16. How to Drain Your Dragons
Here are a few highlights from each article we discussed:
- A big part of what the botnet seems to be doing is just building itself up. That is, it takes the RDP servers it finds, and when it can brute-force its way into one, it sets that host up to go recruit more open RDP servers and hand that information up to a C2 server.
- Basically, in classic botnet fashion, the infrastructure is primarily composed of innocent machines that have been compromised. Granted, I’m gonna put “innocent” in quotes here, because you could say that having RDP openly exposed to the Internet is really a bad enough idea that you’re not entirely innocent if you do it.
- However, if you’re using strong username/password combos, then you’re probably not at super high risk from this botnet.
- This is a fairly automated campaign that doesn’t use phishing or any other human-mediated attack technique. Unless/until it is taken down, it’ll just keep running on its own.
- I looked into the C2 infrastructure a bit. There are two ranges that are called out in the analysis by Morphus; one of them is an individual address on a US provider; the other one is a large range (12 Class C’s) in Taiwan. For the size of that address space, there actually aren’t a ton of domains that we found there—only a few hundred at the most. But I didn’t look into the particular domains. This malware seems to actually hard-code IP addresses for C2, rather than domain names, but I’m guessing that there’s a process by which each instance of the malcode probably gets a different IP (otherwise, it’s really easy to kill the malware).
- Morphus did a test where they ran the code for 6 hours and got about 2.1 million IP addresses, of which about 1.5 million were unique. So there’s a lot of compromised RDP out there. DON’T DO IT! DON’T PUT YOUR RDP ON THE INTERNET, PEOPLE!!
- HAWKBALL is a backdoor that attackers can use to siphon information and deliver additional malware.
- It is capable of surveying the host, executing native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.
- The decoy file FireEye references is called doc.rtf and is written in Cyrillic script. It contains an OLE object that abuses Microsoft Equation Editor to drop the embedded shellcode, which is then decrypted in memory.
- The title translates to “Collection of the Guiding Composition of Anti-Terrorist Security Units and Special Services of the CIS States Parties”.
- The Commonwealth of Independent States (CIS) includes Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan.
- The decoy document is delivered by phishing email. Once the payload is decrypted, it writes the collected information to a log file under the user’s AppData temp directory (pretty traditional) and sends it to a single, hard-coded C2 IP address.
- Overall, this doesn’t actually seem to be a super sophisticated attack. It has a single, hard-coded C2 server for receiving the log file. The IP belongs to Choopa, a dedicated hosting provider, so the address itself yields little intel.
- Komodo, a cryptocurrency project and creator of the Agama wallet, went above and beyond to protect its customers.
- In summary, the company hacked its own customers: without their authorization, it moved their funds to a new address that Komodo controls.
- Long story short, Komodo was in a race against attackers who had planted a backdoor in a dependency of the Agama wallet, and it used that same backdoor to sweep its customers’ funds to safety before the attackers could.
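The RDP botnet discussed above works by brute-forcing exposed RDP servers, and the defensive advice is simply not to expose them. For anyone who has to keep RDP reachable, the next best thing is to notice the brute force as it happens. The following is an added example, not code from the page, from Morphus, or from DomainTools: it runs a sliding-window failed-logon count over Windows Security Event ID 4625 records (the shape you would get from a Get-WinEvent export or a SIEM) and flags any source IP exceeding a threshold. The sample events, the IP addresses, and the usernames are constructed. Note that with Network Level Authentication enabled, a failed RDP password attempt is logged with LogonType 3 (Network) rather than 10 (RemoteInteractive), so both are counted.

```python
"""Flag RDP brute-force sources in Windows Security log data.

Added example, not code from the page, Morphus, or DomainTools. Input is a
list of dicts in the shape of exported Event ID 4625 (failed logon) records.
LogonType 10 is RemoteInteractive (classic RDP); with Network Level
Authentication enabled a failed RDP password attempt is logged as
LogonType 3 (Network) instead, so both are counted. Sample events are
constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}


def _build_sample_events():
    """Constructed sample: one TEST-NET source spraying five common usernames,
    plus a real user who mistypes a password twice and then logs in."""
    t0 = datetime(2019, 6, 12, 9, 0, 0)
    spray_users = ["administrator", "admin", "user", "test", "guest"]
    events = []
    for i in range(25):   # 25 failures in 75 seconds from one address
        events.append({
            "TimeCreated": (t0 + timedelta(seconds=3 * i)).isoformat(),
            "EventID": 4625, "LogonType": 3,
            "TargetUserName": spray_users[i % len(spray_users)],
            "IpAddress": "203.0.113.7",
        })
    for i, event_id in enumerate((4625, 4625, 4624)):
        events.append({
            "TimeCreated": (t0 + timedelta(minutes=1, seconds=20 * i)).isoformat(),
            "EventID": event_id, "LogonType": 10,
            "TargetUserName": "jsmith", "IpAddress": "198.51.100.5",
        })
    return events


SAMPLE_EVENTS = _build_sample_events()


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every source with at least
    `threshold` failed RDP logons inside any span of length `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] in RDP_LOGON_TYPES:
            failures[e["IpAddress"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        best = None          # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1   # slide the window forward until it fits
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        users = {user for _, user in fails[start:end + 1]}
        alerts[ip] = {
            "failures": count,
            "distinct_users": len(users),
            "first_seen": fails[start][0].isoformat(),
            "last_seen": fails[end][0].isoformat(),
            # many accounts from one source is a spray; one account hammered is a brute force
            "pattern": "password spray" if len(users) > 1 else "single-account brute force",
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

On the constructed data only 203.0.113.7 is reported (25 failures against 5 accounts, classified as a spray); the two mistakes from 198.51.100.5 stay under the threshold. Tune `threshold` and `window` to the host's normal failure rate, and remember that a botnet of the size described above spreads its attempts across many source addresses, so per-source counting is a floor, not a complete detection.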
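The HAWKBALL decoy described above is an RTF carrying an OLE object that targets Microsoft Equation Editor. A quick way to triage a suspicious RTF without opening it is to decode its embedded objects and look at what class they declare. The following is an added example, not code from the page or from FireEye: it decodes every `\objdata` destination, parses the OLE1 ObjectHeader that Word writes in front of an embedded object, and flags objects whose class name is Equation.* or whose bytes contain the Equation Editor 3.0 CLSID ({0002CE02-0000-0000-C000-000000000046}). The sample RTF is constructed, and its "native" payload is filler rather than shellcode. Real samples obfuscate the RTF (split or nested control words, junk between hex digits), which this small parser does not attempt to handle; oletools' rtfobj does.

```python
"""Triage an RTF file for embedded OLE objects aimed at Microsoft Equation Editor.

Added example, not code from the page or from FireEye. The sample RTF is
constructed; its native payload is filler, not shellcode.
"""
import binascii
import re
import struct

# CLSID {0002CE02-0000-0000-C000-000000000046} (Equation Editor 3.0) in the
# little-endian byte layout used inside OLE compound files.
EQNEDT_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

# Hex data following \objdata, up to the next control word or brace.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf):
    """Yield the decoded bytes of every \\objdata destination in the RTF."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]          # tolerate a dangling nibble
        yield binascii.unhexlify(hexdata)


def parse_ole1_header(blob):
    """Return (class_name, native_data) from an OLE1 ObjectHeader:
    OLEVersion, FormatID, then length-prefixed ClassName, TopicName and
    ItemName, then NativeDataSize and the native data itself."""
    try:
        off = 8                                       # skip OLEVersion, FormatID
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        class_name = blob[off:off + n].rstrip(b"\0")
        off += n
        for _ in range(2):                            # TopicName, ItemName
            (n,) = struct.unpack_from("<I", blob, off)
            off += 4 + n
        (size,) = struct.unpack_from("<I", blob, off)
        off += 4
        return class_name, blob[off:off + size]
    except struct.error:
        return None, blob                             # not a well-formed OLE1 header


def triage_rtf(rtf):
    """Return one finding per embedded object, marking Equation Editor targets."""
    findings = []
    for index, blob in enumerate(extract_objdata(rtf)):
        class_name, native = parse_ole1_header(blob)
        reasons = []
        if class_name and class_name.lower().startswith(b"equation"):
            reasons.append("OLE1 class name " + class_name.decode(errors="replace"))
        if EQNEDT_CLSID in blob:
            reasons.append("Equation Editor 3.0 CLSID in object data")
        findings.append({
            "index": index,
            "class_name": class_name,
            "native_size": len(native),
            "equation_editor": bool(reasons),
            "reasons": reasons,
        })
    return findings


def _ole1_object(class_name, native):
    """Build an OLE1 embedded-object blob for the constructed sample."""
    name = class_name + b"\0"
    hdr = struct.pack("<II", 0x00000501, 2)          # OLEVersion, FormatID=embedded
    hdr += struct.pack("<I", len(name)) + name
    hdr += struct.pack("<II", 0, 0)                  # empty TopicName, ItemName
    hdr += struct.pack("<I", len(native))
    return hdr + native


def _rtf_object(blob):
    """Wrap a blob in an \\object ... \\objdata group, hex split over lines as Word does."""
    hexdata = binascii.hexlify(blob)
    lines = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return b"{\\object\\objemb{\\*\\objdata\n" + lines + b"}}"


# Constructed sample: one Equation.3 object (filler payload) and one
# benign embedded Word document, so the triage shows a hit and a non-hit.
SAMPLE_RTF = (b"{\\rtf1\\ansi "
              + _rtf_object(_ole1_object(b"Equation.3", b"\x03\x01\x01\x03\x0a" + b"A" * 64))
              + _rtf_object(_ole1_object(b"Word.Document.8", b"\xd0\xcf\x11\xe0" + b"\0" * 16))
              + b"\\par Constructed decoy text}")

if __name__ == "__main__":
    for finding in triage_rtf(SAMPLE_RTF):
        print(finding)
```

Any object that resolves to Equation.* in a document that arrived by email deserves a sandbox, not a double-click: Equation Editor is a legacy component that Microsoft has removed, and legitimate documents rarely embed it. The CLSID check catches objects that hide the class name, as when the object is an OLE2 compound file rather than an OLE1 header.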
This Week’s Hoodie Scale
XYZ Your RDP
[Tim]: 1/10 Hoodies
[Emily]: 2/10 Hoodies
Shut the Backdoor!
[Tim]: 1/10 Hoodies
[Emily]: 3/10 Hoodies
Opening the Komodo on Cryptocurrency
[Tim]: 7/10 Hoodies
[Emily]: 5/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast are always included in our blog. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!