By: Ed Miles

There Goes The Neighborhood - Bad Actors On GMHOST Alexander Mulgin Serginovic


Introduction

Whether they encourage it or not, some network operators become known to and favored by criminals, such as those who operate exploit kit (EK) and malware infrastructure. After following up on the Sundown EK recently pointed out by @malwareforme on the Threatglass database, we found Neutrino (looking like Angler) and other bad behavior in the same network "neighborhood".

It's not clear what reputation this hoster has within the underground community, but the Sundown and Neutrino campaigns both appeared within the same address space registered under "Alexander Mulgin Serginovic" (AMS) with the first Neutrino hits coinciding with the last few hits of Sundown's December 2015 campaign. We have not identified any link between these campaigns apart from the hoster, but we wanted to provide a quick look at some of these activities and the specific indicators we have seen.
 

Sundown Behavior

Other analysts have observed the emergence of the Sundown EK (aka Beta Exploit Pack), with Kafeine in particular commenting that Sundown is a very simple EK compared to more mature kits like Angler. This continues to be the case; however, we have seen that the group operating Sundown has made adjustments, including some changes that happened in the midst of this campaign.
 

Injects

The Sundown campaign on ForoMTB used a small malicious inject within one of the included JavaScript libraries:
 

On CinemaHD, we saw a basic IFRAME inserted directly into the page:
 
 

Gates

 

During December we saw the gate "millychiccolo[.]space/jhgrjhk.php", and after the new year we have seen "pienadigrazia[.]space/counter.php", though we also saw direct traffic from the compromised sites.

Landing Pages

In the past 45 days we have seen Sundown operate with various domains hosting the landing pages, but only on two different IPs: 81.94.199.16 and 185.86.77.160. The path component of the landing page has gone through several iterations. The early hits in this campaign went to "millychiccolo[.]space/?9b5b49f7f8c07f43effe4aecc67bf254". Later, the landing page path was base64-encoded: "millychiccolo[.]space/?OWI1YjQ5ZjdmOGMwN2Y0M2VmZmU0YWVjYzY3YmYyNTQ=". This base64 string decodes to the same MD5-looking path used in the first instance. Sundown changed the underlying "MD5" for the new year, and we have seen landing pages at "arbitraryh[.]top/?NjExODEzY2MzNTkyZTkyYWYxZmNlYjExODQzMzAz" (the path decodes to 611813cc3592e92af1fceb11843303).
 
These are some of the domains we saw delivering Sundown landing pages, exploits, and malware payloads:
nomeatea.space
millychiccolo.space
pianolessons.co.vu
tequeryomuch.space
ilsignoreconte.space
arbitraryh.top
pienadigrazia.space
 
Despite the path changes, the behavior of the Sundown landing page is still quite simple: a "carpet bombing" where many or all possible exploits are tried, in some cases with multiple successes. An example of the exploitation flow:
ilsignoreconte[.]space/new/e/360a296ea1e0abb38f1080f5e802fb4b.html
ilsignoreconte[.]space/new/e/053d33558d578d2cafe77639209ab4d9.html
ilsignoreconte[.]space/new/e/49c58cc2b166b1a5b13eab5f472a4f7b.html
ilsignoreconte[.]space/new/e/49c58cc2b166b1a5b13eab5f472a4f7b.swf

Exploit Payloads

Sundown was seen sending the following exploit payloads:
poc2.flv - CVE-2015-3113
49c58cc2b166b1a5b13eab5f472a4f7b.swf - CVE-2015-5122
865hkjjhgfhjrgjkgyjtyg6lkjthyrkljtgh.html - CVE-2015-2419
8573855j6lhk4j54kl5jhk53j654364354.html - CVE-2013-2551
8500d58389eba3b3820a17641449b81d.html - CVE-2014-6332
360a296ea1e0abb38f1080f5e802fb4b.swf - CVE-2014-0515
053d33558d578d2cafe77639209ab4d9.swf - CVE-2015-3113 (via poc2.flv)

Malware Payloads

The delivery of the malware samples was another aspect of Sundown that we saw change. Through December 26, the malware payloads were downloaded from the URL "tequeryomuch[.]space/new/download.php?d=9b5b49f7f8c07f43effe4aecc67bf254". On the 27th we saw payloads coming from "tequeryomuch[.]space/?NGFlY2M2N2JmMjU0&d=9b5b49f7f8c07f43effe4aecc67bf254".
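
The landing page and payload URL changes described above both come down to an MD5-looking token in the query string, either raw or wrapped in base64. The following is an added example, not code from the original post: a proxy-log helper that normalizes both forms to the underlying token. The function names, the regex thresholds, and the benign test URL are assumptions of this example.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Heuristic thresholds are assumptions of this example, not values from the write-up.
HEX_TOKEN = re.compile(r"[0-9a-f]{12,32}")            # MD5-looking, possibly truncated
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # standard alphabet, optional padding


def refang(url):
    """Undo '[.]' defanging and add a scheme so urlsplit() sees host and query."""
    url = url.replace("[.]", ".")
    return url if "://" in url else "http://" + url


def hex_token(value):
    """Return the hex token a query field carries (raw or base64-wrapped), else None."""
    if HEX_TOKEN.fullmatch(value):
        return value
    if not B64_TOKEN.fullmatch(value):
        return None
    try:
        padded = value + "=" * (-len(value) % 4)
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if HEX_TOKEN.fullmatch(text) else None


def query_tokens(url):
    """List hex tokens found in a URL's query string, in order of appearance."""
    found = []
    for field in urlsplit(refang(url)).query.split("&"):
        # Try the whole field first (bare key, where '=' is base64 padding),
        # then the value after 'name='.
        for candidate in (field, field.partition("=")[2]):
            token = hex_token(candidate)
            if token:
                found.append(token)
                break
    return found


if __name__ == "__main__":
    # December 27 payload URL quoted in the write-up (defanged).
    url = "tequeryomuch[.]space/?NGFlY2M2N2JmMjU0&d=9b5b49f7f8c07f43effe4aecc67bf254"
    print(query_tokens(url))
```

Run against the December 27 payload URL, the helper shows that the bare base64 key decodes to 4aecc67bf254, which is the last 12 characters of the d= value. Long all-digit query values will also match the hex pattern, so treat a hit as a pivot for correlation with the listed domains and IPs rather than a verdict.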

Some of the samples we observed during this campaign:
Sample
4BAEEE098C34B463EB8AC709B9BD9967 (the sample seen on Threatglass)

Behavior
{"dropped_path":"C:\\Documents and Settings\\user\\Application Data\\ZlFZQkBA\\twunk_32.exe","dropped_md5":"4BAEEE098C34B463EB8AC709B9BD9967"}
{"dropped_path":"C:\\WINDOWS\\Tasks\\ZlFZQkBA.job","dropped_md5":"22D5FD2A8675CF3B673D84716384AE8A"}

{"url":"imagescdn[.]ru/redir.php","destIP":"5.206.60.129","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}
{"url":"imagescdn[.]ru/redir.php","destIP":"178.137.82.42","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}
{"url":"imagescdn[.]ru/redir.php","destIP":"213.231.31.192","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}
Sample
D754B473AF45B8D3565C1323D29EAD51

Behavior
{"dropped_path":"C:\\Documents and Settings\\user\\Application Data\\ZlFZQkBA\\taskman.exe","dropped_md5":"D754B473AF45B8D3565C1323D29EAD51"}
{"dropped_path":"C:\\WINDOWS\\Tasks\\ZlFZQkBA.job","dropped_md5":"07808D2E9A1D1607FCB81C1E0CA03358"}

{"url":"imagescdn[.]ru/redir.php","destIP":"109.251.77.14","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}
{"url":"imagescdn[.]ru/redir.php","destIP":"109.251.77.14","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}
{"url":"imagescdn[.]ru/redir.php","destIP":"213.111.238.98","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}
Sample
6580F61B8B1AABFE3CAD6983CA9B2505

Behavior
{"dropped_path":"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svchost.exe","dropped_md5":"FAA8EA9027ED6B6C875C247E59285270"}
{"dropped_path":"C:\\Documents and Settings\\user\\Application Data\\programutiliity\\filename.exe","dropped_md5":"A1429E43D7F19EB893FCC5D7BD2B21E9"}
{"dropped_path":"C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\filename.bat","dropped_md5":"7C444F8193480F6DC571BB6483E60A6A"}
 

Geographic Distribution

We've primarily seen this Sundown campaign affect users located in Spain, though this may have more to do with the fact that the primary infected site is a Spanish-language forum.

 
 
Control Panel Login

Though we did not make any efforts to break into the Control Panel, we found it interesting that the login portal was so readily available to anyone who bothered to poke around at all. It's definitely looking a little flashier since Kafeine's analysis.
 

 

 

Neutrino Behavior

Neutrino, like Sundown, operates in the shadow of Angler. In this case, the first signs of activity seen in the campaign actually look very much like Angler, so much so that Blue Coat's blog about the same activity was later updated to correct the identification. Regardless of whether the initial traffic is actually Angler or not, the campaign changed noticeably over the observed duration. The early stage of the campaign triggered Angler signatures from a variety of sources. As can be seen below, the code features the "malware.dontneedcoffee.com" test that has been common to Angler.
 
 
Later stages of the campaign showed more expected Neutrino behavior: where the first stage after the infected website was initially an Angler-alike landing page, the injected code instead directs users to an HTML page that loads a malicious Flash object. This can be clearly seen below in the side-by-side comparison.
 

Infected Sites and Landing Pages

Many of the sites serving this Neutrino campaign were registered under .CZ, the top-level domain (TLD) for the Czech Republic. Since the full list is too long to include here, we have created a Pastebin with the data.

We saw landing pages served up from these IPs:
185.86.77.52
89.38.146.229
37.157.195.55
45.32.238.202
185.12.178.219
89.38.144.75 
The list of landing page domains is again too long to reproduce here, so please see our Pastebin for the data.
 

Payloads

While we did not observe a malicious payload from the "Angler" behavior, we found the later stage of the campaign delivered a CryptoWall 4.0 payload. Shown below is the notice from the locker malware.
 

Geographic Distribution

The geographic distribution of clients affected by this campaign is somewhat more dispersed than the Sundown campaign, though the majority of users were located in the US.
 

Malware Command and Control

In addition to Sundown and Neutrino (with a case of multiple personality disorder), we also identified Necurs and Radamant callback activity on the AMS network. We include details of this activity below.

Necurs Activity

Necurs is a fairly well-known rootkit that is often distributed by EKs and spam e-mails. We did not identify the infection vector for this campaign, but we saw some post-infection activity to a Necurs C&C server hosted by AMS. The AMS C&C is only one of many C&Cs we saw, but in an interesting trend, we saw the Necurs callback activity drop off almost entirely going into 2016.
 
 
 
 
Please find the list of Necurs callback IPs on our Pastebin.

Radamant Activity

Radamant is yet another file locker that, according to BleepingComputer, just recently became available as of December 7, 2015. While we haven't seen very widespread distribution of Radamant yet, we have seen examples from as early as December 4 attempting communication with a server at our new favorite hoster, as seen below.
 
{"url":"checkip.dyndns.org/","destIP":"91.198.22.70","ua":"","method":"GET","destPort":"80"}
{"url":"185[.]86.79.100/API.php","destIP":"185.86.79.100","ua":"","method":"POST","destPort":"80"}
{"url":"185[.]86.79.100/API.php","destIP":"185.86.79.100","ua":"","method":"POST","destPort":"80"}
{"url":"185[.]86.79.100/API.php","destIP":"185.86.79.100","ua":"","method":"POST","destPort":"80"}
{"url":"185[.]86.79.100/mask.php","destIP":"185.86.79.100","ua":"","method":"POST","destPort":"80"}

Conclusion

AMS may host many legitimate customers, and while we didn't intend to call them out specifically, we wanted to share some of the malicious behavior we have seen involving this network (and others) in an effort to help other defenders. ThreatLabZ will continue to monitor these campaigns and ensure protection for organizations using the Zscaler Internet security platform.
 
 
