Nemucod and Locky

MichaelSconzo, Employee
2016-10-03 06:44 PM

Thanks to Kevin, Rajas, Angela, Ray, and Tophs for all the data, research, and output.

On the heels of RSA’s recent investigation into Cerber and Ransomware-as-a-Service (RaaS), additional consideration was given to other aspects of the ‘Crimeware circuit’ that might also be moving into a more commercialized role. The Nemucod Trojan’s recent evolution, as of August-September 2016, may well provide another fitting example of actors adapting to market forces. Not coincidentally, JS/TrojanDownloader.Nemucod is currently tracked as the second ‘Top World Threat’ by ESET’s Virusradar[1], with an uptick of activity noted in the latter weeks of September.

Figure 1: Nemucod trending, courtesy of ESET Virusradar[2]

Historically speaking, Nemucod is a relatively well-known family that has often used malspam campaigns, with the trojan delivering flavors of ransomware, ad-clickers, and other payloads. However, it is important to note that these payloads were typically each delivered in a time-serial, linear fashion; this appears to have changed for Nemucod. As evidence of this, analysis of detonated malware (from the week of September 19th) indicates that today’s Nemucod Trojan may be operating as an uncoupled delivery mechanism, capable of dropping not just Locky ransomware but a slew of other malicious portable executables (e.g., win32/kovter and win32/boaxxe).

Does this shift represent Nemucod actors adjusting their business model to better align core competencies with market demand, in this case demand for the distribution and delivery of a plethora of crimeware? It’s possible and even likely, especially considering the evolution of EK-delivered Cerber RaaS. That being said, there is not yet a conclusive body of evidence to prove or disprove the theory that Nemucod actors have hung out a shingle as distribution and delivery service providers.

Locky ransomware was one of the primary payloads noted in this investigation, and the executables observed demonstrate behavior consistent with Locky as described in previous security industry documentation. As with previous Nemucod campaigns, the attack vector used for this campaign was mostly e-mail, a sample of which can be seen below.

Figure 5: E-mail attack vector.

Meet the Nemucod Trojan. It arrives as a non-password-protected ZIP attachment containing an HTA (HTML Application) file, which is encoded JavaScript responsible for the delivery of one or more malicious payloads. This type of executable inherently brings agility to the actor’s operating model, because encoded JavaScript can easily be modified to reconfigure malware-serving domains or IPs. Add to this the amount of bulletproof hosting available in countries with “less stringent laws and/or regulations”, and it becomes apparent how quickly Nemucod can launch or modify a campaign.

Another noteworthy observation was that community antivirus and malware detection capabilities typically mischaracterize Nemucod. Rather than identifying the trojan as a downloader and delivery mechanism, the community often categorizes Nemucod by the payload it most commonly delivers. This has probably helped obscure Nemucod’s utility in delivering multiple flavors of ransomware and other crimeware.

In the case of Locky, the delivered payload is a PHP interpreter, an additional PHP library, and then the download of a third PHP file, which uses a hard-coded encryption key to encrypt important files and rename them with its namesake extension, “.locky”. Once this routine has completed, the software proceeds to inform the user and demand a ransom.

Figure 2: Maltego snapshot of Locky infrastructure

Post-delivery, we observed a number of Locky .php check-ins via HTTP POSTs made directly to IP addresses rather than hostnames (e.g., userinfo.php, data/info.php, submit.php, amin.php). It is believed that these are initial check-ins by the ransomware once it has successfully installed itself. There were also a number of expected callbacks to 51.254.0.0/15, a known command and control (C2) range for Locky. In our malware samples, the majority of this activity was destined for 51.255.105.2, confirming it as a current Locky C2 site[3].

Figure 3: Sample of Locky’s direct-to-IP check-in, courtesy of VirusTotal[4]

In addition to this activity, a large number of callbacks were also seen heading to 51.255.107.30, which is likely critical infrastructure related to Locky malspam. This was demonstrated by a number of SMTP-formatted port 80 callbacks to known infrastructure, as well as the large number of POP, IMAP, and other mail-related domains hosted there. 51.255.107.30 itself hosts more than 50 mail-related domains as well as a possible control panel (cpanel[.]rowz.[.]ru). Similar provisioning was noted across other nodes within the Locky infrastructure.

Figure 4: Additional Locky domains

Also not surprisingly, there were a number of connections to the dynamic DNS provider checkip[.]dyndns[.]org, which has been a player in too many past crimeware campaigns to list.

While little detail currently exists on most open source ransomware trackers with regard to Locky payment processing, several candidate hosts were noted during the course of this research. First, in addition to its C2 role, 51.255.105.2 was found to be hosting more than 400 possible payment site domains matching an [8-20char DGA].[key].win pattern. 185.141.25.108 was also noted as a possible payment site host, with a smaller number of [DGA].[DGA].top and [DGA].[DGA].pw patterned domains observed.

There was also a handful of traffic to Eastern European hosting services (e.g., 185.162.8.101, Eurohoster hosting services out of Bulgaria) and privately registered Ukrainian infrastructure such as 107.181.187.228, identified as hosting obscure domains like m2.[]dreamboatoffer[.]com and horehjw19882[.]com, coincidentally owned by an iOS developer living in Ukraine. It’s not possible at this stage to determine whether these artifacts are indicative of compromised infrastructure hijacked for Locky or of something more closely related to the actual group of Locky actors.

Figure 4: VirusTotal site scoring[5]

Another aspect of the Nemucod investigation revealed that many of the ‘Locky’-characterized hashes were false positive identifications (by several algorithms within VirusTotal) that actually demonstrated behavior more consistent with malvertising. These hashes made direct callbacks to Akamai CDN infrastructure (e.g., aka.ms) and are likely further examples of Nemucod’s evolved ability to deliver multiple payloads and, more importantly, to achieve multiple revenue streams.

Conclusion

While no significantly new technical understanding was developed during the course of this research, RSA was able to identify several Nemucod and Locky behaviors that are currently being evaluated for post-infection signature-based detection in RSA Security Analytics (i.e., NetWitness). Additionally, the RSA FirstWatch Exploit Domain and FirstWatch Exploit IP threat intelligence feeds were updated as of September 28th, 2016 to include more than 3000 unique indicators of compromise (IOCs) for the Nemucod trojan as well as the Locky ransomware it currently delivers.

In addition, a new App Rule is also available in Live. The query is:

rule="action = 'post' && risk.info = 'http direct to ip request' && content = 'application/x-www-form-urlencoded' && direction='outbound' && (extension = 'php' || extension = 'cgi')"

This rule should have a low false-positive rate; if you find anything to the contrary, please let us know.
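As an added illustration (not code from the original post or from NetWitness), the Python below applies the same logic as the App Rule to a few constructed HTTP session records, so the conditions can be checked against traffic offline. The sample sessions and field names are assumptions for the example, as is deriving the 'http direct to ip request' meta by testing whether the Host header is an IP literal (in the product that meta is assigned by the parser).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample HTTP sessions (not from the original post). Keys mirror the
# NetWitness meta the App Rule references; "host" and "url" are the raw fields
# from which risk.info and extension are derived below.
FORM = "application/x-www-form-urlencoded"
SAMPLE_SESSIONS = [
    {"action": "post", "host": "51.255.105.2", "url": "/userinfo.php", "content": FORM, "direction": "outbound"},
    {"action": "post", "host": "51.255.105.2:8080", "url": "/data/info.php?id=1", "content": FORM, "direction": "outbound"},
    {"action": "post", "host": "updates.example.test", "url": "/submit.php", "content": FORM, "direction": "outbound"},
    {"action": "get", "host": "51.255.105.2", "url": "/amin.php", "content": "text/html", "direction": "outbound"},
    {"action": "post", "host": "10.0.0.5", "url": "/cgi-bin/report.cgi", "content": FORM, "direction": "inbound"},
    {"action": "post", "host": "51.255.105.2", "url": "/upload.aspx", "content": "multipart/form-data", "direction": "outbound"},
]

def is_direct_to_ip(host: str) -> bool:
    """True when the Host header is an IP literal (v4, or bracketed v6), with an optional :port."""
    h = host.strip()
    if h.startswith("["):
        h = h[1:h.find("]")] if "]" in h else h[1:]
    elif h.count(":") == 1:
        h = h.split(":", 1)[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False

def url_extension(url: str) -> str:
    """Extension of the requested resource, ignoring any query string, lower-cased."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""

def matches_rule(s: dict) -> bool:
    """Python equivalent of the App Rule: outbound, form-encoded POST sent
    directly to an IP (no hostname) for a .php or .cgi resource."""
    risk_info = "http direct to ip request" if is_direct_to_ip(s["host"]) else ""
    return (s["action"] == "post"
            and risk_info == "http direct to ip request"
            and s["content"] == FORM
            and s["direction"] == "outbound"
            and url_extension(s["url"]) in ("php", "cgi"))

def alerts(sessions) -> list:
    """Return 'host url' for each session the rule flags; use it to eyeball false positives."""
    return [f'{s["host"]} {s["url"]}' for s in sessions if matches_rule(s)]
```

Only the two direct-to-IP, outbound, form-encoded POSTs to .php resources are flagged; the hostname-based POST, the GET, the inbound CGI request and the .aspx upload all fall outside the rule.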

 

Perhaps more important than the technical discoveries, though, is the additional evidence this research contributes to the theory that crimeware actors are adopting commercially accepted market principles to refine their business models in order to increase profits and diversify revenue streams.

Footnotes

[1] http://www.virusradar.com/en

[2] http://www.virusradar.com/en/JS_TrojanDownloader.Nemucod/chart/month

[3] http://malware-traffic-analysis.net/2016/09/16/index3.html

[4] https://www.virustotal.com/intelligence/search/?query=81e85dcaf482aba2f8ea047145490493%C2%A0+

[5] https://www.virustotal.com/en/url/d188070f344a6645c451c0602ceb6afe0f9336fe1803df687eab1ae186f8b06c/analysis/1475167507/
