30th FIRST at KL Lightning Talk

My presentation at the 30th FIRST Lightning Talk (bio and call-for-help pages cut)
Report on the CUTWAIL infrastructure observation

Moto_Sato

June 27, 2018
Transcript

  1. My personal work
    • One of my hobbies is “sinkhole”! (※)
    • Last year I gave the LT “From my sinkhole”, about the victim countries of targeted attacks.
    • Today I’ll talk about new findings.
    • ※ Over 2,000 domains, mainly “targeted attack” domains that attackers used (fraud domains included); over 120,000 accesses per hour; accesses from about 100 countries per day.
  2. “Banking Trojan Malware Mail”
    • In Japan, we got many “Banking Trojan Malware Mails”.
    • https://t.co/rSSd3ICpjr (made by @taku888infinity)
  3. 2 types of malicious mail
    • 1. Attachment macro type: “Invoice (請求書)”
    • 2. Link / JS type: “Notice from Rakuten (楽天カードからのお知らせ)”
    • These are “Bebloh” and “Ursnif”.
    • When I analyzed the attachment-type malware, it worked irregularly.
    • That malware downloaded Cutwail / PushDo.
    • Credits: @bomccss @abel1ma
  4. Cutwail works ...
    • Spam bot
    • If you don’t know it, please see this page: Banking Trojans: Ursnif Global Distribution Networks Identified
      https://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
  5. I checked CUTWAIL malware connections...
    • I found an expired domain -> I got it -> linked it to the sinkhole.
    • PushDo connection list: https://malwarebreakdown.com/2016/11/01/pushdo-checkin-traffic-update/
  6. Result
    • I got access from 151 countries! (23,736 IPs) (2018/06/25)
    • The most infected country is “Japan”!

    Rank  Country                      IPs
     1    Japan                       3144
     2    India                       1758
     3    Russia                      1432
     4    Indonesia                   1260
     5    Kazakhstan                  1242
     6    Italy                       1086
     7    Azerbaijan                  1057
     8    Bulgaria                     969
     9    Ukraine                      738
    10    Iran                         687
    11    Turkey                       659
    12    Thailand                     554
    13    Vietnam                      530
    14    Mexico                       444
    15    United States                402
    16    Kyrgyzstan                   362
    17    Belarus                      355
    18    Georgia                      351
    19    Armenia                      348
    20    Philippines                  344
    21    Pakistan                     341
    22    Uzbekistan                   314
    23    Nigeria                      265
    24    Algeria                      238
    25    Iraq                         228
    26    Poland                       213
    27    Brazil                       202
    28    Malaysia                     185
    29    Romania                      180
    30    Egypt                        178
    31    China                        155
    32    Canada                       150
    33    Peru                         137
    34    Spain                        125
    35    Bangladesh                   118
    36    Lebanon                      115
    37    France                       109
    38    Venezuela                    107
    39    Syria                        104
    40    Bosnia and Herzegovina        92
    41    Hashemite Kingdom of Jordan   91
    42    Germany                       83
    43    Republic of Moldova           80
    44    Argentina                     79
    45    Saudi Arabia                  79
    46    Ecuador                       77
    47    United Kingdom                75
    48    Mongolia                      70
    49    Colombia                      67
    50    Greece                        64
    51    Macedonia                     61
    52    Israel                        59
    53    Hungary                       57
    54    Tajikistan                    56
    55    South Africa                  55
    56    Tunisia                       54
    57    Afghanistan                   53
    58    Serbia                        52
    59    Palestine                     52
    60    Sweden                        50
  7. Infected IP transition
    • India, Russia, Indonesia, Kazakhstan and Azerbaijan are growing.
    • Is the attacker targeting (focusing on) these countries now?

    2018/06/25                              2018/03/15
    Rank  Country         IPs               Rank  Country         IPs
     1    Japan          3144                1    Japan          2549
     2    India          1758  ↑             2    Bulgaria       1243
     3    Russia         1432  ↑             3    Italy           839
     4    Indonesia      1260  ↑             4    Mexico          707
     5    Kazakhstan     1242  ↑             5    Turkey          669
     6    Italy          1086  ↓             6    Russia          490
     7    Azerbaijan     1057  ↑             7    Indonesia       469
     8    Bulgaria        969  ↓             8    India           304
     9    Ukraine         738                9    Ukraine         279
    10    Iran            687  ↑            10    Belarus         268
    11    Turkey          659               11    Egypt           262
    12    Thailand        554  ↑            12    Thailand        261
    13    Vietnam         530  ↑            13    Brazil          255
    14    Mexico          444  ↓            14    Iran            246
    15    United States   402  ↑            15    United States   224
    16    Kyrgyzstan      362  ↑            16    Algeria         215
    17    Belarus         355               17    Peru            189
    18    Georgia         351  ↑            18    Philippines     164
    19    Armenia         348  ↑            19    Poland          156
    20    Philippines     344               20    Spain           155
  8. YES, I HAVE
    • From 06/25 4pm (JST) we got Banking Trojan mails (over 3,000 recipients).
    • I suspect Cutwail responded to a command, so sinkhole access grew.
  9. All senders belong to us
    • All 50 (sample) malicious mail sender IPs matched IPs gathered by the sinkhole.
    • Actually, the Cutwail infrastructure was used to attack Japan.
    • (FROM / Resolved / MATCHED table of sender IPs with reverse-DNS names omitted.)
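As an added example (not code from the talk), the two checks behind slides 6–7 and slide 9: count distinct sinkhole client IPs per country, mark rank movement against an earlier snapshot, and match mail sender IPs against the sinkhole-gathered set. The log lines, the earlier snapshot and the sender IPs are constructed (documentation-range addresses).

```python
from ipaddress import ip_address

# Constructed sinkhole access log: "timestamp client_ip country" per line
SINKHOLE_LOG = """\
2018-06-25T16:01:02 203.0.113.10 JP
2018-06-25T16:01:05 203.0.113.11 JP
2018-06-25T16:01:09 198.51.100.7 IN
2018-06-25T16:02:00 198.51.100.8 IN
2018-06-25T16:02:30 192.0.2.44 RU
2018-06-25T16:03:00 203.0.113.10 JP
2018-06-25T16:03:40 203.0.113.12 JP
"""
# Constructed earlier snapshot of distinct IPs per country (plays the 2018/03/15 column)
PREVIOUS = {"JP": 3, "RU": 2, "IN": 1}
# Constructed sender IPs as they would be read from spam mail headers
MAIL_SENDERS = ["198.51.100.7", "192.0.2.99", "203.0.113.12"]

def unique_ips_by_country(log):
    """Map country -> set of distinct client IPs; repeat check-ins count once."""
    by_cc = {}
    for line in log.splitlines():
        _ts, ip, cc = line.split()
        ip_address(ip)  # raises ValueError on a malformed address
        by_cc.setdefault(cc, set()).add(ip)
    return by_cc

def ranking(counts):
    """Countries ordered by count descending (ties broken by name for stability)."""
    return sorted(counts, key=lambda cc: (-counts[cc], cc))

def rank_transition(current, previous):
    """[(rank, country, count, arrow)]; arrow shows movement against the previous ranking."""
    prev_rank = {cc: i for i, cc in enumerate(ranking(previous), 1)}
    rows = []
    for i, cc in enumerate(ranking(current), 1):
        old = prev_rank.get(cc)
        arrow = "new" if old is None else "↑" if i < old else "↓" if i > old else ""
        rows.append((i, cc, current[cc], arrow))
    return rows

def match_senders(sender_ips, by_cc):
    """Mail sender IPs that also checked in to the sinkhole, i.e. bots of the same infrastructure."""
    sinkhole_ips = set().union(*by_cc.values())
    return sorted(set(sender_ips) & sinkhole_ips)

if __name__ == "__main__":
    by_cc = unique_ips_by_country(SINKHOLE_LOG)
    counts = {cc: len(ips) for cc, ips in by_cc.items()}
    print(rank_transition(counts, PREVIOUS), match_senders(MAIL_SENDERS, by_cc))
```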
  10. And this infrastructure may be used for another campaign
    • ZLAB Malware Analysis Report: http://csecybsec.com/download/zlab/20180621_CSE_Ursnif-Necurs_report.pdf
    • Italian DHL-Themed Phishing leads to Ursnif, Spambot: https://cofense.com/italian-dhl-themed-phishing-leads-ursnif-spambot/