search

kbandla / APTnotes

Various public documents, whitepapers and articles about APT campaigns
3.5k stars 883 forks source link

FROM SEOUL TO SONY: THE HISTORY OF THE DARKSEOUL GROUP AND THE SONY INTRUSION MALWARE DESTOVER #260

Closed threatcrowd closed 8 years ago

threatcrowd commented 8 years ago

http://s2.textlab.io/store/data/001398694.pdf?key=b2b1f47367309e88f9aa9787840bcf19&r=1

FROM SEOUL TO SONY: THE HISTORY OF THE DARKSEOUL GROUP AND THE SONY INTRUSION MALWARE DESTOVER By Snorre Fagerland, Blue Coat Systems Inc. February 2016 EXECUTIVE SUMMARY The attack on Sony Pictures Entertainment in November 2014 was not a single incident. Through technical indicators, we connect the attack to several destructive events going back to at least 2009. The identity of the perpetrators is unknown, but several of these previous events have been attributed by others to North Korean threat actors. In this report, we show how we have connected these events to the threat actors known as DarkSeoul or Silent Chollima. Whoever they are, this group is still active, mainly going after South Korean targets in several sectors. Malware belonging to this threat complex has apparently been produced as late as January 2016. We detail the evolution of some of the most common tools used by these attackers and present indicators of compromise and mitigation information where we can. In parallel with this report, the security company Novetta is publishing its own independent research covering the same threat complex. This report is available from http://operationblockbuster.com. INTRODUCTION Much has been written about the Sony hack. However, hard data has not been as plentiful. In an attempt to provide additional insight, we detail some facts about the malware reportedly used in the attack, and attempt to draw lines to other malware and incidents, beyond the mere speculative. In order to expand the case, we will look at a variety of evidence. In most cases, we will not settle for one single factor as the basis for assessments, but instead correlate information of different kinds. Factors that we will include are for example: • Obfuscation methods • Code structure • Text strings, such as encryption keys • Known localization • Digital code signing certificates Details about the different indicators are included in the appendixes. Acknowledgements A big thank you goes out to all who helped with this paper – notably Waylon Grange, always an invaluable source of insight and information, and the good folks over at Farsight Security who gracefully provided passive DNS data. MALWARE KNOWN TO BE CONNECTED WITH THE SONY CASE To start at the beginning: The official statements from the FBI (1) and US-CERT (2) mention the md5 hashes of the following set of malware files: d1c27ee7ce18675974edf42d4eea25c6 (dropper) 760c35a80d758f032d02cf4db12d3e55 (wiper) e1864a55d5ccb76af4bf7a0ae16279ba (web server) e904bf93403c0fb08b9683a9e858c73e (backdoor) In the weeks following the attack, a number of other malware instances came to light that were obviously connected; such as 2618dd3e5c59ca851f03df12c0cab3b8 (SMB worm) b80aa583591eaf758fd95ab4ea7afe39 (wiper) 6467c6df4ba4526c7f7a7bc950bd47eb (backdoor) Most vendors now use the name Destover for a group of malware that was part of the Sony intrusion. Though many pieces of malware are somewhat different, we’ll use that name as well to avoid confusion. The US-CERT advisory also mentions the import hashes of a number of other malware. These are non-unique indicators, but can help in locating related samples. A NOTE ABOUT THE HANGUL WORD PROCESSOR (*.HWP, HWPX) FORMAT The Hangul Word Processor is software developed by the Korean company Hancom. It is similar in usage area to Microsoft Word, but is specifically adapted to the Korean written language Hangul. The file format used by this software is also somewhat similar to Microsoft Word, with the use of OLE2-based documents for previous versions of HWP, and ZIP archive-based documents for newer versions. A number of vulnerabilities have existed for these formats. These have been used maliciously by several different threat actors over time, also by the threat actors mentioned in this paper. MALWARE ARCHEOLOGY As research into this case progressed, it became obvious that we were tracing malware relationships back in time. In fact, the earliest indicators we’ve found go all the way back to at least 2009. Around this time a malware development project started that would become the backbone of intrusions and destructive attacks against mainly South Korean targets for years to come. In fact, modern-day malware from the same threat actor still contains traces of this first eo-malware. The initial starting points were likely publicly available source codes for Rbot and Mydoom, found on Chinese code sharing sites like Programmers United Develop Net (PUDN). There is no universally adopted naming for the early generations of this family in the AV industry. Usually they are detected as Dllbot or Npkon, but these names can also cover other families, thus our use of a different name in this paper - KorDllbot. We will cover the evolution of KorDllbots and related malware, and how these came to be involved in various intrusion cases. TIMELINE OF LIKELY DARKSEOUL-RELATED ATTACKS A timeline of destructive intrusions in or related to the Korean peninsula. THE KORDLLBOT BACKDOOR FAMILY KorDllbot is a family of small/medium size trojans that usually are configured to be installed as services. Samples can vary a great deal in functionality - from just listening on a port and accepting commands, to harvesting data, to actively spreading over SMB. This functionality seems almost modular, using different encryption and encoding methods and different C&C command words. Build environment for the early generations was typically Visual Studio 6. KorDllbots use C&C commands starting at different integer offsets depending on version. Here, versions 1.1/1.2/1.5, 1.03, 1.04.2 and 1.05.2 sending success or error status back to remote control client after file deletion. Common capability seen in the KorDllbot family is:

DESTOVER “E4004C1F” BACKDOOR, JUL-SEP 2015 The main differences in this backdoor arise from the inclusion of what appears to be modified open source SSL/TLS code. This is used to construct legitimate SSL headers, though the communication itself is encrypted by a homegrown encoding scheme. This backdoor is found in both x86 and x64 variants. The name e4004c1f is taken from the start of the authentication key found in all these samples. The command integers vary somewhat between sub variants: Variant A samples use the range 0x00-0x0f, with addition of bytes 0x12, 0x1b, and 0x64. Variant B samples use the range 0x0a-0x24, with exception of bytes 0x18, 0x1c, and 0x1d Variant C samples use the range 0x0a-0x26, with exception of bytes 0x18, 0x1c, and 0x1d This family has also been used as the payload of CVE-2015-6585 trojanized HWP documents. The FireEye write-up on this mentions a backdoor they name HANGMAN (7). FireEye uses a proprietary malware naming scheme which makes it somewhat difficult to correlate, but we believe this corresponds to the “e4004c1f” variant. In the same blog post FireEye mentions a backdoor they call PEACHPIT. Based on the code snippet shown, we believe PEACHPIT to belong to one of the early KorDllbot generations. As mentioned, the exact same CMXE code has been used in several generations from 2011 and onwards. Decoy documents used by “e4004c1f” include descriptions of the LDAP protocol, and a text on the virtues of Scrum vs Kanban. The latter was attempted sent to the Korean Google group “sysadminstudy”. It is possible that this generation of malware has been aimed at the IT/software industry. Decoy documents used by the “e4004c1f” variant include a Korean text on the LDAP protocol. Apart from the similarities with other malware established in the publications mentioned above, this variant has been distributed in a particular installer which includes the backdoor in an embedded password-protected zip archive. The password for this zip archive is “!1234567890 dghtdhtrhgfjnui$%^^&fdt” - identical to the password used by Destover “Volgmer” backdoors already detailed in this paper. There are also code similarities with Volgmer elsewhere – for example, the function to declare network API’s from ws2_32.dll is identical, and the API names are encoded using the same API obfuscation scheme. The C&C configuration can be hardcoded, or stored in a data file and subkeys under the registry key HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security. Some variant A samples uses subkey a57890bc-ca23-3453-a23c-d385e9058fdf Some variant C samples uses subkey 821d1af-7a08-4b06-81cd-869365cdf713 The network API declaration function of a Destover “Volgmer” and a Destover “e4004c1f” backdoor. DESTOVER “BASICHWP” BACKDOOR, SEP 2015 This generation of backdoors is similar to the previous ones in that they use a custom SSL-like protocol for C&C communication. They have been further simplified, but use more C++ classes, and the 256-bit stream cipher Caracachs (hardcoded password “abcdefghijklmnopqrstuvwxyz012345”) is used for both network traffic and API obfuscation. The same password is used in the example code for Caracachs found online (8), so no great effort has been taken to protect the encryption. This variety of Destover is the third we have seen installed by documents exploiting the CVE-2015-6585 HWP vulnerability. Command word set for this generation of backdoors is 0x8378-0x8390. Decoy document content include a CV from an apparently South Korean individual, and a document apparently from the South Korean Foreign Affairs and Unification Committee, as seen below. Decoy: State information systems audit planning document, Aug 2015 DESTOVER “FORMBOUNDARY” BACKDOOR, NOV 2015 This backdoor has many code overlaps with RandomDomain.B – for example, it uses CharSwap API obfuscation, and uses the same set of integer commands. It has evolved away from the use of faked SSL, which means whole segments of code have been removed, including most of the domain names used for the SSL handshake. Instead, it connects to the C&C server via regular HTTP on port 80 and initially posts a blob of random data disguised as a legitimate file. Any real content is sent encrypted afterwards, using one of the bytewise XOR encodings known from RandomDomain. Sending initial POST statement to C&C server The HTTP header fields can vary – many are selected from hardcoded lists, including the “Host” field. The FormBoundary string is terminated by a randomly generated character sequence, and the malware queries the system via the API call ObtainUserAgentString to get the current default User Agent. If this call fails, the hardcoded User Agent “AgentString” is used instead. DESTOVER “VOLGMER2” BACKDOOR, JAN 2016 This was found as a DLL backdoor sample “t(x86).dll” which contained several traits in common with the Volgmer series. Further data mining revealed that identically to Volgmer, the sample is installed by a dropper which contains the DLL in an embedded zip file resource named “MYRES” in its body. This dropper is again extracted by another outer dropper with a similar embedded zip inside, which also in addition contains a configuration file ntuser.inf. This config file contains - among other things - C&C IP and port information, which is read and written to a registry key before being used by the main payload component. HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security subkey = “72ca1d1af-7afc-4c06-cc1d-8feaac5cdf764”. Volgmer2 shares API declaration functions and string decode algorithms with the original Volgmer. However, there are also clear differences. Its network behavior has moved away from HTTP post with the recognizable “Mozillar” UserAgent. Instead, C&C traffic is performed via faked SSL with another encryption twist – RC4 with a layer of XOR on top. They RC4 key is binary, and hardcoded in the executable: 0x0d, 0x06 ,0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82. Similarly to the RandomDomain series, Volgmer2 uses domain names chosen randomly from a list in its SSL handshake. ShADprops.dll «MYRES» ZIP resource Loader(x86).dll ntuser.inf config data «MYRES» ZIP resource t(x86).dll main payload The dropper executables in the “Volgmer 1” series contained some checks for VM environments. Volgmer2 has taken this further, and included a number of anti-debugging tricks and of checks for what appears to be known sandbox environments. Volgmer1 vs Volgmer2 dropper evasions. The change also means that the malware continues to work if under a virtualized environment, if there are no other indicators that there is monitoring or debugging activity going on. The check for known sandbox environments is done by comparing the computer name with the names in the following list: MARS53 35347 JOHN-PC TVMCOM PLACEHOL-6F699A WIN7PRO-MALTEST WINDOWS-F99AACA XELRCUZ-AZ RATS-PC PXE472179 The command integers used by Volgmer2 are in the range 0x09-0x27 with the exception of 0x17, 0x1b and 0x1c. APPENDIX: ALGORITHMS AND OTHER INDICATORS Chopstring obfuscation Chopstring deobfuscator Deobfuscation of the API name before it is sent to GetProcAddress. Yes, they look up GetProcAddress using GetProcAddress. Go figure. XOR-A7 obfuscation This is a forward bytewise XOR encoding using 0xA7 as key. String deobfuscation functions in the Sony Destover (left) malware and Destover “b076e058” (right). They are identical, even down to using 0xa7 as xor key. XOR-XX-SUB-XX obfuscation This is a forward bytewise XOR, SUB encoding, usually used in communication encryption/decryption. The inverse is usually also present in the form of ADD, XOR. Many different byte combinations are used in the various variants. BC-SUB API Obfuscation This is a forward bytewise decoding where the each character value is subtracted from 0xBC to arrive at a cleartext character. This decoding is used instead of ChopString in some KorDllbot variants. DB-SUB API Obfuscation This is a forward bytewise decoding where the each character value above ‘a’ and below ‘z’ is subtracted from 0xDB to arrive at a cleartext character. CharSwap API Obfuscation This is an encoding where some character ASCII values are increased or decreased by nine. CharSwap is used for obfuscation of both APIs and regular strings. Above figure shows API de-obfuscation. The CharSwapped API names GetDriveTypeA, SetFileTime and Process32Next. Intbox encoding This encoding is used instead of ChopString in some Destover variants. RC4+XOR encryption This encryption is used by Volgmer2 on network traffic data. KorDllbot / Joanap AES keys “Bb102@jH4$t3hg%6&G1s_2J3gCNwVrUeI!Dr3hytg^CHGf%ion” “b n4rbhriq890v9=023=01&(T-0Q325J1N;LK'” Koredos RC4 key “A39405WKELsdfirpsdLDPskDORkbLRTP12330@3$223%!” Joanap PLAIN_CRYPT keys “9025jhdho39ehe2” “hybrid!@hybrid!@#” “iamsorry!@1234567” Destover “b076e058” RSA authentication key string “b076e0580463a202bad74cb9c1b85af3fb4d1be513ccca3ae8b57d193be77b4ab63802b3216d3a80b00827b693593 a76be884f41b491ee1f6136b3755add91e2de9b0f5b3849d463fcd7b9a3b6cd0744caf809f510ee04ab3c714f53422d2 4f33361f75145b08286d2d7d99704684ed1d25fd5a9dc7b993f8e4d074234fd82d3” Destover “Volgmer.A” RSA authentication key string “bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40bd51483321ebe44595f799da8421 5ebd7137c9e267f54a342048e510fddfdec2404764fdf128c330862e747d7a98cd557a15500051a5b6651572a398bbe 5a51d52dc7af3b34b06b68c7974b9f8e45fd3636fd628c1dbcf65bbb68b2dd058017” Destover “Volgmer.B/C” RSA authentication key string “b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d73469b8beabc14b90e907 88c28f2d7c660e43db2e6f81aa05a08cae4517845ba4b9fc614e77e39d502003fcc6712d45428f339bcc06787745f734 1e9884fae803ad2fbb9670acb15b2da62735081fb2bc2a9b8b434dbe211a4b59b03” Destover “b59d1659” RSA authentication key string “b59d165982e3d5721c4d40195f85aedf2a12d6616be11a2c19fa11821604edc4675bdca4f9b9cbfb27244203ca8e21 500ae592d7bb2776e8ed9179dc1fb47819f140d0052f28865c201a036f3f698d0c256c3446e09c83eda056c91ee9e25 927148a3521439d57b0682a4c2723bd18dcd37c0f9b08ff8c7c3bc37684d2b4d241” Destover “b8ac0905” RSA authentication key string “b8ac0905cda0360fc115f614119da76d84e2277762bd7558b2650a79013fb50138f732d5a03730d7d5b173a12d9a8 42353ca433758d417fa8b452ec075f87bf76a7056ecdd2b063432f414e4ad52fdb078b8a9d84635774e5234ce28a762 d91af1cb9c026ffd68b88f1032c9c2c8fa1d187a054f906781c56fb07b0f6bb908cb” Destover “e4004c1f” RSA authentication key string “e4004c1f94182000103d883a448b3f802ce4b44a83301270002c20d0321cfd0011ccef784c26a400f43dfb901bca753 8f2c6b176001cf5a0fd16d2c48b1d0c1cf6ac8e1da6bcc3b4e1f96b0564965300ffa1d0b601eb2800f489aa512c4b248c 01f76949a60bb7f00a40b1eab64bdd48e8a700d60b7f1200fa8e77b0a979dabf” Destover “Randomdomain.A/B” SSL remote server names contained in Client Hello wwwimages2.adobe.com www.paypalobjects.com www.paypal.com www.linkedin.com www.apple.com www.amazon.com www.adobetag.com windowslive.tt.omtrdc.net verify.adobe.com us.bc.yahoo.com urs.microsoft.com supportprofile.apple.com support.oracle.com support.msn.com startpage.com sstats.adobe.com ssl.gstatic.com ssl.google-analytic.com srv.main.ebayrtm.com skydrive.live.com signin.ebay.com securemetrics.apple.com secureir.ebaystatic.com secure.skypeassets.com secure.skype.com secure.shared.live.com secure.logmein.com sc.imp.live.com sb.scorecardresearc.com s1-s.licdn.com s.imp.microsoft.com pixel.quantserve.com p.sfx.ms mpsnare.iesnare.com login.yahoo.com login.skype.com login.postini.com login.live.com l.betrad.com images-na.ssl-images-amazon.com fls-na.amazon.com extended-validation-ssl.verisign.com daw.apple.com csc.beap.bc.yahoo.com by.essl.optimost.com b.stats.ebay.com apps.skypeassets.com api.demandbase.com ad.naver.com accounts.google.com Destover “Randomdomain.C” SSL remote server names contained in Client Hello myservice.xbox.com uk.yahoo.com web.whatsapp.com www.apple.com www.baidu.com www.bing.com www.bitcoin.org www.comodo.com www.debian.org www.dropbox.com www.facebook.com www.github.com www.google.com www.lenovo.com www.microsoft.com www.paypal.com www.tumblr.com www.twitter.com www.wetransfer.com www.wikipedia.org Destover “Volgmer2” SSL remote server names contained in Client Hello ad.naver.com all.baidu.com www.amazon.com www.apple.com www.bing.com www.dell.com www.hp.com www.microsoft.com www.oracle.com www.paypal.com www.uc.com www.yahoo.com (Note that domain names included in Destover SSL handshakes are legitimate and used only as disguise.) APPENDIX: THE MICROSOFTCODESIGNINGPCA SELF-SIGNED SAMPLE CLUSTER Group: 03c64293830f4c8f43666b3901d02332 87bae4517ff40d9a8800ba4d2fa8d2f9df3c2e224e97c4b3c162688f2b0d832e KorDllbot v1.1 backdoor service, listening on port 179 Group: 3d348a74aab5359d422da7fad24b8c2c a7d088bf3ae2a82f711f816922779ac7b720170298ac43c76cf8c6e1aa8dfadd Proxymini 0.2.1, Luigi Auriemma fd95e095658314c9815df6a97558897cb344255bd54d03c965fa4cbd16d7bafd NoiseSin data stealer 82169a2d8f15680c93e1436687538afa01d6a2ecfe7a7cb613817c64a1a82342 NoiseSin data stealer 792b484ac94f0baefc7e016895373ba92c2927e3463f62adb701ddbe4c90604c KorDllbot backdoor (Unobfuscated API loading) 162d6223c1c1219ca81a77e60e6b776058517272fe7cac828a3f64dcacd87811 KorDllbot backdoor (XOR-obfuscated API loading) 56e0b1794a588e330e32a10813cdc9904e472c55f17dd6c8de341aeaf837d077 Keylogger c16a66c1d8e681e962f03728411230fe7c618b7294c143422005785d3a724ec4 Dropper for 162d6223c1c1219ca81a77e60e6b776058517272fe7cac828a3f64dcacd87811 57b4c2e71f46fe3e7811a80d19200700c15dd358bdf9d9fdf61f1c9a669f7b4b NoiseSin data stealer Group: 09b075a5393e93a3479a00051714de52 2d9edf45988614f002b71899740d724008e9a808efad00fa79760b31e0a08073 Joanap backdoor and SMB worm 006e0cc29697db70b2d4319f320aa0e52f78bf876646f687aa313e8ba04e6992 Joanap backdoor and SMB worm dda136bc51670e57a4b2f091f83ab7b44291a9323d5483abd9e91b78221e027f Data harvester Group: 17522941a80c25ab4c9cfe5f28d9361f 163571bd56001963c4dcb0650bb17fa23ba23a5237c21f2401f4e894dfe4f50d SMB worm and backdoor dropper for f901083da11222e3221f5d3e5d5f79d7ea3864282ea565e47c475ad23ef96ff4 Group: 9d0550e00b6d5da9407e28bca4336cc9 3d2a7ea04d2247b49e2dcad63a179ae6a47237eddbfd354082f1417a63e9696e Joanap backdoor and SMB worm ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781 Joanap backdoor and SMB worm Group: e7d382fb2e1ea4a44a8d193f4014e514 6e8a2329567cdbbba68460ccb97209867d7508983cb638662b33bfe90d0134d4 KorDllbot backdoor dropper, disguised as a Korean Windows hotpatch af7b53ce584b83085488e1190e1458948eaf767631f766e446354d0d5523e9d0 Dropped KorDllbot component 69300a42e055f68a8057192077fbbef3be5b66514ea9ca258b077c5c7e9417a9 KorDllbot backdoor dropper Group: 14ccfa0756059e93469bfef60935d999 e0cd4eb8108dab716f3c2e94e6c0079051bfe9c7c2ed4fcbfdd16b4dd1c18d4d SMB worm and backdoor dropper for a795964bc2be442f142f5aea9886ddfd297ec898815541be37f18ffeae02d32f 96c35225dc4cac65cc43a6cc6cdcce3d13b3bda286c8c65cad5f2879f696ad2a Backdoor dropper for 0075d16d8c86f132618c6365369ff1755525180f919eb5c103e7578be30391d6 Group: c23d8473c335159a435b5c920b961971 29355f6d4341089b36834b4a941ef96b3bf758a4fe35fbb401cc4e74b9b1c90f Yahoo IM backdoor service 9e226a5eb4de19fcb3f7ecc3abcf52ea22a1f1a42a08dd104f5f7a00164e074e Yahoo IM backdoor exe 041605e498bb41b07d2d43003152cc2a992e7e2ade7a47ee9aef2570bdb16d94 Yahoo IM backdoor exe 82fe3a8f2248643505e8de1977b734f97eb38225e6d3df6ea8f906430514b4f5 Yahoo IM backdoor exe Group: a02925c39912b68a4a0555246a031abb 08203b4ddc9571418b2631ebbc50bea57a00eadf4d4c28bd882ee8e831577a19 Joanap dropper, backdoor and SMB worm Group: f487c2cfd330cf8e4f9171672d99cecd 8e3c3398353931c513c32330c07f65b6ee6f62fc7a56edac7cbe4edb1bf4c74e KorDllbot backdoor dropper bb4204dd059849848e9492523ce32520bf37cb80974320c0ca71f3b79e83f462 Downloader and backdoor 2f8c448bb05ed1218e638c61bb56ebb953b962ed5e065b08fa03cfcf6f6a1c68 Downloader and backdoor Group: e4046a19ef86378a43907279d072e5fb f98c67c4cf9b02acaabb555664a0d9d648a1e43f681f9bf234af066d5451be8d KorDllbot 1.05.2 downloader and backdoor Group: 33f8c3f1b7df61b949ed876422818bb1 1226d3635c1a216be9316c9dfa97f103c79ed4c44397e5e675d3b1e37786bf31 KorDllbot backdoor Group: de85322cb067a1aa41af54c2de87fb03 c5baece9978649659220af2681a3a43b83f8ae47afdd3862185d1fec7735a7d2 Dropped KorDllbot component a4b982d4e7137d7d3687f3127e6d5c2a8b2be1f53daeebce9175461c7e6a53cd KorDllbot backdoor dropper 9bcecd6afa54eb4f343b7eb82a86ceee189cc10bc91fa83f8cdc98cc5aaef117 KorDllbot backdoor dropper, disguised as a Korean Windows hotpatch Group: dde039353663cdb14337e6793ca2a8cf b7f2595dd62d1174ce6e5ddf43bf2b42f7001c7a4ec3c4cbe3359e30c674ed83 KorDllbot backdoor Group: 940888706c199a8342ef85eb60fecbb6 b039383a19e3da74a5a631dfe4e505020a5c5799578187e4ccc016c22872b246 KorDllbot backdoor service installer f4a06dd6ebfd0805d445f45ce33d7bba4a33c561111c39a347024069a78169e9 KorDllbot backdoor service 3acaea01fd79484d5a72c72e1b9c2fbf391145fb1533c17a8a83e897d8777f82 Removes backdoor service 81067f057d523fdcddf7df1da39a7c3614c45f6bff6bd387274c049244efda3b Removes backdoor service Group: 7940994b304aa1ac4d2d64e6b7b8890d 218ee208323dc38ebc7f63dba73fac5541b53d7ce1858131fa3bfd434003091d KorDllbot backdoor service installer 73edc54abb3d6b8df6bd1e4a77c373314cbe99a660c8c6eea770673063f55503 KorDllbot backdoor service Group: 328e8fb5f3ec48894f6af0eb0a821d01 6d5d706f5356e087f5961ba2ed808c51876d15c2e09eb081618767b36b1d012f KorDllbot backdoor service Group: 7301505ed41ad49a4b379588d64be787 7a538c3eed1f01b62a19226750c1369e4e9210b1331d5829ca91fe2b69087f06 Downloader 6059cb08489170aea77caf0940131e5765b153a593e76d93a0f244e89ddb9e90 Uploader e97a8909349a072ed945899fbe276fc27e9c5847bc578b0abccf017da3fd680c Dropper for 7a538c3eed1f01b62a19226750c1369e4e9210b1331d5829ca91fe2b69087f06 Group: f0eeae68ca747c804b6a1d078525ebd1 c4852ddba88e5c53a8711c4c7540b7ac98dac6b9e31d10dd999a81a4f0e117c3 KorDllbot backdoor service 3ebb3d8292a1aa5dc81b028beeefdec0f0448516d6225b336ee37d550ab8c3ab KorDllbot backdoor service Group: 61fd3dc8a14f3a9f4ffbb82b6b9165c2 87e68055959328d857b287e797896d9a96695b69ed300a843eee73319427b3b3 KorDllbot 1.03 backdoor service 94e14a85a2046b40842f6c898c5f6c3200de3d89c178a9a9f9a639c1d3de9ee9 KorDllbot 1.04.4 backdoor Group: 00f70a83e7c9fbb54ea74e8bbc14c609 cd8c729da299b29618819afeef8b2a79451e6c3d35dea3769ef638c649c69001 KorDllbot 1.04.4 backdoor service Group: b46daf51cd766faa487311beac043847 9d9889585f1a4048a3955d3a9cead2f426a509afaeacad27540382cc3266f0fa KorDllbot backdoor service Group: 10cc28f0b769aba64fe81a0cd640122f 888844c040be9d0fc3dab00dd004aa9e8619f939aff2eba21e4f48ca20e13784 KorDllbot 1.2 backdoor service Group: db8c962c5c8366854f9b052dab52d54a d7044a35e76543a03cd343d71652c7bbd9a28e246d7f3a43f4a2e75cd0ef7366 KorDllbot 1.04.5 backdoor service Group: 206f156f15bb3c814f24bebf69ec04c7 50974c15a546e961fbee8653e5725960a77b79e0f7c8eadf3b6d35ba3a46dd57 KorDllbot backdoor service Group: 7c4a1d98042a2d814c93e8d8f78ee6fe bfb5fa2a09ac60efcc0e9f05e781bd22cae0b8f6ba356d7819285f073845a0eb KorDllbot 1.03 backdoor service Group: 888ba4e41cd689a14ee48b2dbe87428e 9bc8fe605a4ad852894801271efd771da688d707b9fbe208106917a0796bbfdc KorDllbot service dropper. Drops 0a27acaaebc7db0878239b40ab9d2feff13888839c05a03348fc09b78de6ced5 7b171a160cb2a17f87ca6a4a1c62b4cd9e718f987b7278d3effe0614b5b51be4 KorDllbot service dropper. Drops 0a27acaaebc7db0878239b40ab9d2feff13888839c05a03348fc09b78de6ced5 0a27acaaebc7db0878239b40ab9d2feff13888839c05a03348fc09b78de6ced5 KorDllbot backdoor service APPENDIX: MALWARE HASHES KorDllbot-related samples 87bae4517ff40d9a8800ba4d2fa8d2f9df3c2e224e97c4b3c162688f2b0d832e fd95e095658314c9815df6a97558897cb344255bd54d03c965fa4cbd16d7bafd 82169a2d8f15680c93e1436687538afa01d6a2ecfe7a7cb613817c64a1a82342 792b484ac94f0baefc7e016895373ba92c2927e3463f62adb701ddbe4c90604c 162d6223c1c1219ca81a77e60e6b776058517272fe7cac828a3f64dcacd87811 56e0b1794a588e330e32a10813cdc9904e472c55f17dd6c8de341aeaf837d077 c16a66c1d8e681e962f03728411230fe7c618b7294c143422005785d3a724ec4 57b4c2e71f46fe3e7811a80d19200700c15dd358bdf9d9fdf61f1c9a669f7b4b 2d9edf45988614f002b71899740d724008e9a808efad00fa79760b31e0a08073 006e0cc29697db70b2d4319f320aa0e52f78bf876646f687aa313e8ba04e6992 dda136bc51670e57a4b2f091f83ab7b44291a9323d5483abd9e91b78221e027f 163571bd56001963c4dcb0650bb17fa23ba23a5237c21f2401f4e894dfe4f50d 3d2a7ea04d2247b49e2dcad63a179ae6a47237eddbfd354082f1417a63e9696e ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781 6e8a2329567cdbbba68460ccb97209867d7508983cb638662b33bfe90d0134d4 af7b53ce584b83085488e1190e1458948eaf767631f766e446354d0d5523e9d0 69300a42e055f68a8057192077fbbef3be5b66514ea9ca258b077c5c7e9417a9 e0cd4eb8108dab716f3c2e94e6c0079051bfe9c7c2ed4fcbfdd16b4dd1c18d4d 96c35225dc4cac65cc43a6cc6cdcce3d13b3bda286c8c65cad5f2879f696ad2a 29355f6d4341089b36834b4a941ef96b3bf758a4fe35fbb401cc4e74b9b1c90f 9e226a5eb4de19fcb3f7ecc3abcf52ea22a1f1a42a08dd104f5f7a00164e074e 041605e498bb41b07d2d43003152cc2a992e7e2ade7a47ee9aef2570bdb16d94 82fe3a8f2248643505e8de1977b734f97eb38225e6d3df6ea8f906430514b4f5 08203b4ddc9571418b2631ebbc50bea57a00eadf4d4c28bd882ee8e831577a19 8e3c3398353931c513c32330c07f65b6ee6f62fc7a56edac7cbe4edb1bf4c74e bb4204dd059849848e9492523ce32520bf37cb80974320c0ca71f3b79e83f462 2f8c448bb05ed1218e638c61bb56ebb953b962ed5e065b08fa03cfcf6f6a1c68 f98c67c4cf9b02acaabb555664a0d9d648a1e43f681f9bf234af066d5451be8d 1226d3635c1a216be9316c9dfa97f103c79ed4c44397e5e675d3b1e37786bf31 c5baece9978649659220af2681a3a43b83f8ae47afdd3862185d1fec7735a7d2 a4b982d4e7137d7d3687f3127e6d5c2a8b2be1f53daeebce9175461c7e6a53cd 9bcecd6afa54eb4f343b7eb82a86ceee189cc10bc91fa83f8cdc98cc5aaef117 b7f2595dd62d1174ce6e5ddf43bf2b42f7001c7a4ec3c4cbe3359e30c674ed83 b039383a19e3da74a5a631dfe4e505020a5c5799578187e4ccc016c22872b246 f4a06dd6ebfd0805d445f45ce33d7bba4a33c561111c39a347024069a78169e9 3acaea01fd79484d5a72c72e1b9c2fbf391145fb1533c17a8a83e897d8777f82 81067f057d523fdcddf7df1da39a7c3614c45f6bff6bd387274c049244efda3b 218ee208323dc38ebc7f63dba73fac5541b53d7ce1858131fa3bfd434003091d 73edc54abb3d6b8df6bd1e4a77c373314cbe99a660c8c6eea770673063f55503 6d5d706f5356e087f5961ba2ed808c51876d15c2e09eb081618767b36b1d012f 7a538c3eed1f01b62a19226750c1369e4e9210b1331d5829ca91fe2b69087f06 6059cb08489170aea77caf0940131e5765b153a593e76d93a0f244e89ddb9e90 e97a8909349a072ed945899fbe276fc27e9c5847bc578b0abccf017da3fd680c c4852ddba88e5c53a8711c4c7540b7ac98dac6b9e31d10dd999a81a4f0e117c3 3ebb3d8292a1aa5dc81b028beeefdec0f0448516d6225b336ee37d550ab8c3ab 87e68055959328d857b287e797896d9a96695b69ed300a843eee73319427b3b3 94e14a85a2046b40842f6c898c5f6c3200de3d89c178a9a9f9a639c1d3de9ee9 cd8c729da299b29618819afeef8b2a79451e6c3d35dea3769ef638c649c69001 9d9889585f1a4048a3955d3a9cead2f426a509afaeacad27540382cc3266f0fa 888844c040be9d0fc3dab00dd004aa9e8619f939aff2eba21e4f48ca20e13784 d7044a35e76543a03cd343d71652c7bbd9a28e246d7f3a43f4a2e75cd0ef7366 50974c15a546e961fbee8653e5725960a77b79e0f7c8eadf3b6d35ba3a46dd57 bfb5fa2a09ac60efcc0e9f05e781bd22cae0b8f6ba356d7819285f073845a0eb 9bc8fe605a4ad852894801271efd771da688d707b9fbe208106917a0796bbfdc 7b171a160cb2a17f87ca6a4a1c62b4cd9e718f987b7278d3effe0614b5b51be4 0a27acaaebc7db0878239b40ab9d2feff13888839c05a03348fc09b78de6ced5 Joanap-related samples 29b8c57226b70fc7e095bb8bed4611d923f0bcefc661ebae5182168613b497f8 66d44e2bc7495662d068051c5a687d17c7e95c8f04acb0f06248b34cd255cd25 fae77c173815b561ad02d8994d0e789337a04d9966dd27a372fd9055f1ac58b1 c1c56c7eb2f6b406df908ae822a6ea936f9cc63010ee3c206186f356f2d1aa94 4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e 113d705d7736c707e06fb37ac328080b3976838d0a7b021fd5fb299896c22c7c 1a6c3e5643d7e22554ac0a543c87a2897ea4ea5a07bc080943a310a391e20713 0b860af58a9d2d7607f09022aa69508b0966a1cc8d953d3995a5fe07f8fabcac 5d73d14525ced5bdf16181f70f4d931b9c942c1ae16e318517d1cd53f4cd6ea9 c34ad273d836b2f058bbd73ea9958d272bd63f4119dacacc310bf38646ff567b 500c713aa82a11c4c33e9617cad4241fcef85661930e4986c205233759a55ae8 5f5acf76a991c1ca33855a96ec0ac77092f2909e0344657fe3acf0b2419d1eea c6d96be46ce3d616e0cb36d53c4fade7e954e74bfd2e34f9f15c4df58fc732d2 d558bb63ed9f613d51badd8fea7e8ea5921a9e31925cd163ec0412e0d999df58 006e0cc29697db70b2d4319f320aa0e52f78bf876646f687aa313e8ba04e6992 2d9edf45988614f002b71899740d724008e9a808efad00fa79760b31e0a08073 3d2a7ea04d2247b49e2dcad63a179ae6a47237eddbfd354082f1417a63e9696e ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781 f4113e30d50e0afc4fa610a3181169bb03f6766aea633ed8c0c0d1639dfc5b29 08203b4ddc9571418b2631ebbc50bea57a00eadf4d4c28bd882ee8e831577a19 a3992ed9a4273de53950fc55e5b56cc5b1327ffee59b1cea9e45679adc84d008 575028bbfd1c3aaff27967c9971176ae7038902f1a67d70def55ae8456e6166d 428cf6ec1a4c947b51ec099a656f575ce42f67737ee53f3afc3068a25adb4c0d f53e3e0b3c524471b1f064aabd0f782802abb4e29534a1b61a6b25ad8ec30e79 Destover “b076e058” samples Droppers: 6e93d7bdb01af596019fa48986544ca24aa06463f17975a084b28ce9ab3cf910 e0066ddc9e6f62e687994a05027e3eaa02f6f3ad6d71d16986b757413f2fb71c Dropped components: 9ec83d39d160bf3ea4d829fa8d771d37b4f20bec3a68452dfc9283d72cee24f8 10d3ab45077f01675a814b189d0ac8a157be5d9f1805caa2c707eecbb2cbf9ac 33207f4969529ad367909e72e0f9d0a63c4d1db412e41b05a93a7184ec212af1 389ee412499fd90ef136e84d5b34ce516bda9295fa418019921356f35eb2d037 e0ce1f4b9ca61747467cee56307f9ea15dd6935f399837806f775e9b4f40e9ca 54ab7e41e64eb769b02b855504c656eaaff08b3f46d241cb369346504a372b4f 47830371f6f3d90d6a9fbe39e7f8d43a2e126090457448d0542fcbec4982afd6 Destover “Volgmer” samples Droppers: 37dd416ae6052369ae8373730a9189aefd6d9eb410e0017259846d10ac06bff5 87db427b1b44641d8c13be0ba0a2b2f354493578562326d335edfeb998c12802 e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11 53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d 8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b Dropped components: 6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1 b987f7e6467704029c7784e9beb9ad3aa6e1375a661dc10b5f3d11c6a8fc1ef2 1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d 9f177a6fb4ea5af876ef8a0bf954e37544917d9aaba04680a29303f24ca5c72c 78af649d3d6a932bcf53cfe384ce6bf9441f4d19084692b26b7e28b41f7a91bd 5d617f408622afc94b1ca4c21b0b9c3b17074d0fcd3763ee366ab8b073fc63e9 fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9 c5946116f648e346b293e2e86c24511a215ebe6db51073599bba3e523fb0d0a8 eab55bded6438cd7b8a82d6447a09bba078ded33049fca22d616a74bb2cad08f ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd Destover “Windowsupdatetracing” samples Droppers: 83e507104ead804855d07bc836af4990542d1eac5ac2a8ce86f985d082199f6f d94ceade521452864ae8daae9d6b202a79d4761f755c7c769ec4e103c7c3127d bebf6266e765f7a0eefcde7c51507cc9f6e3b5d5b82a001660454e4e84f6e032 4166f6637b3b11f69cccbeb775f9ee6987a5a30475c54db189b837ee3fbbf0d1 eeb146ebbc3f144f5a6156d07322a696eead9c4895a9a6f94212d24056acd41c Destover “Messagethread” samples Droppers, var A 6959af7786a58dd1f06d5463d5ba472396214d9005fce8559d534533712a9121 68006e20a2f37609ffd0b244af30397e18df07483001150bcc685a9861e43d44 d8fedef123b3d386f0917f11db9fae0956ffe5b16a9aaad8805f72309437d066 Droppers, var B 2368ee0e0001599b7789d8199c7b19f362a87925118ae054309d85f960d982ec 6e3db4da27f12eaba005217eba7cd9133bc258c97fe44605d12e20a556775009 98abfcc9a0213156933ccd9cb0b85dc51f50e498dbfdec62f6a66dc0660d4d92 d36f79df9a289d01cbb89852b2612fd22273d65b3579410df8b5259b49808a39 Destover “b8ac0905” X86 Service DLL sample: 696ff9dda1ce759e8ff6dd96b04c75d232e10fe03809ba8abac7317f477f7cf5 Destover “b59d1659” X64 Service DLL sample: 7501c95647cef0c56e20c6d6a55de3d23f428e8878a05a603a0b37ea987a74e2 Destover “e4004c1f” HWP dropper documents: 3c3d2ab255daa9482fd64f89c06cdbfff3b2931e5e8e66004f93509b72cf1cc7 7d9631a62ae275c58e7ad2a3e5e4c4eac22cff46c077410ad628be6c38dd5e08 Dropper executables: ca4b4a3011947735a614a3dc43b67000d3a8deefb3fffa95b48f1d13032f2aea 31a76629115688e2675188d6f671beacfe930794d41cf73438426cc3e01cebae Dropped components: 7cea18dce8eb565264cc37bfa4dea03e87660b5cea725e36b472bafdcfe05ab1 757cd920d844fdcb04582a89b55f62b9a3e9bf73804abf94c9a9e15d06030b93 8a4f000049ad2a6c4eeac823c087b1c6e68c58b241c70341821cceccdf0f2d17 0654d112c17793c7a0026688cee569e780b989a9eb509585a977efd326dc2873 453d8bd3e2069bc50703eb4c5d278aad02304d4dc5d804ad2ec00b2343feb7a4 1f689996439db60970f4185f9cfc09f59bfe92650ba09bda38c7b1074c3e497b Destover “Duuzer” samples X86 samples: 029f93b7b7012777ee9fb2878d9c03b7fc68afad0b52cdc89b28a7ea501a0365 5831e614d79f3259fd48cfd5cd3c7e8e2c00491107d2c7d327970945afcb577d 6b70aa88c3610528730e5fb877415bc06a16f15373c131284d5649214cd2e96b 9b4c90ca8906e9fea63c9ea7a725db5fc66e1ca6c2a20bec2e8c1749b0000af5 b0cfaab0140f3ea9802dc6ed25bf208a2720fb590733966b7a3e9264a93a4e66 b3c0b7e355bee34cdb73d0bbdb1ba1b61797c035db31f0c82b19f9aa6a7abcc7 36844e66e5f4d802595909e2cbe90a96ad27da6b254af143b6611ab9ee85a13e 4efeea9eeae3d668897206eeccb1444d542ea537ca5c2787f13dd5dadd0e6aaa 5b28c86d7e581e52328942b35ece0d0875585fbb4e29378666d1af5be7f56b46 66df7660ddae300b1fcf1098b698868dd6f52db5fcf679fc37a396d28613e66b 72008e5f6aab8d58e4c8041cde20ee8a4d208c81e2b3770dbae247b86eb98afe 822a7be0e520bb490386ad456db01f26c0f69711b4ac61ba2cb892d5780fe38f 899ff9489dde2c5f49d6835625353bfe5ea8ca3195ca01362987a9d4bdac162d 8b50d7d93565aab87c21e42af04230a63cd076d19f8b83b063ef0f61d510adc7 90d8643e7e52f095ed59ed739167421e45958984c4c9186c4a025e2fd2be668b ac27cfa2f2a0d3d66fea709d7ebb54a3a85bf5134d1b20c49e07a21b6df6255a c5be570095471bef850282c5aaf9772f5baa23c633fe8612df41f6d1ebe4b565 ce0e43c2b9cb130cd36f1bc5897db2960d310c6e3382e81abfa9a3f2e3b781d7 facb32efc05bc8c4f3cb3baa6824db0f7effc56c02dbc52c33bafe242a1def77 763d1cb589146dd44e082060053ffbf5040830c79be004f848a9593d6be124ac 02d1d4e7acd9d3ec22588d89aed31c9a9d55547ef74fa3749659b610893f5405 47181c973a8a69740b710a420ea8f6bf82ce8a613134a8b080b64ce26bb5db93 e187811826b2c33b8b06bd2392be94a49d068da7f703ae060ee4faffde22c2fe X64 samples: 2811fdceb8a8aa03bbf59c0b01a43bd1f2aee675a8f20d38194258046987e5fa 39e53ba6984782a06188dc5797571897f336a58b8d36020e380aa6cd8f1c40a2 530a0f370f6f3b78c853d1e1a6e7105f6a0f814746d8a165c4c694a40c7ad09a 7a2a740d60bd082c1b50ab915ef86cc689ba3a25c35ac12b24e21aa118593959 eaea45f8bfb3d8ea39833d9dcdb77222365e601264575e66546910efe97cba99 ee49322ed9fb43a9a743b54cc6f0da22da1d6bc58e87be07fd2efe5e26c3ef8a ef07d6a3eb4a0047248c845be3da3282c208ede9508a48dbb8128eacc0550edf 477ca3e7353938f75032d04e232eb2c298f06f95328bca1a34fce1d8c9d12023 5a69bce8196b048f8b98f48c8f4950c8b059c43577e35d4af5f26c624140377c 89b25f9a454240a3f52de9bf6f9a829d2b4af04a7d9e9f4136f920f7e372909b a01bd92c02c9ef7c4785d8bf61ecff734e990b255bba8e22d4513f35f370fd14 b93793e3f9e0919641df0759d64d760aa3fdea9c7f6d15c47b13ecd87d48e6a9 d589043a6f460855445e35154c5a0ff9dbc8ee9e159ae880e38ca00ea2b9a94f Destover “Randomdomain” samples X86 samples: 92cc25e9a87765586e05a8246f7edb43df1695d2350ed921df403bdec12ad889 f2a14c5ef6669d1eb08fababb47a4b13f68ec8847511d4c90cdca507b42a5cf3 520778a12e34808bd5cf7b3bdf7ce491781654b240d315a3a4d7eff50341fb18 e55fff05de6f2d5d714d4c0fa90e37ef59a5ec4d90fdf2d24d1cb55e8509b065 e506987c5936380e7fe0eb1625efe48b431b942f61f5d8cf59655dc6a9afc212 2477f5e6620461b9146b32a9b49def593755ac9788fc4beeee81bf248aa2e92a f69747d654acc33299324e1da7d58a0c8a4bd2de464ec817ad201452a9fa4b54 44884565800eebf41185861133710b4a42a99d80b6a74436bf788c0e210b9f50 2f629c3c65c286c7f55929e3d0148722c768c730a7d172802afe4496c0abd683 b5e1740312b734fb70a011b6fe52c5504c526a4cccb55e154177abe21b1441c9 X64 samples: 0e162a2f07454d65eaed0c69e6c91dd10d29bdb27e0b3b181211057661683812 a53e33c77ecb6c650ee022a1311e7d642d902d07dd519758f899476dbaae3e49 c95eaedaafd8041bb0fea414b4ebc0f893f54cdec0f52978be13f7835737de2a da255866246689572474d13d3408c954b17d4cc969c45d6f45827799e97ed116 8465138c0638244adc514b2722fcb60b2a26a8756aa7d97f150e9bdc77e337cc Destover “FormBoundary” sample 77a32726af6205d27999b9a564dd7b020dc0a8f697a81a8f597b971140e28976 Destover “BasicHwp” samples HWP dropper document: 794b5e8e98e3f0c436515d37212621486f23b57a2c945c189594c5bf88821228 Droppers: c248da81ba83d9e6947c4bff3921b1830abda35fed3847effe6387deb5b8ddbb 794b5e8e98e3f0c436515d37212621486f23b57a2c945c189594c5bf88821228 fba0b8bdc1be44d100ac31b864830fcc9d056f1f5ab5486384e09bd088256dd0 Dropped components: c3f5e30b10733c2dfab2fd143ca55344345cc25e42fbb27e2c582ba086fe3326 Destover “Volgmer2” samples Droppers: 1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954 f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3 Dropped components: 96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a APPENDIX: C&C DATA Joanap-related C&C addresses 110.164.115.177 118.102.187.188 118.70.143.38 119.15.245.179 122.55.13.34 168.144.197.98 189.114.147.186 196.44.250.231 201.222.66.25 60.251.197.122 62.135.122.53 62.150.4.42 62.87.153.243 63.131.248.197 63.149.164.98 64.71.162.61 66.210.47.247 69.15.198.186 72.156.127.210 75.145.139.249 78.38.221.4 80.191.114.136 81.130.210.66 81.83.10.138 83.211.229.42 92.253.102.217 92.47.141.99 93.62.0.22 94.28.57.110 96.39.78.157 Volgmer C&C addresses (dynamic normal, hardcoded bold) 103.16.223.35 113.28.244.194 116.48.145.179 117.239.214.162 12.217.8.82 123.176.38.17 123.176.38.175 134.121.41.45 186.116.9.20 186.149.198.172 190.210.39.16 195.28.91.232 199.15.234.120 200.42.69.13 200.42.69.133 203.131.222.99 206.123.66.136 206.163.230.170 212.33.200.86 213.207.142.82 220.128.131.251 24.242.176.130 41.21.201.101 64.3.218.243 78.93.190.70 83.231.204.157 84.232.224.218 89.122.121.230 89.190.188.42 200.87.126.116 194.224.95.20 Destover “MessageThread” C&C IP addresses: 101.76.99.183 112.206.230.54 124.47.73.194 165.138.120.35 175.45.4.158 177.189.204.214 187.176.34.40 202.182.50.211 203.131.222.102 208.105.226.235 209.237.95.19 211.76.87.252 213.42.82.243 31.210.53.11 59.125.119.135 59.125.62.35 61.91.100.211 62.141.29.175 65.117.146.5 71.40.211.3 85.112.29.106 91.183.41.5 93.157.14.154 Destover “WindowsUpdateTracing” real C&C IP addresses (after XOR translation). Addresses in red are inferred from pDNS only (no sample). 1.202.129.201 110.78.165.32 113.10.158.4 124.81.92.85 140.134.23.140 196.36.64.50 199.83.230.236 201.22.95.127 202.9.100.206 185.20.218.28 200.55.243.150 122.179.175.224 124.123.219.216 108.166.93.13 14.141.129.116 217.128.80.228 58.137.122.226 2.224.202.27 14.2.240.20 59.125.75.217 41.38.151.7 201.203.27.170 64.206.243.35 184.180.159.183 24.77.32.241 64.228.222.61 217.8.95.250 180.26.59.158 41.41.29.214 Destover “RandomDomain” C&C IP addresses: 103.233.121.22 187.111.14.62 187.54.39.210 200.202.169.103 202.152.17.116 203.131.210.247 206.248.59.124 37.34.176.14 94.199.145.55 Destover “Duuzer” C&C IP addresses: 110.77.140.155 113.160.112.125 114.143.184.19 148.238.251.30 161.139.39.234 161.246.14.35 175.111.4.4 177.0.154.88 177.19.132.216 177.52.193.198 184.173.254.54 185.20.218.28 185.30.198.1 185.81.99.17 186.167.17.115 194.165.149.51 196.202.33.106 200.87.126.117 201.163.208.37 202.39.254.231 203.113.122.163 203.115.13.105 203.170.66.206 210.211.124.229 223.255.129.230 31.210.54.14 37.148.208.67 37.58.148.34 41.21.201.107 41.76.46.182 5.22.140.93 62.0.79.45 67.229.173.226 78.38.114.213 87.101.243.246 90.80.152.49 203.132.205.250 59.90.208.171 201.25.189.114 Destover “BasicHwp” C&C IP addresses: 91.183.71.18 184.20.197.204 208.87.77.153 201.216.206.49 87.101.243.252 208.69.30.151 69.54.32.30 Destover “Volgmer2” C&C IP addresses: 121.170.194.185 222.236.46.5 APPENDIX: YARA RULES rule Destover : Backdoor { meta: author = "Blue Coat Systems, Inc." info = "Used for attacks on Sony Pictures Entertainment and targets in South Korea" strings: $a1= "recdiscm32.exe" $a2= "taskhosts64.exe" $a3= "taskchg16.exe" $a4= "rdpshellex32.exe" $a5 ="mobsynclm64.exe" $a6 ="comon32.exe" $a7 ="diskpartmg16.exe" $a8 ="dpnsvr16.exe" $a9 ="expandmn32.exe" $a10="hwrcompsvc64.exe" $a12="cmd.exe /c wmic.exe /node:\"%s\" /user:\"%s\" /password:\"%s\" PROCESS CALL CREATE \"%s\" > %s" $a13="#99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C66" $a14="b8ac0905cda0360fc115f614119da76d84e2277762bd7558b2650a79013fb50138f732d5a03730d7d5b17" $a15="b076e0580463a202bad74cb9c1b85af3fb4d1be513ccca3ae8b57d193be77b4ab63802b3216d3a80b0082" $a16="bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40bd51483321ebe44595f7" $a17="b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d73469b8beabc1" $a18="b59d165982e3d5721c4d40195f85aedf2a12d6616be11a2c19fa11821604edc4675bdca4f9b9cbfb27244" $a19="e4004c1f94182000103d883a448b3f802ce4b44a83301270002c20d0321cfd0011ccef784c26a400f43df" $b1 = "---------------End--------------!" $b2 = "WaitRecv End" wide condition: any of ($a) or all of ($b) } rule Destover2 : Backdoor { meta: author = "Blue Coat Systems, Inc." info = "Used for attacks on Sony Pictures Entertainment and targets in South Korea" strings: $a1 = "%sd.e%sc" fullword ascii wide $a2 = "xe" fullword ascii wide $a3 = "cm" fullword ascii wide $b1 = "%smd.e%sc" fullword ascii wide $c1 = "%sm%se%sc" fullword ascii wide $d = "ChfTime Success" ascii wide $e = {FF15????????6A3EFF75??FF15????????5985C0598D85????????50FF75??68????????68????????75} $f = "%s \"%s > %s 2>&1\"" ascii wide condition: all of ($a_) or ($b1 and $a2) or ($c1 and $a2) or $d or $e or $f } rule DarkSeoul_Obf_ChopString : Backdoor { meta: author = "Blue Coat Systems, Inc." info = "Obfuscation method used by the DarkSeoul group" strings: $a1={8B54240456BE????????57B91400000033C08BFEF3AB803A0074158A023C2E74073C2074038806468A42014284C075EB} condition: any of them } rule DarkSeoul_Obf_BCSUB : Backdoor { meta: author = "Blue Coat Systems, Inc." info = "Obfuscation method used by the DarkSeoul group" strings: $a1="pM[XpSZJ[JC{" condition: any of them } rule DarkSeoul_Obf_XORA7 : Backdoor { meta: author = "Blue Coat Systems, Inc." info = "Obfuscation method used by the DarkSeoul group" strings: $a1={E0C2D3F7D5C8C4E6C3C3D5C2D4D4} condition: any of them } rule DarkSeoul_Obf_Caracachs : Backdoor { meta: author = "Blue Coat Systems, Inc." info = "Obfuscation method used by the DarkSeoul group" strings: $a1={F3EEAEFFFBB821BF9AE3D820FDC0} condition: any of them } rule DarkSeoul_Keystrings : Backdoor { meta: author = "Blue Coat Systems, Inc." info = "Encryption keys used by the DarkSeoul group" strings: $a1 = "Bb102@jH4$t3hg%6&G1s_2J3gCNwVrUeI!Dr3hytg^CHGf%ion" $a2 = "BAISEO%$2fas9vQsfvx%$" $a3 = "A39405WKELsdfirpsdLDPskDORkbLRTP12330@3$223%!" condition: any of them } rule Joanap : { meta: author = "Blue Coat Systems, Inc." info = "SMB worm family used by the DarkSeoul group" strings: $a1="NTLMSSP" $a2="MiniDumpWriteDump" $a3="password <=14" $a4="KGS!@#$%" $b1="9025jhdho39ehe2" $b2="y@s!11yid60u7f!07ou74n001" $b3=“y0uar3@s!11yid!07,ou74n60u7f001” condition: all of ($a) or any of ($b_) }

ghost commented 8 years ago

added in 7e57360