Tracking down a malware campaign with Deepviz

During the last week, while processing our data feed, our classifier found an interesting sample with very poor detection coverage.

The sample with hash f399f4a6c4bd141c48761575d4d3ce9d showed malicious activity, trying to retrieve FTP passwords, SSH sessions, e-mail accounts and digital certificates, and so it was automatically flagged as malicious by our malware analysis sandbox. However, its attempts to connect to many different IPs were interesting enough to warrant a closer look with our threat intelligence framework.

[Figure: trojan map]

In the last 2 months we have seen more than 700 different MD5s connecting to at least one of those IPs, all of them showing very similar system behavior and, interestingly enough, all adding the same autorun registry key:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NetworkChecker = <path to the dropped file>

Our clustering engine discovered 5 main families sharing the same behavior:

[Figure: infostealing trojan cluster]

However, the most interesting detail is that among the various IPs contacted by the malware there is one common IP: 78.139.185.21. Querying our APIs again reveals that the IP is related to the domain gorodkoff.com:

Registrant name: Vitaliy Kazakov
Registrant email: vitaly_kaz324@mail.ru
Registrant info: REGTIME LTD.
Creation date: 2014-11-21 00:00:00
Updated date: 2014-11-21 15:51:13
Expiration date: 2015-11-21 04:00:00

Looking back at its history, we found that the domain has changed its IP address many times:

2.133.159.157
61.217.196.79
78.137.24.192
14.97.54.238
31.202.178.239
85.65.55.219
78.139.185.21
176.117.76.21
128.69.108.226
82.211.132.7
77.109.23.44
174.101.64.231
31.43.101.178
192.162.76.92
159.224.48.80
93.77.181.7
212.193.48.220
77.52.74.56
114.155.107.44
95.188.67.191

Double-checking how many samples connect to at least one of the IPs listed above turned up over 1,400 different MD5s showing the same behavior.
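The pivot described above, from one domain's historical IPs to every sample that contacts any of them, and the autorun key shared by the cluster, can be reproduced over a local set of sandbox reports. The following is an added example and not Deepviz code: the report schema (a dict with `md5`, `contacted_ips` and `registry_writes`) and the sample reports are constructed for illustration; only the IP list and the `NetworkChecker` Run value come from the post.

```python
# Added example (not Deepviz's code). Pivots from gorodkoff.com's historical
# IPs to the sandbox reports that contact them, then checks which of those
# samples also write the NetworkChecker autorun value. Report schema and the
# sample reports are constructed; the indicators themselves come from the post.
from typing import Dict, Iterable, List, Set, Tuple

# Historical resolutions of gorodkoff.com, as listed in the post.
CAMPAIGN_IPS: Set[str] = {
    "2.133.159.157", "61.217.196.79", "78.137.24.192", "14.97.54.238",
    "31.202.178.239", "85.65.55.219", "78.139.185.21", "176.117.76.21",
    "128.69.108.226", "82.211.132.7", "77.109.23.44", "174.101.64.231",
    "31.43.101.178", "192.162.76.92", "159.224.48.80", "93.77.181.7",
    "212.193.48.220", "77.52.74.56", "114.155.107.44", "95.188.67.191",
}

# Match any Run key (HKLM as on the page, or a per-user hive), case-insensitively.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "networkchecker"

# (key, value name, data) triples as a sandbox would record registry writes.
RegistryWrite = Tuple[str, str, str]


def sets_networkchecker_autorun(registry_writes: Iterable[RegistryWrite]) -> bool:
    """True if the report shows the NetworkChecker value written under a Run key."""
    for key, name, _data in registry_writes:
        if key.lower().endswith(RUN_KEY_SUFFIX) and name.lower() == RUN_VALUE_NAME:
            return True
    return False


def campaign_ips_contacted(contacted: Iterable[str], ips: Set[str]) -> List[str]:
    """Campaign IPs this sample reached, sorted for stable output."""
    return sorted(set(contacted) & ips)


def pivot(reports: List[dict], ips: Set[str] = CAMPAIGN_IPS) -> Dict[str, dict]:
    """Map each MD5 that contacted a campaign IP to the IPs matched and
    whether the sample also sets the autorun value."""
    hits: Dict[str, dict] = {}
    for report in reports:
        matched = campaign_ips_contacted(report["contacted_ips"], ips)
        if matched:
            hits[report["md5"]] = {
                "ips": matched,
                "autorun": sets_networkchecker_autorun(report["registry_writes"]),
            }
    return hits


def high_confidence(hits: Dict[str, dict]) -> List[str]:
    """MD5s showing both indicators. A shared IP alone can be co-hosting, so the
    persistence artefact is what ties a sample to this cluster."""
    return sorted(md5 for md5, hit in hits.items() if hit["autorun"])


# Constructed sandbox reports: MD5s and paths are made up, not real samples.
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REPORTS: List[dict] = [
    {"md5": "0000000000000000000000000000000a",
     "contacted_ips": ["78.139.185.21", "10.0.0.5"],
     "registry_writes": [(HKLM_RUN, "NetworkChecker", r"C:\Users\u\AppData\Roaming\nc.exe")]},
    {"md5": "0000000000000000000000000000000b",
     "contacted_ips": ["95.188.67.191", "212.193.48.220"],
     "registry_writes": [(HKCU_RUN, "networkchecker", r"C:\Users\u\AppData\Local\nc.exe")]},
    {"md5": "0000000000000000000000000000000c",   # contacts a campaign IP only
     "contacted_ips": ["77.52.74.56"],
     "registry_writes": [(HKLM_RUN, "Updater", r"C:\Program Files\app\upd.exe")]},
    {"md5": "0000000000000000000000000000000d",   # unrelated sample
     "contacted_ips": ["8.8.8.8"],
     "registry_writes": []},
]


if __name__ == "__main__":
    hits = pivot(SAMPLE_REPORTS)
    for md5, hit in sorted(hits.items()):
        print(md5, hit["ips"], "autorun" if hit["autorun"] else "ip-only")
    print("both indicators:", high_confidence(hits))
```

Running the block over the constructed reports flags three samples by network contact and narrows that to the two that also write the autorun value; in a real feed the IP match alone should be treated as a lead, not a verdict, since any of those addresses may have hosted unrelated sites during the same period.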

Some of the MD5s that are part of this campaign:

05e65d1faac2a4a1d8871368112f1780
4a44ba589516f68f317f1caaadf2fb81
49a4bb0b5b26935b637b474e5a2c00f8
61ffeda765fd7f69b7e5cc446d7f746b
e9b95fab22a5f9eeac36a631e96dea06
5e51d8756722b377eb6ead7b6e008b15