Quantcast
Channel: Malware don't need Coffee
Viewing all 185 articles
Browse latest View live

Fox stealer: another Pony Fork

September 26, 2016, 4:12 am
$
0
0


Gift for SweetTail-Fox-mlp
 by Mad-N-Monstrous


Small data drop about another Pony fork : Fox stealer.
First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.

Advert :
2016-08-11 - Sold underground by a user going with nickname "Cronbot"

--------
Стилер паролей и нетолько - Fox v1.0

Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.

О продукте : 
1. Умеет все что умеет пони. + добавлен новый софт.
2. Актуален на 2016 год.
3. Написан на С++ без дополнительных библиотек.
4. Админка от пони.

Условия : 
1. Только аренда.
2. Распространяется в виде EXE и DLL.
3. Исходники продавать не будем.

Аренда 250$ в месяц.
Исходники 2000$ разово.

---- Google Translated : ----

Stiller and passwords netolko - Fox v1.0

We produce a product to sell. Already passed the final stage of testing of the product.

About the product:
1. Able to all that he can pony. + Added new software.
2. is actual for 2016.
3. Written in C ++ without any additional libraries.
4. Admin on ponies.

Conditions :
1. Only the rent.
2. Provided as EXE and DLL.
3. Sources will not sell.

Rent $ 250 per month.
Sources $ 2,000 one-time fee.

--------

It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .

MISP taxonomy tags reflecting ScriptJS activity in the last months
(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )

2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13
Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2

Fox stealer (PonyForx) fingerprint in Cuckoo

Sample :
Associated C2:
blognetoo[.]com/find.php/hello
blognetoo[.]com/find.php/data
blognetoo[.]com|104.36.83.52
blognetoo[.]com|45.59.114.126
Caught by ET rule :
2821590 || ETPRO TROJAN Win32.Pony Variant Checkin

[1] ScriptJS's Pony :
master.districtpomade[.]com|188.166.54.203 - 2015-08-15 Pony C2 from ScriptJS
​js.travelany[.]com[.]ve|185.80.53.18 - 2015-12-10 Pony C2 from ScriptJS

Read More : 
http://pastebin.com/raw/uKLhTbLs few bits about ScriptJS
Search

RIG evolves, Neutrino waves goodbye, Empire Pack appears

October 1, 2016, 8:57 pm
$
0
0

  Neutrino waves Goodbye


Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware.



Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016

RIG += internal TDS :

Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]
I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me)

Picture2: Blackhole - 2012 - Internal TDS illustration

but disappeared from the market with the end of Nuclear Pack

Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustration

and Angler EK

Picture 4 : Angler EK - Internal TDS illustration

This is a key feature for load seller. It is making their day to day work with traffic provider far easier .
It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.

Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country).

Picture 5: A Sutra TDS in action in 2012 - cf The path to infection

RIG += RC4 encryption, dll drop and CVE-2016-0189:

Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.
A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189

Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo

Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.

Neutrino waves goodbye ?

On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :
“we are closed. no new rents, no extends more”
This explains a lot. Here are some of my last Neutrino pass for past month.
Picture 8: Some Neutrino passes for past month and associated taxonomy tags in Misp

As you can see several actors were still using it…Now here is what i get for the past days :
Picture 9: Past days in DriveBy land
Not shown here, Magnitude is still around, mostly striking in Asia

Day after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground.


Picture 10: Last banner for Neutrino as of 2016-09-16

Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.
Side reminder : Neutrino disappeared from march 2014 till november 2014

A Neutrino Variant

Several weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino.

Picture 11: Neutrino-v pass on the 2016-09-21

Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits

Picture 12: Neutrino-v flash ran into Maciej‘s Neutrino decoder
Note the pnw26 with no associated binary data, the rubbish and additionalInfo

A Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523



Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api

functionk2(k) {
var y = a(e + "." + e + "Request.5.1");
     y.setProxy(n);
     y.open("GET", k(1), n);
     y.Option(n) = k(2);
     y.send();
if (200 == y.status) return Rf(y.responseText, k(n))
 };
Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)

I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it)

Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079x
The actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.

Empire Pack:

Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised.

Picture 15: King of Loads - Empire Pack Panel

Some might feel this interface quite familiar…A look a the favicon will give you a hint

Picture 16: RIG EK favicon on Empire Pack panel


Picture 17: RIG Panel

It seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.
[Speculation]
I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections.
[/Speculation]
RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIG
  • api.php : historical RIG
  • api3.php : RIG with internal TDS [ 2016-10-08 :  This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]
  • remote_api.php : RIG-v
But Empire Pack might be api3, remote_api, or a bit of both of them.

By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there.   :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing)

Conclusion

Let’s just conclude this post with statistics pages of two Neutrino threads

Picture 18: Neutrino stats - Aus focused thread - 2016-07-15

Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09


We will be known forever by the tracks we leave
Santee Sioux Tribe

Some IOCs

DateDomainIPComment
2016-10-01szsiul.bluekill[.]top137.74.55.6Neutrino-v
2016-10-01twqivrisa.pinkargue[.]top137.74.55.7Neutrino-v
2016-10-01u0e1.wzpub4q7q[.]top185.117.73.80RIG-E (Empire Pack)
2016-10-01adspixel[.]site45.63.100.224NeutrAds Redirector
2016-09-30re.flighteducationfinancecompany[.]com109.234.37.218RIG-v
2016-09-28add.alislameyah[.]org193.124.117.13RIG-v
2016-09-28lovesdeals[.]ml198.199.124.116RIG-v
2016-09-27dns.helicopterdog[.]com195.133.201.23RIG
2016-09-26sv.flickscoop[.]net195.133.201.41RIG
2016-09-26red.truewestcarpetcare[.]com195.133.201.11RIG-v
2016-09-26oitutn.yellowcarry[.]top78.46.167.130Neutrino

Acknowledgements

Thanks Malc0de, Joseph C Chen(Trendmicro), Will Metcalf( EmergingThreat/Proofpoint) for their inputs and help on multiple aspect of this post.

Edits

2016-10-03 :
Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.
Added explanation about the IP whitelisting on RIG API (it was not clear)
2016-10-08 :
Updated with gained information on Empire Pack
2016-11-01 :
RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4.
https://twitter.com/kafeine/status/790482708870864896

RIG panel
The only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern)
2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)

RIG-E Behavioral

Read More

RIG’s Facelift - 2016-09-30 - SpiderLabs
Is it the End of Angler ? - 2016-06-11
Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01
Hello Neutrino ! - 2013-06-07
The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05

CVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits

January 6, 2017, 5:15 am
$
0
0



CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed  in november 2016 (MS16-129) by Microsoft.

On 2017-01-04 @theori_io released a POC

providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.

After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.

The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.

Sundown:
2017-01-06

Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06
No exploitation here though
Fiddler: Sundown_Edge__CVE-2016-7201_170106.zip (password is malware)

Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)

Read More:
Three roads lead to Rome - Qihoo360 - 2016-11-29
Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04

Bye Empire, Hello Nebula Exploit Kit.

March 2, 2017, 1:17 pm
$
0
0
Nebula Logo




While Empire (RIG-E) disappeared at the end of December after 4 months of activity

Illustration of  the last month of witnessed Activity for Empire
on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.

------
Selling EK Nebula
------
Nebula Exploit kit

Features:
-Automatic domain scanning and generating (99% FUD)
-API rotator domains
-Exploit rate tested in different traffic go up 8/19%
-knock rate tested whit popular botnet go 30/70%
-Clean and modern user interface
-Custom domains & server ( add & point your own domains coming soon...)
-Unlimited flows & files
-Scan file & domains
-Multiple payload file types supported (exe , dll , js, vbs)
-Multi. geo flow (split loads by country & file)
-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting
-Public stats by file & flow
-latest CVE-2016 CVE-2017
-custom features just ask support

Subscriptions:
24h - 100$
7d - 600$
31d - 2000$

Jabber - nebula-support@xmpp.jp


Offering free tests to trusted users 
------

In same thread some screenshots were shared by a customer.







Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown.

"GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17
Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) 
This Sundown variation was not so much different from the mainstream one.
No "index.php?" in the landing URI, different domain pattern but same landing, exploits, etc... Payload sent in clear (no rc4 encoding).

Digging more it appeared it was featuring an Internal TDS (as Empire). 
The same exact call would give you a different payload in France or in United Kingdom/Japan.
"GamiNook" traffic with geo in France - 2017-02-17
Identicall payload call gives you Gootkit instead of Pitou
Payload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)
Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.


At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).

So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.

The following days i saw other actor sending traffic to this EK.
Taxonomy tied to Nebula Activity in MISP - 2017-03-02
Taxonomy tied to GamiNook traffic activity, EK and resulting payload


Today URI pattern changed from this morning :

/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM
/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB
/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM
/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN
/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA
/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf
/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf
/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM
/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM
/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN

(which is Sundown/Beps without the index.php) to

/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8
/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU
/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4
/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT
/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1
/2003/01/27/exchange-monday-wilderness
/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c
/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7
/2006/08/05/fur-copper-shark
/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7
/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h
/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi
/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1
/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14
/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18
/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361
/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20
/2012/04/22/present-measure-physical-examination



(for those who would like to build their regexp, more pattern available here :  https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )


2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02

This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.

Exploits (medium confidence - might be updated ):
CVE-2014-6332 + CVE-2015-0016
CVE-2016-0189 godmode
CVE-2014-8439
CVE-2015-7645
CVE-2016-4117

Files:  Nebula_2017-03-02 (2 fiddler - password is malware)

Acknowledgement :
Thanks Joseph C Chen (Trendmicro),  Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.


Some IOCs

DateSha256Comment
2017/02/17f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5Flash Exploit (probably CVE-2014-8439)
2017/02/27be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2eccFlash Exploit (probably CVE-2014-8439)
2017/02/1767d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6Flash Exploit (Probably CVE-2015-7645 Sample seen previously in Sundown)
2017/02/1704fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41cFlash Exploit (Probably CVE-2016-4117 Sample seen previously in Sundown)
2017/02/17b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315cPitou
2017/02/176fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8Gootkit
2017/02/221a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64bRamnit
2017/03/026764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4aDiamondFox


DateDomainIPComment
2017/02/17tci.nhnph.com188.209.49.135Nebula Payload Domain
2017/02/22gnd.lplwp.com188.209.49.135Nebula Payload Domain
2017/02/24qcl.ylk8.xyz188.209.49.23Nebula Payload Domain
2017/02/28hmn.losssubwayquilt.pw93.190.141.166Nebula Payload Domain
2017/03/02qgg.losssubwayquilt.pw93.190.141.166Nebula Payload Domain
2017/02/17agendawedge.shoemakerzippersuccess.stream188.209.49.135Nebula
2017/02/17clausmessage.nationweekretailer.club217.23.7.15Nebula
2017/02/17equipmentparticle.shockadvantagewilderness.club217.23.7.15Nebula
2017/02/17salaryfang.shockadvantagewilderness.club217.23.7.15Nebula
2017/02/22deficitshoulder.lossicedeficit.pw188.209.49.135Nebula
2017/02/22distributionjaw.hockeyopiniondust.club188.209.49.135Nebula
2017/02/22explanationlier.asiadeliveryarmenian.pro188.209.49.135Nebula
2017/02/23cowchange.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/23instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/23paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/23soldierprice.distributionstatementdiploma.site188.209.49.135Nebula
2017/02/23swissfacilities.gumimprovementitalian.stream188.209.49.135Nebula
2017/02/23transportdrill.facilitiesturkishdipstick.info188.209.49.135Nebula
2017/02/24authorisationmessage.casdfble.stream188.209.49.151Nebula
2017/02/24cowchange.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/24departmentant.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/24disadvantageproduction.brassreductionquill.site188.209.49.151Nebula
2017/02/24disadvantageproduction.casdfble.stream188.209.49.151Nebula
2017/02/24europin.pedestrianpathexplanation.info188.209.49.151Nebula
2017/02/24hygienicreduction.brassreductionquill.site188.209.49.151Nebula
2017/02/24hygienicreduction.casdfble.stream188.209.49.151Nebula
2017/02/24instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/24jobhate.pedestrianpathexplanation.info188.209.49.151Nebula
2017/02/24limitsphere.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/24paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/24penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula
2017/02/24phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula
2017/02/24printeroutput.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/24redrepairs.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/24soldierprice.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/24suggestionburn.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/25advertiselaura.bubblecomparisonwar.top188.209.49.49Nebula
2017/02/25apologycattle.gramsunshinesupply.club188.209.49.151Nebula
2017/02/25apologycattle.gramsunshinesupply.club188.209.49.49Nebula
2017/02/25apologycattle.gramsunshinesupply.club93.190.141.39Nebula
2017/02/25apologycold.shearssuccessberry.club188.209.49.151Nebula
2017/02/25authorizationmale.foundationspadeinventory.club188.209.49.151Nebula
2017/02/25birthdayexperience.foundationspadeinventory.club188.209.49.151Nebula
2017/02/25confirmationaustralian.retaileraugustplier.club188.209.49.151Nebula
2017/02/25dancerretailer.shearssuccessberry.club188.209.49.151Nebula
2017/02/25employergoods.deliverycutadvantage.info188.209.49.151Nebula
2017/02/25fallhippopotamus.deliverycutadvantage.info188.209.49.151Nebula
2017/02/25goallicense.shearssuccessberry.club188.209.49.151Nebula
2017/02/25goalpanda.retaileraugustplier.club188.209.49.151Nebula
2017/02/25holidayagenda.retaileraugustplier.club188.209.49.151Nebula
2017/02/25marketsunday.deliverycutadvantage.info188.209.49.151Nebula
2017/02/25penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula
2017/02/25phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula
2017/02/25purposeguarantee.shearssuccessberry.club188.209.49.151Nebula
2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.151Nebula
2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.49Nebula
2017/02/25rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula
2017/02/25rollinterest.asiadeliveryarmenian.pro188.209.49.151Nebula
2017/02/25startguarantee.gramsunshinesupply.club188.209.49.151Nebula
2017/02/25startguarantee.gramsunshinesupply.club188.209.49.49Nebula
2017/02/26advantagelamp.numberdeficitc-clamp.site93.190.141.39Nebula
2017/02/26apologycattle.gramsunshinesupply.club93.190.141.39Nebula
2017/02/26budgetdegree.maskobjectivebiplane.trade93.190.141.200Nebula
2017/02/26competitionseason.numberdeficitc-clamp.site93.190.141.39Nebula
2017/02/26customergazelle.cyclonesoybeanpossibility.bid93.190.141.39Nebula
2017/02/26decembercommission.divingfuelsalary.trade93.190.141.200Nebula
2017/02/26distributionfile.edgetaxprice.site93.190.141.45Nebula
2017/02/26equipmentwitness.maskobjectivebiplane.trade93.190.141.200Nebula
2017/02/26invoiceburst.cyclonesoybeanpossibility.bid93.190.141.39Nebula
2017/02/26invoicegosling.edgetaxprice.site93.190.141.45Nebula
2017/02/26jailreduction.edgetaxprice.site93.190.141.45Nebula
2017/02/26rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula
2017/02/26startguarantee.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula
2017/02/27approveriver.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/27burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/27distributionfile.edgetaxprice.site93.190.141.45Nebula
2017/02/27invoicegosling.edgetaxprice.site93.190.141.45Nebula
2017/02/27jailreduction.edgetaxprice.site93.190.141.45Nebula
2017/02/27lipprice.edgetaxprice.site93.190.141.45Nebula
2017/02/27marginswiss.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27outputfruit.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27reindeerprofit.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27reminderdonna.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27startguarantee.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27supplyheaven.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27transportbomb.gramsunshinesupply.club93.190.141.39Nebula
2017/02/28afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula
2017/02/28agesword.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/02/28authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula
2017/02/28bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/02/28bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/02/28burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/28certificationplanet.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28chooseravioli.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28coachadvantage.reportattackconifer.site93.190.141.39Nebula
2017/02/28databasesilver.reportattackconifer.site93.190.141.39Nebula
2017/02/28date-of-birthtrout.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28dependentswhorl.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/28derpenquiry.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28domainconsider.mxkznekruoays.trade93.190.141.200Nebula
2017/03/01agesword.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/01authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula
2017/03/01bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/01bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02actressheight.knowledgedrugsaturday.club93.190.141.45Nebula
2017/03/02agesword.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02applywholesaler.tboapfmsyu.stream93.190.141.200Nebula
2017/03/02approvepeak.knowledgedrugsaturday.club93.190.141.45Nebula
2017/03/02bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02borrowfield.77e1084e.pro93.190.141.45Nebula
2017/03/02boydescription.356020817786fb76e9361441800132c9.win93.190.141.39Nebula
2017/03/02buglecommand.textfatherfont.info93.190.141.39Nebula
2017/03/02buysummer.77e1084e.pro93.190.141.45Nebula
2017/03/02captaincertification.77e1084e.pro93.190.141.45Nebula
2017/03/02chargerule.textfatherfont.info93.190.141.39Nebula
2017/03/02cityacoustic.textfatherfont.info93.190.141.39Nebula
2017/03/02clickbarber.356020817786fb76e9361441800132c9.win93.190.141.39Nebula

CoalaBot : http Ddos Bot

October 16, 2017, 2:01 am
$
0
0


CoalaBot appears to be build on August Stealer code (Panel and Traffic are really alike)

I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising.

2017-09-11: a witnessed infection chain to CoalaBot


A look inside :
CoalaBot: Login Screen
(August Stealer alike) 




CoalaBot: Statistics


CoalaBot: Bots


CoalaBot: Tasks
CoalaBot: Tasks


CoalaBot: New Taks (list)



CoalaBot: https get task details

CoalaBot: http post task details



CoalaBot: Settings
Here is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.
(Thanks to Andrew Komarov and others who provided help here).
------------------------------------------
Coala Http Ddos Bot

The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.

Attack types:
• ICMP (PING) FLOOD
• UDP FLOOD
• TCP FLOOD
• HTTP ARME
• HTTP GET *
• HTTP POST *
• HTTP SLOWLORIS *
• HTTP PULSE WAVE *

* - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.


Binary:
• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)
• ~100kb after obfuscation
• Auto Backup (optional)
• Low CPU load for efficient use
• Encryption of incoming/outgoing traffic
• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)
• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.
• Ability to link a build to more than one gate.

Panel:
• Detailed statistics on time online/architecture/etc.
• List of bots, detailed information
• Number count of requests per second (total/for each bot)
• Creation of groups for attacks
• Auto sorting of bots by groups
• Creation of tasks, the ability to choose by group/country
• Setting an optional time for bots success rate

Other:

• Providing macros for randomization of sent data
• Support of .onion gate
• Ability to install an additional layer (BOT => LAYER => MAIN GATE)


Requirements:

• PHP 5.6 or higher
• MySQL
• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensions

Screenshots:

• Created tasks - http://i.imgur.com/RltiDhl.png


Price:

• $300 - build and panel. Up to 3 gates for one build.
• $20 - rebuild
The price can vary depending on updates.
Escrow service is welcome.

Help with installation is no charge.
------------------------------------------

Sample:

VT link
MD5f3862c311c67cb027a06d4272b680a3b
SHA10ff1584eec4fc5c72439d94e8cee922703c44049
SHA256fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f

Emerging Threats rules :
2024531|| ET TROJAN MSIL/CoalaBot CnC Activity

Read More:
August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Viewing all 185 articles
Browse latest View live
Search