
Spear-Phishing Deep Dive Primer: Who’s Behind the Attack

2011-11-09


As I write this, the Trojan that was sent to some of Solera Networks’ employees as part of a spear phishing attack continues to operate, trying to exfiltrate data from a locked-down testbed.

In the course of investigating the attack, I’ve assessed the social engineering aspect of the attack, and described the fundamental behavior of the initial infection and its subsequent payloads, though I have to admit I limited my description to only some of that behavior.

I’ve left out, until now, key pieces of the investigation: where the attack originates, where it is being controlled from, and where the malware sends its stolen information. In today’s post, I plan to examine where the data is going, and who the recipients might be.

If you’ll recall from the second post in this series, after the Invoice malware (the initial infection) installed itself, the installer downloaded a file from deleted-host.zapto.org, a domain which resolves to 108.59.252.112.

As it turns out, at the time of the attacks, both the zapto subdomain and yesasia-invoices.com domain pointed to the same server, as did another suspicious-looking domain, athleta-support.info.


That was an interesting choice of a domain name, and it reveals something about the spear phisher(s)’ tradecraft in social engineering: Athleta, a women’s fitness clothing brand owned by retailer The Gap, has its own online store. If you’re not a female, outdoor-fitness enthusiast, and haven’t heard of this brand (I didn’t until I did this research), a cursory Google search would validate the existence of a company by this name if you were to, for instance, receive an order confirmation email linking back to something called Athleta. Oh man, it is real, I’d better click the link. Oh no you don’t!

The athleta-support.info domain was registered on September 30th, 11 days prior to the second Yesasia campaign’s arrival in our inbox. By the time we discovered it, the domain was inactive; it has since been blackholed and no longer points to 108.59.252.112.

EDIT: A commenter sent me a link to a VirusBulletin news story from September about a spam campaign involving the brand name Athleta, which several companies say was aided, in part, by the compromise of some email service providers, or ESPs. Interestingly, the news items were from a week prior to the registration of this Athleta-Support domain, so it may have been a part of a campaign that was halted in its tracks prematurely. While I never saw the earlier campaign, it certainly shares a lot in common with this newer, Yesasia one.

All the domains hosted on that 108.59.252.112 IP address share a single reverse-lookup: htcnet.us. The domain is privately owned, according to the domain WHOIS data, by one Markus Vogt of Landau, Germany.

…That is, if you believe the WHOIS data. It’s all too common for malicious domains to be registered using bogus data, or real information strip-mined at random from the Internet. But there’s something different about Markus Vogt. At least it’s consistent. HTCNET’s WHOIS matches up with the WHOIS records of…

…another domain, vogt.la. Checking that, we can see it’s also registered to Markus Vogt, as is…

…the domain Blackfiber.net, which provides DNS services for itself, HTCNET, vogt.la, and yesasia-invoices.com.

Wow, he even has his own Autonomous System number, AS197160, assigned to his network.

Well, I tried to contact “Markus” at his domain registration email address, but I haven’t heard back. As you might imagine, I have a few questions for whoever owns this domain. If he or she gets back to me, I’ll post an update, but this is probably a dead end. Blackfiber? Most likely.

Meanwhile, Back at the Malware Ranch

It only took a few minutes of idling before the malware kicked into action. Among its first acts is a DNS lookup of more zapto.org subdomains. Zapto.org is part of a free dynamic DNS service operated by no-ip.com; you create your own subdomain, attach it to one of their domain names, and modify the DNS settings at will. Why the person behind the attack decided, out of the 21 domains available, to use Zapto.org (especially when he could have used servebeer.com) is just another of those mysteries which may forever elude our comprehension. What a lost opportunity that was!

In this case, the lookups used a sequential naming convention of one numeral followed by symantechantivirus.zapto.org. All of these domains resolve to one of two IP addresses: 69.65.19.116 and 69.65.19.117. These are “blackhole” IP addresses that no-ip.com uses to signify that the domains don’t redirect anywhere. They’re either switched off at the moment, or don’t exist.

However, on the afternoon of 10/13, it was a different story. We were just getting started playing around with a new Validedge device and I decided to feed it the malware sample, just to see what the report looked like. The resulting log and the packet capture file tell another interesting tale.

A DNS lookup for 1symantechantivirus.zapto.org, made inside the Validedge, resolved to somewhere other than No-IP’s blackhole address. The IP address of 110.116.105.118 falls within the network space assigned to AS9394, operated by CRNET, the China Railway Network, a large ISP.

But then:

Connection on port 1234! Data incoming. But where is 192.98.231.163? Finland. OK, this is officially weird.

symantechantivirus.zapto.org resolves to an IP address of 95.140.125.53 — an IP address that geolocates to Belgrade, Serbia. The malware seems to send periodic pings to port 1234 at whichever address happens to be live at any given moment. A few other oddball-looking Zapto.org domains — ronaldobrazil.zapto.org, ronaldomu.zapto.org and ya4c34.zapto.org — also point at 125.53, so it may be the botnet controller for a number of other ‘nets.

More food for thought: Why did the phisher create two domains referencing Ronaldo?

Payload Brings a Load of BSS

Some time later, the malware executable pulled down another payload named windefender.exe.jpg. This was, like the original invoice.exe and the newegg.exe payload, an executable that had originally been composed in Visual Basic. Also like the first two payloads, this application used what we’ve come to describe as Proper Name Salad values in the properties sheet. The program describes itself as Kepler Clemson ChippendaleParks ScotsmanMac Lexington. It also uses the internal name of hcri.exe.

But this one sends profiling information about the infected system to the domain play-support-email.com (173.231.2.194) as a long query string to that Web server. Included is a unique identifier for the infected system, the name of the currently logged-in user and the name of the PC, some sort of hardware ID, and the country locale of the infected system. And, oh look! A unique User-Agent string of Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) to identify you. Thanks, malware guy.

The appearance of this program coincides with nine new files appearing in the %temp% directory, all with .bss file extensions. The filenames seem to tell the story here as well, as these appear to be plugins designed to extract data from the caches of various applications. Opra for the Opera browser; iepw for Internet Explorer, and so on. These files also originated from play-support-email.com.

A command received from that server looks like this:

PWS<dm><dm>All<dm>All<br/>KLG<dm>admin<dm>All<dm>All<br/>

And look at what else it pulled down: A plain-text list of 71 Web sites targeted for credential theft by the malware, though they’re not all banks, as you’d expect.

Among the financial institutions targeted are the obvious Paypal, Bank of America, Chase, Fifth Third Bank, and Citibank, but also PNC Bank, Harris Bank, and TCF Bank. Also targeted are the passwords for online retailers, cloud storage providers, password managers, game sites (WoW? You betcha!), the Web sites of various US-based cellphone service providers, domain registrars, social networks, some blackhat SEO websites, some hacking forums, and even craigslist and DeviantArt.

These guys want all your passwords. HardCore.

When we passed the malware through our FireEye appliance, it said that the Trojan used the IP address of 46.183.217.234 for command-and-control. Eastern Europe is familiar territory for these guys.

A closer look at that IP address reveals that it is hosted in Latvia, on the dataclub.biz AS52048 network, and is used for hosting a domain named play-payment.com. Dataclub…that really rings a bell. Where have I heard that name before? Oh yeah, it’s those guys.

Oh ho, what have we here?

Exfiltrated data headed to play-payment.com? I could never have guessed that that would happen. That must be some Hard Core Software they’re using to steal my bogus Filezilla FTP credentials like that. In fact, look at the User-Agent string — HardCore Software For : Public — so it must be true. That won’t come in handy at all.

Nope, no way we could possibly use that to find traces of the infection.
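The User-Agent strings and domain naming pattern above are exactly the sort of artifacts a defender can pivot on. The following is an added example, not code from the original post or from Solera Networks: it scans constructed, tab-separated proxy records and space-separated DNS query records for the indicators the post names (the two User-Agent strings, the numbered symantechantivirus.zapto.org convention, the C2 and exfiltration domains, and No-IP’s blackhole answers). The log formats and sample lines are assumptions made up for the example.

```python
import re
from typing import Dict, List

# Indicators taken from the post: User-Agent strings and domains the malware used.
MALWARE_USER_AGENTS = {
    "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
    "HardCore Software For : Public",
}
KNOWN_C2_DOMAINS = {
    "deleted-host.zapto.org", "symantechantivirus.zapto.org",
    "play-support-email.com", "play-payment.com",
    "athleta-support.info", "yesasia-invoices.com",
}
# Sequential convention: digits followed by symantechantivirus.zapto.org.
SEQUENTIAL_C2 = re.compile(r"^\d+symantechantivirus\.zapto\.org$", re.IGNORECASE)
# No-IP "blackhole" answers: the name exists but currently points nowhere.
NOIP_BLACKHOLE = {"69.65.19.116", "69.65.19.117"}

def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag proxy records by User-Agent or destination host.
    Constructed format (tab-separated): timestamp, client, host, path, user_agent."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue  # skip malformed records rather than crash the scan
        ts, client, host, _path, ua = parts
        reasons = []
        if ua in MALWARE_USER_AGENTS:
            reasons.append("user-agent")
        if host.lower() in KNOWN_C2_DOMAINS:
            reasons.append("c2-domain")
        if reasons:
            hits.append({"time": ts, "client": client, "host": host,
                         "reason": "+".join(reasons)})
    return hits

def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag queries for known domains or the numbered zapto.org pattern, and
    note whether the answer was a live host or a No-IP blackhole address.
    Constructed format (space-separated): timestamp client qname answer."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in KNOWN_C2_DOMAINS or SEQUENTIAL_C2.match(qname):
            status = "blackholed" if answer in NOIP_BLACKHOLE else "live"
            hits.append({"time": ts, "client": client, "qname": qname,
                         "answer": answer, "status": status})
    return hits

# Constructed sample records (not real captures); IPs are those named in the post.
SAMPLE_PROXY = [
    "2011-10-13T14:02:11\t10.0.0.5\twww.example.com\t/\tMozilla/5.0 (Windows NT 6.1)",
    "2011-10-13T14:03:40\t10.0.0.5\tplay-support-email.com\t/?id=CONSTRUCTED\t"
    "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
    "2011-10-13T14:05:02\t10.0.0.5\tplay-payment.com\t/\tHardCore Software For : Public",
]
SAMPLE_DNS = [
    "2011-10-13T14:01:00 10.0.0.5 www.example.com. 93.184.216.34",
    "2011-10-13T14:01:30 10.0.0.5 1symantechantivirus.zapto.org. 110.116.105.118",
    "2011-10-13T14:01:31 10.0.0.5 2symantechantivirus.zapto.org. 69.65.19.116",
    "2011-10-13T14:02:00 10.0.0.5 symantechantivirus.zapto.org. 95.140.125.53",
]
```

Run over real proxy and resolver logs, the "blackholed" status separates hosts that merely queried a dormant name from those that reached a live controller.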

Clearly, the files involved in this infection campaign were dangerous if allowed to run at will on a victim’s computer, despite their relative lack of sophistication. In the end, the social engineering trick employed by this targeted spam message isn’t much different from the fake IRS emails or shipping confirmation messages that have been floating around for years.

What’s clear here is that it’s also incredibly easy to defeat, as Alan and Joe demonstrated, by simply not clicking the link in the message. It’s amazing the trouble you can avoid by treating any email, such as this one, with suspicion.

4 Comments
  1. 2011-11-09 8:38 am

    Hi Andrew,

    nice piece of research! Is it a coincidence that Athleta was also used in this attack http://www.virusbtn.com/news/2011/09_27a.xml (see links at the bottom of the post)? Or is it just because it is a popular brand?

  2. Andrew Brandt
     2011-11-10 12:10 pm

    Thanks! I can’t tell you for sure, but it looks awfully close to the current campaign, doesn’t it? I’m not a strong believer in coincidence.

    EDIT: I’ve added a note about the two blog posts which fed the story to this post. Looks like a continuation of the campaign from an earlier phase.

