As I pointed out last time I had the benefit of working with two malware samples, one from our friends at PhishMe and one from the quarantine at Logix Federal Credit Union. We'll start with the one from Logix. We were fortunate enough to extract the executable and the MD5 is 8038c81f2ed467bbee0a006c144a9cc0. This particular sample was seen in the following files:
We observed it attempting to contact several domains associated with 18.104.22.168 and 22.214.171.124. Many, such as kjsdfuo9ndskj4.flueymari.com, may have been created using a domain generation algorithm - DGA. This often - but not always - indicates that the domain is part of a fast flux network. That is interesting because this is one of the domains that the victim is supposed to go to for instructions - "your personal home page". That suggests that rather than being a fast flux it might simply be a domain that is generated on the fly as the malware takes over. When we tried to identify the IP we got nothing - "host doesn't exist".
A little more digging though using Sam Spade ( a suite of IP-related tools - Google sam spade version 1.14 since it is not being supported anymore) we find that the domain has two name servers, DNS1.CHOUSCARR.IN and DNS2.CHOUSCARR.IN. Further inspection, using dig with one of these name servers as the DNS gives us a primary name server of a.gtld-servers.net.
Now we start seeing some curious anomalies. flueymari.com is registered in New South Wales and the registrant is Lillian Goodchap. The email address is email@example.com. Checking on this email address we get circled back to flueymari.com. Considering that this might be on the TOR network - after all, the total URL was, we go to our TOR browser and try to connect. No luck. Taking the entire URL we still get nothing. Probably the site has come and gone, typical for this type of site.
So what good is all of this to either our threat hunting or protecting our network? We actually have a lot of information available to us. Let's start with a threat hunt. To do that we need such things as MD5 hashes, filenames and domain names. The domain names are the easy ones. After our analysis we have a whole fist full of domains that we can search our logs for. If you have a SIEM that will be one easy way to do that. If you are running a next generation tool such as Packetsled or Protectwise you can use that as well. What this will give you is who in your organization connected to the domain and when.
To make the best use of MD5 and filenames you need a bit more horsepower, especially on a large enterprise. I won't go into a lot of detail - however, a free tool such as FireEye/Mandiant RedLine can be a big help. Any tool that will look for indicators of compromise (IOC) will work, though. The MD5 and the filename are IOCs as are the IPs, Domains and URLs. The trick is to tie all of the pieces together so that you will know what you are seeking and then figure out what tools you'll need for the hunt. In future blogs we'll go through a bunch of threat hunting tools in much the same way we do reviews but with more threat hunting focus.
To be proactive, you can do a lot of things. First, there are lots of good articles on the Web that can give you hints about preventing malware/ransomware in general and TeslaCrypt in particular. Also, you need good, multi-generation backups (multi-generation so that you won't simply restore the infection along with the encrypted files). Blocking domains can help but most of the domains you see as indicators are transient. However, go to the AlienVault OTX and read about the malware. There you will find collections of indicators. Don't bother blocking addresses. They are even more transient than the domains.
You can, though, do a bit of blocking of domains effectively. First, go through all of the domains and URLs in the IOCs from the OTX. Some are going to stay around longer than the others and some just are the domains on TOR where you go to get "rescued". Those aren't much use. If a domain actually will resolve using public DNS it is worth examining. Remember, you are blocking outbound. That prevents malware from phoning home and it prevents your users clicking on something or going somewhere they shouldn't. But, unfortunately, there are some trusted sites that are as dangerous as untrusted ones due to the proliferation of adware.
Next time we'll look at Locky. However, unfortunately I must leave you with bad news relative to TeslaCrypt. TeslaCrypt 3.0.1, occasionally referred to as 4.0, has some major changes. The most visible is that it does not add an easily identifiable file extension to encrypted files.
Now, here are you malware domains this week.
Figure 1 - Malicious Domains for the Week Ending 5 April 2016
To view the complete chart please click here or the image above.
So… until next time….
If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – focused on the technical, all interesting stories and definitely on target.