Sandiflux Report - June 2019

This report covers the cybercrime activities conducted by threat actors through the SandiFlux fast-flux botnet in the middle of 2019. We have tracked different malware campaigns, including (i) attacks conducted by the APT group known as TA505, which spread FlawedAmmyy RAT, the Amadey bot and an Email Stealer, (ii) ransomware campaigns such as GandCrab and Sodinokibi, (iii) the campaigns of the malware known as Phorphiex Worm/Trik and Ursnif, and (iv) other kinds of cybercrime activity such as the hosting of phishing campaigns and carding-site domains.



Advanced Detection Environment Lab

Salvatore Saeli, Cyber Security R&D Engineer
Pierangelo Lombardo, Data Scientist
Federica Bisio, Data Scientist
Danilo Massa, Head of Cyber Security Unit

SandiFlux Botnet Report, June 2019
aizoOn Group - aramis

SandiFlux Botnet Report

Contents

1. Introduction (p. 2)
2. SandiFlux 2019 (p. 3)
2.1 Shared IPs (p. 3)
2.2 Geolocation (p. 4)
3. Phishing Campaigns (p. 5)
4. Dumps Stores (p. 6)
5. Hacking Group TA505 (p. 7)
5.1 FlawedAmmyy RAT (p. 7)
5.2 Email Stealer (p. 8)
5.3 Amadey (p. 9)
6. Phorphiex/Trik botnet (p. 10)
7. Ursnif (p. 10)
8. Ransomware Campaigns (p. 11)
8.1 GandCrab (p. 11)
8.2 Sodinokibi (p. 12)
9. List of tracked domains (p. 13)
9.1 Dumps Store (p. 13)
9.2 Phishing (p. 13)
9.3 Malware (p. 14)
9.4 Unclassified (p. 15)
Appendix A (p. 16)
References (p. 18)
1. Introduction

In this document, we report the latest updates regarding a Fast Flux botnet, or Fast Flux Service Network, called SandiFlux, described for the first time in 2018 in "Sandiflux: Another Fast Flux infrastructure used in malware distribution emerges" [1], published on the Proofpoint website. Subsequently, the same phenomenon was observed in our study of fast flux botnets [2], when we obtained evidence of an IP migration from the well-known DarkCloud to the newborn SandiFlux.

The main contribution of this document is the analysis of the malicious activities that we have observed, complementary to other analyses already published (see the references at the end of the document), with a focus on the use of fast-flux botnets by cybercriminals. Furthermore, in order to give security analysts some evidence to work from, for each malware campaign that we describe we provide one or more references to samples analyzed in public sandboxes.

In the following section, we give an overview of SandiFlux, describing its main features. The subsequent sections are devoted to the description of all the activities that leverage this botnet, with a focus on the dynamic behavior observed within the chain of infection. Finally, we give a list of IoCs, namely the complete list of domains tracked and a sample of the IPs that we have retrieved.
2. SandiFlux 2019

We examined the IPs associated with a list of fast flux domains, gathered via a scouting activity from public repositories such as VirusTotal, Any.Run and HybridAnalysis. The IPs were collected via active DNS analysis in the period from the 18th May 2019 to the 18th June 2019. The main reference for the present report is the article [2]. The collected IPs show a behavior similar to the one associated with the SandiFlux botnet in 2018, both in terms of geolocation and in terms of shared IPs.

2.1 Shared IPs

In the following image, we represent the overlap $O_{ij}$ among all the pairs $(i, j)$ of the domains for which we retrieved more than 150 IPs, defined as

$$O_{ij} = \frac{|X_i \cap X_j|}{|X_i \cup X_j|}$$

where $X_i$ represents the pool of IPs associated with the $i$-th domain and $|X|$ is the cardinality of $X$ (i.e., the number of IPs in $X$). The overlap is represented in the image below in gray-scale, where white corresponds to the absence of overlap (0% of shared IPs), black corresponds to a perfect overlap (100% of shared IPs) and, in general, the darker the tone, the larger the overlap.

[Figure: Overlap representation $O_{ij}$ (see text above). Darker tones represent larger overlaps.]

The presence of two clusters is noticeable; they correspond to the domains collected in 2018 (on the lower left) and the ones collected in 2019 (on the upper right). As can be expected, the overlap within each cluster is larger than the overlap between the clusters, but the latter is still greater than zero, showing the presence of a certain amount of shared IPs. This means that the domains belonging to the "2018 snapshot" of SandiFlux are quite similar among themselves in terms of associated IPs, and the same is true for the "2019 snapshot"; if we compare the two snapshots, the similarity decreases, but they still share a certain number of IPs. This suggests that the botnet is the same, and that there has been a mild turnover in the IPs, probably related to the limited lifetime of bots.

2.2 Geolocation

The image below represents the geographic location of the retrieved IPs.

[Figure: Geographic location of the retrieved IPs, with a detail on Eastern Europe.]

It is notable that the IPs are spread worldwide, but the highest density is found in Eastern Europe, in particular in Romania and Bulgaria. This is confirmed by the image below and does not come as a surprise, since a similar situation was observed for SandiFlux in 2018 (see [2]). In the following image, we represent the histogram of the number of IPs localized in the top 7 countries (in terms of retrieved IPs).

[Figure: Number of retrieved IPs for the top 7 domains.]
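The overlap $O_{ij}$ defined above is the Jaccard index of two IP pools. As an added example (not the report's own tooling), the following Python computes it for every pair of domains above the size threshold from a constructed list of (domain, IP) resolutions, groups domains into clusters of high mutual overlap, which is how the two snapshots appear as blocks in the gray-scale matrix, and renders the matrix with ASCII shades; the domain names and addresses are placeholders.

```python
"""Pairwise IP-pool overlap O_ij between fast-flux domains (added example)."""
from itertools import combinations

# Constructed sample: (domain, ip) records as an active-DNS tracker would collect
# them over the observation period. Names and addresses are placeholders, not IoCs.
SAMPLE_RESOLUTIONS = [
    ("alpha.example", "10.0.0.1"), ("alpha.example", "10.0.0.2"),
    ("alpha.example", "10.0.0.3"), ("alpha.example", "10.0.0.4"),
    ("beta.example", "10.0.0.1"), ("beta.example", "10.0.0.2"),
    ("beta.example", "10.0.0.3"), ("beta.example", "10.0.0.9"),
    ("gamma.example", "10.0.0.9"), ("gamma.example", "10.0.1.1"),
    ("gamma.example", "10.0.1.2"), ("gamma.example", "10.0.1.3"),
    ("tiny.example", "10.0.0.1"),  # too few IPs: dropped by the size threshold
]

SHADES = " .:-=+*#%@"  # white (no overlap) ... black (full overlap), 10 levels


def ip_pools(records):
    """Group resolutions into X_i: the set of IPs seen for the i-th domain."""
    pools = {}
    for domain, ip in records:
        pools.setdefault(domain, set()).add(ip)
    return pools


def jaccard(a, b):
    """O_ij = |X_i ∩ X_j| / |X_i ∪ X_j|; defined as 0 when both pools are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def overlap_matrix(records, min_ips=150):
    """{(domain_i, domain_j): O_ij} for each unordered pair of domains with more
    than min_ips IPs. The report uses 150; the sample below uses a smaller cut."""
    pools = {d: ips for d, ips in ip_pools(records).items() if len(ips) > min_ips}
    return {(a, b): jaccard(pools[a], pools[b])
            for a, b in combinations(sorted(pools), 2)}


def clusters(overlaps, threshold=0.5):
    """Union-find grouping: domains whose pairwise overlap reaches the threshold
    end up in one cluster. Returns the clusters as sorted lists of domains."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for (a, b), o in overlaps.items():
        find(a)
        find(b)
        if o >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for d in parent:
        groups.setdefault(find(d), set()).add(d)
    return sorted(sorted(g) for g in groups.values())


def render_grayscale(overlaps):
    """One text row per domain; each cell maps O_ij onto the SHADES ramp.
    The diagonal is a domain against itself, i.e. full overlap."""
    domains = sorted({d for pair in overlaps for d in pair})
    rows = []
    for a in domains:
        row = ""
        for b in domains:
            o = 1.0 if a == b else overlaps.get((a, b), overlaps.get((b, a), 0.0))
            row += SHADES[int(o * (len(SHADES) - 1))]
        rows.append(row)
    return rows


if __name__ == "__main__":
    m = overlap_matrix(SAMPLE_RESOLUTIONS, min_ips=3)
    for pair, o in m.items():
        print(pair, round(o, 3))
    print(clusters(m))
    print("\n".join(render_grayscale(m)))
```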
3. Phishing Campaigns

Historically, one of the main purposes of fast flux botnets is to host phishing domains [3]. The most famous fast flux botnet used for phishing attacks was Avalanche, which was taken down by the authorities in 2016 [4]. We have tracked several phishing campaigns targeting numerous companies in the United States, such as United Services Automobile Association (USAA), JP Morgan Chase & Co (CHASE), AT&T, CitiBank and Microsoft. Examples of the involved URLs are:

• http://citimembercordservice[.]com/citi/
• http://attonlinerestore[.]com/attt/
• http://usaadebicardonline[.]com/usaa/
• http://chasedebitcardurgent[.]com/chase/
• http://microsoft-offices[.]com/microsoft/

We observed that a common tactic used by phishers consists of deploying the same phishing kit on domains that use one name as a prefix followed by a sequential number (e.g., chaseonlinedebit.com, chaseonlinedebit1.com, chaseonlinedebit2.com). Furthermore, most of the tracked domains were hosted by WebNic.cc and the remaining part by PakNIC (Private) Limited, two internet service providers based in Singapore and Pakistan respectively.

[Figure: Sample of phishing attacks against USAA, CHASE, AT&T and CitiBank.]
4. Dumps Stores

Another historically relevant cybercrime activity that leverages fast flux botnets is the hosting of Dumps Stores/Carding Sites, i.e. the black markets where cyber criminals sell stolen credit cards. In 2016, several well-documented Dumps Stores that leveraged the DarkCloud botnet appeared [5]. Last year, during our analysis of DarkCloud and, afterwards, of SandiFlux, we witnessed a change: some historical dumps stores still present online, such as try2swipe[.]ws, verified[.]vc, unclesam[.]ws, royaldumps[.]top and mcduck[.]org, left fast flux botnets, and only a small part of them, such as validcc[.]ws, paysell[.]ws and csh0p[.]ru, moved from DarkCloud to SandiFlux. We have recently observed that almost all the online Dumps Stores publicized by Carding Forums do not leverage SandiFlux, and those that we tracked last year have disappeared. The only Dumps Store that we have tracked, which was hosted in SandiFlux, is "The Fresh Stuffs". The tracked domains with their respective registrar are shown below:

Domain              Registrar
thefreshstuff.at    Key-Systems GmbH
thefreshstuffs.org  WebNic.cc
thefreshstuffs.to   Tonic.to

While monitoring the change rate of IPs resulting from our FFSN-tracker, we observed that the number of unique IPs tracked at present is much lower than the number of unique IPs registered last year for each dumps store domain: from over 1000 unique IPs last year to around 300 unique IPs currently identified.
[Figure: Home page and bulletin board of "The Fresh Stuffs" dump store.]

[Figure: List of some Dumps Stores gathered from several Carding Forums.]
5. Hacking Group TA505

Over the last months, several security researchers have been reporting a consistent increase of malicious activities related to the known TA505 hacking group [6] [7] [8] [9] [10]. The group has been active since 2014, mostly targeting banks and retail companies. The attack vector has always been a malicious email attachment, typically an Excel document, which spreads FlawedAmmyy RAT using various AV evasion techniques. After the installation, this RAT downloads two additional components: a custom Email Stealer and the Amadey bot.

[Figure: Infection chain of TA505 group attacks.]

5.1 FlawedAmmyy RAT

The RAT is built on legitimate software from the Ammyy company, which has been subject to many abuses after the leak of its source code. Its features include remote desktop control, file system management, proxy support and audio chat. Once it is installed, the attackers obtain full access to the victim's device, being able to steal files and credentials, collect screenshots and access the camera and microphone.

After the Office document has been opened, its content displays a decoy image to lure the victim into executing a malicious macro. The malicious macro uses a multi-stage delivery system: the first stage drops a binary file (e.g. an MSI installer or an EXE file) and executes it, while the second stage downloads the malware itself. We have observed two possible scenarios in which the attacker leverages the SandiFlux botnet:

1. The malicious macro drops the downloader of the malware using a fast-flux domain (in the following example velquene[.]net; sandbox analysis: https://app.any.run/tasks/e4cc943e-b11c-4b95-ac40-f9e342ebeec9/).
2. The attacker uses a fast-flux domain to deliver the malicious document and consequently to drop the downloader of the malware (in the following example waiireme[.]com; sandbox analysis: https://app.any.run/tasks/bd545b8e-e293-446b-bcf9-94a17e7564df/).
The registrar of all the domains that we have tracked is Eranet International Limited. List of all FlawedAmmyy RAT domains tracked: datdepot.net, engast.top, furhatsth.net, jbswin.net, kupitorta.net, lecmess.top, solsin.top, statesdr.top, traveser.net, vairina.top, velquene.net, waiireme.com, zonaykan.com.

5.2 Email Stealer

The Email Stealer is responsible for collecting all the emails stored on the computer, either on the disk or in any email client installed by the user, mainly Microsoft Outlook. The purpose of the malware is to build databases of "fresh" emails to continue spreading the threat. We have observed that the Email Stealer leverages the SandiFlux botnet to host the C2, to which it sends all the stolen data, always employing the following path: http[:]//fastfluxdomain[.]tld/es/es.php, as shown in the following example (sandbox analysis: https://app.any.run/tasks/6e13978a-4643-4aa8-bfc9-1fa186b230e2/). In all the cases that we have analyzed, the attacker has left directory listing active on the folder "es" where all the stolen data are stored. In each of the analyzed cases, the "es.php" file and the folders "old", "old2", "old3" and "old4" were created on the same date and at the same time, except for the files on the domain nettubex[.]top. Therefore, we can suppose that the observed files lead to two different motherships.

[Figure: Examples of directory listing of some C2 of the Email Stealer.]
The registrar of all the domains that we have tracked is Eranet International Limited. List of all Email Stealer domains tracked: bascif.com, cathits.net, cmarcite.net, nettubex.top, handous.net, ldtfair.top, safegross.com.

5.3 Amadey

Amadey allows its operators to perform multiple malicious tasks, such as downloading and running additional malware, receiving commands from a control server, exfiltrating sensitive information, updating or deleting itself, stealing logins, recording keystrokes (keylogger), participating in Distributed Denial of Service (DDoS) attacks, accessing bank transfer keys and even installing ransomware. Last year, the botnet was cracked and the source code of the web control panel was uploaded to GitHub (https://github.com/CyberMonitor/amadey). We observed that Amadey leverages the SandiFlux botnet to host the C2, to which it sends all the data regarding the infected host, always employing the following path: http[:]//domain[.]tld/ppk/index.php, as shown in the following example (sandbox analysis: https://app.any.run/tasks/55c5ae41-dcd4-45d6-ad11-81b0e9757bc2/). During the analysis of this campaign, we observed that there is a connection between the domains employed by the Email Stealer and by Amadey: by adding the path "/ppk/index.php" to one of the Email Stealer domains, we obtain a redirect to the control panel of the Amadey botnet at the "/ppk/login.php" path, as shown in the following example. The domains that we checked are highlighted in yellow in the following table.

[Figure: The control panel of the Amadey botnet.]
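Because the C2 paths /es/es.php and /ppk/index.php stay fixed while the fast-flux domain in front of them rotates, the path is the more durable detection signal for the Email Stealer and Amadey traffic described in sections 5.2 and 5.3. The following Python is an added example, not part of the report, that scans constructed proxy-log lines (assumed format: timestamp, client IP, method, URL, status) for exactly those paths; the hostnames in the sample are placeholders.

```python
"""Detect requests to the TA505 Email Stealer and Amadey C2 paths in proxy logs
(added example)."""
import re
from urllib.parse import urlsplit

# URL path -> label. The paths come from the report; they are the durable signal
# because the fast-flux hostname in front of them changes while the C2 layout does not.
C2_PATH_SIGNATURES = {
    "/es/es.php": "TA505 Email Stealer exfiltration",
    "/ppk/index.php": "Amadey bot check-in",
    "/ppk/login.php": "Amadey control panel",
}

# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; hostnames are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 192.0.2.10 GET http://intranet.example/index.php 200
2019-06-01T10:00:05Z 192.0.2.11 POST http://flux-host-a.example/es/es.php 200
2019-06-01T10:00:09Z 192.0.2.12 POST http://flux-host-b.example/ppk/index.php?id=1 302
2019-06-01T10:00:10Z 192.0.2.12 GET http://flux-host-b.example/ppk/login.php 200
2019-06-01T10:00:12Z 192.0.2.13 GET http://cdn.example/static/ppk/index.php 200
not a log line
"""


def parse_line(line):
    """Fields of one log line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_c2_path(url):
    """Label for the URL if its path is exactly one of the known C2 paths (query
    string ignored), else None. Matching the whole path keeps an unrelated
    /static/ppk/index.php on a CDN from firing."""
    return C2_PATH_SIGNATURES.get(urlsplit(url).path)


def scan(log_text):
    """Every matching request, annotated with its label and the contacted host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        label = match_c2_path(rec["url"])
        if label:
            hits.append({**rec, "host": urlsplit(rec["url"]).hostname, "label": label})
    return hits


def clients_by_family(hits):
    """Group affected internal clients by malware family, for triage."""
    out = {}
    for h in hits:
        family = h["label"].split()[0]  # "TA505" or "Amadey"
        out.setdefault(family, set()).add(h["client"])
    return out


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["client"], "->", h["host"], h["label"])
    print(clients_by_family(scan(SAMPLE_LOG)))
```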
The registrar of all the domains that we have tracked is Eranet International Limited. List of all Amadey domains tracked: gohaiendo.com, rayshash.com, ldtfair.top, handous.net, bascif.com, safegross.com.

6. Phorphiex/Trik botnet

The Phorphiex worm, also known as the Trik botnet, is a decade-old worm historically spread via live chat (e.g. Windows Messenger, Skype) and USB storage drives. In 2019, it is becoming a very tedious threat due to its infection capabilities, which involve a huge set of malware families [11]. The infection chain begins with a phishing email containing a zip file. Once the JavaScript file inside the zip has been launched, it loads, by employing a PowerShell statement, the Phorphiex worm/Trojan loader and then the GandCrab ransomware, the Ursnif ISFB banking Trojan and the CryptoNight XMRig cryptocurrency miner. We observed that, in the infection chain, fast-flux domains were employed to download the Phorphiex worm/Trojan loader. The following example shows the HTTP requests for a sample where the malicious JavaScript file drops the Phorphiex worm/Trojan loader and Ursnif performs its C2 call-back, both using a fast-flux domain. Respectively, these domains are news-medias[.]ru and adonis-medicine[.]at (sandbox analysis: https://app.any.run/tasks/8fa71135-ecc2-437a-b172-764df12a8145/).

The registrar of all the domains that we have tracked is ARDIS-RU. List of all Phorphiex/Trik domains tracked: guebipk-mvd.ru, news-medias.ru.

7. Ursnif

Ursnif, also known as Gozi ISFB or Dreambot, is a well-known and widely distributed banking Trojan involved in several malware campaigns. Banking Trojans are a particular type of malware that attackers leverage in an attempt to obtain banking credentials from customers of various financial institutions. Ursnif is often spread by exploit kits, email attachments and malicious links and has continued to evolve over time; in particular, since its source code was leaked, attackers have improved it and added new features.

Last year, Talos [12] reported that the domains and associated infrastructure used to distribute this malware, as well as the associated C2 domains, had been leveraging the DarkCloud botnet. Indeed, during our analysis of the IP migration from DarkCloud to SandiFlux, we observed that the Ursnif campaigns had also moved. While tracking some of the Ursnif campaigns, we witnessed that part of them were being spread by employing an obfuscated JavaScript file, and others were part of different malware campaigns, as discussed in the previous section. In the first case, once the JavaScript file is launched, it drops and executes the malware itself. As Talos reports, we have witnessed several cases in which both the domains used for distribution and the domains associated with the C2 leverage SandiFlux, as shown in the following example by the domains trading-secrets[.]ru and adonis-medicine[.]at respectively (footnote 7). Furthermore, over the observation period, a small group of domains had a sudden change of behavior: the number of IPs returned by each domain lookup switched from 10, with a TTL of 150 seconds, to 4, with a TTL of 600 seconds. In the following table, these domains are highlighted in yellow. Key-Systems GmbH was the host of most of the tracked domains, while the remaining domains were hosted by ARDIS-RU.

List of all Ursnif domains tracked: adonis-medicine.at, alfa-sentavra.at, fitalyaka-service.at, intrade-support.ru, cloud-start.at, regeneration-data.at, marcoplfind.at, miska-server.at.

8. Ransomware Campaigns

Historically, ransomware campaigns have also been using fast-flux botnets for malware distribution, C2 communications or payment pages [1] [2] [3]. One of the most famous cases was Locky, which leveraged DarkCloud over a long period of time. Recently, we have observed that GandCrab, which we tracked last year, and Sodinokibi have been leveraging SandiFlux as distribution infrastructure.
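The behavior change noted for the Ursnif domains (10 answers with a TTL of 150 seconds switching to 4 answers with a TTL of 600 seconds) is visible from the answer profile of consecutive lookups. As an added example, not code from the report's tracker, the Python below records the (answer count, TTL) profile of each lookup over constructed lookup data, reports the lookup at which a domain's profile shifts, and summarizes the per-domain indicators (distinct IPs, minimum TTL, answers per lookup) that an active-DNS fast-flux tracker relies on; domains and addresses are placeholders.

```python
"""Answer-profile tracking for fast-flux domains (added example)."""
from collections import defaultdict


def make_ips(n, block):
    """Constructed placeholder addresses in the documentation range 198.51.100.0/24;
    each block yields a disjoint set so successive lookups return fresh IPs."""
    return [f"198.51.100.{block * 20 + k}" for k in range(n)]


# Constructed active-DNS lookups: (domain, unix timestamp, ttl, list of A records)
SAMPLE_LOOKUPS = [
    ("shift.example", 1000, 150, make_ips(10, 0)),
    ("shift.example", 1150, 150, make_ips(10, 1)),
    ("shift.example", 1300, 150, make_ips(10, 2)),
    ("shift.example", 1450, 600, make_ips(4, 3)),   # profile changes here
    ("shift.example", 2050, 600, make_ips(4, 4)),
    ("steady.example", 1000, 150, make_ips(10, 5)),
    ("steady.example", 1150, 150, make_ips(10, 6)),
]


def profile(lookup):
    """The (number of answers, TTL) pair of one lookup."""
    _, _, ttl, answers = lookup
    return (len(answers), ttl)


def profile_changes(lookups):
    """[(domain, timestamp, old_profile, new_profile)] for every lookup whose
    profile differs from the domain's previous lookup, in time order."""
    by_domain = defaultdict(list)
    for lk in lookups:
        by_domain[lk[0]].append(lk)
    changes = []
    for domain, seq in by_domain.items():
        seq.sort(key=lambda lk: lk[1])
        for prev, cur in zip(seq, seq[1:]):
            if profile(prev) != profile(cur):
                changes.append((domain, cur[1], profile(prev), profile(cur)))
    return changes


def flux_summary(lookups):
    """Per domain: distinct IPs seen, number of lookups, minimum TTL and mean
    answers per lookup. Many distinct IPs relative to the answers returned per
    lookup, together with a short TTL, is the fast-flux signature."""
    acc = {}
    for domain, _, ttl, answers in lookups:
        s = acc.setdefault(domain, {"ips": set(), "lookups": 0, "min_ttl": ttl, "answers": 0})
        s["ips"].update(answers)
        s["lookups"] += 1
        s["answers"] += len(answers)
        s["min_ttl"] = min(s["min_ttl"], ttl)
    return {
        d: {
            "distinct_ips": len(s["ips"]),
            "lookups": s["lookups"],
            "min_ttl": s["min_ttl"],
            "mean_answers": s["answers"] / s["lookups"],
        }
        for d, s in acc.items()
    }


if __name__ == "__main__":
    for change in profile_changes(SAMPLE_LOOKUPS):
        print("profile change:", change)
    for domain, stats in flux_summary(SAMPLE_LOOKUPS).items():
        print(domain, stats)
```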
8.1 GandCrab

GandCrab has been the most widespread malware over the last two years; it is sold as a ransomware-as-a-service (RaaS) solution and has been advertised on a well-known hacking forum since 2018 [13]. In addition, this malware was the first to introduce features such as payment in the DASH cryptocurrency and the use of the ".bit" top level domain (TLD). The hacking group developed at least five versions, and has recently announced plans to shut down its service, as reported by several security blogs [14]. Last year we tracked a GandCrab 2.1 campaign [15] that leveraged SandiFlux to host the C2 domains ransomware[.]bit and zonealarm[.]bit. A common characteristic of this attack was that these domains were resolved using only specific DNS servers hardcoded in the executable (e.g. ns1.cloud-name[.]ru, ns1.corp-servers[.]ru). Recently, we have tracked a campaign that employed a malicious Word document to spread GandCrab. When the document is opened, its content displays a decoy image to lure the victim into executing a malicious macro that uses PowerShell to drop and execute the ransomware. This campaign particularly targeted Germany [16], and it was also reported by CERT-Bund (footnote 8). In contrast to the previous year, the attacker leveraged SandiFlux to distribute GandCrab and not to host the C2 domains, as shown in the following example (footnote 9).

The registrar of all the domains that we have tracked is Eranet International Limited. List of all GandCrab domains tracked: garizzlas.top, flowjob.top.

8.2 Sodinokibi

Sodinokibi is a new, emerging ransomware family reported for the first time by Cisco Talos [17]. This ransomware is known to be installed via an Oracle WebLogic exploit, which allows the attackers to infect a host without any form of user interaction, such as opening an email attachment or clicking on a malicious link. However, another recent campaign uses spam email with a malicious Word document as an attachment to download the ransomware onto the target system. In particular, this campaign targets Germany [18], using a document that displays a decoy image to lure the victim into executing a malicious macro to download and install Sodinokibi.

Footnote 7 (Ursnif example): https://app.any.run/tasks/bb60012c-9ff5-4c6e-8b0b-5f28bc6deba5/
We have observed that the attackers leveraged SandiFlux to distribute the ransomware, which was dropped through the malicious Word document, as shown in the following example (sandbox analysis: https://app.any.run/tasks/961cfd75-3b54-42f6-84d0-9b34055df7bd/).

The registrar of all the domains that we have tracked is Eranet International Limited. List of all Sodinokibi domains tracked: anmcousa.xyz, blaerck.xyz, btta.xyz.

Footnote 8 (CERT-Bund report): https://twitter.com/certbund/status/1084817259204362240
Footnote 9 (GandCrab example): https://app.any.run/tasks/985e56fb-d130-482f-b38e-b87c558d93e1/
9. List of tracked domains

Below we report the list of all the domains that we have tracked, grouped by class (9.1 Dumps Store, 9.2 Phishing, 9.3 Malware, 9.4 Unclassified), with the registrar and campaign of each domain.
Appendix A

Due to the nature of fast-flux botnets, obtaining a relevant sample of IPs useful as IoCs is not an easy task. During the period from the 18th of May 2019 to the 18th of June 2019, we collected hundreds of IPs involved in SandiFlux, and in this context the life cycle of each IP depended on several factors. Below, we provide a list of the top 75 most used IPs (in terms of the number of tracked domains which share them); the fact that many active fast flux domains are associated with these IPs seems to be an indicator of their resilience. In the table below, for each IP, $n_{\mathrm{domains}}$ represents the number of tracked domains that share that IP.
In the image below, we represent the number $n_{\mathrm{domains}}$ of shared tracked domains as a function of the rank of the IP (after the IPs are sorted by number of shared domains), on a log-log scale. It can be noticed that the behavior is very far from a Zipfian distribution (which would be linear on the log-log scale), and this is only partially explained by the finite-size effect (we did not observe an infinite number of domains). The long plateau around the value 60 may indicate that these IPs are considered quite reliable by the bot herder and are used to host most of the fast flux domains.
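As an added example (not the report's analysis code), the Python below derives $n_{\mathrm{domains}}$ per IP from constructed (domain, IP) records, ranks the IPs, fits a line to log(n) against log(rank) to measure how far the distribution is from Zipf's law, and locates the longest plateau in the ranking; a low R² of the fit is the quantitative form of "very far from Zipfian". The IP labels are placeholders, not addresses from the report.

```python
"""Rank-frequency analysis of IPs shared by fast-flux domains (added example)."""
import math


def build_sample_records():
    """Constructed (domain, ip) records: a tier of 10 IPs shared by all 60 domains
    (a plateau like the one around 60 in the report), then progressively rarer IPs.
    Labels are placeholders, not real addresses."""
    tiers = [(10, 60), (5, 30), (5, 10), (10, 2)]  # (IPs in tier, domains sharing each)
    records, ip_index = [], 0
    for n_ips, n_domains in tiers:
        for _ in range(n_ips):
            ip = f"ip-{ip_index:02d}"
            for d in range(n_domains):
                records.append((f"domain-{d:02d}.example", ip))
            ip_index += 1
    return records


def shared_domain_counts(records):
    """n_domains(ip): how many distinct tracked domains resolved to the IP."""
    seen = {}
    for domain, ip in records:
        seen.setdefault(ip, set()).add(domain)
    return {ip: len(doms) for ip, doms in seen.items()}


def ranked(counts):
    """[(rank, ip, n_domains)] by decreasing n_domains; ties broken by IP label."""
    order = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(r, ip, n) for r, (ip, n) in enumerate(order, start=1)]


def zipf_fit(ranking):
    """Least-squares line of log(n_domains) against log(rank): returns (slope, R^2).
    A Zipfian distribution is a straight line of slope -1 with R^2 near 1; a
    plateau followed by a cliff, as in the report's plot, fits poorly."""
    xs = [math.log(r) for r, _, _ in ranking]
    ys = [math.log(n) for _, _, n in ranking]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx if sxx else 0.0
    r2 = sxy * sxy / (sxx * syy) if sxx and syy else 0.0
    return slope, r2


def longest_plateau(ranking, tol=0.05):
    """Longest run of consecutive ranks whose n_domains stays within tol (relative)
    of the run's first value; returns (first_rank, last_rank, value)."""
    best, start = None, 0
    for i in range(1, len(ranking) + 1):
        ends = i == len(ranking) or abs(ranking[i][2] - ranking[start][2]) > tol * ranking[start][2]
        if ends:
            if best is None or (i - start) > (best[1] - best[0] + 1):
                best = (ranking[start][0], ranking[i - 1][0], ranking[start][2])
            start = i
    return best


if __name__ == "__main__":
    rk = ranked(shared_domain_counts(build_sample_records()))
    print("top 5:", rk[:5])
    print("slope, R^2:", zipf_fit(rk))
    print("plateau (first rank, last rank, n_domains):", longest_plateau(rk))
```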
[Figure: Number $n_{\mathrm{domains}}$ of shared tracked domains as a function of the rank of the IP, represented on a log-log scale.]
References

[1] [Online]. Available: https://www.proofpoint.com/us/threat-insight/post/sandiflux-another-fast-flux-infrastructure-used-malware-distribution-emerges
[2] P. Lombardo, S. Saeli, F. Bisio, B. Davide and D. Massa, "Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic," in Information Security, Springer International Publishing, 2018, pp. 463-480.
[3] [Online]. Available: https://www.riskanalytics.com/wp-content/uploads/2017/10/Dark_Cloud_Network_Facilitates_Crimeware.pdf
[4] [Online]. Available: https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation
[5] [Online]. Available: https://krebsonsecurity.com/2016/05/carding-sites-turn-to-the-dark-cloud/
[6] [Online]. Available: https://nao-sec.org/2019/04/Analyzing-amadey.html
[7] [Online]. Available: https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/
[8] [Online]. Available: https://securityaffairs.co/wordpress/81857/malware/flawedammyy-undetected-xlm-macros.html
[9] [Online]. Available: https://medium.com/@1ZRR4H/ta505-intensifica-ciberataques-a-chile-y-latinoam%C3%A9rica-con-flawedammy-9fb92c2f0552
[10] [Online]. Available: https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/
[11] [Online]. Available: https://blog.appriver.com/phorphiex/trik-botnet-campaign-leads-to-multiple-infections-ransomware-banking-trojan-cryptojacking
[12] [Online]. Available: https://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html
[13] [Online]. Available: https://id-ransomware.blogspot.com/2018/01/gandcrab-ransomware.html
[14] [Online]. Available: https://www.zdnet.com/article/gandcrab-ransomware-operation-says-its-shutting-down/
[15] [Online]. Available: https://fortinetweb.s3.amazonaws.com/fortiguard/research/AVAR%20-%20The%20GandCrab%20Mentality.pdf
[16] [Online]. Available: https://www.gdata.de/blog/2019/01/31427-verschlusselungstrojaner-die-erste-gandcrab-welle-im-jahr-2019
[17] [Online]. Available: https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
[18] [Online]. Available: https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data
