During the last week, while processing our data feed, our classifier found an interesting sample with very poor detection rates.
The sample with hash f399f4a6c4bd141c48761575d4d3ce9d showed malicious activity, trying to retrieve FTP passwords, SSH sessions, e-mail accounts and digital certificates, and was therefore automatically flagged as malicious by our malware analysis sandbox. However, its attempts to connect to many different IPs were interesting enough to warrant a deeper investigation using our threat intelligence framework.
In the last 2 months we have seen more than 700 different MD5s connecting to at least one of those IPs, all of them showing very similar system behavior and, interestingly enough, adding the same autorun registry key:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetworkChecker = <path to the dropped file>
Our clustering engine discovered 5 main families sharing the same behavior:
The most interesting detail, however, is that among the various IPs contacted by the malware there is one they all have in common: 126.96.36.199. Querying our APIs again reveals that this IP is related to the domain gorodkoff.com:
Registrant name: Vitaliy Kazakov
Registrant email: firstname.lastname@example.org
Registrant info: REGTIME LTD.
Creation date: 2014-11-21 00:00:00
Updated date: 2014-11-21 15:51:13
Expiration date: 2015-11-21 04:00:00
Looking back at its history, we found that the domain has changed its IP address many times:
Double-checking how many samples connect to at least one of the IPs listed above turned up over 1,400 different MD5s showing the same behavior.
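The pivot described above (sample, contacted IPs, domain, the domain's IP history, then every sample touching that infrastructure, cross-checked against the NetworkChecker autorun key) as a small added example in Python; this is not the post's own tooling. The sandbox reports and passive-DNS records are constructed stand-ins, and the IPs are RFC 5737 documentation addresses, not the real ones.

```python
"""Pivot sandbox reports on shared infrastructure (added example).

All records below are constructed: the IPs are RFC 5737 documentation
addresses standing in for the real ones, and the sandbox and passive-DNS
entries are hand-written stand-ins for the feed the post describes.
"""
from collections import Counter

RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AUTORUN_NAME = "NetworkChecker"

# Constructed passive-DNS history: domain -> every IP it has resolved to
DOMAIN_HISTORY = {
    "gorodkoff.com": {"203.0.113.10", "203.0.113.11", "203.0.113.12"},
}

# Constructed sandbox reports: md5, contacted IPs, (key, value name) registry writes
REPORTS = [
    {"md5": "f399f4a6c4bd141c48761575d4d3ce9d",          # hash from the post
     "ips": {"203.0.113.10", "198.51.100.5"},
     "registry": {(RUN_KEY, AUTORUN_NAME)}},
    {"md5": "11111111111111111111111111111111",          # constructed
     "ips": {"203.0.113.12"},
     "registry": {(RUN_KEY, AUTORUN_NAME)}},
    {"md5": "22222222222222222222222222222222",          # constructed, unrelated
     "ips": {"198.51.100.7"},
     "registry": set()},
]


def infrastructure_ips(domain, history=DOMAIN_HISTORY):
    """All IPs a domain has ever pointed to: the pivot set for the campaign."""
    return set(history.get(domain, ()))


def sets_autorun(report):
    """True if the sample wrote the campaign's Run-key value."""
    return (RUN_KEY, AUTORUN_NAME) in report["registry"]


def pivot(reports, ips):
    """MD5s whose sandbox run contacted at least one IP in the pivot set."""
    return {r["md5"] for r in reports if r["ips"] & ips}


def campaign_samples(reports, domain):
    """Samples tied to the domain's infrastructure that also show the autorun
    behaviour, i.e. both indicators agree before a sample is attributed."""
    hits = pivot(reports, infrastructure_ips(domain))
    return {r["md5"] for r in reports if r["md5"] in hits and sets_autorun(r)}


def ip_hit_counts(reports, ips):
    """How many samples contacted each pivot IP (finds the common IP)."""
    return Counter(ip for r in reports for ip in r["ips"] & ips)


if __name__ == "__main__":
    print(sorted(campaign_samples(REPORTS, "gorodkoff.com")))
```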
Some of the MD5s that are part of this campaign: