SANS Daily Network Security Podcast (Stormcast) for Thursday, January 24th 2019 - SANS Internet Storm Center



DHS Suggests Checking DNS; Azure Domain Abuse; Twitter Tech Support Scam



DHS Emergency Directive Regarding DNS Tampering
https://cyber.dhs.gov/ed/19-01/

Abuse of Trusted Microsoft Azure Domains
https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/issues/233

Tech Support Scammers Unmasked
https://www.fidusinfosec.com/turning-the-tables-on-virgin-media-twitter-scammers/


Discussion

According to the "DHS Emergency Directive Regarding DNS Tampering" published above, and the IOCs included in the following CERT alert (https://www.us-cert.gov/ncas/alerts/AA19-024A), we found other indicators related to communications initiated on Nov 1, 2018. This old communication from two months ago was from internal users directly to the URL http://www.googleg.com, which redirects the user to another URL: http://ww1.googloe.com. Both of these domains are hosted on a suspicious server which contains several other malicious domains, like: [bingo.sg, adult.sg, asus.com.sg, bank.com.sg]. This server resolved to several IP addresses:
107.161.23.204, 192.161.187.200, 209.141.38.71, 199.59.242.151.

198.133.158.0/23 -> where the email for the domain (googleg.com) goes, which distributed malicious files: ec40ccaad63f8855d8de31a42b7c67ac.exe, according to multiple analyzers on VirusTotal from a month ago.

Sample of file names: hcjgfcyz.exe, idkhgdza.exe, xtntzbtk.exe, qqpvgube.exe. Although the last file name was from a month ago, the first file is a NEW file used in this communication.

Analysis: the .exe files create a new exe file (random.exe) under Temp\, create a new folder (random-name) under Windows\System32, which is used later to move the exe file from Temp to this place under "random-name", then create a service (using the sc.exe utility) for "random-name.exe" with the name "WIFI Support" that auto-starts, to pretend to be an internet WiFi connection support service. From this service you can know what could happen, especially with the C2 server domain (107.161.23.204) and the other communicated identities: 43.231.4.7, 5.9.32.166, 144.76.199.43, 144.76.199.2, 85.25.119.25, 46.4.52.109, 176.111.49.43, 216.58.215.68 on different ports (80, 425, 481, 443).
So, kindly check the following additional indicators, as you can find more indicators according to the file you were infected with.

URLs:
http://www.googleg.com
http://www.googloe.com

IPs:
43.231.4.7
5.9.32.166
144.76.199.43
144.76.199.2
85.25.119.25
46.4.52.109
176.111.49.43
216.58.215.68
107.161.23.204
192.161.187.200
209.141.38.71
199.59.242.151

Domains:
mail.b-io.co
googleg.com
googloe.com
mail.h-email.net
mail.hope-mail.com

Hashes:
92fddf9680451d18f660aafba7539d0ce1c4545ce83b5965284594b98cb0989d
2233343df3089f59a7553daf6de80648665d636327f79afc84bd91481aa3710d
7cf061675910e5c55127db45adfadd079e64a86ac7662892526cdbb91b53fb8a
9fda4a79fee8033f66e63dfe41c24ff7675232997bb8afa57261d2d354777b48
4cab79eaad6d89bb7de672fc794fb0f40b130d4fa849b3cef6f5c121c37e96be

Reference:
- https://www.virustotal.com/#/file/92fddf9680451d18f660aafba7539d0ce1c4545ce83b5965284594b98cb0989d/detection
- https://www.virustotal.com/#/file/2233343df3089f59a7553daf6de80648665d636327f79afc84bd91481aa3710d/detection

-----------------
Author: MoNour
Posted by MoNour on Sun Jan 27 2019, 20:20
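One way to sweep plain-text logs for the indicators in the comment above, as an added example that is not code from the post, from MoNour or from SANS ISC. The domains, IPs, the 198.133.158.0/23 range, the SHA-256 hashes and the "WIFI Support" service name are taken from the post; the log line formats, field names and the sample lines are constructed for this example and are assumptions, as is the choice to match subdomains (www.googleg.com, ww1.googloe.com) and to flag any `sc create` command line that registers a service called "WIFI Support".

```python
"""Sweep plain-text log lines for the indicators listed in the post above.

IOC values are copied from the post. The log formats, field names and
SAMPLE_LOG lines below are constructed for this example (assumptions).
"""
import ipaddress
import re

# Indicators from the post (MoNour, Jan 27 2019).
IOC_DOMAINS = {"googleg.com", "googloe.com", "mail.b-io.co",
               "mail.h-email.net", "mail.hope-mail.com"}
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "43.231.4.7", "5.9.32.166", "144.76.199.43", "144.76.199.2",
    "85.25.119.25", "46.4.52.109", "176.111.49.43", "216.58.215.68",
    "107.161.23.204", "192.161.187.200", "209.141.38.71", "199.59.242.151")}
IOC_NETS = [ipaddress.ip_network("198.133.158.0/23")]  # mail destination per the post
IOC_SHA256 = {
    "92fddf9680451d18f660aafba7539d0ce1c4545ce83b5965284594b98cb0989d",
    "2233343df3089f59a7553daf6de80648665d636327f79afc84bd91481aa3710d",
    "7cf061675910e5c55127db45adfadd079e64a86ac7662892526cdbb91b53fb8a",
    "9fda4a79fee8033f66e63dfe41c24ff7675232997bb8afa57261d2d354777b48",
    "4cab79eaad6d89bb7de672fc794fb0f40b130d4fa849b3cef6f5c121c37e96be",
}

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# "sc create ..." (or sc.exe) registering a service named "WIFI Support":
# the persistence step the post describes.
SC_WIFI_RE = re.compile(r"\bsc(?:\.exe)?\s+create\b.*wifi\s*support", re.I)


def match_domain(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_ip(text):
    """Return the matching IOC address or network as a string, else None."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    if ip in IOC_IPS:
        return str(ip)
    for net in IOC_NETS:
        if ip in net:
            return str(net)
    return None


def hunt(lines):
    """Return (line_number, kind, ioc) tuples for every indicator hit in `lines`."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = set()
        for host in HOST_RE.findall(line):
            d = match_domain(host)
            if d:
                hits.add(("domain", d))
        for ip in IPV4_RE.findall(line):
            m = match_ip(ip)
            if m:
                hits.add(("ip", m))
        for hx in SHA256_RE.findall(line):
            if hx.lower() in IOC_SHA256:
                hits.add(("sha256", hx.lower()))
        if SC_WIFI_RE.search(line):
            hits.add(("service", "WIFI Support"))
        findings.extend((n, kind, value) for kind, value in sorted(hits))
    return findings


# Constructed sample lines (not from the post or any real environment):
# a DNS query, a proxy hit, an SMTP connection, a Sysmon-style process
# event and an EDR file event, followed by two benign lines.
SAMPLE_LOG = [
    "2018-11-01T09:12:03Z dns client=10.0.0.15 query=A name=www.googleg.com",
    "2018-11-01T09:12:04Z proxy client=10.0.0.15 url=http://ww1.googloe.com/ dst=107.161.23.204:80",
    "2018-11-01T09:12:09Z smtp client=10.0.0.15 rcpt=mail.hope-mail.com dst=198.133.159.20:25",
    r"2018-11-01T09:13:30Z sysmon event=ProcessCreate image=C:\Windows\System32\sc.exe "
    r'cmdline=sc create hcjgfcyz binPath= C:\Windows\System32\qqpvgube\hcjgfcyz.exe DisplayName= "WIFI Support" start= auto',
    r"2018-11-01T09:13:31Z edr file=C:\Windows\Temp\hcjgfcyz.exe "
    "sha256=92fddf9680451d18f660aafba7539d0ce1c4545ce83b5965284594b98cb0989d",
    "2018-11-01T09:14:00Z dns client=10.0.0.22 query=A name=www.example.com",
    "2018-11-01T09:14:01Z proxy client=10.0.0.22 url=https://www.example.com/ dst=93.184.216.34:443",
]

if __name__ == "__main__":
    for line_no, kind, value in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {kind} hit on {value}")
```

Treat a hit as a lead rather than a verdict: the post itself says the server hosts other domains, so an IP-only match on shared infrastructure should be corroborated with a domain, hash or service hit before acting, and the hash check only catches the exact samples listed. Run it over DNS, proxy, mail and endpoint logs from the Nov 1, 2018 date the post gives onward.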

