
Goodbye Feodo, Hello Geodo!

As a response to a flood of fake e-invoices hitting Germany and Switzerland in January 2014, I introduced Feodo Tracker, aimed at helping Internet users protect themselves from a sophisticated ebanking Trojan called Feodo (also known as Cridex/Bugat). Just a day after I published Feodo Tracker, the daily spam runs of fake invoices hitting German and Swiss internet users suddenly disappeared. Apparently, the distribution of new Feodo binaries stopped completely. After publishing Feodo Tracker, I have not seen any new Feodo infection binaries, neither for Version A nor Version B. In fact, I haven’t managed to find any traces of Feodo ever since.

I don’t know what happened, nor do I know whether Feodo Tracker was the reason for the disappearance of Feodo. However, a few weeks ago – more than 3 months after Feodo disappeared – I started seeing a completely new malware family popping up that I had never seen before. Investigating the new threat revealed botnet C&C traffic to obviously compromised hosts on port 8080 TCP, which immediately reminded me of Feodo (Version A). The new threat has been distributed since late May 2014 through fake e-invoices, using compromised SMTP credentials. Below are a few screenshots of recent spam runs distributing this new threat.

[Screenshot: Fake Deutsche Telekom invoices distributing Geodo]

[Screenshot: Fake O2 invoices distributing Geodo]

[Screenshot: Fake Vodafone invoices distributing Geodo]

The botnet infrastructure used by this new threat, as well as the way the malware is being distributed, raised my suspicion that it might be a successor of Feodo. Talking to other security experts in the community strengthened my suspicions: the new malware is built on completely different code than Feodo, but the crypto code used for the botnet C&C communication seems to be almost the same as the one used by Feodo. In addition, Geodo uses the same botnet C&C infrastructure and distribution mechanism as Feodo. Moreover, the new malware is aimed at committing ebanking fraud – just like Feodo. Hence I do believe that this new threat can be considered a direct successor of Feodo. Some security experts started to call this new threat Geodo. What is new with Geodo is the fact that it is not only using port 8080 TCP to communicate with the botnet C&C server but also port 7779 TCP.

As a response to this new development, I’ve extended Feodo Tracker’s capabilities so that it now keeps track of Geodo botnet C&C servers as well. Geodo botnet C&C servers detected by Feodo Tracker will be labelled as Version C:

[Screenshot: Feodo Tracker tracking Geodo (Version C)]

Recent Geodo malware distribution URLs (spammed out through compromised SMTP credentials, all hijacked websites):


Some recent Geodo malware samples (MD5 hashes):


Sample Geodo botnet C&C traffic (all HTTP POST to port 8080):


Introducing: Feodo Tracker

In the past week I’ve received multiple reports about widespread spam campaigns hitting German-speaking countries. The spam emails are multi-themed and pretend to come from either Volksbank, Deutsche Telekom, Vodafon D2 or NTT. There are already various blog posts about the latest spam campaign, for example on the G Data SecurityBlog (German) or the Cisco Blog (English). Deutsche Telekom has also published a blog post on its website warning customers about fake invoices (German) pretending to come from Deutsche Telekom. While the fake invoices sent out by the cybercriminals vary, they usually point to a malicious website that always serves the same malware to its visitors: Feodo.

Feodo (also known as Cridex and Bugat) is yet another ebanking Trojan used to commit ebanking fraud and steal sensitive information from the victim’s computer, such as credit card details or user credentials. The Trojan itself isn’t really new; in fact, it’s already been around for over two years now – it was first spotted in January 2012. Feodo is not only hitting Germany; it’s also hitting financial institutions in several other countries.

Feodo Modus Operandi
Currently, two versions of Feodo are known; let’s call them version A and version B. The spam and malware campaign we have seen recently hitting Germany can be attributed to version B. One of the biggest differences between the two versions is the way an infected computer (bot) communicates with its C&C servers. Version A communicates over HTTP to hijacked servers running an nginx daemon on port 8080 TCP (which in fact act only as proxy nodes, forwarding all botnet traffic to a tier 2 proxy server), while version B communicates with its botnet C&C infrastructure using HTTP on port 80 TCP. For version B, the botnet C&C infrastructure (domain names + hosting) is set up by the cybercriminals for the exclusive purpose of hosting a Feodo botnet C&C server.

Mitigating the Feodo threat

As mentioned earlier, Feodo isn’t a new threat, but it seems to be re-emerging these days. Hence, I’ve decided to put Feodo in the spotlight by launching yet another tracker. Introducing: Feodo Tracker. Similar to the existing trackers for ZeuS, SpyEye and Palevo, Feodo Tracker provides an overview of known Feodo botnet C&C servers and serves a blocklist in different formats, allowing system and network administrators to spot and stop Feodo C&C traffic in their network as well as identify infected computers in the local network (LAN). Currently, Feodo Tracker offers plain-text blocklists for both Feodo C&C IP addresses and Feodo C&C domains, as well as IDS/IPS rules for Snort and Suricata.
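As an added example (not code from the original posts or from Feodo Tracker itself), the following Python script shows how an administrator could use such a plain-text IP blocklist: it matches outbound firewall log lines against the list and labels each hit with the variant the destination port suggests, using the port mapping from the two posts on this page (8080 for version A and Geodo, 7779 for Geodo only, 80 for version B). The blocklist format, the log line syntax and all addresses are constructed assumptions, not the tracker's actual output.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the two posts associate with each Feodo/Geodo variant.
PORT_HINT = {8080: "Feodo version A or Geodo (version C)",
             7779: "Geodo (version C)", 80: "Feodo version B"}

# Constructed blocklist in the plain-text style of Feodo Tracker's IP list
# (one IPv4 per line, '#' comments; format assumed). RFC 5737 test addresses.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
192.0.2.10
198.51.100.77
203.0.113.5
"""

# Constructed firewall log lines (syntax assumed, not a real product).
SAMPLE_LOG = """\
2014-06-03T08:12:01 ALLOW TCP 10.0.0.21:49152 -> 192.0.2.10:8080
2014-06-03T08:12:09 ALLOW TCP 10.0.0.21:49153 -> 192.0.2.10:7779
2014-06-03T08:13:44 ALLOW TCP 10.0.0.35:51000 -> 198.51.100.77:80
2014-06-03T08:14:02 ALLOW TCP 10.0.0.40:51001 -> 192.0.2.200:443
2014-06-03T08:15:30 ALLOW TCP 10.0.0.40:51002 -> 203.0.113.5:443
"""

LOG_RE = re.compile(r"(\S+) \S+ TCP (\S+):\d+ -> (\S+):(\d+)$")

def load_blocklist(text):
    """Parse the list into ip_address objects, skipping comments."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ips.add(ipaddress.ip_address(line))
    return ips

def find_infected_hosts(log_text, blocklist):
    """Map each internal host to its connections to listed C&C addresses:
    [(timestamp, cc_ip, port, hint)]; unexpected ports are still reported."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if ipaddress.ip_address(dst) in blocklist:
            hint = PORT_HINT.get(port, "unknown port, verify manually")
            hits[src].append((ts, dst, port, hint))
    return dict(hits)
```

A connection to a listed address on a port the posts do not mention is reported rather than dropped, since the C&C address is the stronger indicator and the port only hints at the variant.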

Feodo Malware Distribution
Looking at the modus operandi of this Feodo gang (which is running version B) and how they operate to recruit new bots shows that they are using both compromised websites as well as domain names registered for the exclusive purpose of infecting new computers (spam landing pages). Sample URLs/Domains are:


Those URLs are embedded / advertised in the spam mails, which are being sent out by the criminals using stolen SMTP credentials. By taking advantage of stolen SMTP credentials the criminals bypass the usual DNSBL-driven spam filters. Most of the advertised .ru URLs (which are, as said, usually registered by the cybercriminals themselves for the exclusive purpose of hosting a Feodo malware distribution site) are registered through the Russian-based domain registrar REG.RU.

Feodo Botnet C&C Infrastructure
Looking at the Feodo botnet C&C infrastructure for this Feodo campaign (version B) shows that all botnet C&C domains are within the ccTLD .ru and, again, registered through the Russian-based domain registrar REG.RU:

[Screenshot: Feodo C&C domains]

It’s not the first time criminals are using REG.RU to register malicious domain names. In this case the criminals also decided to host their DNS at REG.RU’s DNS infrastructure. All Feodo botnet C&C domains I’ve seen so far are using REG.RU’s DNS infrastructure as delegated DNS servers:


Hence, you may want to block any DNS query going to REG.RU’s DNS infrastructure to prevent further abuse. But please keep in mind that there are also thousands of legitimate domain names using REG.RU’s DNS infrastructure, so blocking those DNS servers will cause collateral damage.

Conclusion
My goal is to give system and network administrators – as well as Internet Service Providers (ISPs) – a way to mitigate the recent Feodo attacks by blocking known bad Feodo C&C botnet traffic at their network edge (such as routers, firewalls, web proxies and DNS servers). I hope Feodo Tracker will help to support these efforts. If you have feedback on Feodo Tracker or any other project, please feel free to drop me a line using the contact form.

