MAR-10135536-8 – North Korean Trojan: HOPLIGHT
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as HOPLIGHT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report provides analysis of nine malicious executable files. Seven of these files are proxy applications that mask traffic between the malware and the remote operators.
The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate, and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP addresses and SSL certificates.

For a downloadable copy of IOCs, see:

Submitted Files (9)

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 (23E27E5482E3F55BF828DAB8855690...)
12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d (868036E102DF4CE414B0E6700825B3...)
2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 (5C3898AC7670DA30CF0B22075F3E8E...)
4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 (42682D4A78FE5C2EDA988185A34463...)
4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 (C5DC53A540ABE95E02008A04A0D56D...)
70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 (61E3571B8D9B2E9CCFADC3DDE10FB6...)
83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a (3021B9EF74c&BDDF59656A035F94FD...)
d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 (F8D26F2B8DD2AC4889597E1F2FD1F2...)
ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d (BE588CD29B9DC6F8CFC4D0AA5E5C79...)
Additional Files (4)

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 (rdpproto.dll)
70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 (udbcgiut.dat)
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 (MSDFMAPI.INI)
cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f (UDPTrcSvc.dll)

IPs (15)

112.175.92.57
113.114.117.122
128.200.115.228
137.139.135.151
181.39.135.126
186.169.2.237
197.211.212.59
21.252.107.198
26.165.218.44
47.206.4.145
70.224.36.194
81.94.192.10
81.94.192.147
84.49.242.125
97.90.44.200

Findings

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461

Tags
trojan

Details
Antivirus
Yara Rules
ssdeep Matches
No matches found.

PE Metadata
PE Sections
Packers/Compilers/Cryptors
Description

This artifact is a malicious PE32 executable. When executed, the malware will collect system information about the victim machine, including OS version, volume information, and system time, and will enumerate the system drives and partitions.

The malware is capable of the following functions:

---Begin Malware Capability---
Read, Write, and Move Files
Enumerate System Drives
Create and Terminate Processes
Inject into Running Processes
Create, Start and Stop Services
Modify Registry Settings
Connect to a Remote Host
Upload and Download Files
---End Malware Capability---

The malware is capable of opening and binding to a socket. The malware uses a public SSL certificate for secure communication. This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a variety of web services to clients around the world.

---Begin SSL Certificate Header---
1 0 UNL10UPolarSSL10UPolarSSL Test CA0110212144407Z2102121144407Z0<1 0 UNL10UPolarSSL10UPolarSSL Client 200
---End SSL Certificate Header---

When executed, the malware will attempt a TLS handshake with one of four hard-coded IP addresses embedded in the malware. These IP addresses are referenced in 'udbcgiut.dat' below. The malware also contains an embedded Zlib compression library that appears to further obfuscate the communications payload.

The following notable strings have been linked to the use of the SSL certificates and can be used to identify the malware:

---Begin Notable Strings---
fjiejffndxklfsdkfjsaadiepwnofuierfsdkljffjoiejftyuirreykfgkodfgkfdskgdfogpdokgsdfpgztretrtireotreotieroptkierertetudjfirejeryrtyuiyyuiyiyj
lildvucverfdfe
poiiumwq
---End Notable Strings---

The next four artifacts share the characteristics described above; only the capabilities unique to each artifact are described below.

2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525

Tags
trojan

Details
Antivirus
Yara Rules
ssdeep Matches
No matches found.

PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

When this artifact is executed, it will write the file 'udbcgiut.dat' to C:\Users\<user>\AppData\Local\Temp.

The malware will then attempt outbound SSL connections to 81.94.192.147 and 112.175.92.57. Both connection attempts are over TCP port 443.

The two IP addresses above, as well as the IP addresses 181.39.135.126 and 197.211.212.59, are hard-coded into the malware. However, only connections to the first two IP addresses were attempted during analysis.

197.211.212.59

Ports
Whois

inetnum: 197.211.208.0 - 197.211.215.255
netname: ZOL-16e-MOBILE-CUSTOMERS
descr: ZOL Customers on ZTE Mobile WiMAX Platform
country: ZW
admin-c: BS10-AFRINIC
admin-c: GJ1-AFRINIC
admin-c: JHM1-AFRINIC
tech-c: BS10-AFRINIC
tech-c: GJ1-AFRINIC
tech-c: JHM1-AFRINIC
status: ASSIGNED PA
mnt-by: LIQUID-TOL-MNT
source: AFRINIC # Filtered
parent: 197.211.192.0 - 197.211.255.255
person: B Siwela
address: 3rd Floor Greenbridge South
address: Eastgate Center
address: R. Mugabe Road
address: Harare
address: Zimbabwe
phone: +263774673452
fax-no: +2634702375
nic-hdl: BS10-AFRINIC
mnt-by: GENERATED-DVCNVXWBH3VN3XZXTRPHOT0OJ77GUNN3-MNT
source: AFRINIC # Filtered
person: G Jaya
address: 3rd Floor Greenbridge South
address: Eastgate Center
address: R. Mugabe Road
address: Harare
address: Zimbabwe
phone: +263773373135
fax-no: +2634702375
nic-hdl: GJ1-AFRINIC
mnt-by: GENERATED-QPEEUIPPW1WPRZ5HLHRXAVHDOKWLC9UC-MNT
source: AFRINIC # Filtered
person: John H Mwangi
address: Liquid Telecom Kenya
address: P.O.Box 62499 - 00200
address: Nairobi Kenya
address: Nairobi, Kenya
address: Kenya
phone: + 254 20 556 755

Relationships
Description

This IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. The domain zol-ad-bdc.zol.co.zw is associated with the IP address; however, no DNS query is made for the name.

181.39.135.126

Ports
Whois

inetnum: 181.39.135.120/29
status: reallocated
owner: Clientes Guayaquil
ownerid: EC-CLGU1-LACNIC
responsible: Tomislav Topic
address: Kennedy Norte Mz. 109 Solar 21, 5, Piso 2
address: 5934 - Guayaquil - GY
country: EC
phone: +593 4 2680555 [101]
owner-c: SEL
tech-c: SEL
abuse-c: SEL
created: 20160720
changed: 20160720
inetnum-up: 181.39/16
nic-hdl: SEL
person: Carlos Montero
e-mail: networking@TELCONET.EC
address: Kennedy Norte MZ, 109, Solar 21
address: 59342 - Guayaquil -
country: EC
phone: +593 42680555 [4601]
created: 20021004
changed: 20170323

Relationships
Description

This IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. No domain is associated with the IP address.

112.175.92.57

Ports
Whois

inetnum: 112.160.0.0 - 112.191.255.255
netname: KORNET
descr: Korea Telecom
admin-c: IM667-AP
tech-c: IM667-AP
country: KR
status: ALLOCATED PORTABLE
mnt-by: MNT-KRNIC-AP
mnt-irt: IRT-KRNIC-KR
last-modified: 2017-02-03T02:21:58Z
source: APNIC
irt: IRT-KRNIC-KR
address: Seocho-ro 398, Seocho-gu, Seoul, Korea
e-mail: hostmaster@nic.or.kr
abuse-mailbox: hostmaster@nic.or.kr
admin-c: IM574-AP
tech-c: IM574-AP
auth: # Filtered
mnt-by: MNT-KRNIC-AP
last-modified: 2017-10-19T07:36:36Z
source: APNIC
person: IP Manager
address: Gyeonggi-do Bundang-gu, Seongnam-si Buljeong-ro 90
country: KR
phone: +82-2-500-6630
e-mail: kornet_ip@kt.com
nic-hdl: IM667-AP
mnt-by: MNT-KRNIC-AP
last-modified: 2017-03-28T06:37:04Z
source: APNIC

Relationships
Description

This IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. The domain mail.everzone.co.kr is associated with the IP address; however, no DNS query is made for the name.

81.94.192.147

Ports
Whois

inetnum: 81.94.192.0 - 81.94.192.255
netname: IOMARTHOSTING
descr: iomart Hosting Limited
country: GB
admin-c: RA1415-RIPE
tech-c: RA1415-RIPE
status: ASSIGNED PA
remarks: ABUSE REPORTS: abuse@redstation.com
mnt-by: REDSTATION-MNT
mnt-domains: REDSTATION-MNT
mnt-routes: REDSTATION-MNT
created: 2016-02-14T11:44:25Z
last-modified: 2016-02-14T11:44:25Z
source: RIPE
role: Redstation Admin Role
address: Redstation Limited
address: 2 Frater Gate Business Park
address: Aerodrome Road
address: Gosport
address: Hampshire
address: PO13 0GW
address: UNITED KINGDOM
abuse-mailbox: abuse@redstation.com
e-mail: abuse@redstation.com
nic-hdl: RA1415-RIPE
mnt-by: REDSTATION-MNT
created: 2005-04-22T17:34:33Z
last-modified: 2017-05-02T09:47:13Z
source: RIPE
% Information related to '81.94.192.0/24AS20860'
route: 81.94.192.0/24
descr: Wayne Dalton - Redstation Ltd
origin: AS20860
mnt-by: GB10488-RIPE-MNT
created: 2015-11-03T12:58:00Z
last-modified: 2015-11-03T12:58:00Z
source: RIPE

Relationships
Description

This IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. No domain is associated with the IP address.

70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289

Details
Antivirus
No matches found.

Yara Rules
No matches found.

ssdeep Matches
No matches found.

Relationships
Description

'udbcgiut.dat' is dropped by three of the four PE32 executables. This file contains a 32-byte Unicode string uniquely generated for the infected system, as well as four socket pairs in hexadecimal.

---Begin Decoded Socket Pairs---
197.211.212.59:443
181.39.135.126:443
112.175.92.57:7443
81.94.192.147:7443
---End Decoded Socket Pairs---

The Unicode string generated during this analysis was '8a9b11762b96c4b6'. The socket pairs remain the same for all instances of the malware.

For the PE32 executables, 'udbcgiut.dat' was dropped in the victim's profile at %AppData%\Local\Temp. For the 64-bit executables, 'udbcgiut.dat' was dropped in C:\Windows.

4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818

Tags
trojan

Details
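The socket pairs above are the most stable network indicator in this report, since they are identical across every instance of the malware. The following is an added detection example, not code from the MAR or from CISA: it matches constructed connection-log lines (the "src=ip:port dst=ip:port" layout is an assumption; adapt the regular expression to your firewall or NetFlow export) against the four decoded pairs. It reports an exact IP:port hit separately from a hit on one of the four IPs on some other port, because the report itself observed 112.175.92.57 contacted over 443 by one sample while 'udbcgiut.dat' lists it with 7443.

```python
"""Match connection-log lines against the HOPLIGHT socket pairs decoded from udbcgiut.dat.

Added example for this report; the log format below is a constructed one.
"""
import re
from typing import Dict, Iterable, List, Optional

# (IP, port) pairs exactly as decoded in the report from udbcgiut.dat.
HOPLIGHT_SOCKET_PAIRS = {
    ("197.211.212.59", 443),
    ("181.39.135.126", 443),
    ("112.175.92.57", 7443),
    ("81.94.192.147", 7443),
}
HOPLIGHT_IPS = {ip for ip, _ in HOPLIGHT_SOCKET_PAIRS}

# Assumed log layout: "<timestamp> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one log line, or None if the line does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def classify(event: Dict[str, object]) -> Optional[str]:
    """'socket_pair' for an exact IP:port hit, 'ip_only' for a listed IP on another port, else None."""
    if (event["dst"], event["dport"]) in HOPLIGHT_SOCKET_PAIRS:
        return "socket_pair"
    if event["dst"] in HOPLIGHT_IPS:
        return "ip_only"
    return None


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run every line through the parser and classifier; malformed lines are skipped."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        kind = classify(event)
        if kind is not None:
            hits.append({"ts": event["ts"], "dst": f'{event["dst"]}:{event["dport"]}', "match": kind})
    return hits


# Constructed sample log, not traffic from the report's analysis.
SAMPLE_LOG = [
    "2019-04-10T12:00:01Z src=10.0.0.5:51234 dst=81.94.192.147:7443 proto=tcp",
    "2019-04-10T12:00:02Z src=10.0.0.5:51235 dst=112.175.92.57:443 proto=tcp",
    "2019-04-10T12:00:03Z src=10.0.0.5:51236 dst=93.184.216.34:443 proto=tcp",
    "2019-04-10T12:00:09Z src=10.0.0.5:51240 dst=181.39.135.126:443 proto=tcp",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On the constructed sample this yields three hits: two exact socket-pair matches and one IP-only match for 112.175.92.57 on port 443; the unrelated destination and the malformed line produce nothing.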
Antivirus
Yara Rules
ssdeep Matches
No matches found.

PE Metadata
PE Sections
Packers/Compilers/Cryptors
Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

This artifact appears to be named 'lamp.exe'. The malware contains the following debug path:

---Begin Debug Pathway---
Z:\Develop\41.LampExe\Release\LampExe.pdb
---End Debug Pathway---

ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d

Tags
adware
trojan

Details
Antivirus
Yara Rules
ssdeep Matches
No matches found.

PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

This program attempts to initiate a TLS handshake to the four IP/port pairs listed in 'udbcgiut.dat'. If the program is unable to establish a connection, the file 'udbcgiut.dat' is deleted.

After 'udbcgiut.dat' is deleted, an outbound SSL connection is made to 81.94.192.10. This IP address is hard-coded in the malware and is not randomly generated.

This artifact also loads several APIs that are commonly associated with Pass-the-Hash (PTH) toolkits, indicating a capability to harvest user credentials and passwords.

---Begin Common PTH APIs---
SamiChangePasswordUser
SamFreeMemory
SamCloseHandle
SamOpenUser
SamLookupNamesInDomain
SamOpenDomain
SamConnect
---End Common PTH APIs---

81.94.192.10

Whois

Domain name: redstation.net.uk
Registrant: Redstation Limited
Registrant type: UK Limited Company, (Company number: 3590745)
Registrant's address: 2 Frater Gate Business Park Aerodrome Road Gosport Hampshire PO13 0GW United Kingdom
Data validation: Nominet was able to match the registrant's name and address against a 3rd party data source on 21-Feb-2017
Registrar: Easyspace Ltd [Tag = EASYSPACE] URL: https://www.easyspace.com/domain-names/extensions/uk
Relevant dates: Registered on: 11-Apr-2005 Expiry date: 11-Apr-2019 Last updated: 12-Apr-2017
Registration status: Registered until expiry date.
Name servers: ns1.redstation.com ns2.redstation.com

Relationships
Description

A high port to high port connection attempt is made to this IP address from 'Malware5.dll'. No domain is associated with the IP address.

12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d

Tags
trojan

Details
Antivirus
Yara Rules
No matches found.

ssdeep Matches
PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
Description

This artifact is a malicious x64 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

In addition to the capabilities described above, this variant will hook the Windows Local Security Authority (lsass.exe). 'lsass.exe' will check the registry for the entry 'rdpproto' in the following value; if it is not found, the entry is added by 'lsass.exe'.

Key: SYSTEM\CurrentControlSet\Control\Lsa
Value name: Security Packages
Entry: rdpproto

Next, the malware will drop the embedded file 'rdpproto.dll' into the %System32% directory.

The file 'udbcgiut.dat' is then written to C:\Windows. Outbound connection attempts are made to the socket pairs found within this file, as described above.

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Tags
trojan

Details
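Adding an entry to the LSA 'Security Packages' value makes lsass.exe load the named DLL as a Security Support Provider at boot, which is why this variant pairs the registry change with dropping 'rdpproto.dll' into %System32%. The following is an added host-audit example, not code from the MAR or from CISA. It classifies the entries of a 'Security Packages' value against a baseline of SSPs normally present on a Windows host (the baseline set is an assumption to tune per build), flags the 'rdpproto' entry the report describes, and checks the drop locations the report names. The live registry read uses the standard winreg module and only runs on Windows; everywhere else a constructed value list stands in.

```python
"""Audit the LSA 'Security Packages' value and the HOPLIGHT drop locations named in the report.

Added example for this report. The BASELINE_SSPS set is an assumption; tune it per build.
"""
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Names the report associates with this variant.
HOPLIGHT_SSP = "rdpproto"
HOPLIGHT_SSP_DLL = "rdpproto.dll"
HOPLIGHT_CONFIG = "udbcgiut.dat"

# Assumption: SSPs normally listed in Security Packages on a Windows client or server.
# Anything outside this set deserves a look; the empty string covers trailing separators.
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap", ""}

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUE = "Security Packages"


def audit_security_packages(packages: Iterable[str]) -> Dict[str, object]:
    """Classify each entry of a REG_MULTI_SZ 'Security Packages' value."""
    unknown: List[str] = []
    hoplight = False
    for raw in packages:
        name = raw.strip().lower()
        # Entries may carry a .dll suffix; compare on the base name.
        base = name[:-4] if name.endswith(".dll") else name
        if base == HOPLIGHT_SSP:
            hoplight = True
        if base not in BASELINE_SSPS:
            unknown.append(raw)
    return {"hoplight_ssp_present": hoplight, "unknown_ssps": unknown}


def read_security_packages() -> Optional[List[str]]:
    """Read the live value on Windows via winreg; return None on other platforms."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, kind = winreg.QueryValueEx(key, LSA_VALUE)
    return list(value) if kind == winreg.REG_MULTI_SZ else [str(value)]


def audit_dropped_files(windows_root: Path, local_temp: Optional[Path] = None) -> List[Path]:
    """Return the drop paths from the report that exist under the given roots.

    windows_root is C:\\Windows on a live host; local_temp is %LocalAppData%\\Temp,
    where the PE32 samples write udbcgiut.dat.
    """
    candidates = [
        windows_root / "System32" / HOPLIGHT_SSP_DLL,  # dropped by the x64 variant
        windows_root / HOPLIGHT_CONFIG,                # udbcgiut.dat for the 64-bit samples
    ]
    if local_temp is not None:
        candidates.append(local_temp / HOPLIGHT_CONFIG)  # udbcgiut.dat for the PE32 samples
    return [p for p in candidates if p.is_file()]


def self_check() -> bool:
    """Build a throw-away tree with rdpproto.dll under System32 and confirm it is reported."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "System32").mkdir()
        (root / "System32" / HOPLIGHT_SSP_DLL).write_bytes(b"")
        return audit_dropped_files(root) == [root / "System32" / HOPLIGHT_SSP_DLL]


if __name__ == "__main__":
    live = read_security_packages()
    if live is None:
        # Constructed value list standing in for a compromised host on non-Windows runs.
        live = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "rdpproto"]
    print(audit_security_packages(live))
    print(audit_dropped_files(Path(r"C:\Windows")))
    print("self-check:", self_check())
```

A hit on 'rdpproto' is specific to this report; any other unknown SSP is a generic persistence finding that warrants verifying the DLL it names in %System32% before treating it as benign.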
Antivirus
Yara Rules
No matches found.

ssdeep Matches
PE Metadata
PE Sections
Relationships
Description

"rdpproto.dll" is dropped into the %System32% directory by 868036E102DF4CE414B0E6700825B319. When the library is loaded, "rdpproto.dll" will attempt to send SSL Client Hello packets to any of the following embedded IP addresses:

---Begin Embedded IP Addresses---
21.252.107.198
70.224.36.194
113.114.117.122
47.206.4.145
84.49.242.125
26.165.218.44
137.139.135.151
97.90.44.200
128.200.115.228
186.169.2.237
---End Embedded IP Addresses---

This artifact contains the following notable strings:

---Begin Notable Strings---
CompanyName: Adobe System Incorporated
FileDescription: MicrosoftWindows TransFilter/FilterType : 01 WindowsNT Service
FileVersion: 6.1 Build 7601
InternalName: TCP/IP Packet Filter Service
LegalCopyright: Copyright 2015 - Adobe System Incorporated
LegalTrademarks:
OriginalFileName: TCP/IP - PacketFilter
---End Notable Strings---

21.252.107.198

Ports
Whois

NetRange: 21.0.0.0 - 21.255.255.255
CIDR: 21.0.0.0/8
NetName: DNIC-SNET-021
NetHandle: NET-21-0-0-0-1
Parent: ()
NetType: Direct Allocation
OriginAS:
Organization: DoD Network Information Center (DNIC)
RegDate: 1991-06-30
Updated: 2009-06-19
Ref: https://whois.arin.net/rest/net/NET-21-0-0-0-1
OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
RegDate:
Updated: 2011-08-17
Ref: https://whois.arin.net/rest/org/DNIC

Relationships
Description

A high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

70.224.36.194

Ports
Whois

Domain Name: AMERITECH.NET
Registry Domain ID: 81816_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2017-06-09T05:27:34Z
Creation Date: 1996-06-14T04:00:00Z
Registry Expiry Date: 2018-06-13T04:00:00Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.ATTDNS.COM
Name Server: NS2.ATTDNS.COM
Name Server: NS3.ATTDNS.COM
Name Server: NS4.ATTDNS.COM
DNSSEC: unsigned
Domain Name: ameritech.net
Registry Domain ID: 81816_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2017-06-09T05:27:34Z
Creation Date: 1996-06-14T04:00:00Z
Registrar Registration Expiration Date: 2018-06-13T04:00:00Z
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: AT&T SERVICES, INC.
Registrant Street: 801 Chestnut Street
Registrant City: Saint Louis
Registrant State/Province: MO
Registrant Postal Code: 63101
Registrant Country: US
Registrant Phone: +1.3142358168
Registrant Phone Ext:
Registrant Fax: +1.3142358168
Registrant Fax Ext:
Registrant Email: att-domains@att.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: AT&T SERVICES, INC.
Admin Street: 801 Chestnut Street
Admin City: Saint Louis
Admin State/Province: MO
Admin Postal Code: 63101
Admin Country: US
Admin Phone: +1.3142358168
Admin Phone Ext:
Admin Fax: +1.3142358168
Admin Fax Ext:
Admin Email: att-domains@att.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: AT&T SERVICES, INC.
Tech Street: 801 Chestnut Street
Tech City: Saint Louis
Tech State/Province: MO
Tech Postal Code: 63101
Tech Country: US
Tech Phone: +1.3142358168
Tech Phone Ext:
Tech Fax: +1.3142358168
Tech Fax Ext:
Tech Email: att-domains@att.com
Name Server: ns3.attdns.com
Name Server: ns1.attdns.com
Name Server: ns2.attdns.com
Name Server: ns4.attdns.com
DNSSEC: unsigned

Relationships
Description

A high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

113.114.117.122

Ports
Whois

inetnum: 113.112.0.0 - 113.119.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: IC83-AP
remarks: service provider
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
mnt-routes: MAINT-CHINANET-GD
last-modified: 2016-05-04T00:15:17Z
source: APNIC
mnt-irt: IRT-CHINANET-CN
irt: IRT-CHINANET-CN
address: No.31 ,jingrong street,beijing
address: 100032
e-mail: anti-spam@ns.chinanet.cn.net
abuse-mailbox: anti-spam@ns.chinanet.cn.net
admin-c: CH93-AP
tech-c: CH93-AP
auth: # Filtered
mnt-by: MAINT-CHINANET
last-modified: 2010-11-15T00:31:55Z
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
mnt-by: MAINT-CHINANET
last-modified: 2014-02-27T03:37:38Z
source: APNIC
person: IPMASTER CHINANET-GD
nic-hdl: IC83-AP
e-mail: gdnoc_HLWI@189.cn
address: NO.18,RO. ZHONGSHANER,YUEXIU DISTRIC,GUANGZHOU
phone: +86-20-87189274
fax-no: +86-20-87189274
country: CN
mnt-by: MAINT-CHINANET-GD
remarks: IPMASTER is not for spam complaint,please send spam complaint to abuse_gdnoc@189.cn
abuse-mailbox: antispam_gdnoc@189.cn
last-modified: 2014-09-22T04:41:26Z
source: APNIC

Relationships
Description

A high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

47.206.4.145

Ports
Whois

Domain Name: FRONTIERNET.NET
Registry Domain ID: 4305589_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.register.com
Registrar URL: http://www.register.com
Updated Date: 2017-09-14T07:53:05Z
Creation Date: 1995-10-14T04:00:00Z
Registry Expiry Date: 2018-10-13T04:00:00Z
Registrar: Register.com, Inc.
Registrar IANA ID: 9
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: AUTH.DLLS.PA.FRONTIERNET.NET
Name Server: AUTH.FRONTIERNET.NET
Name Server: AUTH.LKVL.MN.FRONTIERNET.NET
Name Server: AUTH.ROCH.NY.FRONTIERNET.NET
DNSSEC: unsigned
Domain Name: FRONTIERNET.NET
Registry Domain ID: 4305589_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.register.com
Registrar URL: www.register.com
Updated Date: 2017-09-14T00:53:05.00Z
Creation Date: 1995-10-14T04:00:00.00Z
Registrar Registration Expiration Date: 2018-10-13T04:00:00.00Z
Registrar: REGISTER.COM, INC.
Registrar IANA ID: 9
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: FRONTIERNET HOSTMASTER
Registrant Organization:
Registrant Street: 95 N. FITZHUGH ST.
Registrant City: ROCHESTER
Registrant State/Province: NY
Registrant Postal Code: 14614-1212
Registrant Country: US
Registrant Phone: +1.8664747662
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: HOSTMASTER@FRONTIERNET.NET
Registry Admin ID:
Admin Name: FRONTIERNET HOSTMASTER
Admin Organization:
Admin Street: 95 N. FITZHUGH ST.
Admin City: ROCHESTER
Admin State/Province: NY
Admin Postal Code: 14614-1212
Admin Country: US
Admin Phone: +1.8664747662
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: HOSTMASTER@FRONTIERNET.NET
Registry Tech ID:
Tech Name: FRONTIERNET HOSTMASTER
Tech Organization:
Tech Street: 95 N. FITZHUGH ST.
Tech City: ROCHESTER
Tech State/Province: NY
Tech Postal Code: 14614-1212
Tech Country: US
Tech Phone: +1.8664747662
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: HOSTMASTER@FRONTIERNET.NET
Name Server: AUTH.DLLS.PA.FRONTIERNET.NET
Name Server: AUTH.FRONTIERNET.NET
Name Server: AUTH.LKVL.MN.FRONTIERNET.NET
Name Server: AUTH.ROCH.NY.FRONTIERNET.NET
DNSSEC: unSigned

Relationships
Description

A high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

84.49.242.125

Ports
Whois

Domain Name: NEXTGENTEL.COM
Registry Domain ID: 13395561_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domaininfo.com
Registrar URL: http://www.ports.domains
Updated Date: 2017-11-10T23:44:50Z
Creation Date: 1999-11-17T15:47:51Z
Registry Expiry Date: 2018-11-17T15:47:51Z
Registrar: Ports Group AB
Registrar IANA ID: 73
Registrar Abuse Contact Email: abuse@portsgroup.se
Registrar Abuse Contact Phone: +46.707260017
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: ANYADNS1.NEXTGENTEL.NET
Name Server: ANYADNS2.NEXTGENTEL.NET
DNSSEC: unsigned
Domain Name: nextgentel.com
Registry Domain ID: 13395561_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domaininfo.com
Registrar URL: ports.domains
Updated Date: 2017-11-10T23:44:50Z
Creation Date: 1999-11-17T15:47:51Z
Registrar Registration Expiration Date: 2018-11-17T15:47:51Z
Registrar: PortsGroup AB
Registrar IANA ID: 73
Registrar Abuse Contact Email: abuse@portsgroup.se
Registrar Abuse Contact Phone: +46.317202000
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Hostmaster
Registrant Organization: NextGenTel AS
Registrant Street: Sandslimarka 31
Registrant City: SANDSLI
Registrant State/Province:
Registrant Postal Code: 5254
Registrant Country: NO
Registrant Phone: +47.55527900
Registrant Fax: +47.55527910
Registrant Email: hostmaster@nextgentel.com
Registry Admin ID:
Admin Name: Hostmaster
Admin Organization: NextGenTel AS
Admin Street: Sandslimarka 31
Admin City: Sandsli
Admin State/Province:
Admin Postal Code: 5254
Admin Country: NO
Admin Phone: +47.55527900
Admin Fax: +47.55527910
Admin Email: hostmaster@nextgentel.com
Registry Tech ID:
Tech Name: Hostmaster v/ Eivind Olsen
Tech Organization: NextGenTel AS
Tech Street: Postboks 3 Sandsli
Tech City: Bergen
Tech State/Province:
Tech Postal Code: 5861
Tech Country: NO
Tech Phone: +47.41649322
Tech Fax: +47.55527910
Tech Email: hostmaster@nextgentel.com
Name Server: ANYADNS1.NEXTGENTEL.NET
Name Server: ANYADNS2.NEXTGENTEL.NET
DNSSEC: unsigned

Relationships
Description

A high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

26.165.218.44

Ports
Whois

NetRange: 26.0.0.0 - 26.255.255.255
CIDR: 26.0.0.0/8
NetName: DISANET26
NetHandle: NET-26-0-0-0-1
Parent: ()
NetType: Direct Allocation
OriginAS:
Organization: DoD Network Information Center (DNIC)
RegDate: 1995-04-30
Updated: 2009-06-19
Ref: https://whois.arin.net/rest/net/NET-26-0-0-0-1
OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
RegDate:
Updated: 2011-08-17
Ref: https://whois.arin.net/rest/org/DNIC
OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-844-347-2457
OrgTechEmail: disa.columbus.ns.mbx.hostmaster-dod-nic@mail.mil
OrgTechRef: https://whois.arin.net/rest/poc/MIL-HSTMST-ARIN
OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName: Registration
OrgAbusePhone: +1-844-347-2457
OrgAbuseEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgAbuseRef: https://whois.arin.net/rest/poc/REGIS10-ARIN
OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-844-347-2457
OrgTechEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgTechRef: https://whois.arin.net/rest/poc/REGIS10-ARIN

Relationships
Description

A high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

137.139.135.151

Ports
Whois

NetRange: 137.139.0.0 - 137.139.255.255
CIDR: 137.139.0.0/16
NetName: SUC-OLDWEST
NetHandle: NET-137-139-0-0-1
Parent: NET137 (NET-137-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: SUNY College at Old Westbury (SCAOW)
RegDate: 1989-11-29
Updated: 2014-02-18
Ref: https://whois.arin.net/rest/net/NET-137-139-0-0-1
OrgName: SUNY College at Old Westbury
OrgId: SCAOW
Address: 223 Store Hill Road
City: Old Westbury
StateProv: NY
PostalCode: 11568
Country: US
RegDate: 1989-11-29
Updated: 2011-09-24
Ref: https://whois.arin.net/rest/org/SCAOW
OrgTechHandle: SUNYO-ARIN
OrgTechName: SUNYOWNOC
OrgTechPhone: +1-516-876-3379
OrgTechEmail: sunyownoc@oldwestbury.edu
OrgTechRef: https://whois.arin.net/rest/poc/SUNYO-ARIN
OrgAbuseHandle: SUNYO-ARIN
OrgAbuseName: SUNYOWNOC
OrgAbusePhone: +1-516-876-3379
OrgAbuseEmail: sunyownoc@oldwestbury.edu
OrgAbuseRef: https://whois.arin.net/rest/poc/SUNYO-ARIN
RAbuseHandle: SUNYO-ARIN
RAbuseName: SUNYOWNOC
RAbusePhone: +1-516-876-3379
RAbuseEmail: sunyownoc@oldwestbury.edu
RAbuseRef: https://whois.arin.net/rest/poc/SUNYO-ARIN
RTechHandle: SUNYO-ARIN
RTechName: SUNYOWNOC
RTechPhone: +1-516-876-3379
RTechEmail: sunyownoc@oldwestbury.edu
RTechRef: https://whois.arin.net/rest/poc/SUNYO-ARIN
RNOCHandle: SUNYO-ARIN
RNOCName: SUNYOWNOC
RNOCPhone: +1-516-876-3379
RNOCEmail: sunyownoc@oldwestbury.edu
RNOCRef: https://whois.arin.net/rest/poc/SUNYO-ARIN

Relationships
Description

A high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

97.90.44.200

Ports
Whois

Domain Name: CHARTER.COM
Registry Domain ID: 340223_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-07-03T04:22:18Z
Creation Date: 1994-07-30T04:00:00Z
Registry Expiry Date: 2019-07-29T04:00:00Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.CHARTER.COM
Name Server: NS2.CHARTER.COM
Name Server: NS3.CHARTER.COM
Name Server: NS4.CHARTER.COM
DNSSEC: unsigned
Domain Name: charter.com
Registry Domain ID: 340223_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-12-18T04:00:14-0800
Creation Date: 1994-07-29T21:00:00-0700
Registrar Registration Expiration Date: 2019-07-28T21:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Charter Communications Operating, LLC
Registrant Street: 12405 Powerscourt Drive,
Registrant City: Saint Louis
Registrant State/Province: MO
Registrant Postal Code: 63131
Registrant Country: US
Registrant Phone: +1.3149650555
Registrant Phone Ext:
Registrant Fax: +1.9064010617
Registrant Fax Ext:
Registrant Email: hostmaster@charter.com
Registry Admin ID:
Admin Name: Domain Admin
Admin Organization: Charter Communications Operating, LLC
Admin Street: 12405 Powerscourt Drive,
Admin City: Saint Louis
Admin State/Province: MO
Admin Postal Code: 63131
Admin Country: US
Admin Phone: +1.3149650555
Admin Phone Ext:
Admin Fax: +1.9064010617
Admin Fax Ext:
Admin Email: hostmaster@charter.com
Registry Tech ID:
Tech Name: Charter Communications Internet Security and Abuse
Tech Organization: Charter Communications Operating, LLC
Tech Street: 12405 Powerscourt Drive,
Tech City: Saint Louis
Tech State/Province: MO
Tech Postal Code: 63131
Tech Country: US
Tech Phone: +1.3142883111
Tech Phone Ext:
Tech Fax: +1.3149090609
Tech Fax Ext:
Tech Email: abuse@charter.net
Name Server: ns4.charter.com
Name Server: ns3.charter.com
Name Server: ns1.charter.com
Name Server: ns2.charter.com
DNSSEC: unsigned

Relationships
Description

A high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

128.200.115.228

Ports
Whois

Domain Name: UCI.EDU
Registrant:
University of California, Irvine
6366 Ayala Science Library
Irvine, CA 92697-1175
UNITED STATES
Administrative Contact:
Con Wieland
University of California, Irvine
Office of Information Technology
6366 Ayala Science Library
Irvine, CA 92697-1175
UNITED STATES
(949) 824-2222
oit-nsp@uci.edu
Technical Contact:
Con Wieland
University of California, Irvine
Office of Information Technology
6366 Ayala Science Library
Irvine, CA 92697-1175
UNITED STATES
(949) 824-2222
oit-nsp@uci.edu
Name Servers:
NS4.SERVICE.UCI.EDU 128.200.59.190
NS5.SERVICE.UCI.EDU 52.26.131.47
Domain record activated: 30-Sep-1985
Domain record last updated: 07-Jul-2016
Domain expires: 31-Jul-2018

Relationships
Description
A high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

186.169.2.237

Ports
Whois

Relationships
Description
A high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761

Tags
trojan

Details
Antivirus
Yara Rules
ssdeep Matches
No matches found.

PE Metadata
PE Sections
Relationships
Description
This artifact is a malicious 64-bit Windows dynamic library called 'Vote_Controller.dll'. The file shares similar functionality with 'rdpproto.dll' above, and attempts to connect to the same ten IP addresses. 42682D4A78FE5C2EDA988185A344637D also contains the same public SSL certificate as many of the artifacts above.

The file contains the following notable strings:

---Begin Notable Strings---
CompanyName: Kamsky Co, .Ltd
FileDescription: Vote_Controller
FileVersion: 49, 0, 0, 0
InternalName: MDL_170329_x86_V06Lv3
LegalCopyright: Copyright2017
LegalTrademarks:
OriginalFileName: Vote_Controller
PrivateBuild:
ProductName: Kamsky ColdFear
ProductVersion: 17, 0, 0, 0
---End Notable Strings---

83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a

Details
Antivirus
No matches found.

Yara Rules
ssdeep Matches
No matches found.

PE Metadata
PE Sections
Relationships
Description
This artifact is a 64-bit Windows dynamic library file which shares many of the same characteristics and name (Vote_Controller.dll) as 42682D4A78FE5C2EDA988185A344637D above.

When this library is loaded it will look for the file 'udbcgiut.dat' in C:\WINDOWS. If 'udbcgiut.dat' is not found, the file will attempt connections to the same ten IP addresses described under 'rdpproto.dll' above.

One notable difference with this variant is that it uses the Windows Management Instrumentation (WMI) process to recompile the Managed Object Format (MOF) files in the WMI repository. At runtime, the malware will enumerate the drivers located in the registry at HKLM\Software\WBEM\WDM. These files are then recompiled by invoking wmiprvse.exe through svchost.exe: "C:\Windows\system32\wbem\wmiprvse.exe -Embedding".

MOF files are written in a SQL-like language and are run (compiled) by the operating system when a predetermined event takes place. Recent malware variants have been observed modifying the MOF files within the system registry to run specific commands and create persistence on the system.

Of note, the paravirtual SCSI driver for VMware Tools is also located in HKLM\Software\WBEM\WDM within a virtual image. When this driver is recompiled by the malware, VMware Tools no longer works. It cannot be determined whether this is an intentional characteristic of the malware to hinder analysis, or simply a symptom of the method used to establish persistence.

70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3

Tags
trojan

Details
Antivirus
Yara Rules
ssdeep Matches
No matches found.

PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
Description
This artifact is a malicious PE32 executable. When executed, the artifact sets up the service 'Network UDP Trace Management Service'.

To set up the service, the program drops a dynamic library, 'UDPTrcSvc.dll', into the %System32% directory. Next, the following registry keys are added:

---Begin Registry Keys---
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc  Name: Type  Value: 20
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc  Name: Start  Value: 02
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc  Name: ImagePath  Value: "%SystemRoot%\System32\svchost.exe -k mdnetuse"
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc  Name: DisplayName  Value: "Network UDP Trace Management Service"
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc  Name: ObjectName  Value: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc\Parameters  Name: ServiceDll  Value: "%SystemRoot%\System32\svchost.exe -k mdnetuse"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\mdnetuse
---End Registry Keys---

The service is started by invoking svchost.exe.

After writing 'UDPTrcSvc.dll' to disk, the program drops two additional files. Similar to 5C3898AC7670DA30CF0B22075F3E8ED6 above, the program writes the file 'udbcgiut.dat' to the victim's profile at %AppData/Local/Temp%. A second file, identified as 'MSDFMAPI.INI', is written to the victim's profile in the %AppData/Local/VirtualStore/Windows% directory. 'MSDFMAPI.INI' is also written to C:\WINDOWS. More information on the content of these files is below.

61E3571B8D9B2E9CCFADC3DDE10FB6E1 attempts the same outbound connections as 5C3898AC7670DA30CF0B22075F3E8ED6; however, the file does not contain any of the public SSL certificates referenced above.

cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f

Tags
backdoor
trojan

Details
Antivirus
Yara Rules
ssdeep Matches
No matches found.

PE Metadata
PE Sections
Relationships
Description
This artifact is a malicious 32-bit Windows dynamic library. 'UDPTrcSvc.dll' is identified as the 'Network UDP Trace Management Service'. The following description is provided:

---Begin Service Description---
Network UDP Trace Management Service Hosts TourSvc Tracing. If this service is stopped, notifications of network trace will no longer function and there might not be access to service functions. If this service is disabled, notifications of and monitoring to network state will no longer function.
---End Service Description---

The service is invoked with the command 'C:\Windows\System32\svchost.exe -k mdnetuse'. When the service is run, a modification to the system firewall is attempted: 'cmd.exe /c netsh firewall add portopening TCP 0 "adp"'.

Unlike many of the files listed above, which use a public certificate from naver.com, 'UDPTrcSvc.dll' uses a public SSL certificate from google.com.

96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

Tags
trojan

Details
Antivirus
Yara Rules
No matches found.

ssdeep Matches
Relationships
Description
'MSDFMAPI.INI' is written to C:\WINDOWS and to %UserProfile\AppData\Local\VirtualStore\Windows%. During analysis, two NULL characters were written to the file. The purpose of the file has not been determined.

d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39

Details
Antivirus
No matches found.

Yara Rules
No matches found.

ssdeep Matches
No matches found.

Description
This artifact contains a public SSL certificate from naver.com, similar to many of the files above. The payload of the file appears to be encoded with a password or key. No context was provided with the file's submission.

Relationship Summary
Recommendations
CISA would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
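The host indicators described for the PE32 dropper, 'UDPTrcSvc.dll', 'udbcgiut.dat' and 'MSDFMAPI.INI' above can be checked for on a Windows endpoint with the triage script below. It is an added example, not part of the MAR: it assumes an elevated PowerShell 5+ session with the NetSecurity module available, and that the legacy netsh command creates a rule visible under the name 'adp'; the permanent WMI subscription listing is a general check for MOF-based persistence, not a claim that these samples create one.

```powershell
# Added triage example (not from the MAR): look for the HOPLIGHT host
# indicators described in this report. Run from an elevated PowerShell
# session. Indicator names come from the report; the NetSecurity lookup and
# the 'adp' rule name are assumptions about how the host presents them.
$findings = @()

# 1. Service key and svchost group written by the PE32 dropper
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\UDPTrcSvc'
if (Test-Path $svc) {
    $findings += "Service key present: $svc"
    $params = Get-ItemProperty "$svc\Parameters" -ErrorAction SilentlyContinue
    if ($params.ServiceDll) { $findings += "  ServiceDll = $($params.ServiceDll)" }
}
$svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groups = Get-ItemProperty $svchost -ErrorAction SilentlyContinue
if ($groups -and $groups.PSObject.Properties.Name -contains 'mdnetuse') {
    $findings += "svchost group 'mdnetuse' present under $svchost"
}

# 2. A live svchost.exe hosting that group
Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" |
    Where-Object { $_.CommandLine -match '-k\s+mdnetuse' } |
    ForEach-Object { $findings += "svchost.exe PID $($_.ProcessId): $($_.CommandLine)" }

# 3. Files the samples drop (System32 DLL, udbcgiut.dat, MSDFMAPI.INI)
$paths = @(
    "$env:SystemRoot\System32\UDPTrcSvc.dll",
    "$env:SystemRoot\udbcgiut.dat",
    "$env:SystemRoot\MSDFMAPI.INI",
    "$env:LOCALAPPDATA\Temp\udbcgiut.dat",
    "$env:LOCALAPPDATA\VirtualStore\Windows\MSDFMAPI.INI"
)
foreach ($path in $paths) {
    if (Test-Path $path) {
        $hash = (Get-FileHash $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}
# 4. Firewall opening made by the service DLL (netsh ... add portopening TCP 0 "adp")
if (Get-NetFirewallRule -DisplayName 'adp' -ErrorAction SilentlyContinue) {
    $findings += "Firewall rule named 'adp' present"
}
# 5. Permanent WMI event subscriptions, where MOF-based persistence usually lands
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding `
    -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "WMI binding: $($_.Filter) -> $($_.Consumer)" }

if ($findings.Count) { $findings } else { 'No HOPLIGHT host indicators found.' }
```

Some hosts carry legitimate entries in root\subscription (for example vendor monitoring agents), so compare the WMI bindings against a known-good baseline before treating them as a hit.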
Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.

Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA/US-CERT's homepage at www.us-cert.gov.
Revisions
April 10, 2019: Initial version
This product is provided subject to this Notification and this Privacy & Use policy.