check-in
  • 195.248.234.41 port 80 - chackpoint.ua - CryptoWall post-infection check-in

CryptoWall from malspam

On Monday 2016-01-11, someone submitted a malspam example to the ISC. (Thanks, Roland! You know who you are!) The malspam had a zipped .js attachment. One of the other handlers answered the submitter, saying the .js attachment was a file downloader and CryptoWall was one of the files it downloaded.
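The zipped .js attachment described above is the kind of thing a mail gateway can refuse before anyone double-clicks it. The script below is an added example for this diary, not code from the ISC or the submitter: it builds a constructed message carrying a zip with a harmless stand-in for the .js downloader, then parses it the way a gateway filter would, opening each zip attachment in memory and reporting members whose extension Windows would hand to a script host or run directly. The extension list and the sample message are assumptions for the example.

```python
"""Flag zipped script/executable attachments in an e-mail message.

Added example, not from the original diary. The sample message is
constructed here; RISKY_EXT is an assumption to be tuned per environment.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows hands to a script host (wscript/cscript, mshta, cmd)
# or runs directly. Assumption for the example; extend for your site.
RISKY_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
             ".bat", ".cmd", ".ps1", ".exe", ".scr", ".pif", ".com"}


def build_sample_message():
    """Constructed sample: a message with a zip containing invoice_*.js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # harmless stand-in for the downloader, not the real .js file
        zf.writestr("invoice_2016-01-12.js", "WScript.Echo('sample');\n")
        zf.writestr("readme.txt", "nothing to see\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice 2016-01-12"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def ext_of(name):
    """Last extension, lower-cased, so 'photo.jpg.js' is still '.js'."""
    name = name.lower()
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


def risky_members(zip_bytes):
    """Return [(member, reason)] for zip members a gateway should flag."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = ext_of(info.filename)
            if ext in RISKY_EXT:
                found.append((info.filename,
                              "script/executable extension " + ext))
            # bit 0 of the general-purpose flags marks an encrypted member,
            # which nothing downstream can scan
            if info.flag_bits & 0x1:
                found.append((info.filename, "encrypted member"))
    return found


def scan_message(raw):
    """Parse an RFC 822 message; return [(attachment, member, reason)]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        # decide by content (zip magic 'PK'), not by the declared MIME type
        if data[:2] != b"PK":
            if ext_of(fname) in RISKY_EXT:
                hits.append((fname, fname, "bare script/executable attachment"))
            continue
        for member, reason in risky_members(data):
            hits.append((fname, member, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print(hit)
```

The check keys on the member names inside the archive, not on the zip's own name or MIME type, since the malspam attaches an ordinary-looking .zip; it also refuses encrypted members, which is the usual next step attackers take when plain zips start being blocked.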

I checked my organization

Shown above: List of the malspam seen on 2016-01-12.

The malspam all had zipped .js files designed to download and install malware on a user's computer. We've seen malspam with zipped .js attachments before [9, 10, 11].

Shown above: however, these were both malware.

Shown above: Initial- and post-infection traffic after running the malware on an unprotected Windows host.

ptoWall, that I recognize the post-infection traffic from the CryptoWall ransomware. HTTP POST requests caused by the other malware triggered the following alerts for Zeus and Fareit/Pony:

  • [1:27919:3] MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration
  • ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
  • ETPRO TROJAN Fareit/Pony Downloader CnC response (sid:2805976)

Below are IOCs for this malspam-based CryptoWall infection:

  • 188.126.44.139 port 80 - esrioterf.com - GET /img/script.php?dcm1.jpg [malware downloaded by the .js file]
  • 188.126.44.139 port 80 - esrioterf.com - GET /img/script.php?dcm2.jpg [malware downloaded by the .js file]
  • 184.168.47.225 port 80 - houstonpuryear.com - POST /wp-admin/images/images.php [Fareit/Pony traffic]
  • 184.168.16.1 port 80 - mikeladeroute.com - POST /wp-content/themes/themes.php [Fareit/Pony traffic]
  • 97.74.141.128 port 80 - mbuildersny.com - POST /wp-content/upgrade/upgrade.php [Fareit/Pony traffic]
  • 184.168.186.1 port 80 - soulflix.com - POST /wp-includes/Text/Text.php [Fareit/Pony traffic]
  • 184.168.49.1 port 80 - smoothmovin.com - POST /wp-content/uploads/uploads.php [Fareit/Pony traffic]
  • 50.63.184.249 port 80 - post409.org - CryptoWall post-infection check-in
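To make the two IOC lists above directly usable, here is an added example (not from the original diary) that matches them against web proxy log lines. The log format (timestamp, client IP, method, host, URI, server IP per line) and the sample lines are constructed for the example; only the hostnames, IPs and the two esrioterf.com URLs come from the diary. It also carries a hunting heuristic generalised from the Fareit/Pony entries, POSTs to a .php script under a WordPress directory, which is an assumption of mine rather than something the diary states.

```python
"""Match this diary's IOCs against web proxy log lines.

Added example, not part of the original diary. The log format and the
sample lines are constructed; the IOC values are the diary's.
"""
import re
from dataclasses import dataclass

# Hostnames from the diary's two IOC lists, with the role the diary gives them.
IOC_HOSTS = {
    "waddent-scarcediscerned.miloongles.com": "Angler EK",
    "rosebenthomas.in": "CryptoWall post-infection check-in",
    "chackpoint.ua": "CryptoWall post-infection check-in",
    "esrioterf.com": "malware downloaded by the .js file",
    "houstonpuryear.com": "Fareit/Pony traffic",
    "mikeladeroute.com": "Fareit/Pony traffic",
    "mbuildersny.com": "Fareit/Pony traffic",
    "soulflix.com": "Fareit/Pony traffic",
    "smoothmovin.com": "Fareit/Pony traffic",
    "post409.org": "CryptoWall post-infection check-in",
}

# Server IPs from the same lists. Several are shared hosting, so an IP hit
# without a hostname hit is weaker evidence; it is still worth a look.
IOC_IPS = {
    "194.1.238.187": "Angler EK",
    "104.238.83.242": "CryptoWall post-infection check-in",
    "195.248.234.41": "CryptoWall post-infection check-in",
    "188.126.44.139": "malware downloaded by the .js file",
    "184.168.47.225": "Fareit/Pony traffic",
    "184.168.16.1": "Fareit/Pony traffic",
    "97.74.141.128": "Fareit/Pony traffic",
    "184.168.186.1": "Fareit/Pony traffic",
    "184.168.49.1": "Fareit/Pony traffic",
    "50.63.184.249": "CryptoWall post-infection check-in",
}

# Hunting heuristic (assumption, generalised from the Fareit/Pony IOCs):
# a POST to a .php script under a WordPress directory. Expect noise from
# legitimate wp-admin use; it finds hosts not on the list yet, it is not
# a blocking rule.
WP_POST_RE = re.compile(r"^/(wp-admin|wp-content|wp-includes)/[^?]*\.php(\?.*)?$")


@dataclass
class Hit:
    line_no: int
    client: str
    host: str
    reason: str


def parse_line(line):
    """Split one constructed log line into its six fields, or None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, host, uri, server = parts
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": host.lower(), "uri": uri, "server": server}


def scan(lines):
    """Return a Hit for every line matching an IOC or the heuristic."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in IOC_HOSTS:
            reason = "IOC host: " + IOC_HOSTS[rec["host"]]
        elif rec["server"] in IOC_IPS:
            reason = "IOC IP: " + IOC_IPS[rec["server"]]
        elif rec["method"] == "POST" and WP_POST_RE.match(rec["uri"]):
            reason = "heuristic: POST to .php under a WordPress directory"
        else:
            continue
        hits.append(Hit(n, rec["client"], rec["host"], reason))
    return hits


def infected_clients(lines):
    """Client IPs that produced at least one hit, sorted."""
    return sorted({h.client for h in scan(lines)})


# Constructed sample log. Apart from the two esrioterf.com requests, the
# paths are placeholders, not URLs from the diary.
SAMPLE_LOG = """\
2016-01-12T14:02:11 10.0.0.5 GET www.example.com /index.html 93.184.216.34
2016-01-12T14:02:13 10.0.0.5 GET waddent-scarcediscerned.miloongles.com /forum/topic.html 194.1.238.187
2016-01-12T14:02:41 10.0.0.5 POST rosebenthomas.in /wp-content/themes/ajax.php 104.238.83.242
2016-01-12T14:10:02 10.0.0.9 GET esrioterf.com /img/script.php?dcm1.jpg 188.126.44.139
2016-01-12T14:10:03 10.0.0.9 GET esrioterf.com /img/script.php?dcm2.jpg 188.126.44.139
2016-01-12T14:10:20 10.0.0.9 POST unlisted-blog.example /wp-includes/Text/Text.php 198.51.100.7
2016-01-12T14:10:25 10.0.0.9 POST unlisted-blog.example /wp-content/uploads/photo.jpg 198.51.100.7
2016-01-12T14:11:00 10.0.0.9 GET cdn.example.net /lib.js 184.168.49.1
""".splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.host}: {h.reason}")
    print("clients to isolate:", infected_clients(SAMPLE_LOG))
```

Hostname matches are checked before IP matches so that a hit on shared hosting is reported with the stronger reason when both apply; the heuristic only fires when neither list matched, which is where it earns its keep.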

Final words

This really isn't a new development for CryptoWall-related traffic. I posted a diary about CryptoWall being sent through both Angler EK and malspam back in May 2015 [7], and I'm sure it was happening well before then. But the details are slightly different this time around, and it's always useful to confirm this type of activity is still happening.

Traffic and malware samples for this diary can be found here.

If you find any traffic or malware samples you think are interesting, use our contact form and upload a sample to us. We may not have time to examine every sample that comes our way (most of us are volunteers doing this as time allows), but we'll do our best. If anyone has any recent stories of CryptoWall or zipped .js malspam, please leave a comment below.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/Actor+using+Angler+exploit+kit+switched+to+Neutrino/20059/
[2] https://isc.sans.edu/forums/diary/Actor+that+tried+Neutrino+exploit+kit+now+back+to+Angler/20075/
[3] https://isc.sans.edu/forums/diary/Whats+the+situation+this+week+for+Neutrino+and+Angler+EK/20101/
[4] http://malware-traffic-analysis.net/2016/01/04/index.html
[5] https://www.bluecoat.com/security-blog/2016-01-04/new-year-new-angler
[6] https://isc.sans.edu/forums/diary/Malicious+spam+with+links+to+CryptoWall+30+Subject+Domain+name+Suspension+Notice/20333/
[7] https://isc.sans.edu/forums/diary/Increase+in+CryptoWall+30+from+malicious+spam+and+Angler+exploit+kit/19785/
[8] http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names/
[9] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/
[10] https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/
[11] https://isc.sans.edu/forums/diary/TeslaCrypt+ransomware+sent+using+malicious+spam/20507/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Director of National Intelligence James Clapper (far right) with CIA Director John Brennan (center) and FBI Director James Comey (left) before Congress last year. Clapper and Brennan have both now been targeted by hackers calling themselves "Crackas With Attitude". (Photo by Chip Somodevilla/Getty Images)

The same individual or group claiming to be behind a recent breach of the personal e-mail account of CIA Director John Brennan now claims to be behind the hijacking of the accounts of Director of National Intelligence James Clapper. The Office of the Director of National Intelligence confirmed to Motherboard that Clapper was targeted and that the case has been forwarded to law enforcement.

Someone going by the moniker "Cracka," claiming to be with a group of "teenage hackers" called "Crackas With Attitude," told Motherboard's Lorenzo Franceschi-Bicchiarai that he had gained access to Clapper's Verizon FiOS account and changed the settings for his phone service to forward all calls to the Free Palestine Movement. Cracka also claimed to have gained access to Clapper's personal e-mail account and his wife's Yahoo account.

In October, Crackas With Attitude claimed responsibility for hacking CIA Director Brennan's personal e-mail account and gaining access to a number of work-related documents he had sent through it—including his application for a security clearance and credentials. The group also apparently gained access to a number of government Web portals and applications, including the Joint Automated Booking System (a portal that provides law enforcement with data on any person's arrest records, regardless of whether the cases are ordered sealed by courts) and government employee personnel records. The group published a spreadsheet of personal contact details for over 2,000 government officials. The Twitter account used to post the information was suspended shortly afterward.


 

[Guest Diary by Pasquale Stirparo]

A few weeks ago we witnessed a fairly significant wave of emails carrying a zip file containing an executable.

The only thing common to all the emails was that the sender name (not the sender email address) always appeared to be WhatsApp or Facebook, while the subject always said, in different languages (and sometimes different terms), that you got a new audio (or video) message. Some of the subjects I saw are:

  • Subject: Sie haben einen Videohinweis erhalten! (German: "You have received a video notice!")
  • Subject: Ein Hörbeleg ist versäumt worden! (German: "An audio record was missed!")
  • Subject: Di recente, hai raccolto un avviso video (Italian: "Recently, you received a video notice")
  • Subject: Du hast eine Hörakte. (German: "You have an audio file.")
  • Subject: You recently got an audible message!
  • Subject: Ein akustisches Dokument wurde bloß übertragen (German: "An acoustic document was just transmitted")
  • It then tries to resolve about 40 to 50 domain names (on average).
  • Do not get fooled by the eventual 404. Incidentally, this very same response, as well as the server IP to contact, also appears in the report on the f0xy malware, a CPU miner uncovered last year by Websense [3]. However, the two samples are completely different.
  • The malware will later upload some information about the files dropped and the email address of the victim, again base64 encoded.

In case any of you want to try to analyze the sample, be aware that the binary also implements some anti-debugging techniques, as detected by running Yara against the rules from the official Yara-Rules repository [4].

I'm not sharing the MD5s of the samples collected, since all of them are different and would not be very actionable information. However, you can find below a list of the C2 domains the samples tried to contact. Looking at them, one may think that Nivdort does not use any DGA; instead it uses a particular DGA based on a dictionary, which makes the domains not look random and lets them bypass many DGA checks used by some filters. If you are interested in knowing more about it, there is a nice write-up by NeutralizeThreat [5], who reverse engineered the sample and described its functionality in detail.

C2 domains contacted by the samples:

  • againstangry.net
  • againstarticle.net
  • againstdried.net
  • againstfifteen.net
  • betterbehind.net
  • betterbroad.net
  • betterbutter.net
  • betterunderstand.net
  • breadbehind.net
  • breadbroad.net
  • breadbutter.net
  • breadunderstand.net
  • captainangry.net
  • captainarticle.net
  • captainbehind.net
  • captaindried.net
  • captainfifteen.net
  • decideangry.net
  • decidearticle.net
  • decidedried.net
  • decidefifteen.net
  • doubtangry.net
  • doubtarticle.net
  • doubtdried.net
  • doubtfifteen.net
  • electricbehind.net
  • electricbroad.net
  • electricbutter.net
  • electricdried.net
  • electricunderstand.net
  • flierbehind.net
  • flierbroad.net
  • flierbutter.net
  • flierunderstand.net
  • gatherbehind.net
  • gatherbroad.net
  • gatherbutter.net
  • gatherunderstand.net
  • largeangry.net
  • largearticle.net
  • largebutter.net
  • largedried.net
  • largefifteen.net
  • nightangry.net
  • nightarticle.net
  • nightdried.net
  • nightfifteen.net
  • quietbehind.net
  • quietbroad.net
  • quietbutter.net
  • quietunderstand.net
  • recordbehind.net
  • recordbroad.net
  • recordbutter.net
  • recorddried.net
  • recordunderstand.net
  • seasonbehind.net
  • seasonbroad.net
  • seasonbutter.net
  • seasondried.net
  • seasonunderstand.net
  • streetbehind.net
  • streetbroad.net
  • streetbutter.net
  • streetunderstand.net
  • tradebehind.net
  • tradebroad.net
  • tradebutter.net

Happy Hunting,

Pasquale

References:

[1] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanSpy:Win32/Nivdort.AL#tab-link-3
[2] https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy:Win32/Nivdort.A
[3] http://community.websense.com/blogs/securitylabs/archive/2015/01/30/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx
[4] https://github.com/Yara-Rules/rules/
[5] http://www.neutralizethreat.com/2015/12/nivdort-code-obfuscation-and-dga.html

--
Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford


 