While investigating ELF malware I came across this Windows PE binary. It contains important infrastructure information used by the Mr. Black actor (the one who loves attacking our MIPS routers), so I decided to check it and post a bit here.
Win32/Zegost.rfn [link] (according to Microsoft)
The malware was sitting in the panel, waiting to be distributed, at the time I spotted it:
The actor who put the PE binary shown in the picture was attacking my "router" with the other binary, an ELF one: a MIPS build of Linux/Mr.Black, of the Linux/AES.DDoS family, a Chinese ELF backdoor and DDoS'er variant. The attacker's source IP and the CNC both lead to that panel's address.
#ELF #Linux/Mr.Black #malware:
1. Move2 S.Korea, #BLOCK: 210.92.18.118
2. ATTK graph attached
http://t.co/juaN5YucV2 pic.twitter.com/047s0xBrmU
— ☩MalwareMustDie (@MalwareMustDie) September 4, 2015
Seeing the panel, and knowing that the PE (exe file) malware wasn't being distributed yet by the actor, I decided to grab, analyze and expose it first; then I may consider us "even" for their attacking effort against my "router" (note the quotes).
The PE is a Win32/Zegost variant of the dropper/backdoor type; I uploaded it to VT here --> [link]. It drops, self-deletes, sets auto-start in the registry and starts a service (also set in the registry.. like many other boring things). The point of interest I am writing about here is how it contacts its mother hosts as a backdoor. Below are some reversing snips I took while ID-ing the threat..
The infrastructure
The PE has a DGA-style function that permutates the CNC hostnames, and I managed to extract some of them:
conf.f.360.cn 'qi89.f3322.org' qup.f.360.cn u.qurl.f.360.cn qurl.f.360.cn qurl.qh-lb.com qup.qh-lb.com sdupm.360.cn sdup.360.cn sdup.qh-lb.com
Note: the callback hostnames increased after we allowed several CNC downloads. The malware's DGA generates many other fake domains.. For the botnet dissection, please focus only on the IP addresses with which a CNC connection was actually established.
And I checked each domain, as per the snipped picture below:
I used the Kelihos fast-flux milking script to milk IP addresses for the above domains:
$ cat domains.txt | bash flux.sh
Kelihos FLUX check script by @unixfreaxjp
Sun Sep 6 01:04:57 JST 2015
>>> conf.f.360.cn
qup.f.360.cn. qup.qh-lb.com. 106.120.167.25 106.120.167.13
qup.f.360.cn. qup.qh-lb.com. 106.120.167.15 106.120.167.10
qup.f.360.cn. qup.qh-lb.com. 106.120.167.15 106.120.167.10
>>> qi89.f3322.org
210.92.18.118
210.92.18.118
210.92.18.118
>>> qup.f.360.cn
qup.qh-lb.com. 106.120.162.175 106.120.167.14
qup.qh-lb.com. 106.120.167.13 106.120.167.25
qup.qh-lb.com. 106.120.167.13 106.120.167.25
>>> u.qurl.f.360.cn
qurl.qh-lb.com. 106.38.187.100 106.38.187.103
qurl.qh-lb.com. 106.120.167.100 106.38.187.106
qurl.qh-lb.com. 106.120.167.102 106.38.187.113
>>> qurl.f.360.cn
qurl.qh-lb.com. 106.38.187.105 106.38.187.113
qurl.qh-lb.com. 106.38.187.105 106.38.187.113
qurl.qh-lb.com. 106.38.187.118 101.199.109.151
>>> qurl.qh-lb.com
106.38.187.103 106.38.187.106
106.38.187.100 106.38.187.103
106.38.187.103 106.38.187.100
>>> qup.qh-lb.com
106.120.162.174 106.120.167.10
106.120.162.174 106.120.167.10
106.120.162.178 106.120.162.175
[...]
The result of the IP milking is a set of static, legitimate IDC IP addresses in Beijing, China :-) ... At first sight I thought these were CNC, but later on I found it very weird :-)
I investigated and found that the IP addresses returned by the milking belong to the IDC used by 360.cn, a legitimate service in PRC/China.
But there is only one IP address on a different network; this leads us to a maliciously utilized host in South Korea, and it is the malware panel's IP address itself..
210.92.18.118||4766 | 210.92.0.0/18 | KIXS-AS | KR | dshw.co.kr | Sudokwonseobubonbu
The GeoIP confirmed:
{"dma_code":"0", "ip":"210.92.18.118", "latitude":37.57, "longitude":126.98, "country_code":"KR", "offset":"9", "continent_code":"AS", "country":"Korea Republic of", "asn":"AS4766", "isp":"Korea Telecom", "timezone":"Asia\/Seoul", "area_code":"0", "country_code":"KOR/KR"}
In short, the IP address 210.92.18.118 (port 8086) is the only IP that communicated with the malware, via the hostname qi89.f3322.org. Law enforcement may prefer to have this PCAP traffic as PoC/evidence. The CNC replied to the callback, and the reply was sent in encrypted form, as recorded in the traffic below. I am sorry, I didn't have the energy to crack this further..
..and get the ID :-)
So.. I have collected the first three (3) DGA-generated base domains from the malware sample, which are:
360.cn 'f3322.org' qh-lb.com
but #1 and #3 are legit services.
There is only one domain that is really being used as CNC (see the PCAP); the other domains are just being used as decoys to confuse the investigation. And the real CNC hostname is:
"f3322.org" w/ Registrant email: "ppyy@astpbx.com"
So now we learn more about the nature of Zegost in generating DGA output and faking CNC domains.
The malware is served under the domain f3322.org, which has a super bad reputation for being used by Mr.Black ELF attacks and many other ELF attacks, for example:
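To show how the decoy domains can be separated from the real CNC in flux.sh-style output, here is an added example (not the post's own script). The sample output is constructed from the resolutions quoted above, and the "legit" prefixes are the CHINANET-IDC-BJ ranges the post attributes to 360.cn; the rule "one unchanging IP outside the known-legit ranges" is an assumption drawn from this case, not a general law.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, trimmed from the flux.sh output quoted in the post:
# ">>> host" header, then one line per lookup (CNAME chain + A records).
FLUX_OUTPUT = """\
>>> conf.f.360.cn
qup.f.360.cn. qup.qh-lb.com. 106.120.167.25 106.120.167.13
qup.f.360.cn. qup.qh-lb.com. 106.120.167.15 106.120.167.10
qup.f.360.cn. qup.qh-lb.com. 106.120.167.15 106.120.167.10
>>> qi89.f3322.org
210.92.18.118
210.92.18.118
210.92.18.118
>>> qurl.qh-lb.com
106.38.187.103 106.38.187.106
106.38.187.100 106.38.187.103
106.38.187.103 106.38.187.100
"""

# Prefixes the post's whois lookups tie to 360.cn's IDC hosting (assumed legit).
LEGIT_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("106.120.160.0/19", "106.38.176.0/20", "101.199.108.0/22")]

def parse_flux(text):
    """Return {hostname: [set of IPs per lookup round]} from flux-style output."""
    lookups, host = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith(">>> "):
            host = line[4:].strip()
            continue
        ips = set()
        for tok in line.split():
            try:
                ips.add(ipaddress.ip_address(tok))
            except ValueError:
                pass  # a CNAME in the chain, not an address
        if host and ips:
            lookups[host].append(ips)
    return lookups

def classify(lookups):
    """Flag hosts that stay on one IP outside the known-legit prefixes."""
    verdicts = {}
    for host, rounds in lookups.items():
        distinct = set().union(*rounds)
        outside = {ip for ip in distinct if not any(ip in p for p in LEGIT_PREFIXES)}
        if outside and len(distinct) == 1:
            verdicts[host] = "static, non-legit range: likely real CNC"
        elif not outside:
            verdicts[host] = "fluxing inside legit IDC ranges: decoy"
        else:
            verdicts[host] = "mixed: review manually"
    return verdicts
```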
@MalwareMustDie attacker was http://t.co/xRvhDugAz4 (222.186.34.220), posted details I have at http://t.co/AjZj2eay0z
Hope it’s useful.
— jquinby (@jquinby) September 4, 2015
Thanks to the reddit folks for informing us that f3322.org is part of a Chinese dynamic hostname/DNS (DDNS) service provider.
We didn't know this detail until now. So it looks like their service is being used by the malware activity. It means the actor can be traced by contacting f3322.org's abuse desk accordingly. We're on it, as we now have a long list of malicious subdomains in use.
#MalwareMustDie!