Saturday, July 22, 2017

Seamless Campaign Dropping Ramnit Continuously 1

Please read the previous blog about malware in May and June.
http://www.nao-sec.org/2017/07/malware-dropped-by-rig2017-may-june.html

The addresses of the known C2 servers introduced in other blogs are as follows:

  • 142.4.204.195
  • 34.194.213.50 - aofmfaoc.com
  • 87.106.190.153
  • 62.173.141.41 - gssbjwhoose.com
  • 185.118.65.143 - hdyejdn638ir8.com

Refer to the following:

The domain name is changed immediately, while the IP address is reused several times. I'll report the Ramnit-related malware C2s that connect with these C2 servers.

Network Based IOCs

  • 162.255.119.204 - onaxjbfinflx.com
  • 162.255.119.206 - lwqmgevnftflytvbgs.com
  • 162.255.119.18 - sinjydtrv.com
  • 162.255.119.193 - mrthpcokvjc.com
  • 185.118.66.222 - xomeommdilsq.com
  • 166.78.144.80 - ydchosmhwljjrq.com
  • 185.20.225.124 - g283yr84iri4i.com
  • 62.173.141.42 - ypfptjsuthmaaebx.com
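As an added example (not code from the original post), the following Python script turns the C2 addresses and domains listed above into an indicator set and scans log lines for matches. Because the post notes that domains rotate quickly while IP addresses are reused, it also flags traffic to the /24 netblocks that host the listed IPs; that neighbouring-netblock check is a heuristic added here, not something the post states. The log lines are constructed for the example, not captured traffic.

```python
"""Match DNS/proxy log lines against the Seamless/Ramnit C2 indicators on this page."""
import ipaddress
import re

# Indicators copied from the page (IP -> domain; None where no domain was listed).
C2_INDICATORS = {
    "142.4.204.195": None,
    "34.194.213.50": "aofmfaoc.com",
    "87.106.190.153": None,
    "62.173.141.41": "gssbjwhoose.com",
    "185.118.65.143": "hdyejdn638ir8.com",
    "162.255.119.204": "onaxjbfinflx.com",
    "162.255.119.206": "lwqmgevnftflytvbgs.com",
    "162.255.119.18": "sinjydtrv.com",
    "162.255.119.193": "mrthpcokvjc.com",
    "185.118.66.222": "xomeommdilsq.com",
    "166.78.144.80": "ydchosmhwljjrq.com",
    "185.20.225.124": "g283yr84iri4i.com",
    "62.173.141.42": "ypfptjsuthmaaebx.com",
}
C2_IPS = set(C2_INDICATORS)
C2_DOMAINS = {d for d in C2_INDICATORS.values() if d}

# Heuristic (assumption added here): the post observes that IPs are reused while
# domains rotate, so also watch the /24 netblocks around the listed IPs.
# Tune or drop this for indicators on shared hosting, where it will be noisy.
C2_NETS = {ipaddress.ip_network(ip + "/24", strict=False) for ip in C2_IPS}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def classify_line(line):
    """Return a list of (label, indicator) hits found in one log line."""
    hits = []
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in C2_DOMAINS:
            hits.append(("known-c2-domain", dom.lower()))
    for ip in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
            continue
        if ip in C2_IPS:
            hits.append(("known-c2-ip", ip))
        elif any(addr in net for net in C2_NETS):
            hits.append(("c2-neighbour-net", ip))
    return hits


def scan(lines):
    """Scan many lines; return {line_number: hits} for lines with at least one hit."""
    result = {}
    for n, line in enumerate(lines, 1):
        hits = classify_line(line)
        if hits:
            result[n] = hits
    return result


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2017-07-22T10:01:03 dns query A onaxjbfinflx.com from 10.0.0.5",
    "2017-07-22T10:01:04 proxy 10.0.0.5 -> 162.255.119.204:80 POST /",
    "2017-07-22T10:05:11 dns query A www.example.com from 10.0.0.7",
    "2017-07-22T10:07:40 proxy 10.0.0.9 -> 162.255.119.77:443 CONNECT",
    "2017-07-22T10:09:02 proxy 10.0.0.5 -> 185.118.65.143:80 GET /",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, SAMPLE_LOG[n - 1])
        for label, indicator in hits:
            print("   ", label, indicator)
```

On the sample lines, lines 1, 2 and 5 match listed indicators directly, line 4 is flagged only by the netblock heuristic, and line 3 produces no hit. A real deployment would feed the indicator table from a threat-intel source rather than a literal in the script.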

Malware Correlation





Wednesday, July 12, 2017

Malware dropped by RIG(2017 May-June)

These are the malware samples dropped by RIG that I observed between May and June. If you have additional information, please contact me on Twitter (@nao_sec).

Wednesday, July 5, 2017

Seamless localized to Japan

An article published by malwarebreakdown two days ago was very interesting.
https://malwarebreakdown.com/2017/07/03/seamless-campaign-leads-to-rig-ek-at-188-225-79-43-and-drops-ramnit/

This article supplements it.

---

That excellent article introduced some of the redirect flows and the latter half of the chain. Here I introduce the flow of the first half.

The visitor is first redirected to "194.58.60.51/usa" by a malicious ad. "usa" looks like an ordinary web site; part of the actual code is shown below.



It looks like ordinary code, but it contains an obfuscated section. It decodes as follows.



This looks like Google Analytics code, but it's actually different: it sends a POST request to "usa".



It uses JavaScript to acquire time zone information and send it. If Japanese time zone information is sent at this point, the visitor is redirected to an ordinary website. In the case of the USA, it leads to the next flow.

This is redirecting to "outedward-engrees.com". When you access "outedward-engrees.com", it looks like this.



Please see the malwarebreakdown article after this :)

---

Incidentally, I made an interesting discovery by chance. I investigated "194.58.60.51" on VirusTotal and got this information.


Surprisingly, "japan.php" exists on the same server!

The "japan.php" code is exactly the same as "usa", but you have to set the time zone that is sent to Japan in order to be connected to RigEK.



"usa" was redirected to "signup3.php", but "japan.php" redirects to "signup1.php".

The dropped malware is Ramnit as usual.
https://www.hybrid-analysis.com/sample/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361?environmentId=100
https://virustotal.com/en/file/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361/analysis/1499245648/

---

P.S. Added pcap link:
https://gist.github.com/koike/8f3fcbb2e6906e29155a57d6f87df396


Localization other than Japan may also exist.
If you knew, please let me know ;)