Go Hunt for Malicious Activity!

What do security analysts do when they aren’t on fire? They hunt for malicious activity on networks and servers! A few days ago, some suspicious traffic was detected: an HTTP GET request to a URL like hxxp://xxxxxx.xx/south/fragment/subdir/… Let’s try to access this site from a sandbox. Too bad, I landed on a login page which looked like a C&C. I tried some classic credentials, searched for the URL or some patterns on Google, in mailing lists and private groups: nothing! Too bad…

Then you start some stupid tricks like moving to the previous directory in the path (like doing a “cd ..”) again and again to finally… find another (unprotected) page! This page was indexing screenshots sent by the malware from compromised computers. Let’s do a quick ‘wget -m’ to recursively collect the data. I came back a few hours later, pressed ‘F5’ and the number of screenshots had increased. The malware was still in the wild. A few hours and some ‘F5’ later, again more screenshots! Unfortunately, the next day, the malicious content was removed from the server. Fortunately, I had copies of the screenshots. Just based on them, it is possible to get interesting info about the attack / malware:

  • People from many countries were infected (speaking Chinese, Russian, German, Arabic, …)
  • It targeted mainly organizations
  • The malware was delivered via two files:
    • A “scan001.ace” archive containing a “scan001.exe” malicious PE file.
    • A “PR~Equipments-110 00012404.ace” file
  • The malicious file was opened on file servers and even a DC!
  • The malicious file was analyzed in sandboxes (easy to recognize them, Cuckoo & FireEye)

Here is a selection of interesting screenshots (anonymized). The original screenshots were named “<hostname>_<month>_<day>_<hour>_<min>_<sec>.jpg”. Based on the filename format, it seems that the malware takes one screenshot per minute. I renamed all the files with their MD5 hash to prevent disclosure of sensitive info (the original names contained the victims’ hostnames).
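
As an added example (not the author’s tooling, and not the malware’s code), here is a small Python script that automates the three manual steps above: walking up the URL path one directory at a time, reading the “<hostname>_<month>_<day>_<hour>_<min>_<sec>.jpg” filename format to measure the capture interval per host, and renaming the collected files to their MD5 hash. The URL (c2.example.invalid), the hostnames and the fake JPEG bytes are constructed for illustration; nothing here references the real server.

```python
"""Added example, not the author's code: scripted versions of the manual
steps described in the post.  All URLs, hostnames and file contents below
are constructed for illustration."""
import hashlib
import os
import tempfile
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, urlunsplit

# Constructed sample screenshot names in the format the post describes:
# <hostname>_<month>_<day>_<hour>_<min>_<sec>.jpg (no year in the name).
SAMPLE_NAMES = [
    "FILESRV01_3_14_09_12_07.jpg",
    "FILESRV01_3_14_09_13_07.jpg",
    "FILESRV01_3_14_09_14_08.jpg",
    "DC_1_3_14_09_13_30.jpg",
    "DC_1_3_14_09_14_30.jpg",
]


def parent_urls(url):
    """Return the URL and each parent directory, deepest first: the manual
    "cd .." loop that turned up the unprotected index page.  If the URL
    ends in a file rather than a directory, the file URL comes first."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    urls = []
    if segments and not parts.path.endswith("/"):
        urls.append(url)          # the file itself, then its directories
        segments.pop()
    for n in range(len(segments), -1, -1):
        path = "/" + "/".join(segments[:n]) + ("/" if n else "")
        urls.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return urls


def parse_screenshot_name(name, year=1970):
    """Split "<hostname>_<month>_<day>_<hour>_<min>_<sec>.jpg".  The format
    carries no year, so one is assumed only to build a datetime.  rsplit
    from the right keeps hostnames that contain underscores intact."""
    stem, _ext = os.path.splitext(name)
    host, mon, day, hour, minute, sec = stem.rsplit("_", 5)
    stamp = datetime(year, int(mon), int(day), int(hour), int(minute), int(sec))
    return host, stamp


def capture_intervals(names):
    """Per host, the gaps in seconds between consecutive screenshots;
    a run of values near 60 is what supports 'one screenshot per minute'."""
    per_host = defaultdict(list)
    for name in names:
        host, stamp = parse_screenshot_name(name)
        per_host[host].append(stamp)
    result = {}
    for host, stamps in per_host.items():
        stamps.sort()
        result[host] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return result


def anonymise(directory):
    """Rename every file to the MD5 of its content (extension kept) and
    return {original_name: new_name}.  Keep that mapping offline: it still
    holds the hostnames.  Byte-identical screenshots collapse onto one
    file, and re-running over already-hashed names is a no-op."""
    mapping = {}
    for name in sorted(os.listdir(directory)):
        src = os.path.join(directory, name)
        if not os.path.isfile(src):
            continue
        with open(src, "rb") as fh:
            digest = hashlib.md5(fh.read()).hexdigest()
        dst_name = digest + os.path.splitext(name)[1].lower()
        dst = os.path.join(directory, dst_name)
        if dst != src:
            if os.path.exists(dst):
                os.remove(src)    # duplicate content, already anonymised
            else:
                os.rename(src, dst)
        mapping[name] = dst_name
    return mapping


def demo_directory():
    """Constructed sample data: a temp dir with a fake JPEG per name.
    Names 0 and 4 deliberately get identical bytes to show the collapse."""
    directory = tempfile.mkdtemp(prefix="screenshots_")
    for i, name in enumerate(SAMPLE_NAMES):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 fake jpeg %d" % (i % 4))
    return directory


def anonymise_demo():
    """Run anonymise() over the constructed directory and summarise."""
    directory = demo_directory()
    mapping = anonymise(directory)
    on_disk = sorted(os.listdir(directory))
    return {
        "originals": len(mapping),
        "on_disk": len(on_disk),
        "collapsed": len(mapping) - len(set(mapping.values())),
        "all_hashed": all(len(f) == 36 and f.endswith(".jpg") for f in on_disk),
        "no_hostnames_left": not any(n in on_disk for n in SAMPLE_NAMES),
    }


if __name__ == "__main__":
    for u in parent_urls("http://c2.example.invalid/south/fragment/subdir/"):
        print("probe:", u)
    print("intervals:", capture_intervals(SAMPLE_NAMES))
    print("anonymised:", anonymise_demo())
```

The parent URLs are only generated, not fetched: feed them to whatever client you use from the sandbox, and do it from an isolated host, since every request tells the operator someone is looking. The mapping returned by anonymise() is the sensitive artefact; the hashed filenames alone reveal nothing about the victims.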

f7c75af9f6d84a761f979ebf490f921d
ee517028d9b1bfaf2aae8abf6176735f
e640309d8a27c14118906c3be7308363
e17d33f4f6969970d29f67063f416820
e6f74e098268b361261f26842fe05701
da5c267c26529951d914b1985b2b70df
beae96aee2e7977bdda886c130c0d769
c0c429c65a61d6ef039b33c0b52263a2
c1f0b66cea6740c74b55b27e5eff72b7
c8d73ddafc18e8f3ecb1c2c69091b0bb
d351e118cb3f9ce0e319ad9e527e650d
d0344809b6b32ddec99d98eb96ff5995
b78c32559c276048e028e8af2b06f1ed
b10b50a956d1dfd3952678161b9a8242
b1f39eaf121a3d7c9bb1093dc5e5e66b
af66c8924f1bb047f44f0d3be39247f7
9643b3c28fa9cf71df8fbc1568e7d82e
957dc126433c79c71383a37ee3da4a5f
0134fc9dda9c6ffd2d3a2ed48c000851
81d74df34b1e85bd326570726dd6eacb
018b6037b4fa2ae9790e3c6fb98fb1e7
9fda6c140a772b5069bd07b7ee898dba
9ed4787a1e215f341aff9b5099846bfe
09c5cfb440193b35017ae2a5552cd748
8c64f33d219f5cd0eadd90e1fcdc97ec
8c7c1fd9938e9cb78b0e649079a714df
6b76b6456af4a2ab54c4bd5935a5726a
6a4c19fb2a13121ee03577c9b37924a9
5aaf455193b2d4bfd13128a5c2502db8
4ba9db95f7bbeb58f73969f2262eea8b
2c48880ea3a8644985ffe038fe9a1260

[The post Go Hunt for Malicious Activity! was first published on /dev/random]

from Xavier
