Resurgence of the Feodo banking Trojan on a government network

Andrew Tsonchev, Director of Cyber Analysis | Monday October 2, 2017

Famous malware like Zeus, Conficker, and CryptoLocker are still some of the most common threats globally. By repurposing and repackaging known threats like these, attackers can create unknown variants that bypass signature-based security tools.

For instance, an older class of banking Trojans – known as Feodo – recently cropped up again on the network of a local US government. However, this particular strain had a key differentiator.

Darktrace detected the malware when it first was downloaded onto the government’s network. After analysis, the malware was found to be consistent with two well-documented Trojans in the Feodo family: Dridex and Emotet.

Traditionally, Trojans in the Feodo family will infect just a single device, but this attack immediately began propagating on the network, spreading to over 200 devices in a matter of hours.

The incident is part of an emerging trend of similar infections, suggesting that the Feodo family of Trojans is undergoing a resurgence, but this time retooled with ability to rapidly spread across the network.

Darktrace first detected the threat when an internal device made a series of anomalous SSL connections to IPs with self-signed certificates. The abnormal connections were a deviation from what Darktrace’s AI algorithms had learned to be normal, triggering Darktrace to raise the first in a series of alerts.

Time: 2017-04-26 11:38:05 [UTC]
Source: 172.16.14.39
Destination: 76.164.161.46
Destination Port: 995
Protocol: SSL
Version: TLSv12 [Considered HIGH security]
Cipher: TLS_RSA_WI TH_AES_256_ GCM_SHA384 [Considered HIGH security]
UID: CbenK822ViUMxJok00

The identical IP certificate subject and issuer:
Subject: CN=euwtrdjuee.biz,OU=Tslspyqh Dfxdekt Brftapckwr,O=Kaqt Aooscr LLC.,street=132 Vfjteuadivm Fklhnxdmza.,L=Elqazgap Nvax,ST=XI,C=PO
Issuer: CN=euwtrdjuee.biz,OU=Tslspyqh Dfxdekt Brftapckwr,O=Kaqt Aooscr LLC.,street=132 Vfjteuadivm Fklhnxdmza.,L=Elqazgap Nvax,ST=XI,C=PO

The device proceeded to download an anomalous ZIP file from an unusual external server. The email purported to be a notification from FedEx, and the file was disguised as an attachment containing tracking numbers. The download was nearly identical to the malicious files usually seen in Dridex and Emotet infections.

Time: 2017-04-28 16:01:03 [UTC]
Source: 172.16.14.39
Destination: 89.38.128.232
Destination Port: 80/tcp
Protocol: HTTP
Path: hxxp://XX[.]ro/UPS__Ship__Notification__Tracking__Number__2SM099383266006810/Y0894C/FEDEX-TRACK/track-tracknumbers-673639733202/
Filename: fedex-track-tracknumbers-133977976498-language-en.zip
Mime Type: application/zip

After downloading the ZIP, the device wrote an executable file to a second device via SMB. This strongly suggested that the infection was spreading, and quickly.

Time: 2017-04-28 16:52:57 [UTC]
Source: 172.16.14.39
Destination: 172.16.10.41
Destination Port: 445/tcp
Protocol: SMB
Action: write
Filename: tptzfqa.exe
Path: \\PU12881\C$
Write Size: 65536
UID: Cxq64s3tCi1vq4Uo00

The graph shows the internal connectivity of the initial device. The spike in activity, which includes numerous alerts due to unusual behavior, occurs immediately following the SMB write made by the original device.

Devices across the network started to mimic this activity by performing the same type of SMB write, each time with the same amount of data – 65536B – and a random string of characters followed by the .exe filetype.

Meanwhile, the initial device was flagged for making a large number of SMB and Kerberos login attempts. At this point, the infection had spread to over 200 devices, which were all attempting to bruteforce passwords using the same credentials as the original device, in addition to standard usernames like ‘Administrator’ and ‘misadmin’.

Bruteforcing over SMB is consistent with lateral movement seen in recent instances of Emotet, in which the Trojan was seen with new, built-in functionality designed for network propagation.

As the malware continued to spread in the government network, devices began making anomalous SSL connections without SNI (Server Name Indication).

This series of anomalies represented a massive deviation from the network’s normal ‘pattern of life’, causing the Enterprise Immune System to raise three high-priority alerts in real time: one alert for the SMB session bruteforce, another for the Kerberos activity, and another for the anomalous SSL connections without SNI.

The final anomaly occurred when devices made a flurry of unusual DNS requests for DGA-generated domains, often involving rare TLDs such as .biz and .info. The DNS requests illustrate a sophisticated method to disguise communications to the attacker’s command and control centers. Darktrace’s AI algorithms deemed this domain fluxing activity to be highly unusual compared to ordinary behavior, thus raising one final alert before the security team was able to intervene.

A sample of the DNS requests:

15:33:00 hd12530.mi.SALTEDHAZE.org made a successful DNS request for rbqfkjjemttqumeobxb.org to dc1-2012.mi.[REDACTED].org
15:33:10 hd12530.mi.SALTEDHAZE.org made a successful DNS request for tmmiqtsdnkjdcqr.biz to dc1-2012.mi.SALTEDHAZE.org
15:33:20 hd12530.mi.SALTEDHAZE.org made a successful DNS request for mehqdlodsgggehchxdwfsmmoq.biz to dc1-2012.mi.SALTEDHAZE.org

Taken on their own, each of these anomalies could be explained as an isolated incident or perhaps a false-positive. But taken together, they form a broader picture of a widespread and aggressive infection, in which an external hacker had taken control of over 200 devices and was using them to attempt to harvest the users’ banking credentials and transfer funds into their own account.

In accordance with the Feodo family of banking Trojans, the malware was likely attempting to steal banking credentials by intercepting web form submissions. Yet, by adding the ability to spread through the network, the attacker was able to create a completely novel attack type that circumvented the perimeter security controls and infected over 200 devices.

As the threat progressed, the Enterprise Immune System raised real-time alerts and revealed in-depth details on the nature of the compromise. Using this information, the government’s security team was able to remediate the situation before any banking credentials could be stolen.

To learn more about the threats Darktrace finds, check out our Threat Use Cases page which discusses a host of other novel infections that were stopped by the Enterprise Immune System.

Andrew Tsonchev

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.