November 2015 Intel Statistics

Our first month in public beta is over, and we have already received an impressive amount of feedback and interest from end users and companies. We want to sincerely thank everybody for their help and valuable feedback.

Without further ado, let's dive into some statistics about the first month of data that we have processed and collected so far through our Deepviz Threat Intelligence platform.

The top ten countries hosting malware command and control servers see the United States in first position, followed by Ukraine and China:

  1. United States
  2. Ukraine
  3. China
  4. Japan
  5. Romania
  6. Russian Federation
  7. Korea, Republic of
  8. Taiwan
  9. India
  10. Germany

We also monitored all domains registered in November and contacted by malware; the most prevalent ones are listed here (you can safely click the links, which point to our threat intelligence service):


Among the various malware families we have identified, we have seen an interesting trend of infostealers: malware that steals stored browser data by intercepting network traffic and/or reading the browser's configuration files.

Figure: Clusters of infostealers active in November 2015

Here are some of the MD5s representing the top 5 clusters; you can keep investigating by looking at similar samples on the Threat Intelligence webpage linked from each one of them.

Cluster 1 (Zbot)

133a7e1442cfd2f1f224116adfeb1b06
2514e8969e902848dd1486b2a8e84a60
48bf955df062c656a80f208ec9e75400

Cluster 2 (Kelihos)

6532271e09bbd40838208d6bb292f23d
cfaf9eaf671061a7ccdb32cf5bb7c3d8
049d71f93a9536ee5eee8a44f94032fe

Cluster 3 (Dorkbot)

2a722adb4c58c54ec9a614253bd82c86
4046aee8908aacfb061525bd0b1105fb
2671ad6c7d3bbc8dc2c2e8a5c97aabc6

Cluster 4 (Vawtrak)

a12370b7d63426da992a1fe07ce31c6a
1a7416e792fc7f51ec7fcc97d3a12fb0
886b1a2f616e2e0b04f3235b8d629e24

Cluster 5 (Tinba)

d4ab4c8549be22098a037dce8d7afb8d
962df1c2505e62be69e89478889d0ab6
1adf5e5866ecb1261457003041d24831

November has been an interesting month not only for Deepviz as a company, but also because of the identification and detection of the new Cryptowall 4.0 ransomware, the latest build of the Cryptowall family.

Here is a list of interesting IPs contacted by the malware:


While some of those IPs are unique to Cryptowall 4.0, what is really interesting is that some of them have been used in the past to spread other malware campaigns, among them:

  - Trojan.Pushdo
  - Trojan.Fareit

We will be launching 64-bit support for our sandbox very shortly, so stay tuned!