Tcpview geo ip download#Thus, we expect to see a different download location and likely a Locky payload.įigure 7. This is because the host is in a location not specifically targeted for Trickbot delivery. In the following figures, we see a host POST data back to the C2 and receive a slightly different response. Payload downloaded by the intermediate downloader. The decrypted Trickbot observed in the request below is 4fcee2679cc65585cc1c1c7baa020ec262a2b7fb9b8dc7529a8f73fab029afad.įigure 6. Note the user-agent header is identical to that of the connectivity check in Figure 4.ĭue to the host being within the UK, we received an encrypted Trickbot payload. Trickbot download can be seen in Figure 6. This likely determines geolocation based targeting, this request led to the download of Trickbot as we used a UK based exit point. The downloader Trojan posts data back to the command and control server. In cases where the geolocation matches a set list (we believe this list is likely identical to the earlier VBA discussed in the Introduction section), we will see the traffic below.įigure 5. The User-Agent “Windows-Update-Agent” in the connectivity check, initial check-in, and final payload delivery are all identical.įor the network traffic below, we will use the QtBot sample, d97be402740f6a0fc70c90751f499943bf26f7c00791d46432889f1bedf9dbd2, as at the time of analysis the command and control server was still live and serving geo specific payloads. Downloader component issues a request to an innocuous domain as a connectivity check.įinally, once the connectivity check passes, QtBot will beacon back to its command and control server using an HTTP POST request with an RC4 encrypted payload and await a response which is encrypted with the same RC4 key. When QtBot is started, it initially performs a connectivity check to the legitimate domain, ds.download.windowsupdatecom, via an HTTP POST request.įigure 4. Tcpview geo ip code#Once the QtBot binary has been downloaded, its executed from the user’s %temp% directory using the PowerShell directive Start-Process which can be seen in the decoded base64 blob included in the code block above. Note that the Content-Type doesn’t match. Download of the QtBot downloader, with the executable in the clear. Once a live command and control server responds, the QtBot binary (798aa42748dcb1078824c2027cf6a0d151c14e945cb902382fcd9ae646bfa120) is downloaded in the clear.įigure 3. The entire list is iterated over until a valid download location is found (this can be observed in the cmd.exe window which is spawned in the background by the initial DDE execution). This campaign relies on the user to download the attachment, open it, and click through several dialog boxes. Most of the observed lures fall either within the “Financial Statement” category (Invoice, Billing, Receipt) or “File Transfer” category (efax, file scan). Shows an example email lure with a malicious document that uses DDE to deliver a payload. The malicious DDE documents are included as attachments to malspam lures like the one below (seen ):įigure 1. Palo Alto Networks has observed more than 4 million unique sessions with QtBot activity since October 19 th, 2017. This new downloader is responsible for loading the final payload, either Locky or Trickbot, again based on GeoIP. QtBot replaces the previously discussed VBA and features a robust anti-analysis suite to protect itself. These documents load an intermediate downloader which we have tagged in AutoFocus as “QtBot”. Recently, Unit 42 researcher Brad Duncan observed Necurs malspam campaigns distributing Microsoft Office documents that were abusing DDE. If this check failed, Locky would be served instead. With this information, the VBA script would enter a loop checking for the presence of the country codes: UK, IE, AU, GB, LU, or BE and, if any of those country codes was present, URIs to serve Trickbot were selected for download and execution. Previously, geo-targeting was controlled by a relatively simplistic VBA script which utilized GeoIP lookup services and parsed the country code to determine the compromised host’s location. Unit 42 and external malware researchers believe the payloads are geo-targeted. The most common Locky and Trickbot affiliates are being distributed via shared malspam campaigns.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |