Inside the Dark Web by Adhikari Arun

Author:Adhikari, Arun [Adhikari, Arun]
Language: eng
Format: epub, azw3, pdf
Publisher: Arun Adhikari
Published: 2021-03-23T16:00:00+00:00

Identified TOR-based C&Cs (2)

Another major malware family that uses the Deep Web is CryptoLocker. CryptoLocker refers to a ransomware variant that encrypts victims’ personal documents before redirecting them to a site where they can pay to regain access to their files. CryptoLocker is also smart enough to automatically adjust the payment page to account for a victim’s local language and payment means. TorrentLocker—a CryptoLocker variant—makes use of TOR to host payment sites in addition to employing Bitcoin as form of payment. It shows why the Deep Web appeals to cybercriminals who are willing to make their infrastructures more robust to possible takedowns. The following screenshots are payment pages that the Deep Web Analyzer captured. Both are rendered in different languages, giving us an idea of their intended victims and origin.

Cryptolocker C&C automatically formatted for a victim in Taiwan and Italy http://ndvgtf27xkhdvezr.onion

Breakdown by Victims and Countries

The following example is related to malware that steal confidential information. In our search methodology, we look for prevalent query-string’s parameters in a short and recent time window – allowing us to identify new threats as soon as they appear in the Deep Web.

In this example, two parameters—xu and xd—experienced a surge in popularity over the past week. Xu was associated with more than 1,700 distinct values consisting of binary blobs. Further investigation revealed that xu was used by NionSpy to leak stolen credentials (online banking, etc.) that are then captured by a keylogger and posted to a dropzone in the Deep Web. Xd, meanwhile, was used to register a new infection to the botnet. This registration included information like the victim’s machine name and OS version, communicated in form of a JSON string like the following:

[REDACTED]2xx.onion:80/si.php?xd={“f155”:”MACHINE IP”,”f4336”:”MACHINE NAME”,”f7035”:”5.9.1.1”,”f1121”:”windows”,”f6463”:””,”f2015”:”1”}

By counting the queries associated with the registration, we were able to build a profile of the number of new victims per day, along with the amount of data leaked.

Automated Analysis on Prevalent Query-String Parameters

Number of new Infections (and Leaked data, in bytes) per day.

Finally, worth to mention is a banking Trojan called Dyre that uses I2P as backup options for its C&C infrastructure – normally ran using DGA on the Clear Web. This malware acts as a BHO that MiTMs onlinebanking pages at browser-level. This allows the code to back-connect from the victim to the attacker (similar to a reverse-shell approach) with the goal of granting the attacker the access to the banking portal of its victims. Accordingly to DeWA, this malware campaign introduced, over the last 6 month, 2 new operating servers and currently the number of infected victims using I2P is increased.

Traffic to Dyre’s I2P infrastructure.

References:

[1] http://blog.trendmicro.com/trendlabs-security-intelligence/the-mysterious-mevade-malware/

[2] http://blog.trendmicro.com/trendlabs-security-intelligence/defending-against-tor-using-malwarepart-1/

[3] http://blog.trendmicro.com/trendlabs-security-intelligence/defending-against-tor-using-malwarepart-2/

[4] http://blog.trendmicro.com/trendlabs-security-intelligence/steganography-and-malware-why-andhow/

[5] http://4bpthx5z4e7n6gnb.onion/favicon.ico - Vawtrak / Neverquest C&C

[6] http://ndvgtf27xkhdvezr.onion - Cryptolocker C&C

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.