18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206,
220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
UPDATED == Please add: 184.108.40.206, 220.127.116.11, 18.104.22.168 to your blocking list!
A CryptoLocker walk-throughOn December 19th, Malcovery malware analysts found two spam campaigns that were actively distributing malware that lead to CryptoLocker. The first of these was the focus of that day’s T3 report, on AT&T-themed spam. The AT&T spam and the Visa spam from that day both dropped a small “downloader” piece of malware.
The AT&T email had an attached .zip file named VoiceMail.zip which was 8,810 bytes in size and had the MD5 be7d2f4179d6d57827a18a20996a5a42. When unpacked, the included .exe file, VoiceMail.exe, was 15,872 bytes in size and had the MD5 d1ca2dc1b6d1c8b32665fcfa36be810b. At the time of the report, the only VirusTotal detections for that piece of malware were 5 of 49, with most major AV companies failing to detect.
The downloaded Zeus sample, wav.exe had an MD5 of a4bdb44128ca8ee0159f1de3cf11bee0 and was also very poorly detected. The VirusTotal report at that time showed only 8 of 49 detections. Of the major US-based AV, McAfee and TrendMicro detected it, both confirming a Zeus variant.
Immediately after becoming infected with the GameOver version of Zeus, the machine downloaded cryptolocker malware from another site.
CryptoLockerThere are several interesting things we found as we examined this CryptoLocker sample. Perhaps the best way to explain them is to show some of these screenshots first.
#1. This was the first screen that we saw after infection, letting us know we needed to pay a $300 ransom if we anted to decrypt our files.
#2. Our Windows wallpaper was replaced with this image, so we couldn't miss the fact that we were infected.
#3. There was a pull-down menu that gave us two choices of how we wanted to pay. The first choice was to pay 0.6 BitCoins.
#4. This is the BitCoin Account we were supposed to send our money to. We would appreciate anyone else who is infected sending out a tweet with the hashtag "#CryptoBitCoin" letting us know which BitCoin purse you were supposed to send payment to.
#5. We're trying to learn more about the option to pay with a GreenDot MoneyPak. Although we tried to make a payment this way, two valid MoneyPak's that we tried to send were rejected.
CryptoLocker & IIDThe CryptoLocker malware has a Domain Generation Algorithm (DGA) that causes it to generate as many as a thousand domain names based on the date of the infection. As we ran the malware on several different occasions, we realized that of the thousands of tested domains, the domains that resolved tended to resolve to the same IP address, 22.214.171.124. In a DGA, bad guys attempt to protect their botnet by having many possible domain names generated using an algorithm that allows both the bots and the author to know what domains might be valid on a given date in the future. Each bot calculates the current domain possibilities, and begins "calling out" to each of those names. Most of them fail to resolve. But as long as even ONE domain resolves (meaning the criminals, or a sink-hole researcher, have registered the domain), the bot can make connection to generate a valid encryption key and continue the scam. Once the date has passed, the domains are no longer useful, except as evidence, but if the IP addresses are being re-used, this gives us a way of protecting systems.
Malcovery Security's daily "Today's Top Threat" reports share details about the top spam campaigns that are distributing malware. Recipients of the T3 reports would have been provided with all of the IP addresses, MD5s, and VirusTotal reports above as part of this report:
As happens in so many cases, the IP address warned about in this report provides lasting protection, as the same IP was used for CryptoLocker from that day forward. But were there other IP addresses involved as well?
Because Malcovery Security is a partner with Internet Identity, we ran the IP against their Passive DNS Database. IID's President Rod Rasmussen and Threat Intelligence VP Paul Ferguson gave us permission to share some of what we learned there.
CryptoLocker Domains found on 126.96.36.199
|Dec 13, 2013||mqagyenfbebsau.org|
|Dec 13, 2013||ahqnsclgckkpho.org|
|Dec 13, 2013||urkitujgkhsjl.org|
|Dec 14, 2013||kgvmmylyflrqml.org|
|Dec 16, 2013||shjeyrqelevega.org|
|Dec 16, 2013||ohmfbedvtftg.org|
|Dec 16, 2013||rldrrlcakwnumbe.org|
|Dec 16, 2013||hgfcqopaylrvyht.org|
|Dec 18, 2013||wxntojirxraawe.org|
|Dec 18, 2013||jlbrdhtbkmhkryk.org|
|Dec 18, 2013||rwmhbmtauqgyhcqhizinljirjr.org|
|Dec 18, 2013||pdfaayxydaqpyrouwrkydmneu.org|
|Dec 18, 2013||qplmkjrolbvc.org|
|Dec 18, 2013||mdaodtaifpkqkk.org|
|Dec 19, 2013||lnxbofsriihe.org|
|Dec 20, 2013||mpcljoupkkipyl.org|
|Dec 20, 2013||cuxsdtynsyml.org|
|Dec 20, 2013||oxgufearvtqkwh.org|
|Dec 20, 2013||jnptslhlsqise.org|
|Dec 23, 2013||pqulnjwedvbpm.org|
|Dec 23, 2013||vcbetblhrykeyxv.biz|
|Dec 24, 2013||huqenkdqtoatvnc.biz|
|Dec 24, 2013||omeidojwwtmalsy.biz|
|Dec 24, 2013||klufixwglgyb.biz|
|Dec 24, 2013||wwrahwrdcfhygp.org|
|Dec 24, 2013||wnjoalurtgqpd.biz|
|Dec 24, 2013||uwelewosqoirmt.org|
|Dec 26, 2013||yxmbwneyurhxfv.org|
|Dec 26, 2013||mgkppyunffvvd.org|
|Dec 27, 2013||teeusgcggvys.biz|
|Dec 27, 2013||ooqgdlwctrpt.org|
|Dec 27, 2013||www.eliferxmart.com|
|Dec 28, 2013||bsgxxguicafc.org|
|Dec 28, 2013||aemivjtujaddhab.org|
As we examine the NAMESERVER choices on the domains above, we can use the Passive DNS service to find other IP addresses that use some of the same Nameservers.
The fact that at various times this DNS server, known to be associated with CryptoLocker Domain Generation Algorithm-created Domain names, has been seen on these IP addresses makes these IP addresses of interest. But does it look like they are hosting CryptoLocker Domains as well as the DNS? We used the IID Passive DNS to find lists of domain names hosted on these various IP addresses, and then checked to see whether they were used for Technical Support *OR* for distribution of Binaries associated with the CryptoLocker malware. Let's look at what we found!
Our original IP address, 188.8.131.52, was very frequently associated with spam domains related to "Ruby Casino" a criminally operated online gaming service. The IID Passive DNS service showed us dozens of "Ruby" related domains on many of these other domains as well. For each of the other IP addresses, we'll ask
- was a CryptoLocker TechSupport website found on this IP?
- was evidence of CryptoLocker Malware found on this IP?
- was this IP used by Ruby Casino spam domains?
On 184.108.40.206 - aemivjtujaddhab.org - Positive for CryptoLocker TechSupport!
Confirmed (VT 40/48) CryptoLocker malware = mgkppyunffvvd.org file at /0388.exe!
Confirmed Ruby Casino domains!
On 220.127.116.11 - yxmbwneyurhxfv.org - Positive for CryptoLocker TechSupport!
Confirmed CryptoLocker malware = jingo-deny-hosting.com file at /0388.exe
Previously used for Fake AV - see 0x3a blog post on Fake AV
Many Ruby Casino domains, such as arubylifeclub.com, erubylifeclub.com, irubylifeclub.com.
On 18.104.22.168 - aemivjtujaddhab.org - Dec 28, 2013 - Positive for CryptoLocker!
Same binary (0388.exe) available here.
No Ruby Casino
On 22.214.171.124 - usyusdoctfpnee.org - most CryptoLocker prior to December 6th.
Hosted malware on "AdobeFlasherUp1.com" on October 31, 2013.
Many Ruby Casino domains, including zrubywinclub.com and orubywinclub.com.
On 126.96.36.199 (Ukraine) - wwfcogdgntlxw.biz - most CryptoLocker prior to December 3rd.
Confirmed to have hosted Cryptolocker binary on November 21, 2013.
Many Ruby Casino domains, including lrubystardream.com and orubywindream.com.
On 188.8.131.52 - teeusgcggvys.biz - confirmed CryptoLocker on December 29th.
0388.exe binary available at IP or domain level.
Many Ruby Casino domains, including yrubyeurodream.com and zrubyeurodream.com
(184.108.40.206), linked by IID Passive DNS based on common Ruby Casino domains on the previous IP address, was found to be actively hosting CryptoLocker Domains found here on October 30th confirmed to be CryptoLocker by our friends at Malware Must Die, including kwajtnjddqetolh.biz. The most recent Crypto look alike was from December 10th. ukyfkufdi7ytdfuit.ru.
220.127.116.11 - mdaodtaifpkqkk.org - confirmed CryptoLocker domain on December 27th
. This IP has not been seen prior to December 27th.
18.104.22.168 - not confirmed as CryptoLocker by passive DNS.
This IP *WAS* declared to be CryptoLocker in a new paper from Dell Secureworks' Keith Jarvis, more below.
22.214.171.124 - mdaodtaifpkqkk.org - confirmed CryptoLocker domain on December 29th
. Also hosted the AdobeFlasherUp1.com domain mentioned above.
Hosted several Ruby Casino domains, including rubypowerland.com and krubywindream.com
126.96.36.199 - dozens of CryptoLocker domains - confirmed TechSupport domains live on December 29th
0388.exe binary available on live domains, including ooqgdlwctrpt.org
Hosted several Ruby Casino domains, including rubystarsland.com, krubymasterclub.com and others.
Just on these IPs in the month of December, we find the following CryptoLocker domains:
1 Dec lbmuvpwgcmquc.org 1 Dec jknuotworuebip.org 3 Dec usyusdoctfpnee.org 3 Dec msncwipuqpxxoqa.org 5 Dec yebdbfsomgdbqu.biz 5 Dec pkakvsexbmxpwxw.org 5 Dec dhjicdgfykqoq.org 5 Dec wjbodchhlgidofm.org 5 Dec ghvoersorwsrgef.org 5 Dec rttvxygkmwlqmq.net 5 Dec wwfcogdgntlxw.biz 6 Dec bsngfunwcpkjt.org 6 Dec tmphandchtcnffy.org 7 Dec qnsoiclrikwj.org 7 Dec nfnfskbniyajd.org 7 Dec swmbolrxyflhwm.biz 7 Dec agwwcjhinwyl.org 7 Dec osmhvqijsiedt.org 7 Dec cmidahhutlcx.org 7 Dec emttankkwhqsoe.org 9 Dec ormyfnlykajkdr.org 9 Dec ypxnqheckgjkbu.org 10 Dec vsjotulrsjhyf.org 10 Dec kmjqcsfxnyeuo.org 10 Dec cpapfioutwypmh.org 10 Dec xivexnrjahpfk.org 10 Dec ukyfkufdi7ytdfuit.ru 10 Dec www.qnsoiclrikwj.org 10 Dec www.jxjyndpaoofctm.com 11 Dec slbugcihgrgny.org 11 Dec ykmccdhpgavm.org 11 Dec wpowcdntgoye.org 11 Dec gavhopncgfmdq.org 12 Dec rkmmrxbpafgnplt.org 12 Dec fpvpnoqmgntmc.org 13 Dec mqagyenfbebsau.org 13 Dec ahqnsclgckkpho.org 13 Dec urkitujgkhsjl.org 14 Dec kgvmmylyflrqml.org 16 Dec shjeyrqelevega.org 16 Dec ohmfbedvtftg.org 16 Dec rldrrlcakwnumbe.org 16 Dec hgfcqopaylrvyht.org 18 Dec wxntojirxraawe.org 18 Dec jlbrdhtbkmhkryk.org 18 Dec rwmhbmtauqgyhcqhizinljirjr.org 18 Dec pdfaayxydaqpyrouwrkydmneu.org 18 Dec qplmkjrolbvc.org 18 Dec mdaodtaifpkqkk.org 19 Dec lnxbofsriihe.org 20 Dec mpcljoupkkipyl.org 20 Dec cuxsdtynsyml.org 20 Dec oxgufearvtqkwh.org 20 Dec jnptslhlsqise.org 23 Dec pqulnjwedvbpm.org 23 Dec vcbetblhrykeyxv.biz 24 Dec omeidojwwtmalsy.biz 24 Dec huqenkdqtoatvnc.biz 24 Dec klufixwglgyb.biz 24 Dec wwrahwrdcfhygp.org 24 Dec wnjoalurtgqpd.biz 24 Dec uwelewosqoirmt.org 26 Dec yxmbwneyurhxfv.org 26 Dec mgkppyunffvvd.org 27 Dec teeusgcggvys.biz 27 Dec ooqgdlwctrpt.org 28 Dec fsihpjionkbb.net 28 Dec bsgxxguicafc.org 28 Dec aemivjtujaddhab.org 28 Dec iwgymewvnfpyveg.org 28 Dec dryadsncyghpyx.org
We actually found THREE of the IP addresses that we found via Passive DNS analysis listed on a blog site in an article called CIS Cyber Alert Releases Recommendations to Combat Cryptlocker Malware by Thu Pham. That same article refers to a list of CryptoLocker C&C's that CIS is recommending to block. I list those IP addresses here from their list found at: CIS CryptoLocker List. Only three of the IP addresses listed by CIS are on on our list of ten.
Keith Jarvis of Dell SecureWorks released an excellent paper on CryptoLocker Ransomware on December 18, 2013. I just found it tonight as I was Googling for additional evidence on some of the IP addresses above. I highly recommend this resource, available at Dell SecureWorks CryptoLocker Ransomware.
The same Dell Secureworks paper made me aware of the excellent thesis BitIodine: Extracting Intelligence from the Bitcoin Network by Michele Spagnuolo.