### Battle Against Ursnif Malspam Campaign targeting Japan

###### Ken Sajo: JPCERT/CC
###### Yasuhiro Takeda: Mizuho Financial Group, Inc.
###### Yusuke Niwa: Itochu Corporation
###### ばらまきメール回収の会

-----

### Agenda

1. Introduction
2. Abstraction of malspam
3. Threat analysis with the diamond model
4. Active defense
5. Countermeasures against malspam
6. Summary

-----

### 1-1. Who we are

▪ We are members of a community called "ばらまきメール回収の会", made up of individual researchers tracking malspam.
▪ The community consists of CSIRT members on the user side and security researchers on the vendor side.

##### Motivation
To reduce the damage caused by malspam in Japan.

##### Activity overview
Organizations that receive malspam quickly share it, analyze it together, and publicly release the information needed for countermeasures.

-----

### 1-2. Today's topic

▪ Analysis of the malspam campaign
▪ Analysis of the threat actors
▪ Countermeasures against malspam

In today's presentation we focus on the Ursnif malspam campaign, because it has been the most prominent campaign since 2017.

-----

### 2. What is malspam?

##### Our definition of malspam
Email in Japanese, delivered indiscriminately to Japan in order to infect hosts with malware.

*Malspam leads to malware infection through attachment files or suspicious links.

-----

### 2-1. History of malspam in Japan

##### Malspam targeting Japan

|Year|Campaign|
|---|---|
|May 2014|VAWTRAK|
|Oct 2015|Shifu (Angler EK)|
|Dec 2015|Bebloh|
|Mar 2016 – Jun 2019|Ursnif|
|Sep 2019|Emotet|

-----

# Ursnif (a.k.a. Gozi, Snifula, ISFB, Papras, Dreambot)

▪ Banking Trojan
▫ Appeared in 2006 globally (Japan: 2016)
▫ Steals financial account credentials during online payment by injecting fake pages
▫ Targets the accounts of financial companies in Japan
▫ Also steals credentials such as email and browser data on the host
▪ Infection route
▫ Email
▫ Web
▫ Other

-----

### Monthly trends

[Chart: number of malspam occurrences per month (ばらまきメールの発生回数)]

-----

### Campaign overview

We classified this campaign into 4 phases, up to the fraudulent remittance:

1. Delivery of malspam
2. Ursnif download
3. Ursnif infection (delivery of the WebConfig)
4. Fraudulent remittance

[Diagram, repeated once per phase on the original slides: the Spam + CutWail downloader and the CutWail C2 deliver the malspam; the victim downloads Ursnif; Ursnif receives the WebConfig from Ursnif-C2 and steals information (bank accounts, credit card info) by web injection on bank sites etc.; the stolen data goes to the manipulation server.]

-----

### Two threat actors

We believe there are 2 threat actors targeting Japan, based on their TTPs (delivery method, infection process, C2 domains etc.).
##### Group-A
▪ Group-A uses attached xls files for Ursnif infection

##### Group-B
▪ Group-B uses suspicious URLs for Ursnif infection

-----

### Characteristics of each group

|Classification|Group-A|Group-B|
|---|---|---|
|Email contents|Deceived invoice email|Deceived EC / bank email|
|Delivery route|Only Cutwail|Mainly Cutwail|
|Attachment files|xls with macro (multiple obfuscation)|js file in link|
|Malware|Bebloh + Ursnif (Gozi)|Ursnif (Dreambot)|
|Target|3 banks|30 banks, 9 credit card companies|

-----

### 3. Threat analysis for the malspam campaign

##### TTPs and threat actor analysis based on the diamond model

▪ Adversary: target, division of roles
▪ Infrastructure: spambot, C2
▪ Capability: maldoc, malware

-----

### Delivery method

Each threat actor has its own delivery method.

▪ Group-A
▫ Cutwail-A
▪ Group-B
▫ Web (EK)
▫ Cutwail-A
▫ Cutwail-B
▫ Compromised email account
▫ Reply type
▫ Emotet

-----

### 3.1.1. Cutwail

A spambot that scatters malspam on the threat actor's orders.

▪ Two Cutwail malware variants aimed at Japan have been observed. We call the older one Cutwail-A and the newer one Cutwail-B.
▪ Each Cutwail variant communicates with a different C2 IP address.
-----

### Cutwail (a.k.a. Pandex, Harebot, Pushdo)

▪ Spam bot
▫ Appeared in 2007 globally (Japan: 2016)
▫ Still active (more than 10 years)
▫ Gets email contents and target email addresses from the C2
▫ Sends directly over SMTP to the recipient's mail server
▫ Two C2 servers are still active
▪ Infection route
▫ Pushdo downloads Cutwail
▫ Pushdo is delivered as an additional payload after Bebloh

-----

| |Cutwail-A|Cutwail-B|
|---|---|---|
|Operation period|2007 – current|2017/09 – current|
|Target (2016 – current)|Japan, Italy, Poland, Germany, Spain|Only Japan|
|Infection volume|10,761 (based on sinkhole observation, 2019/03/13; A and B combined)||
|Delivery capability (assumption)|20 million emails per run|300 million emails per run|
|Email characteristics|Attachment file|Mainly URL, phishing (rarely attachment file)|

-----

### Cutwail-A

▪ This malware appeared in 2007.
▪ Main target is Japan.
▫ Also Italy, Poland, Germany and Spain.
▪ Delivers malspam with an xls attachment.
▫ In Japan the attached xls leads to a Bebloh download.
▪ Cutwail-A is trying to extend its infrastructure.
▫ On 29th Jul 2019 we confirmed a recent malspam campaign pretending to be DHL, delivered via Ursnif.

-----

### Cutwail-B

▪ This malware was created for Japan in Sep. 2017; Ursnif-B dropped Cutwail-B in that period.
▪ Malspam from Cutwail-B was distributed only to Japan.
▪ The emails carry URLs that lead to a malware download.
▪ Since Jan. 2019 only phishing email for Japan has been observed.

-----

### 3.1.1.3. Delivery capability of malspam by Cutwail

Estimated delivery capability of Cutwail, based on our observation:

| |Cutwail-A|Cutwail-B|
|---|---|---|
|Delivery volume per host|5,000 malspams|50,000–60,000 malspams|
|Infected hosts|4,000|6,000|
|Delivery capability|20 million malspams|300 million malspams|

Number of infected hosts from the sinkhole: 10,761 (2019/03/13, A and B total).

-----

### Web (EK)

▪ Not only malspam: drive-by download attacks were also used.
▪ Websites compromised by the attacker served the attack.

-----

### Delivery: attached zip

▪ Subject: deceived invoice email in Japanese
▪ Contents: text in Japanese with an attached zip archive
▪ Infection process: the zip archive contains the malware

-----

### Delivery: attached zip (invoice / delivery service)

▪ Subject: deceived invoice / delivery service email etc. in Japanese
▪ Contents: text in Japanese with an attached zip archive
▪ Infection process: attachments gradually change to zip f

-----

### Delivery: attached xls with macros

▪ Subject: deceived invoice email in Japanese
▪ Contents: text in Japanese with an attached xls containing macros
▪ Infection process: the macros, increasingly obfuscated for anti-analysis, lead to the Ursnif download

-----

### Delivery: deceived EC site email

▪ Subject: deceived confirmation email from an EC site, in Japanese
▪ Contents: the malspam copies the original email, so it is hard to tell the fake from the real one
▪ Infection process: f

-----

### Delivery: short reply-style email (2019/04 – 2019/07)

▪ Subject: Re:, Fw:, Fw:Jin'in sakugen (staff reduction) etc.
▪ Contents: one or two words in the email, with an attached zip or rar archive
▪ Infection process: the zip or rar archive contains a js or vbs file that leads to Ursnif infection

-----

### Reply type

An attached html file posing as a reply-chain email. A malicious URL in the html downloads a zip archive containing a js file, which leads to Ursnif infection. This method was observed in

-----

### Emotet

Emotet delivered Ursnif as a follow-up malware. This Ursnif was operated by Group-B, and the targets were not changed.

→ Group-B used a different delivery route via Emotet.

-----

### Transition of lures

[Timeline: deceived invoice emails with poor Japanese expressions → change from link to attachment file → deceived EC email that could be copied from a genuine one → reply-chain mail → relying on Emotet]

-----

### Transition of delivery infrastructure

[Timeline: Cutwail-A targets Japan, Poland and Italy, then Japan, Poland, Germany, Spain and Italy, then Japan, Poland and Germany; a new botnet for Japan (Cutwail-B) appeared; the actor delivers to Japan with compromised email accounts; Cutwail-B delivers phishing email]

-----

### Capability

3.1.1 Maldoc analysis
3.1.2 Bebloh analysis
3.1.3 Ursnif analysis

-----

### Transition of attachments and infection chains

[Timeline, Group-A: attached xls with macros → macros got more obfuscated → attached zip containing Bebloh (exe) → changed from URL to attachment file (doc); each step infects Bebloh, then Bebloh → Ursnif]

[Timeline, Group-B: attached zip (exe) (Ursnif) → URL leads to js → zip archive contains js or vbs → js in doc leads to zip (js) → attached html file leads to a zip archive containing a js file → via Emotet; each step infects Ursnif directly; Ursnif updated to version v3]

-----

### Summary of infection methods

##### Group-A
Cutwail-A infects hosts with Bebloh via an xls attachment; Bebloh then infects the host with Ursnif. Obfuscation and anti-analysis have been enhanced since October 2018.

##### Group-B
The attacker infects hosts with Ursnif mainly from js files, using various delivery methods.

-----

### 3.2.2. Highly obfuscated approach for attachments

4 sophisticated methods for anti-analysis:

1. Multiple obfuscations → repeated use of Invoke-DOSfuscation / Invoke-Obfuscation
2. Steganography → Invoke-PSImage
3. Injecting Bebloh into explorer.exe → Invoke-ReflectivePEInjection
4. Checking the execution environment (only runs in a Japanese environment)

[Slides showing samples of 1. Invoke-Obfuscation and 2. Invoke-PSImage output, and a collection of the steganography images]

-----

### Bebloh analysis

Group-A used Bebloh only as a downloader for Ursnif.

▪ Geofencing technique for Japan
▪ Downloads not just Ursnif but also Pushdo
▪ Detection avoidance for Bebloh and Ursnif

|Date|File type|Infection method|
|---|---|---|
|Oct. 2018 – Nov. 2018|exe|Downloading from URL|
|18th Dec. 2018 – 7th May 2019, 17th Jun. 2019|dll|Download Ursnif binary data encrypted with XXTEA from Bebloh's C2 and decrypt it on the host|
|27th May 2019 – 5th Jun. 2019|exe|Download Ursnif binary data encrypted with XXTEA from Bebloh's C2 and decrypt it on the host|

-----

### 3.2.4 Ursnif analysis

Classified by the configuration information (version, ID) visible in the URL query.

|SerpentKey|Date|Version|BotnetID|soft|
|---|---|---|---|---|
|CBA16FFC891E31A5|2018/7/2 – 2018/10/24|version=300016|id=1000|soft=1|
||2018/10/30|version=300017|id=1000|soft=1|
||2018/11/6|version=300018|id=1000|soft=1|
|A0511F7C891131A8|2019/2/18 – 2019/2/20|version=300030|id=1000|soft=1|
||2019/2/28|version=300035|id=1000|soft=1|
|CBA17F7E892431A1|2019/4/3|version=300036|id=1000|soft=1|
||2019/4/23|version=300051|id=1000|soft=1|
||2019/5/7|version=300052|id=1000|soft=1|
||2019/5/27|version=300054|id=1000|soft=1|
||2019/5/30|version=300055|id=1000|soft=1|
||2019/6/17|version=300058|id=1000|soft=1|
|s4Sc9mDb35Ayj8oO|2018/7/18|version=216996|id=201872|soft=1|
||2018/12/11 – 2018/12/28|version=216996|id=201810|soft=1|
||2019/1/21|version=216056|id=1000|soft=3|
||2019/4/15 – 2019/5/21|version=217068|id=1002|soft=1|
||2019/5/22|version=217068|id=1010|soft=1|
||2019/6/3 – 2019/6/4|version=217068|id=1002|soft=1|
||2019/6/12 – 2019/6/19|version=217068|id=1000|soft=1|
||2019/7/16|version=217068|id=1006|soft=1|

-----

### 3.2.4 Ursnif analysis: Ursnif-A

Ursnif-A is delivered by Bebloh. The SerpentKey was changed occasionally:

|Date|SerpentKey|
|---|---|
|2016/11 – 2017/02|0WADGyh7SUCs1i2V|
|2018/03/13 – 2018/11/06|CBA16FFC891E31A5|
|2019/01/24 – 2019/03/06|A0511F7C891131A8|
|2019/04/23 –|CBA17F7E892431A1|

We believe that Group-A developed Ursnif-A uniquely for Japan: compared to other Ursnif builds, this Ursnif has a different config. The version number of Ursnif-A is incremented every time malspam was

-----

### 3.2.4 Ursnif analysis: Ursnif-B

▪ Dreambot (Ursnif-B) is delivered from the attachment file
▪ SerpentKey = "s4Sc9mDb35Ayj8oO"
▪ Provided as Crime-as-a-Service
▪ We believe Group-B used Ursnif-B, based on our long-term observation

-----

### SerpentKey timeline

[Timeline of observed SerpentKeys: s4Sc9mDb35Ayj8oO, CBA16FFC891E31A5, A0511F7C891131A8, 0WADGyh7SUCs1i2V, CBA17F7E892431A1, 0123456789ABCDEF, Gu9foUnsY506KSJ1]

-----

### Infrastructure: C2 domains

The C2 domains from 2015 – 2017 were registered with a specific email address.

-----

### Characteristics of the C2 domains (2019/5 –)

|ASN|62088|
|---|---|
|IP|5.8.88.0/24, 5.188.231.0/24|
|Registrar|Eranet International Limited|
|NameServer|a.dnspod.com|
|Registrant organization|Wang Wiet / MYOB Technology Pty Ltd|

-----

### Infrastructure: web host and FastFlux

▪ The web host serving Ursnif-B downloads has many domains on one IP address.
▪ Group-B used FastFlux infrastructure for Ursnif-B's C2 domains. This threat actor used to use DarkCloud and now uses SandiFlux (a.k.a. BrazzzzersFF).
▪ [FastFlux] The IP addresses associated with the C2 keep changing over short periods.

-----

### Ursnif botnet scale

▪ Ursnif-A: 90,000 IPs (2016) (*based on sinkhole observation)
▪ Ursnif-B: 45,848 in Japan out of approx. 60,000 (2019/04, SAS2019)

-----

### Target list in the WebInjectionConfig

▪ Group-A: 10 domestic banks and a common system used by several domestic banks
▪ Group-B: 30 domestic banks, 11 credit card companies, 8 cryptocurrency exchanges and 4 other companies

[Chart: number of targeted banks, credit card companies, cryptocurrency exchanges and other companies in the WebInjectionConfig over time]

-----

### Target countries

■ Group-A: target countries of Cutwail-A: Japan, Italy, Poland, Switzerland and Germany
■ Group-B: countries in the WebInjectionConfig of Ursnif-B: Japan, Poland, Italy and Bulgaria

-----

### 3.5.1. Adversary

We consider that the adversary has an organizational structure. We are not sure how strong the connections between the roles below are.

① Cutwail operator
② Maldoc developer
③ Malware developer / malware user
④ Domain acquirer

[Diagram mapping the roles onto the campaign: ①② TA544 (NARW Spider) is in charge of malspam delivery (spam + CutWail downloader, CutWail C2); ③ uses Dreambot as a service (link → download Ursnif → steal information via Ursnif-C2 / WebConfig → manipulation server); ④ uses BraZZZerS]

-----

### Diamond model: Group-A (adversary TA544)

▪ 1. Delivery of malspam
▫ Infrastructure: spambot Cutwail-A (also delivers to Italy and Poland), malspam server
▫ Capability: deceived invoice, attached macro xls
▪ 2. Ursnif download
▫ Capability: multiple obfuscation, use of steganography, environment check, execution of obfuscated PowerShell, use of Bebloh
▫ Infrastructure: Bebloh C2 on a specific AS, communication by PowerShell
▪ 3. Ursnif infection (delivery of the WebConfig)
▫ Infrastructure: Ursnif C2, manipulation server
▫ Behavior: checks the target environment, rarely delivers the WebConfig; distribution instructions deliver the target config etc.
▫ Actor ID, Ursnif version/build etc.
▪ Victim

-----

### Diamond model: Group-B

▪ 1. Delivery of malspam
▫ Infrastructure: spambot Cutwail-B
▫ Capability: deceived Rakuten / bank email, doc/js/vbs
▪ 2. Ursnif download
▫ Capability: obfuscation (easy), execution of obfuscated PowerShell
▫ Infrastructure: FastFlux, communication by PowerShell
▪ 3. Ursnif infection (delivery of the WebConfig)
▫ Infrastructure: Dreambot C2, manipulation server
▫ Distribution instructions: deliver the target config etc.; config also for Italy, Poland and Bulgaria
▫ Actor ID, Ursnif version/build etc.
▪ Victim

-----

### 4. Active defense

Not just defending: a technique for taking a step forward and defending better, making it harder for the threat actor to attack.

The US Department of Defense defines active defense as: "The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy." (US DoD)

-----

### Active defense actions

|Actor|Method|Period|Result|
|---|---|---|---|
|A, B|IoC sharing (Twitter)|2018/06|Stopped for a few months|
|A, B|Monitoring Cutwail|2018/12|Early warning and sharing|
|B|Acquired C2 domains by DGA|2018/12 – 2019/01|Prevented communication to C2|
|B|Sinkholed DGA domains|2019/03|Reduced infected hosts|
|B|Coordination of compromised email accounts|2019/05 – 07|Changed delivery method|
|A|C2 domain prediction|2019/05 – 07|Changed delivery method|

-----

### IoC sharing

##### Group-B

Early information sharing about malspam enables each organization to block the IoCs from its own analysis:

▪ Email subject
▪ Attachment file information
▪ Link information
▪ Malicious destination

This campaign stopped for a few months; the malspam got more sophisticated after the break.

-----

### Monitoring Cutwail

##### Group-B

▪ We are monitoring the malspam sending operation of Cutwail in our bot farm.
▫ Analyzing and decrypting the communication protocol to obtain the malspam templates
▪ The biggest advantage is getting malspam information ASAP (e.g. we can identify all malspam subjects that share the same hash value of the attached file).

-----

### Acquiring DGA domains

Ursnif-B used C2 domains generated by a DGA in Dec. 2018.

▪ Analyzed the DGA
▪ Preemptively acquired the domains and prevented C2 communication
▪ Identification and notification of infected hosts

The campaign stopped until Apr. 2019.

-----

### Coordination of compromised email accounts

▪ Group-B used a delivery route via compromised email accounts.
▪ We extracted the source IP from the received mail and notified the owners.
▫ Mainly old domestic email accounts were compromised.
▪ This delivery channel has been retired for several months due to continual coordination (60 cases).

-----

### C2 domain prediction

▪ Bebloh's C2 domains have characteristic patterns.
▪ We predict the C2 domain and check whether its IP is used for C2 before the malspam is spread.
▪ Domain prediction enables continuous monitoring of the C2 before the malspam is spread.
▪ Sinkhole implementation for Bebloh's DGA domains.

The malspam campaign targeting Japan has been stopped since 2019/06.

-----

### 4.5 C2 domain analysis

Observation of C2 response contents and response time by pseudo-Bebloh access.

[Chart legend: N/A; unavailable to download Ursnif; available to download Ursnif; no name resolution; C2 down]

No response at night (JST).

-----

### Transition of C2 domains used in Bebloh's DGA

|Date|TLD by DGA|Note|
|---|---|---|
|2018/10 – 11|.net, .com||
|2018/12/18 – 2019/5/07|.net, .com||
|2019/05/27 – 05/30|.net, .com||
|2019/06/05|.top, .com|Domain acquired by DGA|
|2019/06/17|.top, .com||

-----

### Group-A after the active defense

The malspam from Group-A on 2019/6/17 was the last for Japan. After that the targets changed: distribution to Germany, Poland and the US started, mainly in Italy.
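Two infrastructure traits the deck attributes to Group-B (a download web host with many domains on one IP, and FastFlux C2 whose IPs change within hours) can be surfaced from passive-DNS-style data. The following is an added example, not code from the presentation or the community: the resolution records, domains and addresses are constructed (reserved documentation ranges), and the thresholds are assumptions to tune against your own baseline.

```python
"""Heuristics for two Group-B infrastructure traits from the talk:
(1) a download web host serving many domains from one IP address, and
(2) FastFlux C2 domains whose IP addresses change within a short period.
Records are passive-DNS-style tuples (observed_at, domain, ip), constructed below."""
from collections import defaultdict
from datetime import datetime, timedelta


def domains_per_ip(records, min_domains=5):
    """Return {ip: sorted domains} for IPs hosting at least min_domains distinct domains.
    min_domains is an assumed threshold, not a value from the talk."""
    seen = defaultdict(set)
    for _, domain, ip in records:
        seen[ip].add(domain)
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= min_domains}


def fast_flux_domains(records, window=timedelta(hours=24), min_ips=4):
    """Return {domain: max distinct IPs seen inside any `window`} for domains reaching
    min_ips. A sliding window over time-sorted resolutions captures 'IPs keep changing
    in the short term' while ignoring slow, legitimate hosting moves."""
    by_domain = defaultdict(list)
    for observed_at, domain, ip in records:
        by_domain[domain].append((observed_at, ip))
    flagged = {}
    for domain, obs in by_domain.items():
        obs.sort()
        best, start = 0, 0
        for end in range(len(obs)):
            while obs[end][0] - obs[start][0] > window:
                start += 1          # drop resolutions older than the window
            best = max(best, len({ip for _, ip in obs[start:end + 1]}))
        if best >= min_ips:
            flagged[domain] = best
    return flagged


# Constructed sample records (reserved example domains / TEST-NET addresses).
BASE = datetime(2019, 5, 1)
SAMPLE_RECORDS = []
# FastFlux-like C2: a new IP every two hours
for i in range(6):
    SAMPLE_RECORDS.append((BASE + timedelta(hours=2 * i), "flux-c2.example", f"198.51.100.{10 + i}"))
# Static C2: the same IP for a week (the "relatively static" C2 case from section 5)
for d in range(7):
    SAMPLE_RECORDS.append((BASE + timedelta(days=d), "static-c2.example", "203.0.113.5"))
# Legitimate round-robin host alternating between two IPs: must not be flagged
for d in range(7):
    SAMPLE_RECORDS.append((BASE + timedelta(days=d), "cdn.example", f"203.0.113.{20 + d % 2}"))
# Download web host: six throwaway domains behind one IP
for i in range(6):
    SAMPLE_RECORDS.append((BASE + timedelta(hours=i), f"dl{i}.example", "203.0.113.10"))

if __name__ == "__main__":
    print("many domains per IP:", domains_per_ip(SAMPLE_RECORDS))
    print("fast-flux candidates:", fast_flux_domains(SAMPLE_RECORDS))
```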
-----

### Group-A: distribution after June 2019

[Charts: "No distribution to Japan" (two monitoring views)]

-----

### Group-B after the active defense

▪ Changed the delivery route to Emotet from 2019/09. Ursnif's WebInjectionConfig delivered via Ursnif-B and via Emotet matches, including the manipulation server's information.
▪ Group-B changed its malware from Ursnif to Trickbot from Oct. 2019 (the target lists of Ursnif-B and Trickbot match).
▪ The attackers have changed their TTPs and still continue to target Japan.

-----

### Trickbot WebInjectionConfig

Targeted companies in Japan have been added to the WebInjectionConfig since 2019/10/15. Japan accounts for around 30% of the total (rcrd = 1571300200126636 for Japan).

-----

### Trickbot gtags

Trickbot varies its gtag by the delivering malware:

▪ gtag morXX via Emotet
▪ gtag leoXX via Ursnif
▪ gtag tinXX via IcedID
▪ gtag onoXX via malspam (zip-lnk-vbs)
▪ gtag satXX via malspam (xls)

However, all gtags have the same WebInjectionConfig. The association between the groups of attackers using Trickbot is unclear.

-----

### Ursnif-B delivery by type

|Date|Type|Target|
|---|---|---|
|2019/08 – 10|Reply type (htm)|Japan, Poland|
|2019/09 – 10|As an Emotet follow-up malware|Japan|
|2019/10 – 11|Reply type (doc)|Germany, Czech Republic|
|2019/12 –|doc|Czech Republic, Poland, Bulgaria|

*SerpentKey Gu9foUnsY506KSJ1 is also used in the doc reply type for Germany and in the Emotet delivery for Japan.

-----

### 5. Countermeasures against malspam

▪ Don't allow the mail to reach the mailbox.
▪ Implement email security products and leverage IoCs.
▪ If compromised, search the proxy logs with the IoCs.
▪ Catch malspam information quickly and get the IoCs.

-----

### Mail security product

Introduce a mail security product and monitor / block on the following:

▪ Email subject
▪ Email User-Agent
▪ IP address of the mail sender
▪ Attachment name
▪ Attachment extension

e.g. the unique User-Agent of Cutwail-B

-----

### Use IoCs (Twitter)

▪ Monitor and block outbound traffic through the proxy.
▪ Malware download domains are relatively short-lived; C2 domains are relatively static.
▪ Detect Ursnif check-in traffic: `(domain)/images/(random string of 150+ characters including /).jpeg` (other extensions: .avi, .gif, .bmp)

-----

### 6. Summary

▪ The analysis of the email campaign revealed two groups and their TTPs.
▪ Analyzing their TTPs can lead to more aggressive defenses.
▪ We believe Group-A pulled out of Japan because of our active defense.

-----

# Any questions?

##### Work with the community

**[@58_158_177_102](https://twitter.com/58_158_177_102)** **[@AES256bit @sugimu_sec](https://twitter.com/AES256bit)** **[@wato_dn](https://twitter.com/wato_dn)** **[@hamasho_sec](https://twitter.com/hamasho_sec)** **[@tachi4439](https://twitter.com/tachi4439)** **[@yukitora8](https://twitter.com/yukitora8)** **[@abel1ma](https://twitter.com/abel1ma)** **@waga_tw** **[@catnap707 @autumn_good_35 @Sec_S_Owl](https://twitter.com/catnap707)**

-----
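For the Ursnif check-in pattern given in section 5 (`/images/` followed by 150+ random characters including `/`, ending in `.jpeg`, `.avi`, `.gif` or `.bmp`), the following is an added example, not part of the original deck, that scans proxy log lines for matching requests; the log layout, the hosts and the random blob are constructed, and the randomness check is an assumption added to reduce false positives from long but ordinary image paths.

```python
"""Flag Ursnif check-in requests in web-proxy logs.

Pattern from the talk: <domain>/images/<150+ random characters including '/'>.jpeg,
with .avi, .gif and .bmp also seen. The log layout below is a constructed,
Squid-like sample: '<epoch> <client_ip> <method> <url> <status>'."""
import re
from urllib.parse import urlsplit

# Encoded blob: base64-like text with '/' and '_' used as separators inside the path.
CHECKIN_RE = re.compile(r"^/images/(?P<blob>[A-Za-z0-9_\-/]{150,})\.(?P<ext>jpeg|avi|gif|bmp)$")


def looks_random(blob: str) -> bool:
    """Cheap randomness check (assumption, not from the talk): the Ursnif blob mixes
    upper case, lower case and digits and is split by '/', unlike wordy CDN paths."""
    return (any(c.isupper() for c in blob) and any(c.islower() for c in blob)
            and any(c.isdigit() for c in blob) and "/" in blob)


def is_ursnif_checkin(url: str) -> bool:
    """True when the URL path matches the check-in shape and the blob looks random."""
    match = CHECKIN_RE.match(urlsplit(url).path)
    return bool(match) and looks_random(match.group("blob"))


def scan_proxy_log(lines):
    """Return [(client_ip, host, path)] for every log line whose URL matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                      # malformed line: skip rather than crash
        client_ip, url = fields[1], fields[3]
        if is_ursnif_checkin(url):
            parts = urlsplit(url)
            hits.append((client_ip, parts.hostname, parts.path))
    return hits


# Constructed sample log: a normal image, a long wordy CDN path, one check-in-like request.
BLOB = "/".join(["xK9aQz8_mLp3Wv7TbR2"] * 9)  # 179 characters, split by '/'
SAMPLE_LOG = [
    "1561700000 10.0.0.5 GET http://www.example.com/images/logo.png 200",
    "1561700001 10.0.0.5 GET http://cdn.example.com/images/" + "product-photo-" * 15 + "large.jpeg 200",
    "1561700002 10.0.0.7 GET http://c2.example.net/images/" + BLOB + ".avi 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("possible Ursnif check-in:", hit)
```

The host of a hit is what you compare against shared IoCs; because C2 domains are relatively static, the same host recurring across clients is worth more attention than a single match.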