Download the full report here.
The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now comparable to dominant banking malware such as Zeus, Neverquest, and Dyreza, although its actual impact to date is nowhere close.
ASERT has been studying and monitoring Corebot since shortly after it was first documented. This threat intelligence report provides an in-depth analysis of Corebot’s inner workings, including its cryptography, network behavior, and banking targets.
Download the full report here.
ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration, including obfuscation techniques, certificate use, and VPN-based network communications. A hypothesis about the malware’s goal, “The Big Bong Theory,” is put forth, along with some background on the South Korean banking infrastructure. This intelligence report will be of interest to security researchers, incident responders, and anyone interested in advanced malware analysis.
The full report “Uncovering the Seven Pointed Dagger: Discovery of the Trochilus RAT and Other Targeted Threats” can be downloaded here.
Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years. Typically, these campaigns use spear phishing as the delivery vector and often include malicious attachments designed to bypass typical detection controls. In other cases, the spear phish directs users to websites that would otherwise be trusted but have actually been compromised by threat actors seeking greater access to fulfill their actions and objectives.
In late 2015, ASERT began investigations into a Strategic Web Compromise (aka “Watering Hole”) involving websites operated by the government of Myanmar and associated with recent elections. All indicators suggest that the compromises were performed by an actor group known to collaborators at Cisco’s Talos Group as “Group 27”. These initial findings – focused around the PlugX malware – were released by ASERT in a report called “Defending the White Elephant.” Analysis of PlugX malware configuration suggested that Special Economic Zones (SEZs) in Myanmar were of interest.
Following the trail of emergent threat activity, ASERT has discovered a new Remote Access Trojan (RAT) in use Continue reading
Click here to download the full report.
The Black Energy malware family has a long and storied history dating back to 2007. Originally a monolithic DDoS platform, it gained significant advancements in 2010, including support for an extensible plugin architecture that allowed Black Energy 2 to expand more easily beyond DDoS into other activities such as info-stealing, web-based banking attacks, and spamming.
This report examines, in-depth, a new Black Energy 2 plugin (ntp.dll) that allows “BE2” botnets to launch true distributed NTP reflection/amplification attacks. This is significant for a couple of reasons:
In detailing the relatively impressive technical implementation of this new BE2 DDoS attack plugin, this report provides some excellent general networking insights, an understanding of what it takes to really pull off a reflection/amplification attack on the Windows platform, and a somewhat humorous look at some prior attempts by other malware Continue reading
In an earlier blog post, I discussed the issues associated with IPv6 packet fragmentation. Of particular significance, IPv6 fragmentation is performed only by the host sourcing the packets, so it relies on that host being able to receive the ICMPv6 “Packet Too Big” message (type 2) sent by any intermediate device along the route to the packet’s destination.
The capability to confirm that an end user in a network will correctly receive the packet-too-big ICMPv6 message has been added to the test-ipv6 mirrors, including http://test-ipv6.arbor.net. This new capability allows a user to identify if the packet-too-big message is being discarded between the user’s computer and the web site.
In the “Tests Run” tab of the main test-ipv6 mirror page, the “Test IPv6 large packet” test documents the IPv6 fragmentation behavior. If further information is desired, one can click on the “Technical Info” link.
If the “Test IPv6 large packet” test is failing, the Packet Too Big ICMPv6 message is likely being dropped. This indicates a problem within the user’s computer, the enterprise network, or elsewhere along the path to the test-ipv6 mirror. The problematic device may be a router or firewall, or even the host firewall software configured on the user’s own computer.
Any device in the Continue reading
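To make the dependency concrete, the following is an added example (not code from the original post or from the test-ipv6 project) of what the sending host does with a Packet Too Big message once it does arrive: decode the ICMPv6 type 2 header to recover the reported MTU, then split an upper-layer payload into IPv6 fragments that fit that MTU, as only the source host may do in IPv6. The ICMPv6 message and the payload are constructed inline; the checksum is not verified because that needs the IPv6 pseudo-header, which the function is not given.

```python
import struct

ICMPV6_PACKET_TOO_BIG = 2   # RFC 4443 section 3.2
IPV6_MIN_MTU = 1280         # RFC 8200 section 5
IPV6_HEADER_LEN = 40
FRAG_HEADER_LEN = 8
NEXT_HEADER_FRAGMENT = 44


def parse_packet_too_big(msg: bytes):
    """Decode an ICMPv6 Packet Too Big message.

    Layout: type(1) code(1) checksum(2) MTU(4), then as much of the
    invoking packet as fit.  Returns (path_mtu, invoking_packet).
    """
    if len(msg) < 8:
        raise ValueError("truncated ICMPv6 message")
    msg_type, code, _checksum, mtu = struct.unpack("!BBHI", msg[:8])
    if msg_type != ICMPV6_PACKET_TOO_BIG or code != 0:
        raise ValueError(f"not a Packet Too Big message: type={msg_type} code={code}")
    # RFC 8201 section 5: never lower the path MTU estimate below 1280.
    return max(mtu, IPV6_MIN_MTU), msg[8:]


def fragment_payload(payload: bytes, path_mtu: int, ident: int, next_header: int):
    """Split an upper-layer payload into IPv6 fragments for the given path MTU.

    Each fragment carries a 40-byte IPv6 header and an 8-byte Fragment
    header, and every fragment except the last must hold a multiple of
    8 bytes (RFC 8200 section 4.5).  Returns [(fragment_header, chunk), ...].
    """
    if path_mtu < IPV6_MIN_MTU:
        raise ValueError("path MTU below the IPv6 minimum link MTU")
    room = path_mtu - IPV6_HEADER_LEN - FRAG_HEADER_LEN
    room -= room % 8                       # keep non-final chunks 8-byte aligned
    fragments, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + room]
        more = 1 if offset + len(chunk) < len(payload) else 0
        # Fragment header: next header(1) reserved(1) offset<<3 | M(2) identification(4)
        hdr = struct.pack("!BBHI", next_header, 0, ((offset // 8) << 3) | more, ident)
        fragments.append((hdr, chunk))
        offset += len(chunk)
    return fragments


def reassemble(fragments):
    """Reassemble fragments in any order, checking that offsets are contiguous."""
    parts, total = {}, None
    for hdr, chunk in fragments:
        _, _, off_m, _ = struct.unpack("!BBHI", hdr)
        parts[(off_m >> 3) * 8] = chunk
        if not (off_m & 1):                # M bit clear: this is the last fragment
            total = (off_m >> 3) * 8 + len(chunk)
    buf = bytearray()
    for offset in sorted(parts):
        if offset != len(buf):
            raise ValueError("gap in fragment sequence")
        buf += parts[offset]
    if total is None or len(buf) != total:
        raise ValueError("final fragment missing")
    return bytes(buf)


if __name__ == "__main__":
    # Constructed Packet Too Big message reporting a 1400-byte link on the path,
    # followed by a 48-byte stand-in for the invoking packet.
    ptb = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, 1400) + bytes(48)
    mtu, _ = parse_packet_too_big(ptb)
    payload = bytes(range(256)) * 12        # constructed 3072-byte payload
    frags = fragment_payload(payload, mtu, ident=0x1234, next_header=17)
    print(f"path MTU {mtu}: {len(frags)} fragments of", [len(c) for _, c in frags])
    assert reassemble(frags) == payload
```

If the Packet Too Big message never reaches the host, `parse_packet_too_big` is never called, the host keeps sending at the interface MTU, and large packets silently disappear, which is exactly the failure the “Test IPv6 large packet” test is designed to surface.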
For the past few months ASERT has been keeping an eye on a relatively new banking malware (“banker”) known as “Pkybot”. It has also been classified as a variant of “Bublik”, but the Pkybot name is much more descriptive of the malware.
This post will take a peek at some of the bits and pieces of Pkybot and the campaign using it. The visibility provided can help organizations better understand, detect, and protect against this current threat.
Sample
One of the recent samples analyzed by ASERT has the following hashes:
MD5: 9028d9b64a226b750129b41fbc43ed5e
SHA256: 38eb7625caf209ca2eff3fa46b8528827b7289f1
At the time of this writing it has a VirusTotal detection ratio of 16/57 with just about all the detections being generic in nature. One positive for reverse engineers though is that this sample comes unpacked.
Pkybot
While there’s been some research into the malware already [1] [2], a review and fleshing out never hurts.
Encrypted Bits
Pkybot contains a number of interesting items that are encrypted with the XTEA encryption algorithm. The key used is generated at runtime from a hardcoded seed value (DWORD):
It can also be generated using this Python code snippet. Along with the generated XTEA key, this IDA Continue reading
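Once the XTEA key has been recovered, the encrypted items can be decrypted offline. The following is an added example, not the snippet from the original post, of a plain XTEA implementation (32 iterations, delta 0x9E3779B9) with a block-by-block decryptor. The page does not state the word byte order or the mode of operation Pkybot uses, so little-endian 32-bit words and ECB are assumed here; the key and plaintext in the demo are constructed for illustration and are not values from the sample.

```python
import struct

DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF


def key_from_bytes(key_bytes: bytes):
    """Turn a 16-byte key into the four 32-bit words XTEA expects (little-endian assumed)."""
    if len(key_bytes) != 16:
        raise ValueError("XTEA key must be 16 bytes")
    return list(struct.unpack("<4I", key_bytes))


def _mix(v: int, s: int, key, idx: int) -> int:
    # The XTEA round function: (((v << 4) ^ (v >> 5)) + v) ^ (sum + key[idx]), mod 2^32
    return (((((v << 4) & MASK32) ^ (v >> 5)) + v) & MASK32) ^ ((s + key[idx]) & MASK32)


def xtea_encrypt_block(block: bytes, key, rounds: int = 32) -> bytes:
    v0, v1 = struct.unpack("<II", block)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + _mix(v1, s, key, s & 3)) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + _mix(v0, s, key, (s >> 11) & 3)) & MASK32
    return struct.pack("<II", v0, v1)


def xtea_decrypt_block(block: bytes, key, rounds: int = 32) -> bytes:
    v0, v1 = struct.unpack("<II", block)
    s = (DELTA * rounds) & MASK32          # start from the final sum and unwind
    for _ in range(rounds):
        v1 = (v1 - _mix(v0, s, key, (s >> 11) & 3)) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - _mix(v1, s, key, s & 3)) & MASK32
    return struct.pack("<II", v0, v1)


def xtea_encrypt_ecb(data: bytes, key, rounds: int = 32) -> bytes:
    """ECB over 8-byte blocks (mode is an assumption); NUL-pads to a block boundary."""
    data = data + b"\x00" * (-len(data) % 8)
    return b"".join(xtea_encrypt_block(data[i:i + 8], key, rounds)
                    for i in range(0, len(data), 8))


def xtea_decrypt_ecb(data: bytes, key, rounds: int = 32) -> bytes:
    """ECB decryption of a multiple-of-8 blob; trailing NUL padding is left for the caller."""
    if len(data) % 8:
        raise ValueError("XTEA ciphertext must be a multiple of 8 bytes")
    return b"".join(xtea_decrypt_block(data[i:i + 8], key, rounds)
                    for i in range(0, len(data), 8))


if __name__ == "__main__":
    key = key_from_bytes(b"ASERT-PKYBOT-KEY")            # constructed key, not the sample's
    secret = b"http://example.invalid/gate.php"           # constructed plaintext
    blob = xtea_encrypt_ecb(secret, key)
    print("ciphertext:", blob.hex())
    print("decrypted: ", xtea_decrypt_ecb(blob, key).rstrip(b"\x00"))
```

When applying this to a real sample, the two things to verify in the disassembly before trusting the output are the word order used to load the key and data into registers, and whether each encrypted item is processed as independent blocks or chained; either difference will produce plausible-looking garbage rather than an obvious error.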