Update on GoodMan

I discovered the GoodMan campaign on January 20th, 2017. You can read a detailed report on GoodMan HERE. Since March 2017 I’ve seen more domains being registered by “goodmandilaltain@gmail.com”, and I’ve recorded GoodMan delivering Sage 2.2 ransomware, ZeusVM, something with a file description of “Neighbur Readiness Ransomware,” and now what looks like LatentBot.

Below is a list of some recent domains being registered to goodmandilaltain@gmail.com:

Domain                    Registered On
t00lz.biz                 4/18/2017
traffic-one.us            4/15/2017
newsbusters.us            4/15/2017
alooki.us                 4/14/2017
vicals.net.in             4/3/2017
vicals.ind.in             4/3/2017
vicals.gen.in             4/3/2017
vicals.co.in              4/3/2017
n1shop.net.in             3/31/2017
adobeflashpayer.net.in    3/29/2017
sipasalar.net.in          3/24/2017

t00lz.biz is the newest domain to be registered to goodmandilaltain@gmail.com. Here is an image of the page:

[Image: t00lz.biz page]

Furthermore, many of the newer domains are being hosted at 31.7.63.186. For example:

Domain            First Seen         Last Seen
vicals.pw         4/10/2017 0:00     4/26/2017 12:00
traffic-one.us    4/25/2017 12:17    4/26/2017 0:00
vicals.ind.in     4/26/2017 0:00     4/26/2017 0:00
vicals.in         4/26/2017 0:00     4/26/2017 0:00
pinktube.pro      4/16/2017 0:00     4/24/2017 22:05
vicals.co.in      4/11/2017 0:00     4/24/2017 17:36
badboys.net.in    4/4/2017 19:18     4/21/2017 18:01
vicals.gen.in     4/14/2017 0:00     4/21/2017 1:01
vicals.net.in     4/5/2017 16:17     4/11/2017 9:58
londaybaz.pro     4/8/2017 9:28      4/9/2017 0:00

I also located a login panel for what could be a TDS on 31.7.63.186:

[Image: login panel on 31.7.63.186]

Here is a run that I did on April 6th using the gate anyfucks.biz:

[Image: Traffic 1, capture of the April 6th run]

The request to anyfucks.biz returned a 302 Moved Temporarily and pointed to the RIG exploit kit landing page:

[Image: GET 1, request to anyfucks.biz and 302 redirect]

IOCs:

  • 89.45.67.239 – anyfucks.biz – GoodMan
  • 94.177.123.96 – bestdoosales.design – RIG exploit kit
  • 179.43.188.170 – ddobnajanu.club – GET /smk/gate.php – ZeusVM drop URL
  • 179.43.188.170 – ddobnajanu.club – GET /smk/config.jpg – ZeusVM configuration URL
  • 89.45.67.239 – anyfucks.biz – GET /admin1/config.jpg – ZeusVM configuration URL

179.43.188.170 appears to be used by the GoodMan actor(s) as they’ve been using it to host various GoodMan domains:

Domain                    First Seen         Last Seen
pinktube.pro              4/26/2017 11:00    4/27/2017 15:14
anythingtds.com           4/7/2017 1:18      4/26/2017 18:49
adobeflashpayer.net.in    3/31/2017 17:29    4/15/2017 21:31
neutrino-waves.biz        4/2/2017 0:00      4/9/2017 2:35
ddobnajanu.club           4/5/2017 21:30     4/8/2017 9:59

Hashes:

SHA256: 833bb209cb5aa6d0c57f4a07b434d3564ca52c4455a30b5ccbaceebffbbc0ff1
File name: bestdoosales.design RIG EK landing page on 040617.txt

SHA256: f5be3eb33c9b6759f3609da0240920184154907f6950e9d885bdf1fd96340e15
File name: bestdoosales.design RIG EK Flash Expoit from 040617.swf

SHA256: 114dacb58a3021f26cc34b8c3ee132e654eb555cc63acbd7e4e064cb90e22eaa
File name: 636nowar.exe
Hybrid-Analysis Report

Malicious Artifacts.zip

According to Cybercrime Tracker, the ZeusVM panels for this domain were set up at the following locations:

  • 86.127.137.250 – ddobnajanu.club/smk/cp.php?m=login
  • 178.54.248.165 – ddobnajanu.club/haseeb/cp.php?m=login

You might remember that anyfucks.biz was running a Keitaro TDS and now it appears it was involved in hosting numerous ZeusVM configuration files too.

The next run I did was on April 20th:

[Image: Traffic 2, capture of the April 20th run]

In the list of GoodMan gates at the beginning of this article you can see another domain, alooki.us.

Like before, anyfucks.biz redirected my host to the RIG exploit kit landing page via a 302 Moved Temporarily. The payload it dropped had the file description “Neighbur Readiness Ransomware”.

IOCs:

  • 89.45.67.239 – anyfucks.biz – GoodMan
  • 86.105.227.14 – alooki.accountant – RIG exploit kit

Hashes:

SHA256: 1477aa570ea05278d40043ba0013dd738656aedfd1db69fbb6f77fd7e056188f
File name: alooki.accountant RIG Exploit Kit landing page from 042017.txt

SHA256: 81f03f9752289260b4007fc1cee12e78225a106dc7d5ad1f02a2a4b549620cce
File name: alooki.accountant RIG Flash Exploit from 042017.swf

SHA256: f69e7e7ea7231315aa7880ec39d14ee41b4fb39c56f45d172a38a47bee5e5883
File name: dkwahkhr.exe
Hybrid-Analysis Report

Malicious Artifacts 2.zip

I did a couple more runs on April 20th, 2017; for those, however, I used the GoodMan gate hurtmehard.net. All of my runs using hurtmehard.net resulted in me getting what looks like LatentBot. Below is an image of the traffic I collected on April 20th:

[Image: Traffic 3, captures of the hurtmehard.net runs on April 20th]

And here is an image of the GoodMan iframe found on hurtmehard.net:

[Image: GoodMan gate iframe on hurtmehard.net]

IOCs:

  • 188.215.92.104 – hurtmehard.net – GoodMan
  • 188.225.34.196 – time.equishousing.net – RIG exploit kit (run 1)
  • 188.225.34.196 – one.equishousing.org – RIG exploit kit (run 2)
  • 188.225.36.196 – set.japanbioenergy.com – RIG exploit kit (run 3)
  • 37.72.175.221 – LatentBot C2 traffic via port 80 and 443

Hashes:

SHA256: 0d0904548cbdae888d816d45127603997b4a464b31411bbf1ccb26e10ec7e479
File name: time.equishousing.net RIG EK landing page from 042017.txt

SHA256: 021e5a8ac070ff34aace3b1dbef6ee383f3dbf418c56efda6f4211eb75f0a482
File name: time.equishousing.net RIG Flash Exploit.swf

SHA256: 7d283442cc759e3e21717aa0f37021400e8d70d20ab9a32a2832a3fb80ea9ff0
File name: q4k5g9k6.exe
Hybrid-Analysis Report

2nd Run
SHA256: 6c07b7a17eb9b51885996ba798717d5319f223e92b598781adb7ecce45ee02dc
File name: tnvedfj.exe
Hybrid-Analysis Report

3rd Run
SHA256: a3222208a966b9d88965d629dbe6ad245f606bb46cc4c0427c9de17d9a9b1b75
File name: i0yvp6c4.exe
Hybrid-Analysis Report

Malicious Artifacts 3.zip

The C2 traffic generated some ET alerts:

  • ET TROJAN Win32/Hyteod CnC Beacon
  • ET POLICY HTTP traffic on port 443 (POST)
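As an added example (not part of the original post), here is a small Python detector that runs the indicators from all three runs above over constructed HTTP proxy log lines: it labels each hit (GoodMan gate 302, RIG landing host, ZeusVM gate/config paths, LatentBot C2 IP) and flags any client that shows the gate-redirect-then-RIG chain seen in the captures. The log layout is an assumption made for the example.

```python
import re
from collections import defaultdict

# Indicators as listed in this post (April 2017 runs).
GATE_HOSTS = {"anyfucks.biz", "hurtmehard.net"}
RIG_HOSTS = {"bestdoosales.design", "alooki.accountant", "time.equishousing.net",
             "one.equishousing.org", "set.japanbioenergy.com"}
ZEUSVM_PATHS = {"/smk/gate.php": "ZeusVM gate", "/smk/config.jpg": "ZeusVM config",
                "/admin1/config.jpg": "ZeusVM config"}
C2_IPS = {"37.72.175.221": "LatentBot C2"}

# Assumed (constructed) log layout: client method host path status dst_ip
LOG_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+) (\d{3}) (\S+)$")

def classify(line):
    """Return (client, label) when a line matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, host, path, status, dst = m.groups()
    if host in GATE_HOSTS and status == "302":
        return client, "GoodMan gate redirect"
    if host in RIG_HOSTS:
        return client, "RIG EK landing/exploit"
    if path in ZEUSVM_PATHS:          # config.jpg was also served from the gate host
        return client, ZEUSVM_PATHS[path]
    if dst in C2_IPS:
        return client, C2_IPS[dst]
    return None

def scan(lines):
    """Group labelled hits per client; list clients showing gate 302 -> RIG landing."""
    hits = defaultdict(list)
    for line in lines:
        found = classify(line)
        if found:
            hits[found[0]].append(found[1])
    chains = [c for c, labels in hits.items()
              if "GoodMan gate redirect" in labels and "RIG EK landing/exploit" in labels]
    return dict(hits), chains

# Constructed sample log, not real capture data.
SAMPLE_LOG = """\
10.0.0.5 GET anyfucks.biz / 302 89.45.67.239
10.0.0.5 GET bestdoosales.design /index.php 200 94.177.123.96
10.0.0.5 GET ddobnajanu.club /smk/config.jpg 200 179.43.188.170
10.0.0.7 GET example.org /index.html 200 93.184.216.34
10.0.0.9 POST 37.72.175.221 /x.zip 200 37.72.175.221""".splitlines()
```

Run `scan(SAMPLE_LOG)` to see the per-client labels and the one client that completed the gate-to-RIG chain.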

The payload was dropped in %Temp% and copied to AppData\Local\Microsof\Windows.

There are also some .tmp text files created in %Temp% which contain some encoded data.

There is a detailed FireEye report on LatentBot which can be found HERE. The report shows how the GET requests for .ZIP files are actually modules pretending to be ZIP files. These files are encoded data that are saved into the following subkeys located at HKCU\Software\Google\Update\network\secure:

[Image: registry latentbot, subkeys under HKCU\Software\Google\Update\network\secure]

Malicious plugins found in the registry

  1. FtUFJu5xP3C = Formgrabber (steals user typed data in forms)
  2. hdtWD3zyxMpSQB = Bot_Engine (base module)
  3. l551X+rNDh3B4A =
  4. QdG8eO0qHI8/Y1G = Send_report
  5. QdW/DoI2F9J = Security (searches for AV software and tools)
  6. RRrIibQs+WzRVv5B+9iIys+17huxID = Remote_desktop_service (allows remote access to victim’s machine via RDP)
  7. VRWVBM6UtH6F+7UcwkBKPB = Vnc_hide_desktop

According to the FireEye report the VNC plugin has the following functionality:

  • Implements a keylogger
  • ICMP requests
  • MBR wiper
  • Hidden VNC remote desktop
  • Manipulate the desktop
  • Intercept mouse events

Additional keys:

[Image: registry latentbot 2]

HKCU\Software\Google\Common\Rlz\Events

[Image: registry latentbot 3]

HKCU\Software\Adobe\Adobe Acrobat

I also found an entry in Run which is used for persistence:

[Image: Run key entry]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Until next time!

Other References:

https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/
