ThreatSTOP's Security team is adding multiple new targets based on the Cybercrime Tracker to our expert and standard lists. These lists will better protect our customers against a range of cybercrime sources.
As you may remember, at the beginning of May we added new DGA targets to our DNS Firewall. We are happy to announce that these targets are now also available in an IP version and can now be used on both the DNS Firewall and our IP Firewall products. The targets are available as individual expert targets.
New threats included in today's release are:
Expert lists
- Agent Tesla – Agent Tesla is a keylogger sold as a service (SaaS) with multiple language support, automatic payments, and support for Windows 2000 through Windows 10 using .NET 2.0 or 4.0. It also comes with 24/7 support. The malware itself is a keylogger with clipboard and screenshot capabilities, and returns logs via SMTP, FTP or a web panel. Additional features include private encryption, support for all file extensions and automatic updates.
- Alina – First seen in late 2012, Alina is a POS RAM scraper specializing in bank card theft. After infiltrating a machine it adds itself to the AutoStart registry keys and checks for updates. Once installed, Alina uses a series of Windows API calls to enumerate the processes running in memory and compares this list against a blacklist of process names. This blacklist lets Alina skip processes that are memory intensive but yield little useful data to the cybercriminals. Alina then scrapes the memory of the remaining processes and copies any track data it finds. It then runs regular expressions (RegEx) over the captured data to sift out card numbers and track fields. Any potentially positive results are encoded and forwarded to the C&C via an HTTP POST request. More information about Alina can be found at: https://en.wikipedia.org/wiki/Alina_(malware). The Alina Targets also include the JackPOS and Katrina malware trackers:
- JackPOS – Point of sale (POS) malware specialized in gathering bank card information, and another member of the Alina family. Its infection vector has been observed posing as a Java update. Once installed it scrapes process memory, runs RegEx over the dump, and then POSTs the data to its C&C. It also provides a limited ability to remotely execute commands.
- Katrina – Point of sale (POS) malware forked from Alina. There is no significant difference between the two beyond modifications to the User-Agent strings and the list of ignored processes; the main function of both is bank card theft. Katrina also downloads the NewPoSThings malware, which provides a memory scraper, keylogger and VNC dump, among other features.
- Athena – Part of the Vault 7 leaks, Athena is a RAT with two versions: Athena (or Athena-Alpha), which targets Windows XP Pro SP3 (32-bit) through Windows 7 (32- and 64-bit), and Hera (or Athena-Beta), which targets Windows 8 through 10. Both bots establish persistence on target machines, either through the Windows Remote Access service (Athena) or through Dnscache (Hera). Both versions provide beaconing, retrieve data from specified targets, and can load or unload other pieces of malware in memory. More information about Athena is available from ZDNet (http://www.zdnet.com/article/cias-windows-xp-to-windows-10-malware-wikileaks-reveals-athena/).
- Atmos Botnet IPs & Atmos Botnet Domains - Atmos is a toolkit aimed at credential theft. To this end the malware includes multiple utilities: a case-sensitive keylogger, video capture, anti-virus disabling, credit card (CC) validation, DNS redirection, account balance checking, file search, network scanning, and more. It can be used as a RAT, but its pedigree is in credential-stealing malware and C&C systems: Atmos is a combination of leaked code from Citadel, Carberp, ZeuS, KINS and other C&C systems, stitched together with a few additions that reinforce its capabilities and its own security.
- Betabot – Trojan that focuses on the theft of login credentials and banking data. It has the notable quirk of disabling antivirus and anti-malware software, as well as preventing users from accessing security software sites. To do this it spoofs a Windows User Account Control (UAC) prompt and a "Critical Disk Error" message, leveraging user uncertainty to obtain elevated permissions. After that the bot is able to make all the changes it needs and begin looking for its target data. Infection has been seen through malicious links sent via services like Skype and email; these links appear to download innocuous programs such as video players but instead deliver the Trojan. It has also been seen spreading via USB drives. More information about Betabot is available from Kaspersky (https://www.kaspersky.com/resource-center/definitions/beta-bot).
- Citadel – A massive, distributed Trojan based on the ZeuS malware. While it shares ZeuS's goal of stealing banking credentials, it has taken the notable tack of targeting password managers, in particular KeePass Password Safe and Nexus Personal Security Client. In the past it has been noted for targeting government organizations as well as corporations. Historically attacks have focused primarily on Europe, though more recently it has cropped up in Asia and the US. Multiple variants have been located, but all appear to follow the same paths to the same C&C servers.
- Cybercrime Tracker IPs & Cybercrime Tracker Domains - This feed adds IP addresses and domains provided by the Cybercrime Tracker, focusing on C&C domains used by ZeuS, ICEIX and Citadel as identified by ZbotScanner.
- Diamond Fox (also known as Gorynych) – The latest version of Diamond Fox is a Trojan dropped by the Nebula Exploit Kit. The software itself is a keylogger that sends data back to a C&C system. It is also capable of being used in DDoS attacks and has a memory scraper that targets banking information and passwords. It should be noted that there are several variants of Gorynych, since the development team suffered a source leak. The most recent version (Crystal) has been seen in the wild since the beginning of 2017. You can also read about Diamond Fox distribution via the Nebula Exploit Kit in our previous blog post.
- Kronos – Banking Trojan that aimed to take over ZeuS's spot in the malware pantheon. Kronos includes multiple tools: a form grabber, webinjects (backwards compatible with ZeuS's format), protection from other Trojans, VNC capability, anti-virus bypass and rootkit abilities. What makes it particularly potent is the ability to plug in additional modules; one of the most recent is a Point of Sale (POS) module that has been seen making the rounds. This allows Kronos to grab bank card information and upload it securely to its C&C system.
- KeyBase – Extremely inexpensive dropped malware that piggybacks on other attacks. Its built-in keylogger allows attackers to grab clipboard contents, screenshots and login credentials, then send them to a C&C system for later retrieval and use.
- Lokibot (or Loki Bot) – Considered "commodity malware", Lokibot is openly sold on underground websites. It recently came to light in a highly targeted phishing attack discovered by PhishMe. After successfully hooking a victim, the bot steals private data, including login credentials and cryptocurrency wallets, and sends it to a C&C system using an HTTP POST request.
- Mazain – Android-based malware aimed at capturing and stealing banking credentials. Mazain disguises itself as a legitimate .apk (Android application package) and then quietly runs in the background, monitoring for communications with banks. The malware is sophisticated enough to intercept the messages that carry 2FA codes, which renders SMS-based 2FA useless. More information is available from: http://blog.checkpoint.com/2017/05/16/the-mobile-banker-threat-from-end-to-end/ and https://github.com/bemre/bankbot-mazain
- MegalodonHTTP – While not particularly advanced malware, MegalodonHTTP is a relatively inexpensive web panel that grants access to a botnet, allows additional malware to be downloaded and installed on targets, offers multiple methods of generating a DDoS attack, and mines cryptocurrency on victim computers.
- Neutrino – Neutrino Exploit Kit (Neutrino EK) is the successor to the Blackhole Exploit Kit (BEK). Neutrino EK works through watering hole attacks. A visitor to a compromised website has malicious JavaScript loaded into an iframe in their browser, which redirects them to the Neutrino EK landing page. The landing page loads Adobe Flash Player with an SWF file that in turn triggers exploits for CVE-2013-2551, CVE-2014-6332 and CVE-2015-2419 (Internet Explorer) or CVE-2014-0569 and CVE-2015-7645 (Adobe Flash Player). After the compromise, the exploit's code downloads and installs the malware payload. You can read more about Neutrino EK from SANS.org (https://www.sans.org/reading-room/whitepapers/detection/neutrino-exploit-kit-analysis-threat-indicators-36892) and about Neutrino EK's DGA in our paper from August 2016 (https://blog.threatstop.com/2016/08/30/security-report-neutrino-ek/).
- Pony Botnet IPs & Pony Botnet Domains - Pony is a botnet management interface. Cybercriminals purchase or lease time on a server hosting the Pony C&C, then distribute a Trojan to potential victims. This Trojan scans the victim's system for sensitive data, particularly digital wallets (think Bitcoin). The data is then siphoned off to the C&C, where the criminals can abscond with the pilfered goods. While Trustwave's SpiderLabs blog revealed a precipitous drop in theft between December 2013 and February 2014, Pony is still known to be active.
- Quant Loader – Trojan downloader/dropper that gained notoriety for dropping Locky; it has also been seen distributing Pony. It is a fork of CPPGURU's DDoS software and may be detected by anti-virus software as "Pliskal" or "Crugup."
- Rig Exploit Kit (RIG EK) – A primary, though underdog, competitor to the Neutrino Exploit Kit. RIG EK specializes in drive-by download and malvertising attacks, with Java, Internet Explorer, Flash and Silverlight as its primary exploitation targets.
- Stealer – This malware is the product of an Iranian hacking group. It has the ability to keylog, take screenshots, and search for specific files on targeted systems. The attacks appear to combine spearphishing with a malware dropper, though bundling with anti-censorship tools (specifically Psiphon) has also been seen. After installation the malware downloads various modules and deploys them to encrypt user data during exfiltration, grab account credentials, and persist across system startup. Exfiltration is conducted via FTP to a cluster of C&C systems. Overall the malware is simple and targets US-based companies and dissidents against the Iranian government, but it is still effective at gathering data because of its infiltration technique.
- WebInject – This is a class of attack that operates as a Man-in-the-Browser (MITB) attack. Malware with webinject capability on a victim system monitors web traffic until it sees the user attempting to log in (or successfully logging in) to a bank that the software knows. When this happens, the malware inserts either a new form or an additional element into an existing form, asking the user to provide their bank card details. Once the details are entered and the form submitted, the card details are ferried off to the C&C system, while the user is moved on to conduct their normal transaction as if nothing had happened.
- Web Shell by Orb (or WSO) – A PHP file uploaded to a compromised server. When the attacker requests the .php file, it produces what looks like a 404 error page. The page actually contains a hidden form that checks for a hard-coded password. If that password is provided, the attacker gains access to various functions on the server, including file management (uploading and downloading files), code execution, database actions, and more. If the directory the file is uploaded to is also owned by the Apache user, even more damage can be done, all without needing root privileges. An example video of what can be done is available on YouTube (https://youtu.be/ZWo3G7iXW8U).
- Win32:Mailer Bot – Establishes a remote access connection to the victim computer. The bot then follows commands from the C&C system, which can direct it to search for login credentials, log frequented websites, and spread to other devices on the network. The goal of the bot appears to be the distribution of spam rather than more destructive activity.
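The Alina, JackPOS and Katrina entries above all describe the same core routine: scrape process memory, run regular expressions over the dump to pick out card track data, and ship the matches to the C&C. The example below, added here as illustration and not code from the page or from any of the malware families described, implements the defender's mirror image of that step: it scans a constructed memory blob for ISO/IEC 7813 Track 1 and Track 2 records, filters out random digit runs with a Luhn check and an expiry sanity check, and returns masked results. The sample bytes, PANs (publicly known test card numbers) and record layout are all constructed for the example.

```python
import re
from typing import Dict, List

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.\-]{2,26})\^(\d{4})(\d{3})([0-9A-Z ]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits; mask the rest for safe logging."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> List[Dict]:
    """Scan a memory blob for track data, keeping only records that survive
    the Luhn check and have a plausible expiry month. Results are ordered by offset."""
    hits: List[Dict] = []
    for track, pattern in ((1, TRACK1), (2, TRACK2)):
        for m in pattern.finditer(blob):
            pan = m.group(1).decode("ascii")
            expiry = m.group(3 if track == 1 else 2).decode("ascii")   # YYMM
            month = int(expiry[2:])
            if not luhn_ok(pan) or not 1 <= month <= 12:
                continue   # random digits that happen to match the layout; drop them
            hits.append({
                "offset": m.start(),
                "track": track,
                "pan": pan,
                "masked": mask_pan(pan),
                "expiry": expiry,
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample "memory dump": two valid records and one Luhn-invalid decoy
# embedded in filler bytes. 4111111111111111 and 5500000000000004 are public test PANs.
SAMPLE_DUMP = (
    b"\x00\x00MSWIN4.1\x00garbage"
    + b";4111111111111111=25121011234567890?"                    # valid Track 2
    + b"\x00\xff\xfe"
    + b"%B5500000000000004^DOE/JANE^2512101000000000000000?"     # valid Track 1
    + b"\x00" * 8
    + b";1234567890123456=2512101?"                              # fails Luhn, ignored
    + b"\x00more noise"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(f"offset={hit['offset']:>4} track={hit['track']} "
              f"pan={hit['masked']} exp={hit['expiry']}")
```

Run against a real process dump (for example, one taken from a POS host during an investigation), this gives an analyst a quick answer to "was card data present in memory where the scraper could reach it?" without writing full PANs to disk. The Luhn and expiry filters are the same trick the scrapers use to cut noise; on the defensive side they keep the alert list short when scanning gigabytes of memory.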
Additionally, the following targets have been updated:
- The ZeuS, GameOverZeuS and Feodo Targets will now include more sources
- Botnets (Both Expert and Standard targets) - Will now include all the above mentioned botnets.
- Botnets 2 (Both Expert and Standard targets) - Will now include all the IP addresses relevant for the DGA feeds.
- The Banking Targets will now include the following families - Citadel, LokiBot, Diamond Fox, Webinject, Kronos, Mazain, BetaBot
- The Driveby targets (including Driveby Paranoid and Driveby Super Paranoid) will now include Neutrino and RIG.
- The SSH Crackers Target now has additional sources.
Enabling any of these new targets in your user policy will add protection against the associated threat to your ThreatSTOP DNS and IP Firewall services. If you do not have a ThreatSTOP account, sign up for a free trial.
If you do have a ThreatSTOP account, instructions for adding targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our team.