Dr. Peter Stephenson
Digging through blogs by other researchers I fund that the folks at Talos found a full command and control structure set up by a registrant named john[.]bruggink@yahoo[.]co[.]uk. I took that as a starting point (as they did) and did some digging. Talos ties this registrant to Angler, the Lurk banking Trojan and the Necurs botnet. Necurs distributes Dridex and Locky. While Necurs was supposed to be dead, we have found that announcements of its death may be premature.
Back around the start of 2016 there was a huge resurgence of Dridex delivered in spam emails. Then, after the Lurk crowd was arrested in Russia, things slowed a bit. Necurs began to re-enter the scene and with it Locky and Dridex. Dridex in a banking Trojan usually delivered via spam. It can be carried in an XML file embedded in a document of some sort. There are some good analyses of the malware. One that addresses the "old" version can be found here and analysis of the newer version can be seen here along with its predecessors. Another recent discussion is in a paper by buguroo.
Trend Micro has looked at the newest release in June of this year. I'd like to call your attention particularly to the appendix of their report which contains the IOCs associated with the latest campaign. Of course some of those may have changed. The appendix is here. Let's use that as a starting point to track this malware down.
We started with the first IP in the appendix: 22.214.171.124. The network owner is ASN-TELSTRA Telstra Pty Ltd, AU and the IP resolves to had1579309.lnk.telstra.net. The IP is associated with malware and the hash given, 0be18e930d16937c511533e28c26d55365c45a85, does not match any in the report. It does analyze as Dridex, however. Our sample - taken within the past month - is a08e252320256b6d7d2fc90acfd0954a and it reverses to Dridex as well so we'll stick that in a cuckoo sandbox and see what we get.
First, we see that there are two hosts associated with our sample: 126.96.36.199 and 188.8.131.52. 184.108.40.206 is being tracked by the Feodo Tracker (https://feodotracker.abuse.ch/). Feodo is a banking Trojan also known as cridex or bugat. It does not resolve so we can assume that it is not in the DNS. However, we do know that it uses a name server in Italy. It was most recently reported by Feodo Tracker on the 10th of July so we can hypothesize that it is active. Feodo uses its own botnet and has been known to use Necurs. Submitting this IP to the AlienVault OTX we get a huge (1,385) number of IOCs. The report is a little more than two months old - in May of this year - so it likely refers to the current version - likely our sample. All of the 1,385 IOCs here are IPv4 addresses - these are most likely spam addresses so they should go into your block list.
Checking 220.127.116.11, and that, not surprisingly, has been reported by malwr.com as malicious. However, the most current report is in January of this year. That suggests that the Dridex gang is using the same delivery channels as previously used in its current incarnation. The delivery method still largely is spam but now files other that MS documents are used as carriers. However, there is a bit more information on this one. This IP hosts a number of domains.
While many of these domains are not, themselves, malicious, they host large numbers of sites that themselves are mostly malicious. Block these domains. Both IPs are referenced in the code of our sample.
Continuing with the analysis of our sample, we see two http requests. These are domains that the malware goes to for payload. That is shown in Figure 1.
Figure 1 - http Requests from our Sample
If we look at www.download.windowsupdate.com in OpenDNS Investigate we find that it is very active. See Figure 2.
Figure 2 - OpenDNS Investigate View of www.download.windowsupdate.com
If we put this URL into CyMon we see that it hosts a very large number of domains - 1,250 to be exact - and many if not most are malicious and the analysis in CyMon and VirusTotal shows that they serve Trojan downloaders, often Dridex or Cridex depending upon how the AV tool names malware. As you can see from Figure 3 many of these addresses are quite current. When we checked these in our sinkhole we found that only one appeared in our blacklists.
Figure 3 - A Few of the IPs associated with www.download.windowsupdate.com
Our sample drops four files:
Figure 4 shows the analysis.
Figure 4 - Files Dropped by Our Sample
These files likely are not in themselves malicious except 94308059B57B3142E455B38A6EB92015 which shows up in the sandbox as a malicious cab file. Obviously you will want to put www.download.windowsupdate.com in your blocklist.
Returning to Necurs, we revisited vvslmanaelrws.de in Investigate - you'll recall that we addressed that in an earlier blog - and we found that it still is active but at a very small level; not enough to be concerned about. So we dug a bit deeper with the help of the OTX. We found that, even though the pulse report is only 27 days old (at the time of this blog) the IOCs mostly were inactive suggesting that the bot masters have changed the infrastructure, not uncommon at all. Additional details can be found at the Proofpoint site: https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-returns-with-updated-locky-ransomware-in-tow. As a sanity check we tracked down one of the reported domains, sonuh5glplozcs2m.tor2web.org. That turns out to be a Locky payment portal and is hosted on Tor. The URL includes a proxy - Tor2Web - that takes you to the payment portal which actually is sonuh5glplozcs2m.onion. The landing page is shown in Figure 5.
Figure 5 - Tor2Web Landing Page for Locky Payment Portal
Looking at 18.104.22.168 in Investigate we see that it hosts several versions of Locky. According to Proofpoint this is a hard-coded C&C for Locky. One of the hashes for malware observed at this address is an application called LoadMoney. This is an adware Trojan that leads, presumably, to a Russian site, loadmoney.ru. This site offers a "partnership" where you can add their URL to your site. When users click on it, your site downloads a toolbar onto the visitor's browser. This toolbar can be anything from simple adware to a malware dropper. A good description can be found at the Dr.Web site, http://vms.drweb.com/virus/?_is=1&i=4210171. Figure 6 shows the Russian site.
Figure 6 - Russian LoadMoney site
A visit to ThreatCrowd gives us a starting point for compiling a blocklist for Dridex, Necurs and Locky (https://www.threatcrowd.org/ip.php?ip=22.214.171.124). As you can see in Figure 7, ThreatCrowd shows a map of reported connections involving 126.96.36.199.
Figure 7 - Reported Connections Involving 188.8.131.52, Courtesy of ThreatCrowd.
I'm not going into tracking these down - I leave that to you. Suffice it to say that we've got a very good starting point for building a comprehensive blocklist for Dridex, Locky and the Necurs bot net. Now here is your malicious domain list for the past week.
Figure 8 - Malicious Domain List
So… until next time….
If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – focused on the technical, all interesting stories and definitely on target.