Dashboard Global

ASERT Security Intelligence

Summary: This week we examine the vDoS booter/stresser takedown, take a look at targeted RAT trends that show a high level of NJRat activity, discuss the RIG Exploit Kit distributing the CrypMIC ransomware, mention targeted threat activity in Libya with a malware family called "Book of Eli", banking trojan developments with Qadars which is taking aim at UK banks, and mention recent trends in ransomware threat activity.

Title: Qadars Banking Trojan Takes Aim at UK
Severity Level: Normal Severity
Published: Thu, 22 Sep 2016 21:07:53 +0000
The Qadars banking trojan has been around since 2013. Recent activity includes what appears to be a version 3 of the malware, additional obfuscation for anti-analysis purposes, and additional targeting of the UK via 18 new banking injects. For further data, please see https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/.
Source: Qadars Banking Trojan Takes Aim at UK

Title: RIG Exploit Kit Distributing CrypMIC Ransomware
Severity Level: Normal Severity
Published: Thu, 22 Sep 2016 21:07:53 +0000
The RIG exploit kit has been around for some years; however, it has become more popular lately, with a spike in activity. Most recently it was used to distribute a ransomware threat called CrypMIC. The kit was recently exploiting Adobe Flash bugs, as well as the vulnerabilities CVE-2015-8651 (patched in December 2015), CVE-2016-4117 (patched in May 2016), and CVE-2016-0189 (also patched in May 2016). For further details, please see https://threatpost.com/rig-picks-up-where-neutrino-left-off-pushes-crypmic-ransomware/120735/ and the original research at https://heimdalsecurity.com/blog/security-alert-rig-exploit-kit-crypmic-ransomware/.

The CrypMIC ransomware was poorly detected at the time of writing. The sample analyzed (sha-256: f368150dffb8cd2606ca9b401c40d35ffe142088bb885bd9fc753dda36b4afc2) was apparently derived from the CryptXXX ransomware and was distributed using the filename NirCmd.exe on or around 9-19-2016. The malware made an outbound connection to 65.49.8[.]96, which was analyzed by malware-traffic-analysis.net [http://malware-traffic-analysis.net/2016/09/16/index3.html] and described as "EITEST AND PSUEDODARKLEECH RIG EK, AFRAIDGATE NEUTRINO EK". Further analysis by broadanalysis.com [http://www.broadanalysis.com/2016/09/21/rig-exploit-kit-via-pseudodarkleech-from-delivers-crypmic-ransomware-new-cnc/] indicated that the threat actors were using iframes (a very common technique) and that the malware used plain text over TCP/443 (unencrypted traffic on a port normally carrying TLS should be easy to flag as threat activity). The same write-up (from September 21, 2016) noted that the C2 changed from 65.49.8[.]96 to 91.121.74[.]154.
Source: RIG Exploit Kit Distributing CrypMIC Ransomware

Title: Recent Targeted RAT Trends: NJRat on Top
Severity Level: Normal Severity
Published: Thu, 22 Sep 2016 21:07:53 +0000
Some Remote Access Trojans are used for commodity cybercrime operations, individual harassment, extortion, and script-kiddie wars. Others are used by serious cybercrime groups as they execute targeted campaigns. Nation-state apparatus and contractors for nation-state apparatus also use RATs for various reasons, and their use is widespread. The presence of a RAT on your network is typically a cause for substantial concern; such threat activity needs to be evaluated in the context of the intrusion, and a determination of the goals of the threat actor(s) needs to be made. RATs are often used in targeted attack campaigns and serve as a pivot point into the internal network in accordance with the campaign's objectives. Below we discuss recent targeted RAT trends from the ATLAS Intelligence Feed (AIF), based on the most frequently observed RAT, NJRat.

Title: The vDoS Booter/Stresser Takedown - Overview and Initial Analysis
Severity Level: Normal Severity
Published: Thu, 22 Sep 2016 21:07:53 +0000
In early September 2016, the vDOS booter/stresser service was compromised, resulting in significant amounts of data related to the DDoS-on-demand service, including 'customer' records and attack details, being exfiltrated. Two of the alleged persons behind vDOS were arrested by the Israeli police in connection with an ongoing investigation by the FBI. The two suspects, both aged 18, had allegedly operated the service for the last four years and had accumulated more than $600,000.00 USD in illicit profits during that timeframe.


Alpha Testing the AlphaLeon HTTP Bot

ASERT was initially alerted about an emerging threat called AlphaLeon by Deep & Dark Web intelligence provider Flashpoint in August 2015. It caught and kept our interest because it sounded like it could be a new “banker” malware family. While it took some time to find samples of the malware in the wild, this post […]
Wed, 09 Mar 2016 15:21:37 +0000

Estimating the Revenue of a Russian DDoS Booter

At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS […]
Wed, 02 Mar 2016 11:00:15 +0000

Dumping Core: Analytical Findings on Trojan.Corebot

Download the full report here. The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to the dominant banking malware such as Zeus, Neverquest, and Dyreza although its actual impact to date is […]
Wed, 10 Feb 2016 11:00:54 +0000

The Big Bong Theory: Conjectures on a Korean Banking Trojan

Download the full report here. ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based […]
Wed, 10 Feb 2016 11:00:16 +0000

Uncovering the Seven Pointed Dagger

The full report “Uncovering the Seven Pointed Dagger: Discovery of the Trochilus RAT and Other Targeted Threats” can be downloaded here. Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years. Typically, these campaigns leverage spear phishing as the delivery vector and often […]
Mon, 11 Jan 2016 11:00:24 +0000


Top Attacks (past 24 hours)

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
VNC network scanning activity | 2465.78 | +531.0 % | - | 74.0%
POLICY Outbound TFTP Read Request | 238.04 | +1873.4 % | - | 7.1%
SSH brute-force login attempts | 224.50 | +271.3 % | - | 6.7%
ntpdx overflow attempt | 98.40 | +45.7 % | CVE-2001-0414 | 3.0%
SNMP MS Windows getbulk request | 90.93 | +415.4 % | CVE-2006-5583 | 2.7%
 
Description | Attacks per subnet | Change from yesterday | CVE | Percentage
POLICY Outbound TFTP Read Request | 238.04 | +1873.4 % | - | 7.1%
VNC network scanning activity | 2465.78 | +531.0 % | - | 74.0%
SNMP MS Windows getbulk request | 90.93 | +415.4 % | CVE-2006-5583 | 2.7%
DNS named version attempt | 10.59 | +312.3 % | - | 0.3%
 
Top Scanned Services (past 24 hours)

Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
TCP/5900 | 766.46 kB | +555.9 % | CVE-2006-4309 | 23.1%
UDP/5060 (sip) | 663.26 kB | +193.7 % | CVE-2006-0189 | 20.0%
TCP/23 (telnet) | 555.10 kB | +923.3 % | CVE-2007-0956 | 16.8%
ICMP/8 | 230.43 kB | +1092.6 % | - | 7.0%
UDP/53413 | 98.84 kB | +255.5 % | - | 3.0%
 
Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
UDP/5061 (sip-tls) | 59.75 kB | +inf % | - | 1.8%
UDP/5080 | 42.18 kB | +inf % | - | 1.3%
UDP/161 (snmp) | 30.90 kB | +inf % | CVE-2007-5381 | 0.9%
UDP/1000 (cadlock2) | 23.29 kB | +inf % | - | 0.7%
UDP/6537 | 14.50 kB | +inf % | - | 0.4%
 
Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 1665 579.41 kB 3 13390 670
CN (China) 2 233 419.54 kB 1 91 82
DE (Germany) 3 2 225.55 kB 1 1013 66
CA (Canada) 4 14 193.23 kB 0 861 48
JP (Japan) 5 527 158.17 kB 1 0 23
RU (Russian Federation) 6 77 109.13 kB 0 963 13
VN (Viet Nam) 7 7 134.75 kB 0 48 8
NL (Netherlands) 8 142 117.29 kB 2 320 38
PL (Poland) 9 52 103.41 kB 0 349 0
FR (France) 10 52 80.71 kB 10 374 10
KR (South Korea) 11 9 73.79 kB 1 108 279
RO (Romania) 12 16 52.81 kB 0 274 103
GB (Great Britain) 13 32 27.27 kB 1 1088 29
BR (Brazil) 14 3 29.06 kB 0 327 261
TR (Turkey) 15 59 23.21 kB 0 516 0
TW (Taiwan) 16 1 37.60 kB 0 25 0
CH (Switzerland) 17 28 8.75 kB 0 43 366
EU (European Union) 18 38 15.40 kB 0 484 21
AU (Australia) 19 0 1.61 kB 0 808 67
HK (Hong Kong) 20 66 23.45 kB 0 112 11
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS4134 (CHINANET-BACKBONE) 1 119 204.20 kB 1 0 19
AS19994 (RACKSPACE) 2 444 133.54 kB 0 0 0
AS20773 (HOSTEUROPE-AS) 3 0 137.33 kB 0 0 0
AS26496 (AS-26496-GO-DADDY-COM-LLC) 4 0 0 B 0 3570 4
AS22773 (ASN-CXA-ALL-CCI-22773-RDC) 5 332 101.55 kB 0 0 0
AS6428 (CDM) 6 0 102.44 kB 0 0 0
AS4837 (CHINA169-BACKBONE) 7 62 86.81 kB 0 0 12
AS13301 (UNITEDCOLO-AS) 8 0 69.08 kB 0 0 0
AS29073 (QUASINETWORKS) 9 86 63.28 kB 1 67 0
AS36351 (SOFTLAYER) 10 25 3.11 kB 0 1566 0
AS6939 (HURRICANE) 11 273 51.28 kB 0 0 0
AS12322 (PROXAD) 12 16 54.68 kB 6 69 0
AS4569 (ASHTON-NET1) 13 0 56.00 kB 0 0 0
AS49981 (WORLDSTREAM) 14 0 42.95 kB 0 211 0
AS17184 (ATL-CBEYOND) 15 169 44.61 kB 0 0 0
AS30083 (SERVER4YOU) 16 0 42.90 kB 0 0 0
AS18403 (FPT-AS-AP) 17 0 40.15 kB 0 0 7
AS7552 (VIETEL-AS-AP) 18 0 33.44 kB 0 0 0
AS4766 (KIXS-AS-KR) 19 7 25.20 kB 0 96 33
AS46606 (UNIFIEDLAYER-AS-1) 20 0 0 B 0 810 0