This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Detecting Dreambot variants using RSA NetWitness

AhmedSonbol1
Employee
Employee
‎2017-04-04 05:15 PM

Ursnif, also known as Gozi and ISFB, is a banking Trojan that primarily targets English-speaking countries. It was first discovered in 2007 and in 2010 its source code was unintentionally leaked [1]; which provided the basis for much of the legacy Ursnif variant diagnosis and detection. Dreambot is a newer variant (ca 2016) of Ursnif that incorporates capabilities such as Tor communications and peer-to-peer functionality [2].

 

Dreambot malware has been observed to spread via many of the conventional crimeware avenues to include exploit kits, e-mail attachments and links [2] [3]. To evade automated malware analysis, Dreambot uses password protected macro attachments and also delays for 250 seconds prior to downloading the malware [4].

 

This threat advisory discusses how to detect Dreambot beaconing activity using RSA NetWitness Logs & Packets.

 

A system infected with Dreambot reaches out to its command and control server as follows:

 

Get_avi_packet_blog.png

 

The behavior is consistent across many Dreambot samples:

 

Get_avi.PNG

 

Then a Tor client is retrieved:

 

Get_dll_packet_blog.png

 

Get_dll.PNG

 

The check-in is different for other Dreambot variants:

 

Post_bmp_bin_packet_blog.png

 

Post_bmp_bin.PNG

 

Assuming that the appropriate meta keys are enabled, the following queries can be used to detect Dreambot network activity:

  • Detect the check-in activity you can use:

    action = 'get' && filename = '.avi' && extension = 'avi' && directory contains '/images/' && direction = 'outbound'

    action = 'post' && directory begins '/images/' && query begins 'filename=' && extension = 'bin' && direction='outbound'
  • Detect the Tor client retrieval you can use:

    action = 'get' && filename = 'test32.dll',' t32.dll', ' t64.dll' && extension = 'dll' && directory contains '/tor/' && direction = 'outbound'

 

Dreambot samples can be found on VirusTotal here and here, and on Payload Security here and here.

 

All the IOCs from those sessions were added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

To find those IOCs using RSA NetWitness, please refer to this post.

 

In addition, the following Application Rule is now available on Live:


LiveSearch.PNG

 

newLiveSech.PNG

 

Below is a screenshot of the Application Rule detecting Dreambot traffic:

 

sessionAnalysis.PNG

 

 

Thanks go to Rajas Save for contributing to this threat advisory.

 

References:

  1. https://securityintelligence.com/gozi-goes-to-bulgaria-is-cybercrime-heading-to-less-chartered-territory/#.VdQEtfnddi8
  2. https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
  3. RIG EK at 92.53.127.21 Drops Dreambot – MALWARE BREAKDOWN 
  4. New Password Protected Macro Malware evades Sandbox and Infects the victims with Ursnif Malware !! - Cysinfo 
© 2022 RSA Security LLC or its affiliates. All rights reserved.