Earlier this month, I was fortunate enough to be able to speak at the very first BSides Amsterdam. I shared some insight on botnets and the malicious infrastructure behind them, seen from analyzing DNS traffic through Cisco Umbrella’s resolvers.
Botnets enable the spread of malware and fuel the infrastructure behind cyber crime. Once a cyber criminal controls a network of infected systems, they have the means to spread large amounts of malware, gain access to private systems, and gain resources for use in DDoS attacks.
Analyzing botnet IOCs can reveal previously unseen malicious indicators by pivoting off of domain names, name servers, and IP addresses. We’re going to show a few examples in this blog post of threat hunting using this technique. We’ll also highlight the different stages of an infected system as it’s used as part of a botnet.
Lifecycle of a Bot
The Infection and Spreading stage is when a threat actor sets up the means by which they will get their malware onto systems, into mailboxes, or onto websites hosting malvertising or malicious code. Systems already remotely controlled as part of a botnet are often rented out for a nominal fee. This allows an attacker to rent the use of an infected system and use its shared connections within the botnet to drop and propagate a malware payload of their choice. Infected systems that are able to send email can be used to send spam to new systems, either with the attacker's malicious payload as the attachment or with an obfuscated URL in the email text leading to an attacker-hosted website that drops the malware payload.
During the Command and Control (C2) Contact or Rallying stage, a bot will attempt to make contact with the attacker's C2 server to report a successful infection. Domain and IP fast flux is typically used at this time: the C2 server frequently changes its hosting IP address(es) and uses a low TTL, in order to evade detection by continuously moving between hosting addresses. The malware will also contact a large set of domains produced by a Domain Generation Algorithm (DGA). The majority of these domain names are not registered and resolve as NXDOMAIN. The actual C2 server used to control the newly infected system is hidden within this large volume of callouts to DGA domains, making it hard to differentiate from the noise. Infected bots can act as proxies between other infected systems and the C2 server. Compromised servers can add another layer of proxies that the C2 server can hide behind.
Now that the C2 server and attacker are aware of the newly infected bot that has joined the botnet, it moves on to the next stage, where the bot will Report & Await Commands. The network communications established with the C2 server allow the bot to receive additional commands to carry out and to send stolen information or files back to the C2 server. The bandwidth provided by the bot can be used to perform DDoS attacks on a given target. More spam can be sent from capable bots at this time, and additional malware will be dropped onto systems, most typically Remote Access Trojans, Ransomware, Crypto-Miners and Banking Trojans.
The final phase, and the goal from here on, is to Maintain & Evade Detection so the system remains part of the botnet. Malware will use techniques to gain persistence on the system, and the rallying techniques of proxy layers, DGAs, and domain and IP fast flux will continue.
Why Should We Research the Infrastructure Behind Botnets?
We research the infrastructure behind these botnets in order to help stop many cyber crimes. Botnets are a particularly hard problem to solve, since there are millions of infected systems all over the globe and no single central node or host. Infected systems often go unnoticed and participate in a botnet undetected by users or companies. These systems can leak private information for years while also providing bandwidth that furthers cyber crime. The cheap price (within $10) at which a bot can be rented or a malware payload distributed also accelerates the proliferation of botnets.
Spam and Pharma Fraud
We’ve been monitoring spam sent in the form of Russian-sponsored Canadian pharma fraud (My Canadian Pharmacy) in notable instances on the Necurs botnet. It has surfaced on hosts, most likely compromised, that are used in the spread of Hailstorm spam. Associated hosts have been identified by Spamhaus as connected to the criminal spam organization Yambo Financials.
These spam messages go beyond pushing fake pharmaceuticals. They have spread ransomware such as Locky through malicious attachments. Malware is used that turns systems into spambots, sending out even more unwanted email. Links within the messages have also included URLs leading to fake Russian dating sites.
IOCs
Hailstorm spam IPs. The spam campaigns have rotated over time; the latest has been My Canadian Pharmacy.
95.31.22[.]193
185.90.61[.]36
185.90.61[.]37
62.112.8[.]34
87.229.111[.]163
188.126.94[.]79
82.118.242[.]158
217.195.60[.]211
84.124.94[.]11
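The rallying behaviours described in the lifecycle section (a burst of NXDOMAIN answers for high-entropy DGA names, and a C2 name that keeps moving between addresses with a low TTL) are both visible in resolver logs, as are answers that land on a known-bad address such as the Hailstorm IPs above. The following Python script is an added example and not code from the original post or from Cisco Umbrella: it runs three simple defender-side checks over a constructed, passive-DNS style log. The log format, the client addresses, the `c2-placeholder.example` name and the CDN/typo lines are all invented for the example; the only values taken from the post are the defanged IOC IPs, which the script refangs before matching.

```python
import math
from collections import defaultdict
from ipaddress import ip_address

# Constructed resolver log, one query per line: "epoch client qname rcode ttl answer".
# 10.0.0.5 shows a DGA burst followed by a fluxing C2 name (placeholder domain) whose
# answers are the Hailstorm IOC IPs from the post; 10.0.0.9 is benign traffic, including
# a two-address CDN name and a single NXDOMAIN typo, so the checks have something to skip.
SAMPLE_LOG = """\
1520000000 10.0.0.5 example.com NOERROR 3600 93.184.216.34
1520000001 10.0.0.5 qwxkjzp8v2.net NXDOMAIN 0 -
1520000002 10.0.0.5 mzp0tv4kqa.com NXDOMAIN 0 -
1520000003 10.0.0.5 k9zq3xwvlj.org NXDOMAIN 0 -
1520000004 10.0.0.5 b7yqvxtk2n.info NXDOMAIN 0 -
1520000005 10.0.0.5 xq2pv9kzwt.biz NXDOMAIN 0 -
1520000006 10.0.0.5 c2-placeholder.example NOERROR 60 185.90.61.36
1520000010 10.0.0.5 c2-placeholder.example NOERROR 60 185.90.61.37
1520000020 10.0.0.5 c2-placeholder.example NOERROR 60 62.112.8.34
1520000030 10.0.0.5 c2-placeholder.example NOERROR 60 217.195.60.211
1520000040 10.0.0.9 cdn.example.net NOERROR 30 203.0.113.10
1520000041 10.0.0.9 cdn.example.net NOERROR 30 203.0.113.11
1520000050 10.0.0.9 gogle.com NXDOMAIN 0 -
1520000060 10.0.0.9 mail.example.org NOERROR 3600 198.51.100.7
"""

# Defanged Hailstorm IOC IPs exactly as listed in the post.
HAILSTORM_IOCS = [
    "95.31.22[.]193", "185.90.61[.]36", "185.90.61[.]37", "62.112.8[.]34",
    "87.229.111[.]163", "188.126.94[.]79", "82.118.242[.]158",
    "217.195.60[.]211", "84.124.94[.]11",
]


def refang(ioc):
    """Turn a defanged indicator (1.2.3[.]4) back into a usable address; reject garbage."""
    addr = ioc.replace("[.]", ".")
    ip_address(addr)  # raises ValueError if the result is not a valid IP
    return addr


def parse_log(text):
    """Parse the constructed log format into a list of dicts; '-' means no answer."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode, ttl, answer = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                        "rcode": rcode, "ttl": int(ttl),
                        "answer": None if answer == "-" else answer})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_suspects(records, min_nx=5, min_entropy=3.0):
    """Clients that received at least min_nx NXDOMAINs for distinct high-entropy labels.
    The entropy gate keeps a single typo (gogle.com) from counting as DGA activity."""
    names = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        label = r["qname"].split(".")[0]
        if shannon_entropy(label) >= min_entropy:
            names[r["client"]].add(r["qname"])
    return {c: sorted(n) for c, n in names.items() if len(n) >= min_nx}


def fast_flux_domains(records, max_ttl=300, min_ips=3):
    """Names answered with at least min_ips distinct addresses, all with TTL <= max_ttl.
    Low TTL alone is not evidence (CDNs do the same), so the address count is required too."""
    ips = defaultdict(set)
    max_seen_ttl = defaultdict(int)
    for r in records:
        if r["rcode"] != "NOERROR" or r["answer"] is None:
            continue
        ips[r["qname"]].add(r["answer"])
        max_seen_ttl[r["qname"]] = max(max_seen_ttl[r["qname"]], r["ttl"])
    return {d for d, s in ips.items() if len(s) >= min_ips and max_seen_ttl[d] <= max_ttl}


def ioc_hits(records, defanged_iocs):
    """Map each queried name to the set of IOC addresses it resolved to."""
    wanted = {refang(i) for i in defanged_iocs}
    hits = defaultdict(set)
    for r in records:
        if r["answer"] in wanted:
            hits[r["qname"]].add(r["answer"])
    return dict(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA suspects:", dga_suspects(recs))
    print("Fast-flux names:", fast_flux_domains(recs))
    print("IOC hits:", ioc_hits(recs, HAILSTORM_IOCS))
```

On real resolver data the thresholds need tuning per environment, and the fast-flux check is best backed by an ASN or geolocation lookup on the answer set, since a CDN name can also rotate through several addresses with a short TTL; the distinguishing signal for flux is address diversity across unrelated networks, which this offline example only approximates with a raw count.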
At Cisco Umbrella we will continue to investigate these types of attacks and reveal the hidden infrastructure behind the botnets that fuel today’s cyber crimes.