Darktrace Blog

Perspectives on cyber defense

A new botnet discovered using IoT drawing pads for reflection attacks

Justin Fier, Director of Cyber Analysis | Monday October 30, 2017

Earlier this year, Darktrace detected a new botnet engaged in a large-scale reflection and amplification attack targeting organizations around the world, including several governmental bodies. While covered in our 2017 Threat Report, this attack is more pertinent than ever in light of the potentially new, bigger, and more sophisticated IoT hacks, like the recently reported ‘Reaper Botnet’, that we can increasingly expect to see in 2018.

This new type of botnet we detected earlier this year wasn’t using desktop computers to power its attacks – like Srizbi did when it was sending out 60 billion spam emails per day – and its methodology was distinct from Mirai – which uses DVRs and routers to generate DNS DDoS attacks with speeds of up to 1Tbps.

Instead, this new botnet was commandeering an unlikely assortment of devices made up of, among other things, IoT drawing pads. It contained far fewer devices than typical botnets, but through reflection and amplification techniques using SNMP, it was attempting to launch a powerful denial-of-service attack.

The threat began in a familiar fashion. An architectural firm introduced smart drawing pads into their network without alerting the IT team, and their internal security controls had no way of identifying the vulnerable devices. As such, the devices’ user credentials were never changed from the factory defaults.

Those credentials, along with their public string for SNMP authentication, were publicly available on Shodan, which also revealed that the devices had open ports for HTTP, HTTPS, Telnet, and SIP.

Darktrace detected the vulnerability when hundreds of external IP addresses from around the world made several thousand SNMP connections to the devices over UDP port 161. Over 99 percent of these connections contained at least one “GetBulkRequest”, an SNMP operation used for the retrieval of large amounts of data.

In response to these requests, the devices issued an exponentially larger number of replies via “GetResponse”, some of which contained as many as 397,000 “GetResponse” objects. In 64 cases, the devices uploaded over 1MB of data.

A sample of this SNMP activity as observed by Darktrace’s AI algorithms:

Figure 1: Anomalous SNMP connections – the request and response are presented as two separate SNMP connections, but we can treat them as the same connection.

Normal network activity for these devices involved very occasional use of “GetBulkRequests” and “GetResponses.” Therefore, these spikes in activity were deemed highly anomalous by Darktrace’s AI algorithms, which had built a deep understanding of normal activity for the devices. By detecting the threat in real time, the security team discovered the threat while it was still in its early stages, and Darktrace’s network visibility provided detailed analytics on the incident.

Figure 2: The number of inbound connections to port 161 on one of the devices is shown in orange. External data transfers from port 161 are shown in green. Time, top left, is x-axis value at right-hand origin.

The use of SNMP version 2c and “GetBulkRequests” were telltale signs of a reflection and amplification attack, which uses scant resources to generate large attacks. All told, 273.2MiB left the devices on port 161.

The external data transfers on port 80 indicated that the attack went even further, as numerous external devices were attempting to access the devices’ HTTP resources, many of which were administrative PHP files.

A sample of resources that external devices attempted to access via HTTP:

/phpMyAdmin-2.11.1.0/scripts/setup.php
/a_remotecontrol.htm
/phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php
/mysqladmin/scripts.setup.php

Figure 3: The total outbound data from port 161 over the reporting period

Finally, Shodan also revealed that the devices were running an accessible SIP server on port 5060. Packet analysis showed that external devices “dialed” the devices and attempted to place a VoIP call – strange behavior on the attacker’s part that remains unexplained.

Figure 4: VoIP call attempts via open SIP protocol

The target IP addresses were likely spoofed. By sending hundreds of “GetBulkRequests” from the spoofed IPs of the target networks, the IoT drawing pads were forced to send back more than 100 times the number of “GetResponses.” This is testament to the power of reflection and amplification attacks. It’s unclear what other devices were used in this attack, but even a small number of IoT devices at the architectural firm were able to generate an alarming amount of traffic.
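The request/response imbalance described above can be measured from flow summaries alone. The following is an added example, not code from the original post or from Darktrace; the flow tuples, the 10.0.0.0/8 internal range and both thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example (not values from the post):
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # the site's address space
SNMP_PORT = 161
MIN_RATIO = 10.0   # response bytes / request bytes treated as amplification
MIN_SOURCES = 3    # distinct external requesters before a device is flagged

# Constructed flow summaries: (src, dst, src_port, dst_port, snmp_pdu, bytes)
FLOWS = [
    ("198.51.100.7", "10.1.2.30", 40001, 161, "GetBulkRequest", 80),
    ("10.1.2.30", "198.51.100.7", 161, 40001, "GetResponse", 42000),
    ("203.0.113.9", "10.1.2.30", 53122, 161, "GetBulkRequest", 80),
    ("10.1.2.30", "203.0.113.9", 161, 53122, "GetResponse", 39000),
    ("192.0.2.44", "10.1.2.30", 61000, 161, "GetBulkRequest", 80),
    ("10.1.2.30", "192.0.2.44", 161, 61000, "GetResponse", 41000),
    # Internal monitoring station polling a device: not external, so ignored.
    ("10.9.9.9", "10.1.2.31", 50000, 161, "GetRequest", 90),
    ("10.1.2.31", "10.9.9.9", 161, 50000, "GetResponse", 120),
    # One external GetRequest with a small reply: exposed, but not amplifying.
    ("198.51.100.50", "10.1.2.32", 45000, 161, "GetRequest", 90),
    ("10.1.2.32", "198.51.100.50", 161, 45000, "GetResponse", 130),
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def summarize(flows):
    """Per internal device: bytes requested by, and returned to, external hosts."""
    stats = defaultdict(lambda: {"req": 0, "resp": 0, "bulk": 0, "sources": set()})
    for src, dst, sport, dport, pdu, size in flows:
        if dport == SNMP_PORT and is_internal(dst) and not is_internal(src):
            entry = stats[dst]
            entry["req"] += size
            entry["sources"].add(src)  # with spoofing, these are the victims
            entry["bulk"] += pdu == "GetBulkRequest"
        elif sport == SNMP_PORT and is_internal(src) and not is_internal(dst):
            stats[src]["resp"] += size
    return stats


def find_reflectors(flows):
    """Devices answering external GetBulkRequests with far more data than asked."""
    findings = []
    for device, s in summarize(flows).items():
        if s["req"] == 0 or s["bulk"] == 0:
            continue  # replies without a seen request, or no bulk operations
        ratio = s["resp"] / s["req"]
        if ratio >= MIN_RATIO and len(s["sources"]) >= MIN_SOURCES:
            findings.append({
                "device": device,
                "ratio": round(ratio, 1),
                "sources": len(s["sources"]),
                "bulk_requests": s["bulk"],
            })
    return sorted(findings, key=lambda f: f["ratio"], reverse=True)


if __name__ == "__main__":
    for finding in find_reflectors(FLOWS):
        print(finding)
```

Any device this flags should not be answering SNMP from the internet at all, so the first remediation is to block inbound UDP 161 at the perimeter and replace the default community string.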

The target IPs belonged to websites owned by entertainment and design companies, and even governmental bodies. By reporting on the anomalous SNMP requests as soon as they began, the firm’s security team was able to take the drawing pads offline before damage was done.

Had the attack succeeded in sabotaging the target networks, the firm could have been subject to legal action. The company revamped their security policies and made strides to secure all the IoT devices on their network to minimize risk of future incidents.

To learn more about how Darktrace can uniquely identify and neutralize in-progress, subtle IoT threats, don’t miss Justin Fier’s appearance on VICELAND’s Cyberwar show tomorrow, October 31st, at 7 PM PST/10 PM EST.

Down the BadRabbit Hole

Max Heinemeyer, Director of Threat Hunting | Wednesday October 25, 2017

This blog post describes the currently circulating ransomware called BadRabbit and how Darktrace’s machine learning technology detects it. BadRabbit is a self-propagating piece of malware that uses SMB to spread laterally. The campaign is reminiscent of the WannaCry and NotPetya attacks seen earlier this year. Some of the functionality in BadRabbit and the modus operandi of how it infects the targets is similar to the NotPetya attack.

The attack initially hit companies in Russia and Ukraine on October 24th, 2017. Since then, the ransomware has spread to other countries across the world as well.

Infection process

The initial infection vector appears to be via drive-by downloads and social engineering using fake Adobe Flash player files. Various news and media websites predominantly but not exclusively in Russia and Ukraine served their visitors with pop-up alerts asking them to download Adobe Flash player software updates. It is unclear at this point if the websites were compromised, or if the advertisement networks were leveraged to display the fake Adobe Flash downloads.

This technique of presenting users with fake updates, commonly Adobe Flash, containing ransomware, adware or other forms of malware, has gained traction in the last six months. The same approach is often applied to trick users into inadvisable actions, such as downloading malware when browsing TV streaming websites, or torrent websites.

Once downloaded, a user has to execute the fake Adobe Flash player with administrative credentials manually. No exploits are used to automatically execute the malware. The malware creates a scheduled task for another file upon execution. The ransomware then encrypts files on the compromised devices, selected by a hard-coded list of file extensions, using an RSA 2048 key. The criminals demand a Bitcoin payment for decrypting the files. Users are pointed to a .onion website, which has to be accessed via Tor, to pay the ransom.

BadRabbit can brute-force its way over SMB to other devices on the network using a hard-coded list of common credentials. The malware appears to contain a stripped-down version of the Mimikatz tool which is used to gather credentials on Windows machines. This is likely used to further enhance its lateral movement capabilities using SMB.

Update (October 30, 2017): As the investigation of BadRabbit capabilities continued over the weekend, new details about how BadRabbit spreads have been uncovered. BadRabbit appears to be using the EternalRomance exploit that targets CVE-2017-0145, patched by Microsoft in March 2017, to propagate within the internal network over SMB. As Darktrace’s AI does not rely on identifying individual exploits to detect breaches, this latest discovery does not affect Darktrace’s capability to identify BadRabbit infections. All of the previously identified detection capabilities still hold true.

Darktrace instantly detects BadRabbit

Darktrace has strong detection capabilities for this campaign without the use of any signatures. In fact, we alerted a number of our customers within seconds of the initial fake Flash Player download on their respective networks, and well before the extent of the campaign was publicly known.

The initial fake Adobe Flash Player download from 1dnscontrol[.]com is immediately detected as a suspicious download:

If the early signs of BadRabbit go undetected, the infected devices start brute-forcing access to other devices on the network using SMB, causing thousands of SMB session login attempts over port 445 for each attempted lateral movement. This highly anomalous behavior marks a sharp departure from customers’ normal ‘pattern of life’, making BadRabbit very easy to detect for Darktrace’s machine learning technology. Within seconds, Darktrace alerted the affected organizations about this attack, flagging it as ‘SMB Session Brute Force’. The below shows an ongoing lateral movement attempt from an infected device to another client device using SMB session brute-force.

Infected devices make connection attempts to one or two seemingly randomly generated IP addresses on the internet over port 445 and also port 139. Examples of these failed connection attempts are displayed below. Darktrace instantly recognized this as unusual behavior for the infected device:

Compromised devices will attempt to move laterally on the network in a search for other devices to infect. Darktrace’s AI algorithms can swiftly recognize this anomalous behavior, alerting the affected organization in real time about these ‘Unusual Internal Connections’, as well as potential ‘Network Scans’.
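The SMB session brute-forcing described above can also be caught with a simple sliding-window count over authentication events. This is an added example, not Darktrace's model or code from the original post; the event tuple layout, the thresholds and all sample events are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds for this example:
WINDOW_SECONDS = 60   # look-back window per source/destination pair
MAX_FAILURES = 20     # failed SMB session setups tolerated inside the window
MIN_USERNAMES = 5     # list-based guessing cycles through many account names


def detect_smb_bruteforce(events):
    """events: (ts, src, dst, dst_port, username, success), sorted by ts.

    Returns {(src, dst): details} for the first moment each pair crosses
    both thresholds.
    """
    windows = defaultdict(deque)  # (src, dst) -> deque of (ts, username)
    alerts = {}
    for ts, src, dst, dport, user, success in events:
        if dport != 445 or success:
            continue
        win = windows[(src, dst)]
        win.append((ts, user))
        while win and ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()  # drop failures that fell out of the window
        users = {name for _, name in win}
        if (len(win) >= MAX_FAILURES and len(users) >= MIN_USERNAMES
                and (src, dst) not in alerts):
            alerts[(src, dst)] = {
                "first_alert_ts": ts,
                "failures": len(win),
                "usernames": len(users),
            }
    return alerts


def sample_events():
    """Constructed events: one infected host plus two benign failure patterns."""
    # Infected host: 40 failures in 40 seconds, cycling through 8 usernames.
    events = [(i, "10.0.0.5", "10.0.0.20", 445, f"user{i % 8}", False)
              for i in range(40)]
    # A person mistyping a password three times, then succeeding.
    events += [(t, "10.0.0.7", "10.0.0.10", 445, "alice", False) for t in (5, 9, 14)]
    events += [(15, "10.0.0.7", "10.0.0.10", 445, "alice", True)]
    # A service account with a stale password retrying every 30 seconds.
    events += [(t, "10.0.0.8", "10.0.0.10", 445, "svc_backup", False)
               for t in range(0, 600, 30)]
    return sorted(events)


if __name__ == "__main__":
    for pair, info in detect_smb_bruteforce(sample_events()).items():
        print(pair, info)
```

Requiring several distinct usernames keeps a single misconfigured service account from alerting, at the cost of missing guessing that targets only one account.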

The below model breaches seen in Darktrace are expected in a BadRabbit infection. Please be aware that not all models listed below are expected to breach in every infection - this depends on the actual behavior observed by Darktrace.

Anomalous File / EXE from Rare External Destination
Device / SMB Session Brute Force
Unusual Activity / Unusual Internal Connections
Device / Network Scan
Unusual Activity / Sustained Unusual Activity
Anomalous Connection / Suspicious Read / Write Ratio
Compliance / Tor Usage

The Darktrace ‘Omnisearch’ and ‘Advanced Search’ features can be used to identify any connections made to the known network Indicators of Compromise:

1dnscontrol[.]com (hosting the fake Adobe Flash player file)
185.149.120[.]3 (static IP observed, victims HTTP POSTing to the IP)

Conclusion

BadRabbit is a machine-speed ransomware attack that exhibits some of the functionality and infection mechanics of the WannaCry and NotPetya breaches observed earlier this year. The BadRabbit malware masks itself as an ‘Adobe Flash’ software update, tempting unsuspecting users to initiate a download. After the initial impact, the attack can spread from machine to machine without human intervention.

Darktrace’s AI algorithms are quick to detect the highly anomalous patterns of behavior that BadRabbit triggers on a network, alerting the security team in real time. We have seen BadRabbit bypass traditional security controls around the globe, demonstrating once again the futility of attempting to identify and stop threats with rules and signatures. As Darktrace’s machine learning technology doesn’t rely on any assumptions of what ‘bad’ looks like and detects unfolding attacks not by what they are but by what they do, it is very powerful at catching and stopping ransomware attacks like BadRabbit in real time.

The ‘Matrix Banker’ Reloaded

Max Heinemeyer, Director of Threat Hunting | Thursday October 12, 2017

Overview

Over the last few weeks, Darktrace has confidently identified traces of the resurgence of a stealthy attack targeting Latin American companies. This targeted campaign was first observed between March and June this year. Arbor Networks initially labelled the malware used in the campaign ‘Matrix Banker’. The name used by Proofpoint is ‘Win32/RediModiUpd’. The malware used by the attackers appeared to be still under development when the last report came out in June 2017.

Darktrace has observed an attack wave targeting Mexican companies in August and September 2017. Some of the TTPs (tools, techniques, procedures) observed bear close resemblance to those seen in the ‘Matrix Banker’ attacks earlier this year. The campaign is crafted to be particularly stealthy and to blend into certain networks in Latin America, confirming the suspicion of its targeted nature. Darktrace’s machine learning and AI algorithms were able to identify the infected devices almost instantaneously, despite apparent efforts by the malware author to be covert and stealthy.

Between August and October 2017, Darktrace detected highly anomalous behavior on five seemingly unrelated networks in Mexico. Unlike the original strain of this attack, which was believed to target financial institutions almost exclusively, this latest variant affected customers across a number of industry verticals, suggesting that the threat actors are diversifying their targets. Darktrace has seen the attack hit companies in the healthcare, telecommunications, food and retail sectors.

Infection process

The initial infection vector appears to be phishing emails. The users downloaded the initial piece of malware from compromised Mexican websites. The infected files were Windows executables masquerading as .mp3 and .gif files. Example downloads are listed below. Darktrace instantly detected the highly anomalous behavior of these downloads, which occurred from 100% rare external domains for the networks, and alerted the respective security teams.

hxxp://gorrasbaratas.com[.]mx/images/sss/sound.mp3 [1]
hxxp://inseltech.com[.]mx/inicio/wp-includes/kk/sound.mp3 [2]

The actual file names of the downloads are ‘logo.gif’.

The ‘Matrix Bankers’ attack tried to conceal malware downloads using masqueraded files in previous attacks. What is interesting about the hacked websites serving the malware is that they are using the .mx top level domain. This localised and targeted technique is used to conceal the traffic and make it blend in with normal network traffic on networks in Mexico.
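A proxy or file-inspection hook can catch this kind of masquerade by comparing the name's extension with the first bytes of the body. The check below is an added example, not from the original post; the URLs and byte strings are constructed, and the list of media signatures covers only the two extensions the post mentions.

```python
import posixpath
import struct
from urllib.parse import urlsplit

# Leading bytes expected for the two media extensions named in the post.
MEDIA_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}


def is_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, which simply fails the test.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(name, body):
    """Compare a URL or filename's extension with what the body really is."""
    ext = posixpath.splitext(urlsplit(name).path)[1].lower()
    if is_pe(body):
        return "executable-masquerading" if ext in MEDIA_MAGIC else "executable"
    if ext in MEDIA_MAGIC:
        return "ok" if body.startswith(MEDIA_MAGIC[ext]) else "mismatch"
    return "unknown"


def make_pe_stub():
    """Constructed 132-byte stand-in for a Windows executable (headers only)."""
    dos_header = b"MZ" + bytes(58) + struct.pack("<I", 0x80)  # e_lfanew at 0x3C
    return dos_header + bytes(0x80 - len(dos_header)) + b"PE\x00\x00"


if __name__ == "__main__":
    samples = [  # constructed URLs and bodies
        ("http://files.example/images/sss/sound.mp3", make_pe_stub()),
        ("logo.gif", make_pe_stub()),
        ("http://files.example/img/banner.gif", b"GIF89a" + bytes(20)),
        ("http://files.example/audio/track.mp3", b"<html>not audio</html>"),
    ]
    for name, body in samples:
        print(name, "->", classify_download(name, body))
```

Run the check on both the requested URL and the filename the server supplies, since the post notes the two differed (‘sound.mp3’ in the URL, ‘logo.gif’ as the file name).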

Following the initial infection, in some cases a second-stage malware was downloaded. Darktrace detected this as further anomalous activity, since these downloads also took place from 100% rare external destinations:

hxxp://dackdack[.]club/APIv3/modules/nn_grabber_x64.dll [3]
hxxp://dackdack[.]club/APIv3/modules/nn_grabber_x32.dll [4]

Successful second stage downloads were seen to be followed by suspicious HTTP POST beaconing behavior, resembling command and control communication to various domains:

hxxp://kuxkux[.]bit/APIv3/api.php
hxxp://drdrfdd[.]cat/forum/logout.php
hxxp://eaxsess[.]cat/forum/logout.php

Not all targeted companies were seen to receive a second-stage malware download. This might indicate a sophisticated attack plan where the initial generic, covert backdoor is followed by a targeted second-stage payload that is chosen based on the victim and its potential value to the cyber criminals (long term data exfiltration, ransomware, banking Trojan…). Customers reported that infected devices had their anti-virus disabled, or removed by the malware. This showcases that companies cannot solely rely on signature-based systems to catch novel, evolving threats.

The beaconing behavior to these 100% unusual external domains was immediately detected as it represented a strong deviation from the devices’ normal ‘pattern of life’. The use of domains hosted on .cat (top level domain used for the Catalan culture and language) indicates that the attackers are highly aware of the cultural context of their target victims and try to make the malware communication blend in with network traffic.

This graphic illustrates the strong detection Darktrace showed during the initial ‘Matrix Banker’ infection. Every colored dot represents a Darktrace detection. A clear deviation from the previous ‘pattern of life’ can be seen around the time of the infection.

Compromised machines made further repeated DNS requests to the domains below:

dackdack[.]tech
dackdack[.]online
kuykuy[.]bit

At the time of our investigation, the domains below resolved to the following IP address:

142.44.188[.]42
dackdack[.]club
eaxsess[.]cat
kuxkux[.]bit
drdrfdd[.]cat

Closing thoughts

Although final attribution is impossible, the evidence strongly suggests that the campaign described here is similar to the ‘Matrix Banker’ campaign observed in March and June 2017 and might be a continuation of it.

The initial malware was concealing its file types by using different file extensions than their MIME type. More precisely, the use of ‘logo.gif’ has been seen in previous ‘Matrix Banker’ attacks.

There are 3,000 deployments of Darktrace’s AI technology across 70 countries, but all identified instances of this type of compromise are in Latin American organizations.

The ‘Matrix Bankers’ have used Catalan top-level domains in past attacks. In fact, some of the domains used previously are very similar to domains observed here. One domain seen in September was the exact same domain as seen in an earlier attack – just with an additional ‘s’ appended:

Example domains from March/June 2017

trtr44[.]cat
lalax[.]cat
eaxses[.]cat

Example domains from August/October 2017

drdrfdd[.]cat
kuxkux[.]bit
eaxsess[.]cat
kuykuy[.]bit
dackdack[.]tech

Although the domains appear to be randomly generated, a closer look reveals that the ‘Matrix Bankers’ seem to favor generating domain names by using keys that are physically close together on a keyboard, or by repeating phrases one might type in a hurry, when lacking creativity for naming a temporary download (e.g. asdasd.jpeg). We saw this pattern for domain name generation in the March - June ‘Matrix Bankers’ campaign as well as here.

Darktrace’s AI technology was able to detect these stealthy and sophisticated attacks because the way in which they manifest themselves represents a sharp deviation from the normal ‘pattern of life’ within an organization. The threat actors applied a number of techniques to blend into the normal noise of networks, but the self-learning algorithms were quick in detecting the anomalous behavior automatically and in real time.

Footnotes

List of IoCs


[1] VirusTotal analysis of this file
[2] SHA-1: 88f3bdc84908c1fb844b337c535eef2d2b31e1dc
[3] VirusTotal analysis of this file
[4] VirusTotal analysis of this file

Resurgence of the Feodo banking Trojan on a government network

Andrew Tsonchev, Director of Cyber Analysis | Monday October 2, 2017

Famous malware like Zeus, Conficker, and CryptoLocker are still some of the most common threats globally. By repurposing and repackaging known threats like these, attackers can create unknown variants that bypass signature-based security tools.

For instance, an older class of banking Trojans – known as Feodo – recently cropped up again on the network of a local US government. However, this particular strain had a key differentiator.

Darktrace detected the malware when it first was downloaded onto the government’s network. After analysis, the malware was found to be consistent with two well-documented Trojans in the Feodo family: Dridex and Emotet.

Traditionally, Trojans in the Feodo family will infect just a single device, but this attack immediately began propagating on the network, spreading to over 200 devices in a matter of hours.

The incident is part of an emerging trend of similar infections, suggesting that the Feodo family of Trojans is undergoing a resurgence, but this time retooled with the ability to rapidly spread across the network.

Darktrace first detected the threat when an internal device made a series of anomalous SSL connections to IPs with self-signed certificates. The abnormal connections were a deviation from what Darktrace’s AI algorithms had learned to be normal, triggering Darktrace to raise the first in a series of alerts.

Time: 2017-04-26 11:38:05 [UTC]
Source: 172.16.14.39
Destination: 76.164.161.46
Destination Port: 995
Protocol: SSL
Version: TLSv12 [Considered HIGH security]
Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384 [Considered HIGH security]
UID: CbenK822ViUMxJok00

The identical IP certificate subject and issuer:
Subject: CN=euwtrdjuee.biz,OU=Tslspyqh Dfxdekt Brftapckwr,O=Kaqt Aooscr LLC.,street=132 Vfjteuadivm Fklhnxdmza.,L=Elqazgap Nvax,ST=XI,C=PO
Issuer: CN=euwtrdjuee.biz,OU=Tslspyqh Dfxdekt Brftapckwr,O=Kaqt Aooscr LLC.,street=132 Vfjteuadivm Fklhnxdmza.,L=Elqazgap Nvax,ST=XI,C=PO

The device proceeded to download an anomalous ZIP file from an unusual external server. The email purported to be a notification from FedEx, and the file was disguised as an attachment containing tracking numbers. The download was nearly identical to the malicious files usually seen in Dridex and Emotet infections.

Time: 2017-04-28 16:01:03 [UTC]
Source: 172.16.14.39
Destination: 89.38.128.232
Destination Port: 80/tcp
Protocol: HTTP
Path: hxxp://XX[.]ro/UPS__Ship__Notification__Tracking__Number__2SM099383266006810/Y0894C/FEDEX-TRACK/track-tracknumbers-673639733202/
Filename: fedex-track-tracknumbers-133977976498-language-en.zip
Mime Type: application/zip

After downloading the ZIP, the device wrote an executable file to a second device via SMB. This strongly suggested that the infection was spreading, and quickly.

Time: 2017-04-28 16:52:57 [UTC]
Source: 172.16.14.39
Destination: 172.16.10.41
Destination Port: 445/tcp
Protocol: SMB
Action: write
Filename: tptzfqa.exe
Path: \\PU12881\C$
Write Size: 65536
UID: Cxq64s3tCi1vq4Uo00

The graph shows the internal connectivity of the initial device. The spike in activity, which includes numerous alerts due to unusual behavior, occurs immediately following the SMB write made by the original device.

Devices across the network started to mimic this activity by performing the same type of SMB write, each time with the same amount of data – 65536B – and a random string of characters followed by the .exe filetype.
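The spreading pattern just described (same-sized .exe writes to administrative shares, with recipients later becoming writers) can be traced from SMB write records. This is an added example, not code from the original post; the tuple layout, the threshold, the relative timestamps and every event except the first SMB write shown above are constructed.

```python
from collections import defaultdict

MIN_WRITERS = 3  # assumed: distinct hosts writing the same-sized .exe


def is_admin_share_exe(path, filename):
    """True for an .exe written to an administrative share such as C$ or ADMIN$."""
    share = path.rstrip("\\").rsplit("\\", 1)[-1]
    return share.endswith("$") and filename.lower().endswith(".exe")


def trace_propagation(events):
    """events: (ts, src, dst, path, filename, write_size), sorted by ts.

    Groups qualifying writes by size and separates the hosts that started
    writing without first receiving the file (origins) from the hosts that
    received it and then wrote it onward (relays).
    """
    by_size = defaultdict(list)
    for event in events:
        if is_admin_share_exe(event[3], event[4]):
            by_size[event[5]].append(event)

    findings = {}
    for size, group in by_size.items():
        received_at = {}  # host -> first time the file was written to it
        wrote_at = {}     # host -> first time it wrote the file elsewhere
        for ts, src, dst, *_ in group:
            wrote_at.setdefault(src, ts)
            received_at.setdefault(dst, ts)
        writers = sorted(wrote_at)
        if len(writers) < MIN_WRITERS:
            continue  # a single deployment server is not propagation
        relays = sorted(h for h in writers
                        if h in received_at and received_at[h] < wrote_at[h])
        origins = sorted(h for h in writers if h not in relays)
        findings[size] = {"writers": writers, "origins": origins, "relays": relays}
    return findings


# First event mirrors the SMB write shown in the post; the rest are constructed.
EVENTS = [
    (50, "172.16.1.10", "172.16.10.41", r"\\PU12881\C$", "agent-setup.exe", 1048576),
    (100, "172.16.14.39", "172.16.10.41", r"\\PU12881\C$", "tptzfqa.exe", 65536),
    (160, "172.16.10.41", "172.16.10.52", r"\\HOST-B\C$", "qwhzkd.exe", 65536),
    (170, "172.16.14.39", "172.16.10.60", r"\\HOST-C\ADMIN$", "lmxare.exe", 65536),
    (180, "172.16.10.70", "172.16.1.5", r"\\FILESRV\projects", "report.docx", 65536),
    (220, "172.16.10.52", "172.16.10.61", r"\\HOST-D\C$", "zzpqov.exe", 65536),
]

if __name__ == "__main__":
    for size, info in trace_propagation(EVENTS).items():
        print(size, info)
```

The origins list gives responders the hosts to examine first; the relays show how far the write chain has reached.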

Meanwhile, the initial device was flagged for making a large number of SMB and Kerberos login attempts. At this point, the infection had spread to over 200 devices, which were all attempting to bruteforce passwords using the same credentials as the original device, in addition to standard usernames like ‘Administrator’ and ‘misadmin’.

Bruteforcing over SMB is consistent with lateral movement seen in recent instances of Emotet, in which the Trojan was seen with new, built-in functionality designed for network propagation.

As the malware continued to spread in the government network, devices began making anomalous SSL connections without SNI (Server Name Indication).

This series of anomalies represented a massive deviation from the network’s normal ‘pattern of life’, causing the Enterprise Immune System to raise three high-priority alerts in real time: one alert for the SMB session bruteforce, another for the Kerberos activity, and another for the anomalous SSL connections without SNI.

The final anomaly occurred when devices made a flurry of unusual DNS requests for DGA-generated domains, often involving rare TLDs such as .biz and .info. The DNS requests illustrate a sophisticated method to disguise communications to the attacker’s command and control centers. Darktrace’s AI algorithms deemed this domain fluxing activity to be highly unusual compared to ordinary behavior, thus raising one final alert before the security team was able to intervene.

A sample of the DNS requests:

15:33:00 hd12530.mi.SALTEDHAZE.org made a successful DNS request for rbqfkjjemttqumeobxb.org to dc1-2012.mi.[REDACTED].org
15:33:10 hd12530.mi.SALTEDHAZE.org made a successful DNS request for tmmiqtsdnkjdcqr.biz to dc1-2012.mi.SALTEDHAZE.org
15:33:20 hd12530.mi.SALTEDHAZE.org made a successful DNS request for mehqdlodsgggehchxdwfsmmoq.biz to dc1-2012.mi.SALTEDHAZE.org

Taken on their own, each of these anomalies could be explained as an isolated incident or perhaps a false-positive. But taken together, they form a broader picture of a widespread and aggressive infection, in which an external hacker had taken control of over 200 devices and was using them to attempt to harvest the users’ banking credentials and transfer funds into their own account.

In accordance with the Feodo family of banking Trojans, the malware was likely attempting to steal banking credentials by intercepting web form submissions. Yet, by adding the ability to spread through the network, the attacker was able to create a completely novel attack type that circumvented the perimeter security controls and infected over 200 devices.

As the threat progressed, the Enterprise Immune System raised real-time alerts and revealed in-depth details on the nature of the compromise. Using this information, the government’s security team was able to remediate the situation before any banking credentials could be stolen.

To learn more about the threats Darktrace finds, download our 2017 Global Threat Report which discusses a host of other novel infections that were stopped by the Enterprise Immune System.

About the authors

Justin Fier

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. Justin is one of the US’s leading cyber intelligence experts, and his insights have been widely reported in leading media outlets, including Wall Street Journal, CNN, the Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Dave Palmer

Dave Palmer is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over ten years of experience at the forefront of government intelligence operations, Palmer has worked across UK intelligence agencies GCHQ & MI5, where he delivered mission-critical infrastructure services, including the replacement and security of entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.

Andrew Tsonchev

Andrew oversees Darktrace’s OT security offerings, providing cyber defense solutions for industrial environments. Andrew has worked extensively across all aspects of Darktrace's technical and commercial operations, and advises Darktrace’s strategic Fortune 500 customers on advanced threat detection, machine learning and autonomous response. Andrew has a technical background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London.

Max Heinemeyer

Max is a cyber security expert with over eight years’ experience in the field specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. He was a member of the German Chaos Computer Club, working as a white hat hacker in penetration testing and red teaming engagements. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
