Tuesday, March 25, 2014

Walkthrough of a Recent Zbot Infection and associated CnC Server

During routine ThreatLabZ log analysis, we encountered the following malicious Zbot executable connecting back to its CnC and exfiltrating data via POST requests.
  • MD5: 0b43d6a65f67ef48f4da3a1cc09335a1
  • Size: 442368 bytes
  • Detected as PWS:Win32/Zbot by Microsoft (VT 43/49)
[POST DATA]


iTpRAQWetIVVzRx502Gqds3DKmG80ru/P1ggedWTJAgrue/EVaoL95bMH6K0It8I9/wGHEIKbkXhcoxGOKgJOxGFYkvfoWsUM/NWAUQ+wdjlZOpD0Ke77Sob6rQT0WToRF9lWkhx514Es9wGHNKTn5xrTY7pJeqxGiTNMsB3fsCFfjZZKabmhwDzKTP/0W6FFEJb


What set this discovery apart from your average CnC server? The attackers were kind enough to leave the CnC server largely exposed (directory browsing enabled, many files not password protected), providing a rare behind-the-scenes look at a live botnet operation. Let's walk through what we observed.

The above mentioned Zbot variant was responsible for dropping the following malicious files:
  • 6ca1690720b3726bc76ef0e7310c9ee7 - Win32/Stoberox.B (VT 26 / 50)
  • d2c6a0e888d66882d7dc29667c4c9ec0 - TrojanDownloader:Win32/Cutwail (VT 38/50)
We also noted that it started a server listening on ports 1548 and 3492 and sent some data via POST requests to hxxp://vodrasit.su/admin/gate.php (see the malwr sandbox report).

Domains contacted:
  • shivammehta.com [ IP: 181.224.129.14]
  • merdekapalace.com [IP: 202.71.103.21]
  • vodrasit.su [IP: 37.115.13.224]
IPs contacted:


While examining the POST data submitted to hxxp://vodrasit.su/admin/gate.php, we explored the site and found that it is currently hosting two malicious files and a password-protected admin console.

Below are the files which are hosted on hxxp://vodrasit.su/, which can be observed thanks to the fact that the attackers left directory browsing enabled:

[   ]  admin.zip 03-Mar-2014 09:49 12M  
[DIR] admin/ 21-Aug-2013 23:44  
[   ]  all.exe 21-Mar-2014 17:36 457K
[   ]  rok.exe 21-Mar-2014 06:23 75K


 
all.exe attempted to communicate with the following DGA-generated domains:

Admin Console

Although we weren't able to access the live admin console as it was password protected, we were able to replicate the setup from the exposed source files (hxxp://vodrasit.su/admin.zip), and it would appear as shown below:



Another directory with browsing enabled exists at hxxp://vodrasit.su/admin/db/. Here the data from infected machines connecting back to the CnC server can be observed:


Before being transmitted from a victim machine, the data is RC4-encrypted, then base64-encoded, and then sent to the CnC via an HTTP POST.

Here is the CnC's code for first base64-decoding the data and then RC4-decrypting it:
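As an added example (not the gate.php code from the original post, whose screenshot is not reproduced here), the following Python reverses the bot's pipeline described above: base64-decode the POST body, then RC4-decrypt it. The RC4 key and the record layout are constructed for illustration, since the page does not show the real key.

```python
import base64
from typing import Iterator

# Constructed example key: the real CnC key is not shown on the page.
EXAMPLE_KEY = b"example-cnc-key"


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decode_post_data(post_body: str, key: bytes) -> bytes:
    """CnC side: base64-decode the POST body, then RC4-decrypt it.
    validate=True rejects bodies with characters outside the base64
    alphabet instead of silently discarding them."""
    return rc4(key, base64.b64decode(post_body, validate=True))


def encode_post_data(record: bytes, key: bytes) -> str:
    """Bot side (RC4 then base64), used here only to build a sample."""
    return base64.b64encode(rc4(key, record)).decode("ascii")


# Constructed sample record mirroring the three fields the post names;
# the real field layout is only visible in the post's screenshots.
SAMPLE_RECORD = b"os=WINDOWS 7|bits=0|country=SOUTH KOREA"
SAMPLE_POST = encode_post_data(SAMPLE_RECORD, EXAMPLE_KEY)

if __name__ == "__main__":
    print(SAMPLE_POST)
    print(decode_post_data(SAMPLE_POST, EXAMPLE_KEY).decode())
```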




After decoding and decrypting, a record is created in the aforementioned directory hxxp://vodrasit.su/admin/db/.

The following is a sample of the information stored from an infected victim:



What does this data represent?


This particular record includes the following:
  • OS: WINDOWS 7
  • Bits: 0 means the OS is 32-bit
  • Country: SOUTH KOREA
We are continuing to track these malicious domains and IP addresses and advise you to block them as well.

- rubin

3 comments:

Z said...

I wonder why malware researchers still use MD-5 hash functions. For more information why this is a really bad idea, check www.stopusingmd5now.com

chirag2407 said...

great post mate :)

Anonymous said...

Hello,
The IP 65.55.172.254 belongs to Microsoft. Is it really problematic? (No sarcasm related to Microsoft please :-)