SANS ISC: SANS Daily Network Security Podcast (Stormcast) for Thursday, January 24th 2019

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS Daily Network Security Podcast (Stormcast) for Thursday, January 24th 2019

According to "DHS Emergency Directive Regarding DNS Tampering" which published above and its IOCs included in the following cert alert(https://www.us-cert.gov/ncas/alerts/AA19-024A). We found another indicators related to communications initiated in Nov 1,2018. This old communication from 2 months ago from internal users directly to url: http://www.googleg.com which direct user to another URL: http://ww1.googloe.com. Both of these domains hosted on suspicious server which contains several malicious other domains like: [bingo.sg, adult.sg, asus.com.sg, bank.com.sg]. This server was reversed to several IP addresses:
107.161.23.204 ,192.161.187.200,209.141.38.71, 199.59.242.151.

198.133.158.0/23 -> where the email for the domain (googleg.com) goes which distributed malicious files: ec40ccaad63f8855d8de31a42b7c67ac.exe according to multiple analyzers on virustotal from month ago.

Sample of file names: hcjgfcyz.exe, idkhgdza.exe, xtntzbtk.exe, qqpvgube.exe. although the last file name was from month ago, the first file is NEW file used in this communication.

Analysis: .exe files that will create new exe file (random.exe) under Temp\, create new folder under windows under system32 (random-name) which will use it later to move the exe file in Temp to this place under “random-name”, then create service (using sc.exe utility) for “random-name.exe” with name “WIFI Support” that will auto-start to pretend as internet WIFI connection support service and you can know the following that could happen using this service specially with C2 server domain (107.161.23.204) and other communicated identities: 43.231.4.7, 5.9.32.166, 144.76.199.43, 144.76.199.2, 85.25.119.25, 46.4.52.109, 176.111.49.43, 216.58.215.68 on different ports (80, 425, 481, 443).
So, Kindly check the following additional indicators as you can find more indicators according to file you was infected with it.

URLs:
http://www.googleg.com
http://www.googloe.com

IPs:
43.231.4.7
5.9.32.166
144.76.199.43
144.76.199.2
85.25.119.25
46.4.52.109
176.111.49.43
216.58.215.68
107.161.23.204
192.161.187.200
209.141.38.71
199.59.242.151

Domains:
mail.b-io.co
googleg.com
googloe.com
mail.h-email.net
mail.hope-mail.com

Hashes:
92fddf9680451d18f660aafba7539d0ce1c4545ce83b5965284594b98cb0989d
2233343df3089f59a7553daf6de80648665d636327f79afc84bd91481aa3710d
7cf061675910e5c55127db45adfadd079e64a86ac7662892526cdbb91b53fb8a
9fda4a79fee8033f66e63dfe41c24ff7675232997bb8afa57261d2d354777b48
4cab79eaad6d89bb7de672fc794fb0f40b130d4fa849b3cef6f5c121c37e96be

Reference:
- https://www.virustotal.com/#/file/92fddf9680451d18f660aafba7539d0ce1c4545ce83b5965284594b98cb0989d/detection
- https://www.virustotal.com/#/file/2233343df3089f59a7553daf6de80648665d636327f79afc84bd91481aa3710d/detection

-----------------
Author: MoNour