Date: 12 April 2019
During Invinsec proactive threat hunting, malware Command and Control (C2) connection attempts were observed originating from hosts infected with Feodo malware.
Customers whose hosts attempted to connect to the C2 server have been informed. However, as the malware has proven to be quite prevalent across monitored customers, we are informing all customers as a precaution.
Feodo has been in existence for many years and was originally reported in 2010. It is a family of malware variants including Dridex and Emotet, which specialise in stealing banking credentials.
We are observing a resurgence in retooled Feodo malware. Of particular note is that the tactics used to spread the new campaign differ from previous campaigns.
The Indicators of Compromise (IoCs) of the latest campaign are not yet being detected by many security controls such as intrusion detection systems (IDS).
Whilst the malware family has existed for many years, new campaigns with improved tooling are being released. Unlike previous campaigns that spread the malware through malicious emails, the latest campaign has been observed using URL Redirection and the installation of a malicious browser plugin.
This highlights the need not only to keep technical controls such as anti-virus and IDS up to date, but also to deliver a holistic security programme incorporating administrative controls such as user awareness training and threat hunting.
Invinsec performs proactive threat hunting to discover threats which make it past technical controls, beyond SIEM alerting.
Tactics, Techniques and Procedures
The Threat Actor’s favourite method of infection is through phishing, using emails with attached Word or Excel documents with macros to download the malware.
A different technique was observed in this case, utilising URL redirection to another website whilst a user was browsing legitimate but compromised websites.
The user was redirected to the official Chrome Web Store, where a malicious web browser plugin was downloaded. User interaction was required to install the extension; the extension contained the malware, which steals data and sends it to a C2 server.
The below image is a traffic record of the user’s browsing session:
The below image is the summary of analysis of the browser plugin downloaded:
The below image shows the malware has modified a genuine default Chrome Extension (Chrome Media Router):
The host referenced above (186[.]64[.]175[.]137) is itself infected with malware and is being used to stage other attacks or to host malicious content. The host owner may not be aware of the compromise: this host was observed contacting other hosts in the wild, which leads us to think it is a zombie device.
Indicators of Compromise
| Type | File Name / Detail | Hash/IP Address |
|------|--------------------|-----------------|
| URL | URL / C&C Server | 186[.]64[.]175[.]137/nsip/odbc |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/devices |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/vermont/dma/sess/merge |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/ |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/nsip/odbc/ |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/publish/jit/sess/merge/ |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/vermont/dma/sess/merge/ |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/publish/srvc/sess/merge/ |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/results/merge |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/iplk/splash/sess |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/forced |
| URL | URL / C&C Server | 186[.]64[.]175[.]137/odbc/cone/ringin |
The relationship between the IOCs is shown in the following figure:
Recommendations
- Update security blacklists to include the C&C server IP address.
- Deliver end user awareness training to spot and report phishing emails and to recognise fake links and pop-ups in the browser.
- Apply restrictions on browser add-in installations to managed endpoints.
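As an added example (not Invinsec's tooling), the following script turns the defanged indicators from the IOC table above into a host blocklist and a proxy-log check, covering both the table and the first recommendation. The proxy log lines are constructed sample data in Squid native format; the client IP addresses in them are assumptions. Requests to the C2 host are flagged even when the URI path is not in the table, which is why blocking the address rather than individual URLs is the more durable control.

```python
"""Match the advisory's defanged Feodo C2 indicators against proxy logs.

Added example, not part of the original advisory. IOC_URLS is copied from the
advisory's IOC table; SAMPLE_LOG is constructed test data.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as published in the advisory (defanged with [.]).
IOC_URLS = [
    "186[.]64[.]175[.]137/nsip/odbc",
    "186[.]64[.]175[.]137/devices",
    "186[.]64[.]175[.]137/vermont/dma/sess/merge",
    "186[.]64[.]175[.]137/",
    "186[.]64[.]175[.]137/nsip/odbc/",
    "186[.]64[.]175[.]137/publish/jit/sess/merge/",
    "186[.]64[.]175[.]137/vermont/dma/sess/merge/",
    "186[.]64[.]175[.]137/publish/srvc/sess/merge/",
    "186[.]64[.]175[.]137/results/merge",
    "186[.]64[.]175[.]137/iplk/splash/sess",
    "186[.]64[.]175[.]137/forced",
    "186[.]64[.]175[.]137/odbc/cone/ringin",
]

# Constructed sample lines in Squid native access-log format:
# timestamp elapsed client action/code size method URL ident hierarchy type
SAMPLE_LOG = """\
1555070400.123    245 10.20.30.41 TCP_MISS/200 1432 GET http://186.64.175.137/nsip/odbc - HIER_DIRECT/186.64.175.137 text/html
1555070401.456    120 10.20.30.41 TCP_MISS/200 2210 GET http://www.example.com/news/article - HIER_DIRECT/93.184.216.34 text/html
1555070402.789    310 10.20.30.55 TCP_MISS/200 981 POST http://186.64.175.137/vermont/dma/sess/merge/ - HIER_DIRECT/186.64.175.137 application/octet-stream
1555070403.000    200 10.20.30.77 TCP_MISS/200 500 GET http://186.64.175.138/devices - HIER_DIRECT/186.64.175.138 text/html
1555070404.250    180 10.20.30.90 TCP_MISS/200 640 GET http://186.64.175.137/unknown/beacon - HIER_DIRECT/186.64.175.137 text/html
"""

# Squid native format: we only need the client, method and URL fields.
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def refang(indicator: str) -> str:
    """Reverse the usual defanging ([.] -> ., [:] -> :, hxxp -> http)."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def normalise_path(path: str) -> str:
    """Treat '/x' and '/x/' as the same path; the table lists both forms."""
    return path.rstrip("/") or "/"


def load_iocs(iocs):
    """Split refanged indicators into a set of hosts and a set of URI paths."""
    hosts, paths = set(), set()
    for ioc in iocs:
        parts = urlsplit("http://" + refang(ioc))  # indicators carry no scheme
        hosts.add(parts.hostname)
        paths.add(normalise_path(parts.path))
    return hosts, paths


def blocklist_entries(iocs=IOC_URLS):
    """Hosts to add to the blacklist (first recommendation above)."""
    hosts, _ = load_iocs(iocs)
    return sorted(hosts)


def scan_proxy_log(log_text: str, iocs=IOC_URLS):
    """Return one hit per request to a C2 host, noting whether the URI is a known one."""
    hosts, paths = load_iocs(iocs)
    hits = []
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        # A known path on an unrelated host is not an indicator on its own:
        # the advisory's IOCs are host plus path, so the host must match.
        if url.hostname not in hosts:
            continue
        hits.append({
            "client": m.group("client"),
            "method": m.group("method"),
            "url": m.group("url"),
            "uri_match": normalise_path(url.path) in paths,
        })
    return hits


if __name__ == "__main__":
    print("blocklist:", blocklist_entries())
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

On the sample data, three of the five requests are flagged: two with URI paths from the table and one (the `/unknown/beacon` request) that matches only on host. The request for `/devices` on a neighbouring address is not flagged, because the path alone does not identify the C2 server.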
TTPs: tactics, techniques and procedures
IOCs: indicators of compromise (includes IP addresses, URLs, hashes, registry keys, filenames)