Ransomware - Part 2
Dr. Peter Stephenson
Welcome back to ransomware. This time we are focusing on TeslaCrypt 3.0 with the .mp3 extension. Files encrypted - for example .docx files - will show as document.docx.mp3. I started with a sample from our friends at PhishMe. I took the pcap from them and stuck it into Network Miner. Network Miner is my workhorse for quick and dirty pcap analysis. I use the free version but it, of course, has some limitations such as the size of the pcap that it will accept. They have a paid version, however. If Network Miner shows me something of interest I put the pcap into Wire Shark and do a deeper dive.
In this case we see a conversation between hpareyouhereqq.com and the cuckoo sandbox. The screen shot of that is in Figure 1.
Figure 1 - Network Miner view of pcap from PhishMe
I ran the domain name through OpenDNS Investigate and found four IP blocks associated with it:
That almost was consistent with the IP that Network Miner found: 220.127.116.11. Investigate tells us that it is part of the 18.104.22.168/22 net block. That includes 22.214.171.124 - 126.96.36.199 so our address is right in the middle of the block. I found that it hosted 90 domains, one of which was claimed to be malicious (malware) but we now know that at least one other - the one we started digging into - also serves up malware. If you wanted to - and it might be worth it to see what domains you should block - you could walk through each of the 90 domains to see which ones serve up malware. In my view it would be a good idea to block all of the .pw domains unless you have a particular reason not to.
So, a bit more digging to see what else I could find. Investigate gives you a wealth of information. First, the registrar of this domain claims to be in Germany although the address for the domain is in New Zealand. The IP, however, is hosted in Poland. Second, there are two name servers associated with it: ns1.lunchcope.pw and ns1.photohussy.pw. The pw domain - sometimes called the "professional web" is Palau. This registrar will sell domains to anyone, no questions asked. As a result it is a favorite of phishers. These two name servers each have a total of 21 domains associated with them of which 20 are malicious. Investigate thought this domain might be fast flux.
One of the known malware sites associated with our address is 91a196b50c241.greendata.pl. Running that through Investigate gives us some interesting information. This one has two different name servers: dns2.logout.pl and dns1.logout.pl. These are in Poland and so is the technical contact address. Does that mean that there are a bunch of bad guys who use this network for hosting malware? Maybe and maybe not. One of the challenges of attribution is the problem of redirects. The bad guy sets up a bunch of domains in different countries hosted by different ISPs and bounces around the, When you try to trace you can get tangled in an endless loop that brings you back to where you started. Fortunately there are some techniques that might help you out of the loop and we'll look at them in the future. Checking the name servers we find that they are not known to host malicious domains. So that leaves us with the original domain, its IP and what fell out of that. The data also suggests that our bad guy is in Poland, but let's not jump to conclusions just yet.
To learn a bit more, let's move on to another tool in the threat hunter's tool box. Actually, this is two tools, one free and the other commercial. The free one - although there is a paid version - is Maltego. I use the free community edition. The second is not free: Silobreaker. I have mentioned them in the past. They now have a set of Maltego transforms that connect Maltego to their huge database. I took our address and ran it through Maltego using the Silobreaker Malware transform. Lots of malware is associated with this address. Silobreaker is open source so using Google and other search tools you can get to the same conclusion. It just will take a bit longer and be more tedious.
The IP is associated with:
· AceDeceiver (iOS malware)
· EDA2 Ransomware
· Buhtrap Malware (targets Russian financial workers)
· Olympic Vision (keylogger spread by email)
· KeRanger Ransomware
Figure 2 shows the Maltego graph.
Figure 2 - Maltego/Silobreaker Graph Showing Malware Associated with 188.8.131.52
When we run the transform for related entities we get some interesting responses. Not all related entities are bad, of course. Some are victims that showed up in the media associated with the address. However, some that might bear looking into are:
· PKK Kurdistan Workers' Party
· IS Islamic State
· BJP Bharatiya Janata Party
· ANC African National Congress Party
Running the vulnerability transform we get a list of vulnerabilities known to be exploited by our IP. Knowing this is useful for ensuring that you are patched against these.
· Shellshock Bash Bug CVE-2014-6271
· Stagefright Bug
· Glibc Exploit (CVE-2015-7547)
· Stagefright 2.0
· LogJam CVE-2015-4000
· Heartbleed Bug CVE-2014-0160
Continuing, I found another address with which the malware was communicating: 184.108.40.206 that hosted eleven malicious domains including surrogacyandadoption.com. This domain was specifically the one our malware was communicating with. Running it through Investigate showed that it particularly is associated with TeslaCrypt. The registrant is Domains by Proxy, making it difficult to determine the owner.
That's it for this time... We've covered a good threat hunt given, essentially, a couple of IP addresses that we were able to extract quickly from a pcap. Next time we'll dive into TeslaCrypt's behavior. Now, here are you malware domains for this week.
Figure 3 - New Malware Domains for the Week
(Please click on the image below to see the complete file)
So… until next time….
If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – focused on technical, all interesting stories and definitely on target.