In the early days of malware, we all remember analyzing samples of IRC botnets that were relatively simple, where the malware would connect to a random port running IRC, joining the botnet and waiting for commands from their leader. In this day and age, it’s slightly different. Whereas botnets previously had to run on systems that attackers owned or had compromised, now bots can run on Skype and other cloud-based chat programs, providing an even lower-cost alternative for attackers.
One user at PhishMe received the following message over Skype, where the “user” sent several attempts for a phone call to them.
Figure 1 shows the attacker trying to call with a username that also contains a link to a domain, www.viewror[d]com. Once clicked, a voice directs the user to click the download link and install a “proprietary” video player in order to play the video.
By looking at the underlying HTML in the download page, we can see that this download is part of an affiliate program where the attacker is probably getting money on a per-install or per-download basis.
Once the executable is opened, it asks to run as administrator. As any user would do…just push play! The user is presented with a screen to install different aspects of the program. Once we are given it the option to start installing, VideoPlayer.exe downloads, installs, and runs many different things. All of these are pieces of adware being installed to the system.
One of the final steps is to install “Search Protect”, a very shady application that gives you “protected” searches.
The malware does download a “proprietary” media player, called Media Player Classic, but there is nothing proprietary about the media player, which is available for free download online.
So that’s all fine and good…but let’s say we wanted to actually disrupt the attackers from continuing to do this. While it may not stop them by any means, it will definitely cause them some hassle. First, we’ll need their infrastructure.
Attacking the Infrastructure (Legally)
The first step of trying to damage the attackers infrastructure is to know what part of the infrastructure you’re looking at. Looking back at Figure 2, we can see that the attackers are using one of the domains of northeated[d]info. At the time of analysis, this resolves to 18.104.22.168, which is currently hosted in the Amazon AWS cloud. By looking at other connections of processes and other TCP connections, we can see some of the information that is being passed back.
And here are other IP addresses that were part of this campaign:
In order to properly disrupt infrastructure, you need to reach out to those who own the infrastructure. In our case, these IP addresses are hosted on AWS. The Amazon security team has been very helpful, and it was a pleasure working with them on this!
Attacking the Usernames (Legally)
By looking at the Skype username, there are two fields that are present, the name and description. Here’s what the attackers name looks like:
One of the even cooler things is that you can search by name in Skype. Here’s what happens when you do that:
By scrolling through the list of bots, we can gather a list of domains the attackers are using as well:
So how do you attack this long list of bot names being used for badness? You pass it over to the security folks at Microsoft, of course! (Who have also been very helpful in this matter!)
The Malware Samples
And here are the links for the different pieces of adware downloaded!
When users are trained to spot suspicious things, the amount of information you can get back increases 100 fold. And in this case, the user reported a small piece of information, which resulted in the disruption of a large adware campaign, on both the infrastructure and bot side of things.