MMD-0042-2015 - Hunting Mr. Black IDs via Zegost cracking

Category: Video
Source: blog.malwaremustdie.org

This is a short write-up; please bear with the straightforward detail and very little explanation.
While investigating ELF malware I came across this Windows PE binary. It contains important infrastructure information used by the Mr. Black actor (the one who loves attacking our MIPS routers), so I decided to check it and post a bit here.

Win32/Zegost.rfn [link] (according to Microsoft)

The malware was sitting in the panel, waiting to be distributed, at the time I spotted it:

The actor who put the PE binary in the picture was attacking my "router" with the other binary, an ELF for the MIPS architecture: Linux/Mr.Black, a variant of the Linux/AES.DDoS family (a Chinese ELF backdoor and DDoS'er). Both the attacker's source IP and the CNC led to that panel's address.

#ELF #Linux/Mr.Black #malware: 1. Move2 S.Korea, #BLOCK: 210.92.18.118 2. ATTK graph attached http://t.co/juaN5YucV2 pic.twitter.com/047s0xBrmU

— ☩MalwareMustDie (@MalwareMustDie) September 4, 2015
Seeing the panel, and knowing that the PE (exe file) malware wasn't being distributed by the actor yet, I decided to grab, analyze and expose it first; then I may consider us "even" for their attacking effort against my "router" (note the quotes).

The PE is a Win32/Zegost variant of the dropper/backdoor type; I uploaded it to VT here --> [link]. It drops its payload, self-deletes, sets auto-start in the registry and starts a service (also set in the registry), along with many other boring things. The point of interest for this write-up is the backdoor contacting its mother hosts. Below are some reversing snippets I made while identifying the threat..

The infrastructure

The PE has a CNC hostname permutating DGA function, and I managed to extract some of the hostnames:

conf.f.360.cn
'qi89.f3322.org'
qup.f.360.cn
u.qurl.f.360.cn
qurl.f.360.cn
qurl.qh-lb.com
qup.qh-lb.com
sdupm.360.cn
sdup.360.cn
sdup.qh-lb.com

Note: the number of callback hostnames increased after we allowed several CNC downloads; the malware's DGA generates many other fake domains. For the botnet dissection, focus only on the IP addresses with which a CNC connection was actually established.

I checked each domain, as per the snipped picture below:

I used the Kelihos fast-flux milking script to milk the IP addresses of the above domains:

$ cat domains.txt | bash flux.sh
Kelihos FLUX check script by @unixfreaxjp
Sun Sep 6 01:04:57 JST 2015

>>> conf.f.360.cn
qup.f.360.cn.
qup.qh-lb.com.
106.120.167.25
106.120.167.13
qup.f.360.cn.
qup.qh-lb.com.
106.120.167.15
106.120.167.10
qup.f.360.cn.
qup.qh-lb.com.
106.120.167.15
106.120.167.10

>>> qi89.f3322.org
210.92.18.118
210.92.18.118
210.92.18.118

>>> qup.f.360.cn
qup.qh-lb.com.
106.120.162.175
106.120.167.14
qup.qh-lb.com.
106.120.167.13
106.120.167.25
qup.qh-lb.com.
106.120.167.13
106.120.167.25

>>> u.qurl.f.360.cn
qurl.qh-lb.com.
106.38.187.100
106.38.187.103
qurl.qh-lb.com.
106.120.167.100
106.38.187.106
qurl.qh-lb.com.
106.120.167.102
106.38.187.113

>>> qurl.f.360.cn
qurl.qh-lb.com.
106.38.187.105
106.38.187.113
qurl.qh-lb.com.
106.38.187.105
106.38.187.113
qurl.qh-lb.com.
106.38.187.118
101.199.109.151

>>> qurl.qh-lb.com
106.38.187.103
106.38.187.106
106.38.187.100
106.38.187.103
106.38.187.103
106.38.187.100

>>> qup.qh-lb.com
106.120.162.174
106.120.167.10
106.120.162.174
106.120.167.10
106.120.162.178
106.120.162.175
[...]
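The milking run above resolves each hostname several times and records the CNAME chain and A records per round; what the analyst then reads off is which hostnames answer from a rotating pool and which one always answers with the same single address. The following is an added example of that procedure, written for this post and not MalwareMustDie's flux.sh script. The resolver is injected so that the embedded sample answers (constructed to mirror the output above, not live DNS data) run offline; `live_resolver` shows the same loop against real DNS using only the standard library. The `base_domain` helper also covers the later step of reducing the hostnames to their base domains (360.cn, f3322.org, qh-lb.com); it uses a naive last-two-labels rule, which is an assumption that holds for the names on this page but not in general.

```python
"""DNS "milking" of candidate CNC hostnames across several rounds.

Added example, not MalwareMustDie's flux.sh. A hostname answering with one
fixed IP every round is a fixed endpoint; one whose answer set changes
between rounds is a rotating pool (CDN, load balancer or real fast-flux)."""
import socket
from collections import defaultdict

# Constructed sample answers (not live data): hostname -> per-round
# (cname_chain, ip_list), shaped like the flux.sh output on the page.
SAMPLE_ANSWERS = {
    "conf.f.360.cn": [
        (["qup.f.360.cn", "qup.qh-lb.com"], ["106.120.167.25", "106.120.167.13"]),
        (["qup.f.360.cn", "qup.qh-lb.com"], ["106.120.167.15", "106.120.167.10"]),
        (["qup.f.360.cn", "qup.qh-lb.com"], ["106.120.167.15", "106.120.167.10"]),
    ],
    "qi89.f3322.org": [
        ([], ["210.92.18.118"]),
        ([], ["210.92.18.118"]),
        ([], ["210.92.18.118"]),
    ],
    "qurl.f.360.cn": [
        (["qurl.qh-lb.com"], ["106.38.187.105", "106.38.187.113"]),
        (["qurl.qh-lb.com"], ["106.38.187.105", "106.38.187.113"]),
        (["qurl.qh-lb.com"], ["106.38.187.118", "101.199.109.151"]),
    ],
}


def sample_resolver(hostname, round_no):
    """Offline resolver: returns the constructed answer for the given round."""
    answers = SAMPLE_ANSWERS[hostname]
    chain, ips = answers[round_no % len(answers)]
    return list(chain), list(ips)


def live_resolver(hostname, round_no):
    """Real lookup via the stdlib. gethostbyname_ex returns (canonical_name,
    aliases, ips); the CNAME chain is approximated by the canonical name."""
    canon, _aliases, ips = socket.gethostbyname_ex(hostname)
    chain = [canon] if canon != hostname else []
    return chain, ips


def base_domain(hostname):
    """Registrable base domain, naively the last two labels (assumption: fine
    for 360.cn / f3322.org / qh-lb.com; a real tool needs the Public Suffix
    List, otherwise names under e.g. co.uk collapse wrongly)."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def milk(hostnames, resolve, rounds=3):
    """Resolve each hostname `rounds` times and classify the answer behaviour."""
    report = {}
    for host in hostnames:
        ips_per_round, chains = [], set()
        for r in range(rounds):
            chain, ips = resolve(host, r)
            chains.add(tuple(chain))
            ips_per_round.append(frozenset(ips))
        all_ips = set().union(*ips_per_round)
        if len(all_ips) == 1:
            kind = "static"            # one IP, every round: a fixed endpoint
        elif len(set(ips_per_round)) > 1:
            kind = "rotating"          # answer set changes between rounds
        else:
            kind = "multi-static"      # several IPs, but the same set each time
        report[host] = {
            "base": base_domain(host),
            "cnames": sorted(chains),
            "ips": sorted(all_ips),
            "kind": kind,
        }
    return report


def group_by_base(report):
    """Base domain -> all IPs seen under it, the view used to separate the
    360.cn / qh-lb.com pool from the single f3322.org address."""
    groups = defaultdict(set)
    for info in report.values():
        groups[info["base"]].update(info["ips"])
    return dict(groups)


if __name__ == "__main__":
    rep = milk(list(SAMPLE_ANSWERS), sample_resolver)
    for host, info in rep.items():
        print(f"{host:20} {info['kind']:12} {', '.join(info['ips'])}")
    print(group_by_base(rep))
```

Swap `sample_resolver` for `live_resolver` to run it against real DNS; three rounds is the minimum that can distinguish a rotating pool from a static answer, and more rounds spaced over time will catch slower rotation.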

The result of the IP milking is a set of static, legitimate IDC IP addresses in Beijing, China :-) as listed below... At first sight I thought these were CNC, but later I found it very weird :-)


106.120.167.15|15.167.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.167.8|8.167.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.162.176|176.162.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.167.14|14.167.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.38.187.101||23724 | 106.38.176.0/20 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.38.187.102||23724 | 106.38.176.0/20 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.38.187.103||23724 | 106.38.176.0/20 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.38.187.104||23724 | 106.38.176.0/20 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.38.187.105||23724 | 106.38.176.0/20 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.167.9|9.167.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.167.14|14.167.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.162.174|174.162.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.38.187.115||23724 | 106.38.176.0/20 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.38.187.116||23724 | 106.38.176.0/20 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
101.199.109.144||23724 | 101.199.108.0/22 | CHINANET-IDC-BJ | CN | 360.cn | Beijing Qihu Technology Company Limited
106.38.187.102||23724 | 106.38.176.0/20 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.167.29|29.167.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.162.178|178.162.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.167.92|92.167.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.167.90|90.167.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
106.120.167.86|86.167.120.106.static.bjtelecom.net.|23724 | 106.120.160.0/19 | CHINANET-IDC-BJ | CN | chinatelecom.com.cn | ChinaNet Beijing Province Network
[...]
I investigated and found that the IDC IP addresses listed above belong to 360.cn, a legitimate service in the PRC/China.

But there is one IP address that shows a different network, and this leads us to a maliciously used host in South Korea, which is the malware panel's IP address itself..

210.92.18.118||4766 | 210.92.0.0/18 | KIXS-AS | KR | dshw.co.kr | Sudokwonseobubonbu
The GeoIP confirmed:
{"dma_code": "0",
 "ip": "210.92.18.118",
 "latitude": 37.57,
 "longitude": 126.98,
 "country_code": "KR",
 "offset": "9",
 "continent_code": "AS",
 "country": "Korea Republic of",
 "asn": "AS4766",
 "isp": "Korea Telecom",
 "timezone": "Asia\/Seoul",
 "area_code": "0",
 "country_code": "KOR/KR"}

In short, the IP address 210.92.18.118 (port 8086) is the only IP the malware communicated with, via the hostname qi89.f3322.org. Law enforcement may want this PCAP traffic as PoC/evidence. The CNC replied to the callback and the exchange was encrypted, as recorded in the traffic below; sorry, I didn't have the energy to crack this further..

..and get the ID :-)

So.. I collected the first three (3) base domains of the DGA-generated hostnames from the malware sample, which are:

360.cn
'f3322.org'
qh-lb.com
but #1 and #3 are legitimate services.

Only one domain is really being used as CNC (see the PCAP); the other domains are just decoys to confuse the investigation. The real CNC domain is:

"f3322.org" w/Registrant email: "[email protected]"
So now we learn more about the nature of Zegost in generating DGA and faking CNC domains.

The malware is served under the domain f3322.org, which has a very bad reputation for being used in Mr.Black ELF attacks and many other ELF attacks, for example:

@MalwareMustDie attacker was http://t.co/xRvhDugAz4 (222.186.34.220), posted details I have at http://t.co/AjZj2eay0z Hope it’s useful.

— jquinby (@jquinby) September 4, 2015

Thanks to the Reddit folks for informing us that f3322.org is part of a Chinese dynamic hostname/DNS (DDNS) service provider.

We didn't know this detail until now. So it looks like their service is being used for malware activities, which means the actor can be traced by contacting f3322.org's abuse desk accordingly. We're on it, as we now have a long list of malicious subdomains in use.

#MalwareMustDie!
