MONSOON – ANALYSIS OF AN APT CAMPAIGN

Forcepoint Security Labs | Special Investigations
C&C Channels. BADNEWS is typically built with several hard-coded channels which it can use to obtain
commands or change its C&C. These C&C channels include RSS feeds, Github, forums, blogs and
Dynamic DNS hosts.
In the sample analysed, the malware had several hard-coded C&C channels although some were corrupted
and did not work correctly:
hxxp://feeds.rapidfeeds.com/81913/
hxxps://raw.githubusercontent.com/azeemkhan89/cartoon/master/cart.xml
hxxp://www.webrss.com/createfeed.phpfeedid=47448
hxxp://www.webrss.com/createfeed.phpfeedid=47449
hxxp://www.chinasmack.com/2016/digest/chinese-tourist-bit-by-snake-in-thailand.html
hxxp://www.travelhoneymoon.wordpress.com/2016/03/30/tips-to-how-to-feel-happy
hxxp://overthemontains.weebly.com/trekking-lovers
hxxp://tariqj.crabdance.com/tesla/ghsnls.php
hxxp://javedtar.chickenkiller.com/tesla/ghsnls.php
hxxp://asatar.ignorelist.com/tesla/ghsnls.php
The first 7 C&Cs are referred to by the malware as either a "blog" or a "feed". These channels are only
used to tell the malware where its real C&C is. The last 3 Dynamic DNS channels are back-up C&Cs in
case it is not able to obtain a C&C address from one of the blogs or feeds.
The Dynamic DNS back-up C&Cs typically use the same “ghsnls.php” filename but the directory name
changes for different builds of the malware. The directory may indicate a campaign identifier or a codeword
for the target victim of the malware. We have seen the following directories used:
tesla
Tussmal
Mussmal
quantum
yumhong
MONSOON – ANALYSIS OF AN APT CAMPAIGN Revision: 1.07 | TLP-WHITE | 23/57