This time we are going to take what we discussed in my last posting and apply it to the Fluxer fast-flux botnet. I am indebted to Paul Burbage (https://twitter.com/hexlax) and our friends at PhishMe for the raw samples that made this analysis possible. Because of space constraints I have simplified the analysis considerably. This will show you how we create a campaign profile in STIX. We will look at the STIX top-level view of the Fluxer campaign and then break that view down with some details. Figure 1 shows the StixViz display of the Fluxer campaign.
Figure 1: STIX Top Level View of the Fluxer Campaign
This view shows that we have collected indicators, observables, an actor and TTPs. The details are in the XML view. For example, the overall XML picture of the campaign is shown in Figure 2 in a "prettified" format.
Figure 2: Pretty HTML Top Level Fluxer Campaign
We still show the campaign, TTPs, threat actor, observables and indicators, but now we get some more detail. For example, if we opened up the observables bubble in our tree view we would get a rather confusing, but still useful, level of detail. However, when we expand that into an HTML rendition of the XML and then pull it into a spreadsheet, we see very clearly that the observables comprise mutexes, domain names and an IP address. We can expand that further and see what each of the mutexes and other observables actually is, as in the mutex snippet in Figure 3, the IP snippet in Figure 4 and the domain name snippet in Figure 5.
Figure 3: Fluxer Mutex Example From STIX Profile
Figure 4: Fluxer IP Address Example from the STIX profile
Figure 5: Fluxer Domain Name Example from the STIX Profile
You can see that these examples are for command and control servers – C2 – so they are important observables.
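To make the observables step concrete, here is an added example (my own code, not from the original post or from PhishMe) that builds a minimal STIX 1.1.1 package holding the same three CybOX object types the Fluxer profile uses, mutex, domain name and IPv4 address, and then groups the values by object type the way the spreadsheet view does. The mutex names, domains and IP address are constructed placeholders, not the real Fluxer indicators.

```python
import xml.etree.ElementTree as ET

# Namespaces for a STIX 1.1.1 package carrying CybOX 2.1 observables.
NS = {"stix": "http://stix.mitre.org/stix-1", "cybox": "http://cybox.mitre.org/cybox-2",
      "MutexObj": "http://cybox.mitre.org/objects#MutexObject-2",
      "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)  # Clark-notation tag for ElementTree

# Constructed sample observables; these are NOT the real Fluxer IoCs from the post.
SAMPLE = [("mutex", "Global\\example-mutex-1"), ("mutex", "Global\\example-mutex-2"),
          ("domain", "c2-example.invalid"), ("domain", "flux-example.invalid"),
          ("ipv4", "192.0.2.10")]

def build_package(observables):
    """Serialise (kind, value) pairs as a STIX 1.1.1 package and return the XML text."""
    pkg = ET.Element(q("stix", "STIX_Package"), {"id": "example:Package-1", "version": "1.1.1"})
    obs_root = ET.SubElement(pkg, q("stix", "Observables"),
                             {"cybox_major_version": "2", "cybox_minor_version": "1"})
    for n, (kind, value) in enumerate(observables, 1):
        obs = ET.SubElement(obs_root, q("cybox", "Observable"), {"id": "example:Observable-%d" % n})
        obj = ET.SubElement(obs, q("cybox", "Object"), {"id": "example:Object-%d" % n})
        props = ET.SubElement(obj, q("cybox", "Properties"))
        if kind == "mutex":
            props.set(q("xsi", "type"), "MutexObj:MutexObjectType")
            ET.SubElement(props, q("MutexObj", "Name")).text = value
        elif kind == "domain":
            props.set(q("xsi", "type"), "DomainNameObj:DomainNameObjectType")
            props.set("type", "FQDN")
            ET.SubElement(props, q("DomainNameObj", "Value")).text = value
        elif kind == "ipv4":
            props.set(q("xsi", "type"), "AddressObj:AddressObjectType")
            props.set("category", "ipv4-addr")
            ET.SubElement(props, q("AddressObj", "Address_Value")).text = value
    return ET.tostring(pkg, encoding="unicode")

def summarise(xml_text):
    """Group observable values by CybOX object type, like the spreadsheet view of the profile."""
    root = ET.fromstring(xml_text)
    out = {}
    for props in root.iter(q("cybox", "Properties")):
        # xsi:type looks like "MutexObj:MutexObjectType"; keep just "Mutex".
        kind = props.get(q("xsi", "type")).split(":")[-1].replace("ObjectType", "")
        out.setdefault(kind, []).extend(child.text for child in props)
    return out
```

Running `summarise(build_package(SAMPLE))` gives one row per object type, which is the view that makes it obvious a profile consists of mutexes, domain names and an IP address.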
TTPs are equally important. In this case we have 4 TTPs: HTTP Requests, Execution Step 1, Execution Step 2 and reverse shell. We have simplified this but, as you can see if you dig a bit into Paul Burbage's blog (Phishme) from 4 February 2016, there is a lot more detail to be had. Figure 6 shows one of the TTPs.
Figure 6: TTP - Fluxer Execution Step 2
If we expand the entire profile, then, we have a very complete description of the Fluxer campaign, complete with indicators that we can use to configure defensive tools. Some tools, as I have pointed out before, consume STIX data directly, or soon will. We could add some additional detail by looking at the actor, Tahoma. That information needs to be extracted using other tools such as the Tor browser. In this case we might go to the Russian cybercrime forum exploit.in as shown in Figure 7. The trouble with that is that we would need to be a member of the site in order to search. That is a topic for a future posting.
Figure 7: Russian Cybercrime Forum exploit.in - Sometimes Home of the Hacker Tahoma
This should give you an idea about using STIX to characterize a campaign. While the example is, of necessity, truncated, it will give you a good start and there are resources available for collecting the raw data you need to characterize just about any campaign you want to. Fair warning, though: all of the raw data you need will not be in one place. As you search for the bits that will go together, focus on what is important to you. If you are an analyst and you want to collect a portfolio of background information – as I do – on TTPs, actors and observables you'll select one type of resource. If you are involved directly in the defense of your enterprise you'll select other sources, probably focusing more on TTPs and observables.
That closes up this Threat Hunter posting. Next time, a new threat.
Here is your Malware Domain List for this week.
Malware Domain Updates
If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – focused on technical, all interesting stories and definitely on target.