Fast Flux Bot Nets and Fluxer - Part 2

Peter Stephenson, technology editor, SC Magazine

This time we are going to take what we discussed in my last posting and apply it to the Fluxer fast flux botnet. I am indebted to Paul Burbage (https://twitter.com/hexlax) and our friends at PhishMe for the raw samples that enabled our analysis. Because of space constraints I have simplified the analysis considerably. This will show you how we create a campaign profile in STIX. We will look at the STIX top-level view of the Fluxer campaign and then break that view down for you with some details. Figure 1 shows the StixViz display of the Fluxer campaign.

Figure 1: STIX Top Level View of the Fluxer Campaign



This view shows that we have collected indicators, observables, an actor and TTPs. Details are in the XML view. For example, the overall XML picture of the campaign is shown in Figure 2 in a "prettified" format.

Figure 2: Pretty HTML Top Level Fluxer Campaign

We still show the campaign, TTPs, threat actor, observables and indicators, but now we get some more detail. For example, if we opened up the observables bubble in our tree view we would get rather confusing, but still useful, detail. However, when we expand that into an HTML rendition of the XML and then pull that into a spreadsheet, we see very clearly that the observables comprise mutexes, domain names and an IP address. We can expand that further and see what each of the mutexes and other observables actually is, as in the mutex snippet in Figure 3, the IP snippet in Figure 4 and the domain name snippet in Figure 5.

Figure 3: Fluxer Mutex Example From STIX Profile


Figure 4: Fluxer IP Address Example from the STIX profile


Figure 5: Fluxer Domain Name Example from the STIX Profile


You can see that these examples are for command and control servers – C2 – so they are important observables.
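To make the "HTML rendition into a spreadsheet" step concrete, here is an added example (not code from the post, PhishMe or the STIX project): a minimal STIX 1.x / CybOX 2.1 package carrying the three observable kinds the post names (mutex, IP address, domain name), and a small parser that flattens those observables into spreadsheet-style rows keyed by kind. The XML values are constructed placeholders, not the Fluxer indicators shown in the figures.

```python
# Added example, not the post's or PhishMe's code: flatten STIX 1.x observables.
import xml.etree.ElementTree as ET

OBJ = "http://cybox.mitre.org/objects#"
NS = {"stix": "http://stix.mitre.org/stix-1",
      "cybox": "http://cybox.mitre.org/cybox-2",
      "MutexObj": OBJ + "MutexObject-2",
      "AddressObj": OBJ + "AddressObject-2",
      "DomainNameObj": OBJ + "DomainNameObject-1"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: placeholder values (RFC 5737 address, .invalid domain,
# made-up mutex name), not the Fluxer indicators from the post's figures.
SAMPLE_STIX = """<stix:STIX_Package version="1.2" id="example:package-1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:MutexObj="http://cybox.mitre.org/objects#MutexObject-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Observables cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:obs-1"><cybox:Object>
      <cybox:Properties xsi:type="MutexObj:MutexObjectType"><MutexObj:Name>ExampleBotMutex_0001</MutexObj:Name></cybox:Properties>
    </cybox:Object></cybox:Observable>
    <cybox:Observable id="example:obs-2"><cybox:Object>
      <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr"><AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value></cybox:Properties>
    </cybox:Object></cybox:Observable>
    <cybox:Observable id="example:obs-3"><cybox:Object>
      <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN"><DomainNameObj:Value>c2.example.invalid</DomainNameObj:Value></cybox:Properties>
    </cybox:Object></cybox:Observable>
  </stix:Observables>
</stix:STIX_Package>"""

# CybOX object type (the xsi:type value) -> (row kind, element holding the value)
VALUE_PATHS = {
    "MutexObj:MutexObjectType": ("mutex", "MutexObj:Name"),
    "AddressObj:AddressObjectType": ("ip", "AddressObj:Address_Value"),
    "DomainNameObj:DomainNameObjectType": ("domain", "DomainNameObj:Value"),
}

def extract_observables(xml_text):
    """Flatten every cybox:Observable into an {id, kind, value} row."""
    root = ET.fromstring(xml_text)
    rows = []
    for obs in root.iterfind("stix:Observables/cybox:Observable", NS):
        props = obs.find("cybox:Object/cybox:Properties", NS)
        if props is None:  # e.g. an Observable_Composition; skipped here
            continue
        kind, path = VALUE_PATHS.get(props.get(XSI_TYPE), ("unknown", None))
        value = props.findtext(path, default="", namespaces=NS) if path else ""
        rows.append({"id": obs.get("id"), "kind": kind, "value": value.strip()})
    return rows
```

Writing `rows` out with `csv.DictWriter` gives the same per-kind table the post builds by hand in a spreadsheet; unknown object types land in an "unknown" row rather than being silently dropped.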

TTPs are equally important. In this case we have four TTPs: HTTP Requests, Execution Step 1, Execution Step 2 and reverse shell. We have simplified this but, as you can see if you dig a bit into Paul Burbage's blog (PhishMe) from 4 February 2016, there is a lot more detail to be had. Figure 6 shows one of the TTPs.

Figure 6: TTP - Fluxer Execution Step 2


If we expand the entire profile, then, we have a very complete description of the Fluxer campaign, complete with indicators that we can use to configure defensive tools. Some tools, as I have pointed out before, consume – or soon will – STIX data directly. We could add some additional detail by looking at the actor, Tahoma. That information needs to be extracted using other tools such as the Tor browser. In this case we might go to the Russian cybercrime forum exploit.in as shown in Figure 7. The trouble with that is that we would need to be a member of the site in order to search. That is a topic for a future posting.

Figure 7: Russian Cybercrime Forum exploit.in - Sometimes Home of the Hacker Tahoma


This should give you an idea about using STIX to characterize a campaign. While the example is, of necessity, truncated, it will give you a good start, and there are resources available for collecting the raw data you need to characterize just about any campaign you want to. Fair warning, though: all of the raw data you need will not be in one place. As you search for the bits that will go together, focus on what is important to you. If you are an analyst and you want to collect a portfolio of background information – as I do – on TTPs, actors and observables, you'll select one type of resource. If you are involved directly in the defense of your enterprise, you'll select other sources, probably focusing more on TTPs and observables.

That closes up this Threat Hunter posting.  Next time, a new threat.

Here is your Malware Domain List for this week.

So… until next time….

--Dr.S

If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – technical, interesting and definitely on target.
