Threat Intelligence Report: Feodo C&C Botnet

Date:   12 April 2019

Summary

During Invinsec proactive threat hunting, malware Command and Control (C2) connection attempts were observed, originating from hosts infected with Feodo malware.

Customers whose hosts attempted connections to the C2 server have been informed. However, as the malware has proven to be quite prevalent across monitored customers, we are informing all Customers as a precaution.

Feodo has been in existence for many years and was originally reported in 2010. It is a family of malware variants including Dridex and Emotet, which specialise in stealing banking credentials.

We are observing a resurgence in retooled Feodo malware. Of particular note is that the tactics used to spread the new campaign differ from previous campaigns.

The Indicators of Compromise (IoCs) of the latest campaign are not yet being detected by many security controls such as intrusion detection systems (IDS).

Conclusions

Whilst the malware family has existed for many years, new campaigns with improved tooling are being released. Unlike previous campaigns that spread the malware through malicious emails, the latest campaign has been observed using URL Redirection and the installation of a malicious browser plugin.

This highlights the need not only to keep technical controls such as anti-virus and IDS up to date, but also to deliver a holistic security programme incorporating administrative controls such as user awareness training and threat hunting.

Invinsec performs proactive threat hunting to discover threats which make it past technical controls, beyond SIEM alerting.

Tactics, Techniques and Procedures

The Threat Actor’s favourite method of infection is through phishing, using emails with attached Word or Excel documents with macros to download the malware.

A different technique was observed in this case, utilising URL redirection to another website whilst a user was browsing legitimate but compromised websites.

The user was redirected to the official Chrome Web Store, where a malicious web browser plugin was downloaded. User interaction was required to install the extension, which contained the malware that steals data and sends it to a C2 server.

The below image is a traffic record of the user’s browsing session:

The below image is the summary of analysis of the browser plugin downloaded:

The below image shows the malware has modified a genuine default Chrome Extension (Chrome Media Router):

The host mentioned above (186[.]64[.]175[.]137) is infected with malware and is being used for other attacks or to host malicious content. The host owner may not be aware of the compromise: this host was observed contacting other hosts in the wild, which leads us to believe it is a zombie device.

Indicators of Compromise


The relation between the IOCs is illustrated in the following figure:

Advice

We recommend

  • Updating security blacklists to include the C&C server IP Address.
  • End user awareness training to spot and report phishing emails and to be aware of fake links and pop-ups in the browsers.
  • Applying restrictions to browser add-in installations on managed endpoints.
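To act on the first recommendation, the following added example (not part of the Invinsec report) hunts a proxy access log for requests whose host is the C2 server published above, refanging the defanged indicator first and matching the exact host rather than a substring. The log lines, the hxxp URL indicator form and the simplified Squid-style log layout are constructed for illustration.

```python
"""Hunt proxy logs for contacts to the Feodo C2 host named in the report."""
import re
from urllib.parse import urlsplit

# Defanged indicators as a report publishes them. The IP is the report's C2 host;
# the hxxp URL form is an assumed input style, not taken from the report.
INDICATORS = ["186[.]64[.]175[.]137", "hxxp://186[.]64[.]175[.]137/"]


def refang(indicator: str) -> str:
    """Reverse common defanging so the value can be compared to live data."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def indicator_hosts(indicators) -> set:
    """Reduce IP, hostname or URL indicators to a set of bare hosts."""
    hosts = set()
    for ind in indicators:
        value = refang(ind.strip())
        # urlsplit strips scheme, port and path from URL-shaped indicators
        host = urlsplit(value).hostname if "://" in value else value.split("/")[0]
        if host:
            hosts.add(host.lower())
    return hosts


# Simplified Squid-style access log: time client status method url (constructed)
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)$")

SAMPLE_LOG = """\
1555063201.123 192.0.2.10 TCP_MISS/200 GET http://www.example.com/index.html
1555063202.456 192.0.2.10 TCP_MISS/200 POST http://186.64.175.137/beacon
1555063203.789 192.0.2.11 TCP_MISS/200 GET https://chrome.google.com/webstore/
1555063204.012 192.0.2.12 TCP_MISS/200 POST http://186.64.175.137:8080/checkin
1555063205.345 192.0.2.13 TCP_DENIED/403 GET http://not186.64.175.137.example.net/
"""


def find_c2_contacts(log_text: str, indicators=INDICATORS):
    """Return (client, url) for every request whose host is a known C2 host."""
    wanted = indicator_hosts(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        host = urlsplit(m.group("url")).hostname  # exact host, port ignored
        if host and host.lower() in wanted:
            hits.append((m.group("client"), m.group("url")))
    return hits


if __name__ == "__main__":
    for client, url in find_c2_contacts(SAMPLE_LOG):
        print(f"C2 contact: {client} -> {url}")
```

The look-alike host on the last sample line is deliberately not reported, since matching is on the parsed hostname rather than on a substring of the URL.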

TTPs: tactics, techniques and procedures

IOCs: indicators of compromise (includes IP addresses, URLs, hashes, registry keys, filenames)
