Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
This post is also available in: 日本語 (Japanese)
Executive SummaryIn early August 2022, Cyble Research Labs (a cybercrime monitoring service) uncovered a new crypto miner/stealer for hire that the malware author named Typhon Stealer. Shortly thereafter, they released an updated version called Typhon Reborn. Both versions have the ability to steal crypto wallets, monitor keystrokes in sensitive applications and evade antivirus products.…
Published On : 2022-11-10
Prestige Ransomware Analysis Executive SummaryCYFIRMA Research team has seen an uptick in threat actor-orchestrated ransomware campaigns. We have reasons to believe that Prestige Ransomware has been used with notable features that differentiate it from other ransomware campaigns targeting transportation and other logistics industries in Ukraine and Poland.…
Raccoon is an information stealer malware — a virus that threat actors use to retrieve sensitive data from infected machines. Also known as Mohazo and Racealer, this is a modern malware that was first sighted in 2019.
Although some consider this a relatively basic malware, excellent service from creators, who distribute it as malware as a service and a user-friendly, simplistic dashboard, helped make Raccoon quite popular.…
Cyble Research and Intelligence Labs (CRIL) has continuously monitored malware campaigns that distribute different malware families, such as stealer, clipper, and ransomware.
Recently, CRIL observed a malware strain known as SmokeLoader, which carries popular malware family samples such as SystemBC and Raccoon Stealer 2.0, along with a new clipper malware dubbed Laplas Clipper that targets cryptocurrency users.…
Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware.…
In the previous publication ‘Tracking down LODEINFO 2022, part I‘, we mentioned that the initial infection methods vary in different attack scenarios and that the LODEINFO shellcode was regularly updated for use with each infection vector. In this article, we discuss improvements made to the LODEINFO backdoor shellcode in 2022.…
2022年4月13日,360Netlab首次向社区披露了Fodcha僵尸网络,在我们的文章发表之后,Fodcha遭受到相关部门的打击,其作者迅速做出回应,在样本中留下Netlab pls leave me alone I surrender字样向我们投降。本以为Fodcha会就此淡出江湖,没想到这次投降只是一个不讲武德的假动作,Fodcha的作者在诈降之后并没有停下更新的脚步,很快就推出了新版本。
在新版本中,Fodcha的作者重新设计了通信协议,并开始使用xxtea和chacha20算法对敏感资源和网络通信进行加密,以躲避文件&流量层面的检测;同时引入了OpenNIC 域名做为主选C2,ICANN 域名做为后备C2的双C2方案。这种冗余机制,既能防止C2被接管,又有良好的健壮性,能够维持其主控网络的稳定。
依托于背后团队强大的N-day漏洞整合能力,卷土重来的Focha与之前对比可谓有过之而无不及。在我们的数据视野中,从规模来看,Fodcha再次发展成日活Bot节点数超过60K,C2域名绑定40+IP,可以轻松打出超过1Tbps流量的大规模僵尸网络;就活跃程度而言,Fodcha日均攻击目标100+,累计攻击目标2万多,在10月11日到达了攻击的巅峰,单日“丧心病狂”的攻击了1396个目标。
在极短的时间内重回巅峰,Fodcha的作者似乎忘了闷声发大财的道理,竟然又开始主动”招惹”我们,在某次扫描的脚本中使用N3t1@bG@Y字样的leetspeak,翻译过来就是”NETLABGAY“,这么明目张胆的黑Netlab,让我们觉得它多多少少有些“皮痒”了。
鉴于Fodcha的规模&活跃程度带来的巨大危险性,以及非常嚣张的挑衅,我们决定撰写本文向社区分享我们的发现,一起打击Fodcha的嚣张气焰,共同维护网络安全。
依托于360Netlab强大的BotMon和DDoSMon系统,我们对Fodcha的样本演变和DDoS攻击指令一直保持着良好跟踪,下面是我们看到的样本演变以及一些重要的DDoS攻击事件。(注:Fodcha样本本身没有特定的标志表明其版本,这是我们内部为了跟踪方便而定的版本号)
2022年1月12日,首次捕获到Fodcha僵尸网络样本。
2022年4月13日,首次向外披露Fodcha僵尸网络,包含版本V1,V2。
2022年4月19日,捕获版本V2.x,使用OpenNIC’s TLDs风格的C2(全文简称OpenNIC C2)。
2022年4月24日,捕获版本V3,使用xxtea算法加密配置信息,新增ICANN’s TLDs风格的C2(全文简称ICANN C2),和OpenNIC C2构成冗余机制;新增反沙箱&反调试机制。
2022年6月5日,捕获版本V4,使用结构化的配置信息,去除反沙箱&反调试机制。
2022年6月7&8日,监控到Fodcha对某国的某地的健康码机构进行了DDoS攻击。
2022年7月7日,捕获版本V4.x,额外新增一组ICANN C2。
2022年9月X日,在协助某国的某执法机构固定某公司语音业务被DDoS攻击的证据链过程中,发现攻击背后有Fodcha的影子。
2022年9月21日,某知名云服务商就一起流量超过1Tbps的攻击事件向我们咨询,经过数据的交叉比对,确定攻击方为Fodcha。
国外合作伙伴的数据表明Fodcha 4月份时全球日活Bot的数量为6W(参考我们另一篇文章),关于Fodcha僵尸网络的目前规模,我们没有确切的数字,但通过对比Fodcha 4月和10月在C2 IP数量上的差异,我们从技术上出发,有个未经验证的猜测:目前Fodcha的日活Bot数量超过6W。
推测过程如下:僵尸网络的规模与C2 IP的数量存在一个正向关系,最朴素的观点是:“僵尸网络规模越大,所需要的C2基础设施也越多”。在4月份,Fodcha被处置之前,其作者为维持6W的规模,投入了10个C2 IP;随后Fodcha开始了自己的复活之旅,我们观察到一个现象,随着Fodcha的复苏,其C2域名对应的IP在持续增加。时至今日,Fodcha的作者投入了多少C2 IP呢?使用dig命令查询最新的C2域名yellowchinks.dyn的绑定IP,可以看到数量是44。
可以说我们见证了Fodcha的C2 IP一步步从几个增长到今天的40+,可能的解释是作者人傻钱多无脑上资源,但结合其迅猛的传播以及历史上曾看到的万级规模,他们增加C2 IP更可能的原因是因为其僵尸网络规模太大,需要投入更多的IP资源,以使Bot与C2之间在数量上有一个合理比例,达到负载均衡。
综上,我们从C2 IP数量上大幅度的增长,推测目前Fodcha的规模大于4月份,日活Bot数量超过6W。当然再合理的推测也还是假设,欢迎有视野的社区伙伴不吝指正。
回到C2 IP 44这个数字本身,纵然我们和僵尸网络battle多年见多识广,但这个数字依然让我们感到惊讶。世上没有无缘故的爱,光是这些IP资源,就得花费不少的,Fodcha的作者为什么愿意花这个钱呢?答案是DDoS攻击让他赚到了钱。我们节选了2022年6月29至今的数据,其攻击趋势和目标区域分布如下:
可以看出:
无愧于DDoS狂魔的称号,攻击几乎没有停歇,几乎打遍全球,日均攻击事件1K+。
中美两国颜色较深,说明两国累计被攻击目标及次数较多,综合考虑到两国在互联网上业务的比重原本就比较大,这里的“看起来多”是一种正常状况。
攻击指令在7天内的时间分布如下所示,可以看出Fodcha发起的DDoS攻击遍及7 * 24小时,没有明显的时区性,我们倾向Fodcha是一个商业驱动的僵尸网络。
我们将捕获的样本分成了4个大版本,其中在上一篇blog中已经分析过V1V2,此处就不再赘述了,本文选取最新的V4系列样本为主要分析对象,它们的基本信息如下所示:
MD5: ea7945724837f019507fd613ba3e1da9 ELF 32-bit LSB executable, ARM, version 1, dynamically linked (uses shared libs), stripped LIB: uclibc PACKER: None version: V4MD5: 899047ddf6f62f07150837aef0c1ebfb ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped Lib: uclibc Packer: None Version: V4.X…While monitoring the Dark web for emerging threats, our researcher at Cyble Research and Intelligence Labs (CRIL) found a post where Threat Actors (TAs) advertising a project named “Temp” and selling a loader and stealer. The TA named them Temp Loader and Temp Stealer, respectively.…
As reported by Check Point at the end of H1 2022, 1 out of 40 organizations worldwide were impacted by ransomware attacks, which constitutes a worrying 59% increase over the past year. The ransomware business continues to grow in gargantuan proportions due to the lucrative payments demanded – and often received – by cybercrime gangs.…
Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and its routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog, might be mimicking TeamTNT’s arsenal.…
Minutes make the difference to defenders in responding to a ransomware attack on a victim’s network. BianLian ransomware raises the cybercriminal bar by encrypting files with exceptional speed.
Threat actors built the new BianLian ransomware in the Go programming language (aka Golang). Despite the large size of files created in Go, threat actors are turning to this “exotic” programming language more often for a variety of reasons, particularly its robust support for concurrency.…
ThreatLabz recently discovered a sample of the multi-function malware LilithBot in our database. Further research revealed that this was associated with the Eternity group (a.k.a. EternityTeam; Eternity Project), a threat group linked to the Russian “Jester Group,” that has been active since at least January 2022.…
The prevalence of malware written in Go programming language has increased dramatically in recent years due to its flexibility, low antivirus detection rates and difficulty to reverse-engineer. Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently uncovered a multifunctional Go-based malware that was developed for both Windows and Linux, as well as a wide array of software architectures used in devices ranging from small office/home office (SOHO) routers to enterprise servers.…
DJVU ransomware arrives on the scene masquerading as legitimate services or applications, or bundled with decoy files, in order to appear benign. The malware group also partners with other threats, giving them the option to download and deploy information stealers to exfiltrate data, giving threat actors a second way to benefit at victims’ expense.…
The parasitic Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into their malicious decentralized application websites to steal cryptocurrency.
We discovered a threat actor we named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, interacting with victims to gain their trust and then manipulating them into providing the permissions needed to transfer cryptocurrency assets.…
Back in August, researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at cryptocurrency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange Crypto.com.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
Cyble Research and Intelligence Labs (CRIL) spotted a malicious domain being used in a spear-phishing email campaign targeting Office365 users to steal credentials. The same domain was observed hosting multiple other malware variants, for example, a new stealer called “Doenerium stealer.”…
A non-fungible token (NFT) is a record on a blockchain associated with a digital or physical asset—usually a digital file such as a photo, video, or audio. An NFT’s ownership is recorded in the blockchain, and it can be sold and traded. NFTs differ from cryptocurrencies, which are mostly fungible, in that NFTs are unique and non-substitutable.…