MMD-0042-2015 - Hunting Mr. Black IDs via Zegost cracking

This is a short write-up. Please bear with the straightforward detail and very little explanation.
While investigating ELF malware I came across this Windows PE binary. It contains important infrastructure information used by the Mr. Black actor (the one who loves attacking our MIPS routers), so I decided to check it and post a bit here.

Win32/Zegost.rfn [link] (according to Microsoft)

The malware was sitting in the panel, waiting to be distributed, at the time I spotted it:

The actor who put the PE binary in the picture was attacking my "router" with another binary, an ELF one: a MIPS-architecture build of Linux/Mr.Black, of the Linux/AES.DDoS family, a China ELF backdoor and DDoS'er variant, with the attacker's source IP and the CNC leading to that panel's address.

Seeing the panel, and knowing that the PE (exe file) malware wasn't yet being distributed by the actor, I decided to grab, analyze and expose it first, and then I may consider us "even" for their effort in attacking my "router" (note the quotes).

The PE is a Win32/Zegost variant of the dropper/backdoor type; I uploaded it to VT here --> [link]. It drops, self-deletes, sets auto-start in the registry and starts a service (also set in the registry), like much of the other boring stuff. The point of interest I am writing about here is that it contacts mother hosts as a backdoor. Below are some reversing snips I made while ID-ing the threat.

The infrastructure

The PE has a DGA function that permutates CNC hostnames, and I managed to extract some of them:

conf.f.360.cn
'qi89.f3322.org'
qup.f.360.cn
u.qurl.f.360.cn
qurl.f.360.cn
qurl.qh-lb.com
qup.qh-lb.com
sdupm.360.cn
sdup.360.cn
sdup.qh-lb.com

Note: The number of callback hostnames increased after we allowed several CNC downloads. The malware DGA generates many other fake domains. For the botnet dissection, please focus only on the IP addresses with which a CNC connection was actually established.

And I checked each domain, as per the snipped picture below:

I used the Kelihos fast-flux milking script to milk the IP addresses of the above domains:

$ cat domains.txt | bash flux.sh
Kelihos FLUX check script by @unixfreaxjp
Sun Sep 6 01:04:57 JST 2015

The result of the IP milking is a set of static, legit IDC IP addresses in Beijing, China :-) At first sight I thought these were CNC, but later on I found it very weird :-)


I investigated and found that these IDC IP addresses belong to 360.cn, a legit service in PRC/China.

But there is only one IP address that shows a different network. It leads us to a maliciously utilized host in South Korea, and this is the malware panel's IP address itself:

210.92.18.118||4766 | 210.92.0.0/18 | KIXS-AS | KR | dshw.co.kr | Sudokwonseobubonbu

The GeoIP confirmed:
{"dma_code":"0"
"ip":"210.92.18.118"
"latitude":37.57
"longitude":126.98
"country_code":"KR"
"offset":"9"
"continent_code":"AS"
"country":"Korea Republic of"
"asn":"AS4766"
"isp":"Korea Telecom"
"timezone":"Asia\/Seoul"
"area_code":"0"
"country_code":"KOR/KR"}

In short, the IP address 210.92.18.118 (port 8086) is the only IP that communicated with the malware, via the hostname qi89.f3322.org. Law enforcement may prefer to have this PCAP traffic as PoC/evidence. The callback traffic was answered by the CNC and was sent in encrypted form, as recorded in the traffic below. I am sorry, I didn't have the energy to crack this further..

..and get the ID :-)

So.. I have collected the first three (3) DGA-generated base domains from the malware sample, which are:

360.cn
'f3322.org'
qh-lb.com
but #1 and #3 are legit services.

There is only one domain that is really being used as CNC (see the PCAP); the other domains are just being used as decoys to confuse the investigation. The real CNC hostname is:

"f3322.org" w/Registrant email: "[email protected]"
So now we have learned more about the nature of Zegost in generating DGA and faking CNC domains.
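
The decoy-versus-real-CNC separation described above, as an added example (not code from the original post or from the scripts it uses): a candidate hostname is labelled CNC only when one of its resolved IPs shows a completed, two-way session in the capture. The hostnames, IP addresses, flow-tuple layout and function names are constructed assumptions, and `base_domain` is a naive last-two-labels split.

```python
from collections import defaultdict

# Constructed sample: DNS answers seen in the sandbox (hostname -> A records).
DNS_ANSWERS = {
    "conf.cdn.example.com": {"192.0.2.10", "192.0.2.11"},
    "up.cdn.example.com": {"192.0.2.11", "192.0.2.12"},
    "bot1.ddns.example.org": {"203.0.113.7"},
    "stat.example.net": {"198.51.100.5"},
}

# Constructed flow summaries from the same capture:
# (dst_ip, dst_port, handshake_completed, bytes_out, bytes_in)
FLOWS = [
    ("192.0.2.10", 80, False, 0, 0),       # SYN only, never answered
    ("203.0.113.7", 8086, True, 412, 96),  # two-way session
    ("198.51.100.5", 443, True, 0, 0),     # handshake, no payload
]


def base_domain(host):
    """Naive last-two-labels base; a real tool should use the Public Suffix List."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def established_endpoints(flows):
    """IP -> ports where the handshake completed and payload moved both ways."""
    live = defaultdict(set)
    for ip, port, handshake, out_b, in_b in flows:
        if handshake and out_b > 0 and in_b > 0:
            live[ip].add(port)
    return live


def triage(dns_answers, flows):
    """Label each hostname 'cnc' or 'decoy' and group by base domain."""
    live = established_endpoints(flows)
    report = defaultdict(lambda: {"cnc": {}, "decoy": []})
    for host, ips in sorted(dns_answers.items()):
        hits = {ip: sorted(live[ip]) for ip in sorted(ips) if ip in live}
        bucket = report[base_domain(host)]
        if hits:
            bucket["cnc"][host] = hits
        else:
            bucket["decoy"].append(host)
    return dict(report)


if __name__ == "__main__":
    print(triage(DNS_ANSWERS, FLOWS))
```

A hostname that only resolves, or whose IP only completes a handshake without payload, stays in the decoy bucket, so blocklists and abuse reports are built from the confirmed endpoint rather than from every domain the sample emits.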

The malware is served under the domain f3322.org, which has a super bad reputation for being used in Mr.Black ELF attacks and many more ELF attacks, for example:

Thanks to the reddit folks for informing us that f3322.org is part of a Chinese dynamic hostname/DNS (DDNS) service provider.

We didn't know this detail until now. So it looks like their service is being used for malware activities. It means the actor can be traced by contacting f3322.org abuse accordingly. We're on it, for we now have a long list of malicious subdomains used.

#MalwareMustDie!