From time to time, malware infrastructure overlaps, with one attacker compromising another attacker’s infrastructure. Typically this is part of the “compromised infrastructure” pool, which fluctuates, and attackers have even been seen uninstalling one another’s malware. In this case, however, we strongly believe that the same actors are experimenting with Dridex, Pony, and Neutrino.

On October 13th, the FBI put out a press release announcing the takedown of Dridex. Smilex, one of the individuals behind the 220 Dridex botnet, was arrested at the end of August. While Dridex did not completely go away after the takedown, the actors have started researching other means and families of malware for infections.

In Threat ID 5156, we observed a phishing email with the content of “Find the attachment for the scanned Document”. This was an Excel spreadsheet containing a macro used to download one of three payloads listed in Figure 1.

Figure 1. URLs in the Word document

It’s also worth mentioning that over the last few days, the Dridex samples that we have seen either don’t work or are weaponized incorrectly.

Conrad over at Dynamoo observed the same files with the same URLs; however, he had a slightly different dropped file, a8a42968a9bb21bd030416c32cd34635. Based on the discussions of the dropped files, people are unsure what family of malware this belongs to.

Figure 2. Screenshot of comments about related file and URLs

We have determined that this specific file is actually a sample of the Neutrino Bot malware, specifically version 4.4. Neutrino has the capability to log keystrokes and clipboard contents, launch DDoS attacks, and search for files on the local system. As seen in Figure 3 below, the version number is encoded at the end of the POST request going back to the attacker’s C2 infrastructure. “Cmd=1” is the initial request.

Figure 3. POST requests back to attacker infrastructure

Since the attackers are returning a 404, that means the site is down, right? Not necessarily. The attackers are encoding commands as comments at the end of the 404 page, thereby returning instructions to the malware while the page looks dead to a casual visitor. It’s also worth noting that the cookie authentication used is an MD5 hash, seen in Figure 4 below, which resolves to the password “just for fun” (no quotes).

Figure 4. Observed comment at the end of Neutrino traffic

By reading between “DEBUG” and “ENDOF”, we’re given the string “MTQ0NDYzMzk0Mjg2MDA0NSNyYXRlIDE1Iw==”, which Base64 decodes to “1444633942860045#rate 15#”. Based on analysis of a previous sample, “1444633942860045” is queried in the registry key “HKCU\SOFTWARE\Y1FeZFVYXllb\1444633942860045”, where “Y1FeZFVYXllb” is the mutex used by both the older and newer samples. According to the XyliBox blog, “rate” is a hard-coded value in the Neutrino panel.
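To make the two observations above concrete, here is an added example (not code from the original post or from any Neutrino analysis tool) that pulls a hidden tasking string out of a 404 body of the kind described, decodes it into the bot ID and command list, and checks whether a captured auth cookie is simply the MD5 of a candidate password. The 404 body and the comment markup around the markers are constructed for the example; only the Base64 string and the password come from the post.

```python
import base64
import hashlib
import re

# Constructed sample 404 body: the tasking string sits in an HTML comment
# between the DEBUG and ENDOF markers, as the post describes.
SAMPLE_404_BODY = (
    "<html><head><title>404 Not Found</title></head>\n"
    "<body><h1>Not Found</h1></body></html>\n"
    "<!-- DEBUG MTQ0NDYzMzk0Mjg2MDA0NSNyYXRlIDE1Iw== ENDOF -->\n"
)

# Base64 payload bracketed by the two markers, with optional whitespace.
TASK_RE = re.compile(r"DEBUG\s*(?P<b64>[A-Za-z0-9+/=]+)\s*ENDOF")


def extract_tasking(body: str):
    """Return (bot_id, [commands]) hidden in a Neutrino-style 404 page, or None.

    The decoded form is "<bot id>#<command>#<command>#..."; the trailing '#'
    produces an empty tail that is dropped.
    """
    match = TASK_RE.search(body)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group("b64"), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # markers present but payload is not valid Base64/ASCII
    parts = decoded.split("#")
    bot_id, commands = parts[0], [p for p in parts[1:] if p]
    return bot_id, commands


def md5_hex(text: str) -> str:
    """Hex MD5 of a string, the form the panel's auth cookie takes."""
    return hashlib.md5(text.encode()).hexdigest()


def cookie_matches_password(cookie_value: str, candidate: str) -> bool:
    """True if a captured auth cookie is the unsalted MD5 of the candidate password."""
    return cookie_value.strip().lower() == md5_hex(candidate)


if __name__ == "__main__":
    print(extract_tasking(SAMPLE_404_BODY))  # ('1444633942860045', ['rate 15'])
    print(cookie_matches_password(md5_hex("just for fun"), "just for fun"))  # True
```

Running the same extractor over proxy-captured 404 responses is a cheap way to flag beacons that an HTTP status code alone would dismiss as dead.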

The malware also writes itself to “C:\Users\<user>\AppData\Roaming\Y1FeZFVYXllb” as a randomly named exe. Observed names include notepad.exe, winhlp32.exe, and others.

Through both open-source research and information provided by PhishMe Intelligence, we found that the targeting of this Neutrino sample has been very broad. One user in China even posted a report about the same hash (see Figures 5 and 6).

Figure 5. Chinese user seeing the malware as well

Figure 6. Technical indicators from bbs.kafan.cn

By looking at the attacker’s C2 infrastructure, we can see that the /few/ directory was created on October 7th, 2015.

Figure 7. Creation of /few/ directory is October 7, 2015

Likewise, we can observe that the /logo/ directory was created on October 6th, only one day prior. By browsing into this directory, we can see that config.php was made several hours later, as shown in Figure 8.

Figure 8. Screenshot of directory listing showing Last Modification Date of config.php

The creation date of config.php and the modification date of /few/ are very important, and show that our threat actors are experimenting with other families of malware. The press release for the takedown came out on October 13th, just one week after the Neutrino C2 was set up. With Smilex arrested on August 28th, the attackers would have known that something was in the works. While the botnet didn’t completely go down, it is nowhere near as strong as it once was.

By browsing to the admin.php page, we can see that the attackers have a Pony panel on this system too (Figure 9).

Figure 9. Pony panel

Given that the panel and the /few/ directory creation dates are only one day apart, we believe the same actor had access to the Pony panel as well as the configurations for Neutrino. The attacker also switched the malware from Neutrino to Dridex within a few hours of the campaign. We believe that the attackers are starting to experiment with other malware families, or are changing the targeting and distribution of malware based on geography.

In November, the attacker also installed another panel in the /7770/ directory, as seen in the screenshot in Figure 10.

Figure 10. Unknown panel directory

The developers even went so far as to secure their panel with a CAPTCHA box, as documented in Figure 11.

Figure 11. Panel with CAPTCHA

Looking in one of the sub-directories, we can see that the attackers may have been active in late December as well, as seen in Figure 12.

Figure 12. Attacker’s activity in December

Given the nature of the malware support infrastructure found on this system, it looks like our attackers have their hands in several malware families to see what works for them. Given the distribution of the malware as well as the observed relationships between Neutrino and Dridex, it’s safe to assume that these attackers are working together. With the close proximity to the Dridex takedown, we believe the attackers are scrambling to see what works. While Dridex isn’t completely down, it certainly isn’t as successful as it once was.

For malware, here are the hashes:
