After my blog post about Trickbot using fake IPs in its config I got some hints about other samples that also use these fake IPs (thanks @sisoma2).
- 7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9 [VT]
- 5369104b8dca5c077c88af645cbb567e4406a6e1f6b4600faadc14e04211c334 [VT]
- 77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3 [Bazaar]
I looked into all of them and it turned out that every sample uses fake C2 IPs mixed together with real C2 IPs in its config (all IPs inside the <srva> tag are fake).
7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9
<mcconf>
<ver>2000017</ver>
<gtag>tot12</gtag>
<servs>
<srv>81.91.234.196:443</srv>
<srv>2.179.73.140:443</srv>
<srv>185.160.60.26:443</srv>
<srv>188.133.138.240:443</srv>
<srv>181.211.128.49:443</srv>
<srv>190.107.93.172:443</srv>
<srv>103.194.88.2:443</srv>
<srva>61.212.246.190:9072</srva>
<srva>223.249.170.141:21198</srva>
<srva>215.83.98.226:12302</srva>
<srva>36.54.154.199:44293</srva>
<srva>255.154.152.192:988</srva>
<srva>61.212.246.190:9072</srva>
<srva>223.249.170.141:21198</srva>
</servs>
<autorun>
<module name="pwgrab"/>
</autorun>
</mcconf>
5369104b8dca5c077c88af645cbb567e4406a6e1f6b4600faadc14e04211c334
<mcconf>
<ver>100003</ver>
<gtag>rob6</gtag>
<servs>
<srv>102.164.206.129:449</srv>
<srv>103.131.156.21:449</srv>
<srv>103.131.157.102:449</srv>
<srv>103.131.157.161:449</srv>
<srva>24.122.127.151:1190</srva>
<srva>201.210.174.234:32166</srva>
<srva>109.226.10.116:59814</srva>
<srva>177.75.214.131:40102</srva>
<srva>104.27.15.32:5542</srva>
</servs>
<autorun>
<module name="pwgrab"/>
</autorun>
</mcconf>
77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3
<mcconf>
<ver>100003</ver>
<gtag>tar3</gtag>
<servs>
<srv>102.164.206.129:449</srv>
<srv>103.131.156.21:449</srv>
<srv>103.131.157.102:449</srv>
<srv>103.131.157.161:449</srv>
<srva>24.122.127.151:1190</srva>
<srva>201.210.174.234:32166</srva>
<srva>109.226.10.116:59814</srva>
<srva>177.75.214.131:40102</srva>
<srva>104.27.15.32:5542</srva>
</servs>
<autorun>
<module name="pwgrab"/>
</autorun>
</mcconf>
Additionally, the algorithm for converting a fake IP into a real IP uses different parameters for each sample.
For 77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3 [Bazaar] I reimplemented the algorithm again, but I'm slowly getting the feeling that a more generic approach is needed: parse the conversion function and extract the parameters from it.
def convert_to_real_ip_update(ip_str):
    # accept the raw <srva> value ("a.b.c.d:port"); the port is discarded
    octets = ip_str.split(":")[0].split(".")
    o1 = int(octets[0])
    o2 = int(octets[1])
    o3 = int(octets[2])
    o4 = int(octets[3])
    # the mask pairs 0x9/0xf6 and 0x85/0x7a are the per-sample parameters
    new_o1 = (~o3 & 0xFF & 0x9 | o3 & 0xf6) ^ (~o1 & 0xFF & 0x9 | o1 & 0xf6)
    new_o2 = (~o4 & 0xff & 0x85 | o4 & 0x7a) ^ (~o3 & 0xff & 0x85 | o3 & 0x7a)
    new_o3 = o3 & ~o2 & 0xff | o2 & ~o3 & 0xff
    new_o4 = ~o2 & 0xff & new_o2 | o2 & ~new_o2 & 0xff
    # output order is new_o1.new_o4.new_o2.new_o3; the C2 port is hardcoded
    result = str(new_o1) + "."
    result += str(new_o4) + "."
    result += str(new_o2) + "."
    result += str(new_o3) + ":449"
    return result
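To make the "more generic approach" concrete, here is an added example (my code, not the post's) that lifts the sample-specific values of the decoder above into a parameter set and applies it to every <srva> entry of a parsed <mcconf> blob. The mask pairs, the output-octet order and the port are the values recovered for sample 77b7bbf7...; the name PARAMS_77B7 and the dictionary layout are my own choice, and the embedded config is the tar3 config quoted above.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the original post. The mask pairs, the
# output-octet order and the port are the values recovered for sample
# 77b7bbf7...; other samples are expected to need a different parameter set.
PARAMS_77B7 = {
    "m1": (0x9, 0xF6),      # (flip, keep) masks applied to o3 and o1 for octet 1
    "m2": (0x85, 0x7A),     # (flip, keep) masks applied to o4 and o3 for octet 2
    "order": (0, 3, 1, 2),  # emit new_o1, new_o4, new_o2, new_o3
    "port": 449,            # the decoder hard-codes the real C2 port
}


def _mix(x, flip, keep):
    """(~x & flip) | (x & keep), kept within 8 bits."""
    return ((~x & 0xFF) & flip) | (x & keep)


def convert_fake_ip(ip_str, params=PARAMS_77B7):
    """Turn one <srva> value ('a.b.c.d:port') into the real 'ip:port' string."""
    o1, o2, o3, o4 = (int(o) for o in ip_str.split(":")[0].split("."))
    flip1, keep1 = params["m1"]
    flip2, keep2 = params["m2"]
    n1 = _mix(o3, flip1, keep1) ^ _mix(o1, flip1, keep1)
    n2 = _mix(o4, flip2, keep2) ^ _mix(o3, flip2, keep2)
    n3 = (o3 & ~o2 & 0xFF) | (o2 & ~o3 & 0xFF)
    n4 = (~o2 & 0xFF & n2) | (o2 & ~n2 & 0xFF)
    new = (n1, n2, n3, n4)
    host = ".".join(str(new[i]) for i in params["order"])
    return f"{host}:{params['port']}"


def extract_c2(config_xml, params=PARAMS_77B7):
    """Parse an <mcconf> blob: keep <srv> as-is, decode every <srva>."""
    root = ET.fromstring(config_xml)
    srv = [e.text.strip() for e in root.iter("srv")]
    # <srva> lists can repeat entries (see the tot12 config above); dedupe, keep order
    srva = list(dict.fromkeys(e.text.strip() for e in root.iter("srva")))
    decoded = [convert_fake_ip(s, params) for s in srva]
    return {
        "ver": root.findtext("ver"),
        "gtag": root.findtext("gtag"),
        "srv": srv,
        "srva_decoded": decoded,
        "all_c2": srv + decoded,
    }


# Config of sample 77b7bbf7... as quoted in the post.
CONFIG_77B7 = """<mcconf>
<ver>100003</ver>
<gtag>tar3</gtag>
<servs>
<srv>102.164.206.129:449</srv>
<srv>103.131.156.21:449</srv>
<srv>103.131.157.102:449</srv>
<srv>103.131.157.161:449</srv>
<srva>24.122.127.151:1190</srva>
<srva>201.210.174.234:32166</srva>
<srva>109.226.10.116:59814</srva>
<srva>177.75.214.131:40102</srva>
<srva>104.27.15.32:5542</srva>
</servs>
<autorun>
<module name="pwgrab"/>
</autorun>
</mcconf>"""

if __name__ == "__main__":
    info = extract_c2(CONFIG_77B7)
    print(f"gtag={info['gtag']} ver={info['ver']}")
    for c2 in info["all_c2"]:
        print(c2)
```

Run against the tar3 config this yields exactly the nine 77b7bbf7... IOCs listed at the end of the post (four plain <srv> entries plus five decoded <srva> entries). One thing worth noticing while parameterising: for this sample the two masks of each pair are bitwise complements (0x9 | 0xf6 == 0xff, 0x85 | 0x7a == 0xff), so each `_mix(x, flip, keep)` term equals `x ^ flip`, the flips cancel in the XOR, and the decoder collapses to the octets (o1^o3, o2^o3^o4, o3^o4, o2^o3). Keeping the masks as parameters still makes sense, since the post expects other samples to ship different values that may not cancel.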
The next question is whether the parameters of the conversion algorithm change with each sample or are tied to the specific gtag (or to gtag and version).
So again I'm looking for samples using fake IPs, ideally for the group tags tar3, rob6, rob3 and tot12, to find out if the conversion algorithm looks the same or uses different params. If anyone knows some, I would appreciate a hint.
IOCs:
77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3
103.146.232.5:449
103.150.68.124:449
103.156.126.232:449
103.30.85.157:449
103.52.47.20:449
102.164.206.129:449
103.131.156.21:449
103.131.157.102:449
103.131.157.161:449
7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9
81.91.234.196:443
2.179.73.140:443
185.160.60.26:443
188.133.138.240:443
181.211.128.49:443
190.107.93.172:443
103.194.88.2:443
5369104b8dca5c077c88af645cbb567e4406a6e1f6b4600faadc14e04211c334
102.164.206.129:449
103.131.156.21:449
103.131.157.102:449
103.131.157.161:449
Article Link: https://github.com/lazydaemon/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html