A question that we regularly receive at PhishMe is “How do the higher skilled cyber criminals get into major networks?” – The answer is botnets, APTs and malicious emails in most cases.
The way Advanced Persistent Threat-style actors are described by the media often leaves the average reader believing that these intrusions are performed by Mission: Impossible’s Ethan Hunt! But the truth is that even the APT-level hackers often gain their initial foothold into your network through the most common and trustworthy means of infection — a malicious email.
But surely these are highly crafted, customized and targeted spear-phishing emails, right? Sometimes. But more often than not, the initial foothold into the network comes from common malware that is broadly distributed through spam.
Most of the major botnets in circulation today are known for a primary activity, such as the Financial Crimes aspects of Zeus, Cridex, and Dyre. Whether it is those Financial Crimes botnets, or ClickFraud botnets such as Bamitol, ZeroAccess, or MeVade or spamming botnets such as Cutwail and Kelihos, the criminals often include additional functionality to “remote control” the infected computers to allow them to drop ADDITIONAL malware on the same systems.
Security journalist (and now New York Times Best Seller) Brian Krebs has been making this point for quite some time. In his article The Scrap Value of a Hacked PC he points out that one use of a compromised PC is to use that PC to access Corporate E-mail accounts. Later in 2012, he also explored the variety of additional uses of a hacked PC in his article Exploring the Market for Stolen Passwords. More recently his article One-Stop Bot Chop-Shops pointed out some of the many additional ways that criminals monetize their bots, including selling the raw botnet logs – “huge text files that document notable daily activities of the botted systems.”
Fox-IT / Group-IB and Anunak
Netherlands-based Fox-IT and Moscow-based Group-IB have just released a report called “Anunak: APT Against Financial Institutions” (PDF) which they describe as a new group of cyber criminals who have stolen tens of millions of dollars, credit cards, and intellectual property. In the report, the team documents one of the main methods the criminals were able to penetrate more than fifty financial institutions, as well as oil and gas companies, and government agencies:
“To find such malicious programs the criminal group keeps in touch with several owners of large botnets that massively distributes their malware. The attackers buy from these botnet owners the information about IP addresses of computers where the botnet owners have installed malware and then check whether the IP address belongs to the financial and government institutions. If the malware is in the subnet of interest, the attackers pay the large botnet owner for installation of their target malware. Such partner relations were established with [several botnet owners] including Zeus.” (p. 5 of the Anunak report)
The report goes on to actually provide Python source code used by the Anunak actors to scan large collections of log data for networks that may be of high value.
Once the malware actors identify a desirable bot, they pay the large botnet owner to install software that provides remote control to the Anunak group instead, and then proceed with their attack. At this point, the criminal can fully control the machine that has been identified in a desirable target network, and will often read the victim’s emails in order to find people within the target organization who would be appropriate targets to try to gain higher levels of access to desirable systems. Because they now have access to previous communications, it becomes easier for them to provide a compelling social engineering email based on prior communications, and being sent FROM WITHIN THE TARGET NETWORK by a known associate of the email recipient! These are the highly-customized spear-phishing emails that give APT actors their reputation — but in this case, the FIRST STEP in the criminals’ version of the Cyber Kill Chain is to take advantage of a large botnet that has by coincidence, rather than by design, been installed on a machine of interest to the Anunak criminals.
One of the botnets known to be used by these criminals is Andromeda. In the example detailed on page 10 of the Anunak report, combined with indicators from the appendix of the report, we find that malware named “001.photo.exe” that used as its Command & Control domains the addresses ddnservice10.ru and ddnservice11.ru on IP address 126.96.36.199 are definitely associated with these actors.
PhishMe Intelligence subscribers can find samples of this threat by using the “URL search” and entering the partial string “ddnservice” which will show 18 major spam campaigns tied to those two domains via their Malware Watch List entries. Those domains were active from September 26, 2014 until November 6, 2014, at which time the criminals shifted their usage to dns22dns22.ru.
While the most common email subject used by this campaign was “my new photo ;)” email subjects related to “Order Details” and “New offer Job” and others were also commonly seen. The malware distribution network, commonly known as SmokeLoader, is used in many instances to install the Andromeda botnet, as in the Anunak example.
The current C&C address for this group, first seen on December 19, 2014, is “fudsufsd3.com” which is associated with IP addresses:
188.8.131.52 – hosted at JSC KazakhTelecom (ASN 9198)
184.108.40.206 – hosted at VDS INSIDE, Ltd. (ASN 61214)
220.127.116.11 – hosted at the famously malicious “IT House, Ltd” on ASN 57010.
According to Passive DNS, ddnservice10.ru was seen on near-neighbor IP addresses to two of these — 18.104.22.168 (ASN 57010) used on and after October 31, 2014 and 22.214.171.124 and 126.96.36.199 (ASN 9198) used on and after September 27, 2014 and October 23, 2014 respectively.