There have been quite a few reports by researchers over the past week or so that the Necurs botnet and the Angler exploit kit are dead and buried. That certainly would be nice given that these two are a couple of the most damaging malware/delivery systems around. But don’t hold your breath and don’t get rid of your Angler signatures just yet. While it certainly is true that activity went way down around the 8th of this month there is plenty of mischief to go around… more than one would expect from the corpses of Angler and Necurs. But, after all, we seem to be in the age of the Zombie Apocalypse so perhaps this is not so surprising. Let’s dig into the evidence.
Some great work on this has been (and is being) done by Kafeine from MalwareDontNeedCoffee. I am right with him when he quotes Jane Austen: “If a book is well written, I always find it too short.” So let’s dig a bit into the “book”. I used a slightly different approach from that taken by Kafeine. I manually searched out locations that were reported to be sources/C&Cs for Angler and Necurs. Then I looked at the activity levels from those locations. What I found is that, yes, there is a significant reduction in activity, but there still is some. Is it residual activity? Time and more ongoing research will tell us.
A clue to what’s going on is that prices for “competing” malware and botnets have skyrocketed since the 8th of the month, reputed to be the time of death. While that strictly is a hypothesis at the moment, it would explain several things, such as why the activity level has shifted rather than stopping as it did during the last “vacation”. Another clue comes from Proofpoint, the outfit that twigged to this initially and published its findings. Its researchers point out that “Data from a variety of sources show that Necurs bots are actively looking for a new command and control (C&C) system, but we have no evidence that the Necurs botmaster has been able to retake control of the botnet.”
I started with the AlienVault OTX to see what indicators had been shared by the community. From the outset I should be clear that what I am seeing is just a tiny bit of what was happening prior to the 8th. However, there may be some clues for us as threat hunters. A simple search in OTX for “Angler” brought us a fairly recent pulse (Sunday the 12th) and from that I took a random indicator: hiapi.t1arealize.top, which resolves to 126.96.36.199. While that is listed by OpenDNS Investigate as malware, it does not specifically say Angler. A little more digging and we got to that, however.
Our next stop was Maltego. Again, I entered “Angler” and let the link analyzer find relationships for me. This was more fruitful. I got a handful of hashes and started to work through them. While they were interesting – more on that shortly – I needed something more definitive as a starting point. Next stop was mirror1 of malwaredomains.com (https://mirror1.malwaredomains.com/files/domains.txt). A quick search on that gave me a good chunk of domains that were specifically attributed to Angler so I started through those. Here’s the list:
Picking one at random I selected adsgo.com and put it into Investigate. Bingo! It is specifically associated with Angler and has shown a small level of activity – averaging 100 DNS queries per hour with peaks of around 200. Not a barn burner but the level of activity was consistent from at least 18 May through 13 June. No appreciable fall-off so this site is feeding Angler at a consistent rate, pretty much without interruption.
Figure 1 – adsgo.com Activity
Next I started looking for a site that showed an uptick around the 8th. Using the same list I tried several and noticed that agisupport.com looked promising. This site had been relatively quiet until the 10th, when it had a spike of activity – 400+ DNS queries per hour – that started abruptly and ended abruptly on the 12th.
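The two steps just described – pulling the Angler-attributed entries out of the malwaredomains.com domains.txt feed, then looking at a domain’s hourly DNS query counts for a burst that starts and stops abruptly – can be scripted. The following is an added example written for this column, not code from the post, from Kafeine, or from any of the tools named here. The domains.txt column order (nextvalidation, domain, type, reference, date) is assumed from that file’s header comment, the reference values and the phishing entry in the sample are placeholders, and the hourly counts are constructed to resemble the agisupport.com pattern rather than taken from Investigate.

```python
from datetime import datetime, timedelta
from statistics import median
from typing import List, Tuple

# Constructed sample in the tab-separated layout of malwaredomains.com's
# domains.txt. The column order (nextvalidation, domain, type, reference,
# date) is assumed from that file's header comment; the reference values
# and the phishing entry are placeholders, not data from the feed.
SAMPLE_DOMAINS_TXT = """\
## Columns (tab-separated): nextvalidation domain type original_reference dateverified
\t\tadsgo.com\tangler\tplaceholder-ref\t20160610
\t\tagisupport.com\tangler\tplaceholder-ref\t20160612
\t\tvvslmanaelrws.de\tnecurs\tplaceholder-ref\t20160606
\t\tnot-angler.invalid\tphishing\tplaceholder-ref\t20160601
"""


def parse_domains_txt(text: str) -> List[Tuple[str, str]]:
    """Return (domain, type) pairs from domains.txt, skipping '##' comments.

    The nextvalidation column is usually blank, so lines begin with tabs;
    the first two non-empty fields are taken as domain and type.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t") if f.strip()]
        if len(fields) >= 2:
            entries.append((fields[0].lower(), fields[1].lower()))
    return entries


def filter_family(entries: List[Tuple[str, str]], family: str) -> List[str]:
    """Domains whose type field names the given malware family."""
    return [d for d, kind in entries if kind == family.lower()]


def find_bursts(counts: List[int], factor: float = 5.0, floor: int = 100) -> List[Tuple[int, int, int]]:
    """Locate abrupt bursts in an hourly query-count series.

    Baseline is the median of the whole series (so a burst must cover less
    than half the window); an hour is 'hot' when it exceeds both
    factor * baseline and the absolute floor. Returns (start_index,
    end_index_inclusive, peak_count) for each run of consecutive hot hours.
    """
    if not counts:
        return []
    threshold = max(median(counts) * factor, float(floor))
    bursts, start, peak = [], None, 0
    for i, c in enumerate(counts + [0]):  # trailing 0 closes an open run
        if c > threshold:
            if start is None:
                start, peak = i, c
            else:
                peak = max(peak, c)
        elif start is not None:
            bursts.append((start, i - 1, peak))
            start = None
    return bursts


WINDOW_START = datetime(2016, 6, 8)  # constructed window: 8 June 00:00 to 12 June 23:00


def burst_window(start: datetime, burst: Tuple[int, int, int]) -> Tuple[datetime, datetime]:
    """Translate burst indices back into wall-clock hours."""
    first, last, _ = burst
    return start + timedelta(hours=first), start + timedelta(hours=last)


def constructed_hourly_counts() -> List[int]:
    """Made-up hourly DNS query counts shaped like the agisupport.com pattern
    in the text: a quiet baseline, then a 48-hour burst of 400+ queries per
    hour that starts and stops abruptly."""
    counts = []
    for h in range(120):
        if 50 <= h <= 97:
            counts.append(400 + (h % 7) * 10)
        else:
            counts.append(18 + (h % 5) * 2)
    return counts


if __name__ == "__main__":
    angler = filter_family(parse_domains_txt(SAMPLE_DOMAINS_TXT), "angler")
    print("Angler-attributed domains:", angler)
    for b in find_bursts(constructed_hourly_counts()):
        first, last = burst_window(WINDOW_START, b)
        print(f"burst {first:%d %b %H:%M} to {last:%d %b %H:%M}, peak {b[2]} queries/hour")
```

The median baseline is deliberately crude: it works for a short, mostly quiet window like the one in the text, but for a domain such as adsgo.com that runs at a steady 100 queries per hour the same logic correctly reports no burst, which is the distinction the two figures above are drawing.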
Figure 2 – agisupport.com Activity
Next I took agisupport.com and plugged it into ThreatCrowd (https://www.threatcrowd.org) to see what if anything connected to it.
Figure 3 – agisupport.com in ThreatCrowd Showing Link Analysis
As you can see from the link analysis, the domain resolves to 188.8.131.52. Also on the ThreatCrowd analysis you’ll find a very useful Pastebin link (https://pastebin.com/vk42J7k1) that lists a lot of malicious sites that the writer claims are landing pages that send email to Angler, most likely making them Angler gateways. There are a lot of domains here for you to chase down and, at the very least, to make sure that they are in your blocklists.
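Putting those domains into a blocklist is only half the job; the other half is checking whether anything inside your own network has already asked for them. The following added example (written for this column, not code from the post or from ThreatCrowd, OpenDNS or Pastebin) runs a blocklist built from the domains named above over resolver logs. The log format is a made-up key=value layout, the client addresses and timestamps are constructed, and the adsgo.com answer address is a documentation-range placeholder because the text gives no IP for it; the other two answer addresses are the ones quoted in the text. Registered parent domains are listed so that a subdomain such as hiapi.t1arealize.top still matches.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Blocklist of registered domains drawn from the text. Listing the parent
# domain makes every subdomain match as well.
BLOCKLIST = {"adsgo.com", "agisupport.com", "t1arealize.top"}

# Constructed resolver log in a made-up key=value format. Client addresses,
# timestamps and the 203.0.113.10 answer are invented for the example.
SAMPLE_RESOLVER_LOG = """\
2016-06-10T09:14:02Z client=10.20.1.15 q=www.example.com type=A rcode=NOERROR answer=203.0.113.1
2016-06-10T09:15:40Z client=10.20.1.15 q=agisupport.com type=A rcode=NOERROR answer=188.8.131.52
2016-06-10T09:15:41Z client=10.20.1.15 q=hiapi.t1arealize.top type=A rcode=NOERROR answer=126.96.36.199
2016-06-10T09:16:05Z client=10.20.3.77 q=adsgo.com type=A rcode=NOERROR answer=203.0.113.10
2016-06-10T09:17:30Z client=10.20.3.77 q=updates.example.net type=A rcode=NXDOMAIN answer=-
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) "
    r"type=(?P<qtype>\S+) rcode=(?P<rcode>\S+) answer=(?P<answer>\S+)$"
)


def matches_blocklist(qname: str, blocklist: Iterable[str]) -> Optional[str]:
    """Return the blocklist entry covering qname: the name itself or any
    parent domain. The bare TLD is never tested, so a list entry of 'top'
    would not match everything under it."""
    blocked = set(blocklist)
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def hunt(log_text: str, blocklist: Iterable[str]) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Map each client to the (timestamp, qname, matched entry, answer)
    hits it produced. Malformed lines are skipped rather than fatal, since
    real resolver logs always contain some."""
    hits: Dict[str, List[Tuple[str, str, str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = matches_blocklist(m["qname"], blocklist)
        if entry:
            hits[m["client"]].append((m["ts"], m["qname"], entry, m["answer"]))
    return dict(hits)


def resolved_addresses(hits: Dict[str, List[Tuple[str, str, str, str]]]) -> Set[str]:
    """Addresses the blocked names actually resolved to, which are the
    next thing to block at the perimeter and pivot on in passive DNS."""
    return {answer for rows in hits.values() for _, _, _, answer in rows if answer != "-"}


if __name__ == "__main__":
    found = hunt(SAMPLE_RESOLVER_LOG, BLOCKLIST)
    for client, rows in found.items():
        for ts, qname, entry, answer in rows:
            print(f"{ts} {client} asked for {qname} (listed as {entry}) -> {answer}")
    print("addresses to block:", sorted(resolved_addresses(found)))
```

The parent-domain walk is what makes the OTX indicator above useful as a rule rather than a one-off: blocking t1arealize.top catches hiapi.t1arealize.top and whatever other host labels the operator rotates through, whereas an exact-match list would need updating for each one.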
I think that we can conclude that Angler is not completely dead. So on to the Necurs botnet. It is true that a couple of other botnets have stepped up to fill the void left by Necurs. There is a wrinkle here, though… the price for using these other botnets has skyrocketed. It makes one think of supply controls in legitimate industries. Again, this is just a hypothesis that remains to be disproved.
I started on the Necurs piece of this hunt by going back to malwaredomains.com. I selected the most recent report of Necurs - vvslmanaelrws.de - and entered it into Investigate. Investigate confirmed a botnet. Bambenek Consulting on its master feed of known, active and non-sinkholed C&C domains confirms that it is a Necurs botnet. Looking at Investigate, we see that the domain was updated on 6 June and it shows no particular activity prior to that date although Investigate tells us that from 26 May it has been tagged as a botnet domain. It is very active from the 8th to the 11th, starting and stopping abruptly. Activity is between about 1,500 and 4,200 DNS queries per hour at OpenDNS.
Figure 4 – vvslmanaelrws.de Activity
However, checking on the 14th I found that a new host was up: jousaviineypoip.pw, which resolves to 184.108.40.206. There is no obvious connection between these two hosts – they’re in different ASNs, as one would expect. Also, neither one of these has been sinkholed that I know of. But the point, of course, is that we seem to have a pattern of hosts going offline and new ones popping up to take their places… not an unusual situation… in fact, pretty much business as usual. Interestingly, on the 14th – when this one appeared – there were over 4,000 DNS queries per hour to OpenDNS. For a dead botnet that’s pretty lively, or so it would seem. But let’s take a little closer look at what may really be happening.
An nmap scan of this IP tells us that it is up and running but fails to identify any open ports that are not filtered. Very well… so what? Well, according to Bambenek we’re looking at a C&C server. This is the server that the bots try to contact to get instructions from the bot herder. It’s up and running but it’s not responding. We know that there are a lot of DNS requests but we don’t know if they are going unanswered. If we take both of these example hosts together, we have a host that is doing a moderate business and then it goes dark. Almost immediately, another one pops up and starts getting DNS queries about it. It begins to appear that the botnet still is up but has gone inactive. Why? At the moment we don’t know but there has been some speculation, both in the press and by credible researchers.
One possibility is a price war among bot herders of competing botnets – Necurs and Nuclear, for example. We know that Necurs was known for spreading spam and that is a pretty lucrative business so it is not likely that Necurs’ bot herder(s) just decided to pack it in one day because they’d made enough money. And, if the C&C infrastructure still is in place, should we look for it to return?
We also know that Necurs was beginning to spread ransomware. That is really profitable if the hit rate is high enough. So now other botnets have picked up that slack as well. Finally, there has been speculation that a huge Russian raid on the bunch that brought us the Lurk Trojan may have silenced the Necurs botnet that was known to spread that malware. Russia, of course, denies that, but it certainly is a reasonable outlier.
When we look at Necurs, though, we see that it is associated with lots of different malware. Maltego, doing a link analysis on the Necurs botnet, shows associations with ransomware, malspam, rootkits, SQL injection, Dyreza, Conficker, Lurk and Neutrino, to name a few. These still are around – even Angler to some degree, as we saw – so not all of the slack is being picked up by other botnets, it would seem.
The bottom line? Kafeine, and the several others who have jumped on the bandwagon (most are still sitting around scratching their heads), are absolutely right: the last chapter in this book has not been written. If you’re a threat hunting researcher, this is about as good as it gets… lots of questions but few – at the moment – answers. Just what we need to keep our interest.
Here are your malicious domains for this week.
Figure 5 – Malicious Domain List
So… until next time….
If you use Flipboard, you can find my pages at https://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – focused on the technical, all interesting stories and definitely on target.