Archive for the 'Malware & Virus Analysing' Category

Cridex, Feodo, Geodo, Dridex, what's next?

In June 2014 I blogged about some new developments on the Feodo / Cridex front. While Feodo was pretty active in Germany in January 2014, it suddenly disappeared. In June 2014 Feodo reappeared with new program code: Geodo was born. It was not clear to me whether the disappearance of Feodo was a direct response to the launch of Feodo Tracker. However, a few days after I announced that I had extended Feodo Tracker to track Geodo, Geodo suddenly disappeared as well.

Roughly a month later, my friends over at S21sec reported the appearance of yet another new Feodo variant: Dridex.

Together with friends from the infosec community I started to investigate Dridex. One of the most interesting findings is that while Feodo and Geodo were spammed out massively in Germany and targeted financial institutions there, Dridex obviously has a different focus. Looking into one of the recent Dridex configuration files reveals different botnets targeting financial institutions in the US, the UK and Switzerland (CH).

While the attackers abused well-known German brands such as Deutsche Telekom, O2 and Vodafone in their spam runs spreading Geodo in Germany, they are now abusing UK-based brands such as British Telecommunications (BT) to spread Dridex in the UK.

Overall, the modus operandi doesn't seem to have changed much with Dridex: the attackers still spread Dridex via spam emails sent with stolen SMTP credentials. Dridex botnet controllers are still hosted on compromised boxes running an nginx daemon that usually listens on port 8080 TCP. What has changed is the URL structure of the Dridex botnet C&C communication; the URL structure and code vary between variants.

Taking a look at one of the recent Dridex configuration files reveals additional botnet C&C IPs used for Dridex backconnect, the VNC module and webinjects ("redirects"), which vary for each Dridex botnet:

<bconnect>5.135.28.113:443</bconnect>
<vncconnect>5.135.28.109:9955</vncconnect>
<redirects>
   <redirect name="1st" vnc="0" socks="0" uri="http://62.76.44.174:8080/injectgate" timeout="20">twister5.js</redirect>
   <redirect name="2nd" vnc="1" socks="1" uri="http://50.56.34.20:8080/tokengate" timeout="20">mainsc5.js</redirect>
   <redirect name="vbv1" vnc="0" socks="0" uri="http://37.139.47.177:8080/logs/ukvbvg/js.php" timeout="20">/logs/ukvbvg/js.php</redirect>
   <redirect name="vbv2" vnc="0" socks="0" uri="http://37.139.47.177:8080/logs/ukvbvg/in.php" timeout="20">/logs/ukvbvg/in.php</redirect>
   <redirect name="logs1" vnc="0" socks="0" uri="http://37.139.47.177:8080/logs/in.php" timeout="20">/logs/in.php</redirect>
</redirects>
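As an added example (not code from the abuse.ch post), the following Python turns a Dridex-style configuration excerpt like the one above into blocklist entries, which is essentially what a tracker such as Feodo Tracker does with this kind of data. The sample input is the excerpt above embedded as a constructed string; the parser assumes, as on the page, that the excerpt is a bare XML fragment with no root element.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the configuration excerpt quoted above (vbv entries
# omitted for brevity). As on the page, it is a fragment with no root element.
SAMPLE_CONFIG = """<bconnect>5.135.28.113:443</bconnect>
<vncconnect>5.135.28.109:9955</vncconnect>
<redirects>
  <redirect name="1st" vnc="0" socks="0" uri="http://62.76.44.174:8080/injectgate" timeout="20">twister5.js</redirect>
  <redirect name="2nd" vnc="1" socks="1" uri="http://50.56.34.20:8080/tokengate" timeout="20">mainsc5.js</redirect>
  <redirect name="logs1" vnc="0" socks="0" uri="http://37.139.47.177:8080/logs/in.php" timeout="20">/logs/in.php</redirect>
</redirects>"""


def extract_c2(config_xml):
    """Return sorted (ip, port, role) tuples for every C&C endpoint in the config."""
    # The excerpt is a bare XML fragment, so wrap it in a synthetic root first.
    root = ET.fromstring("<root>" + config_xml + "</root>")
    found = set()
    # Backconnect and VNC endpoints are plain "host:port" text nodes.
    for tag, role in (("bconnect", "backconnect"), ("vncconnect", "vnc")):
        for el in root.iter(tag):
            if el.text and ":" in el.text:
                host, port = el.text.strip().rsplit(":", 1)
                found.add((host, int(port), role))
    # Webinject ("redirect") gates carry a full URI in the uri attribute;
    # the vnc/socks flags record which modules the gate enables.
    for r in root.iter("redirect"):
        u = urlsplit(r.get("uri", ""))
        if u.hostname:
            port = u.port or (443 if u.scheme == "https" else 80)
            flags = [f for f in ("vnc", "socks") if r.get(f) == "1"]
            role = "redirect:" + r.get("name", "?")
            if flags:
                role += "(" + ",".join(flags) + ")"
            found.add((u.hostname, port, role))
    return sorted(found)


def to_blocklist(entries):
    """Render entries as unique 'ip:port' lines for a firewall or proxy blocklist."""
    return sorted({f"{ip}:{port}" for ip, port, _ in entries})


if __name__ == "__main__":
    for ip, port, role in extract_c2(SAMPLE_CONFIG):
        print(f"{ip}:{port}\t{role}")
```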

Like the GameOver ZeuS botnet (GOZ), Dridex appears to follow a Malware-as-a-Service (MaaS) model: different botnets target different financial institutions and countries, but all use the same malware.

In mid-August 2014, I started listing Dridex botnet C&Cs on Feodo Tracker as well. They are labelled as Version D on Feodo Tracker and are pushed into the Feodo Tracker blocklists.

Malware   Feodo Tracker naming
Feodo     Version A / Version B
Geodo     Version C
Dridex    Version D

Now, let's see whether this gang abandons Dridex as fast as they abandoned Feodo and Geodo.

Some recent Dridex C&Cs:


Some recent Dridex malware samples (MD5):



Goodbye Feodo, Hello Geodo!

As a response to a flood of fake e-invoices hitting Germany and Switzerland in January 2014, I introduced Feodo Tracker, aimed at helping Internet users protect themselves from a sophisticated e-banking Trojan called Feodo (also known as Cridex/Bugat). Just a day after I published Feodo Tracker, the daily spam runs of fake invoices hitting German and Swiss Internet users suddenly disappeared. Apparently, the distribution of new Feodo binaries stopped completely: after publishing Feodo Tracker, I have not seen any new Feodo infection binaries, neither for Version A nor for Version B. In fact, I haven't found any traces of Feodo since.

I don't know what happened, nor whether Feodo Tracker was the reason for Feodo's disappearance. However, a few weeks ago, more than three months after Feodo disappeared, I started seeing a completely new malware that I had never seen before. Investigating the new threat revealed botnet C&C traffic to obviously compromised hosts on port 8080 TCP, which immediately reminded me of Feodo (Version A). The new threat has been distributed since late May 2014 through fake e-invoices, sent using compromised SMTP credentials. Below are a few screenshots of recent spam runs distributing this new threat.

[Screenshot: fake Deutsche Telekom invoices distributing Geodo]

[Screenshot: fake O2 invoices distributing Geodo]

[Screenshot: fake Vodafone invoices distributing Geodo]

The botnet infrastructure used by this new threat, as well as the way the malware is distributed, raised my suspicion that it might be a successor of Feodo. Talking to other security experts in the community strengthened that suspicion: the new malware is built on completely different code than Feodo, but the crypto code used for the botnet C&C communication appears to be almost the same as the one used by Feodo. In addition, Geodo uses the same botnet C&C infrastructure and distribution mechanism as Feodo. Moreover, the new malware is designed to commit e-banking fraud, just like Feodo. Hence I believe this new threat can be considered a direct successor of Feodo. Some security experts have started calling it Geodo. What is new with Geodo is that it communicates with the botnet C&C server not only over port 8080 TCP but also over port 7779 TCP.

In response to this development, I have extended Feodo Tracker so that it now also keeps track of Geodo botnet C&C servers. Geodo botnet C&C servers detected by Feodo Tracker are labelled as Version C:

[Screenshot: Feodo Tracker tracking Geodo (Version C)]

Recent Geodo malware distribution URLs (spammed out through compromised SMTP credentials; all hijacked websites):


Some recent Geodo malware samples (MD5 hash):


Sample Geodo botnet C&C traffic (all HTTP POST to port 8080):

