FireEye has observed the certificate most recently being served on the following IPs (Table 4):
IP | Hostname | Last Seen |
104.193.252.151:443 |
vds2.system-host[.]net |
2019-04-26T14:49:12 |
185.180.196.35:443 |
customer.clientshostname[.]com |
2019-04-24T07:44:30 |
213.227.155.8:443 | 2019-04-24T04:33:52 | |
94.156.133.69:443 | 2018-11-15T10:27:07 | |
185.174.172.241:443 |
vds9992.hyperhost[.]name |
2019-04-27T13:24:36 |
109.230.199.227:443 | 2019-04-27T13:24:36 |
Table 4: Recent Test Company certificate use
While these IPs have not been observed in any CARBANAK activity, this may be an indication of a common developer or a shared toolkit used for testing various malware. Several of these IPs have been observed hosting Cobalt Strike BEACON payloads and METERPRETER listeners. Virtual Private Server (VPS) IPs may change hands frequently and additional malicious activity hosted on these IPs, even in close time proximity, may not be associated with the same users.
I also parsed an unprotected private key from the source code dump. Figure 4 and Table 5 show the private key parameters at a glance and in detail, respectively.
Figure 4: Parsed 512-bit private key
Field | Value |
bType | 7 |
bVersion | 2 |
aiKeyAlg | 0xA400 (CALG_RSA_KEYX) – RSA public key exchange algorithm |
Magic | RSA2 |
Bitlen | 512 |
PubExp | 65537 |
Modulus | 0B CA 8A 13 FD 91 E4 72 80 F9 5F EE 38 BC 2E ED 20 5D 54 03 02 AE D6 90 4B 6A 6F AE 7E 06 3E 8C EA A8 15 46 9F 3E 14 20 86 43 6F 87 BF AE 47 C8 57 F5 1F D0 B7 27 42 0E D1 51 37 65 16 E4 93 CB |
P | 8B 01 8F 7D 1D A2 34 AE CA B6 22 EE 41 4A B9 2C E0 05 FA D0 35 B2 BF 9C E6 7C 6E 65 AC AE 17 EA |
Q | 81 69 AB 3D D7 01 55 7A F8 EE 3C A2 78 A5 1E B1 9A 3B 83 EC 2F F1 F7 13 D8 1A B3 DE DF 24 A1 DE |
Dp | B5 C7 AE 0F 46 E9 02 FB 4E A2 A5 36 7F 2E ED A4 9E 2B 0E 57 F3 DB 11 66 13 5E 01 94 13 34 10 CB |
Dq | 81 AC 0D 20 14 E9 5C BF 4B 08 54 D3 74 C4 57 EA C3 9D 66 C9 2E 0A 19 EA C1 A3 78 30 44 52 B2 9F |
Iq | C2 D2 55 32 5E 7D 66 4C 8B 7F 02 82 0B 35 45 18 24 76 09 2B 56 71 C6 63 C4 C5 87 AD ED 51 DA 2ª |
D | 01 6A F3 FA 6A F7 34 83 75 C6 94 EB 77 F1 C7 BB 7C 68 28 70 4D FB 6A 67 03 AE E2 D8 8B E9 E8 E0 2A 0F FB 39 13 BD 1B 46 6A D9 98 EA A6 3E 63 A8 2F A3 BD B3 E5 D6 85 98 4D 1C 06 2A AD 76 07 49 |
Table 5: Private key parameters
I found a value named PUBLIC_KEY defined in a configuration header, with comments indicating it was for debugging purposes. The parsed values are shown in Table 6.
Field | Value |
bType | 6 |
bVersion | 2 |
aiKeyAlg | 0xA400 (CALG_RSA_KEYX) – RSA public key exchange algorithm |
Magic | RSA1 |
Bitlen | 512 |
PubExp | 65537 |
Modulus | 0B CA 8A 13 FD 91 E4 72 80 F9 5F EE 38 BC 2E ED 20 5D 54 03 02 AE D6 90 4B 6A 6F AE 7E 06 3E 8C EA A8 15 46 9F 3E 14 20 86 43 6F 87 BF AE 47 C8 57 F5 1F D0 B7 27 42 0E D1 51 37 65 16 E4 93 CB |
Table 6: Key parameters for PUBLIC_KEY defined in configuration header
Network Based Indicators
The source code and binaries contained multiple Network-Based Indicators (NBIs) having significant overlap with CARBANAK backdoor activity and FIN7 operations previously observed and documented by FireEye. Table 7 shows these indicators along with the associated FireEye public documentation. This includes the status of each NBI as it was encountered (active in source code, commented out, or compiled into a binary). Domain names are de-fanged to prevent accidental resolution or interaction by browsers, chat clients, etc.
NBI | Status | Threat Group Association |
comixed[.]org | Commented out | |
194.146.180[.]40 | Commented out | |
aaaabbbbccccc[.]org | Active |
|
stats10-google[.]com | Commented out | |
192.168.0[.]100:700 | Active |
|
80.84.49[.]50:443 | Commented out |
|
52.11.125[.]44:443 | Commented out |
|
85.25.84[.]223 | Commented out |
|
qwqreererwere[.]com | Active |
|
akamai-technologies[.]org | Commented out | |
192.168.0[.]100:700 | Active |
|
37.1.212[.]100:700 | Commented out |
|
188.138.98[.]105:710 | Commented out | |
hhklhlkhkjhjkjk[.]org |
Compiled |
|
192.168.0[.]100:700 | Compiled |
|
aaa.stage.4463714.news.meteonovosti[.]info | Compiled | DNS infrastructure overlap with later FIN7 associated POWERSOURCE activity |
193.203.48[.]23:800 | Active |
Table 7: NBIs and prevously observed activity
Four of these TCP endpoints (80.84.49[.]50:443, 52.11.125[.]44:443, 85.25.84[.]223, and 37.1.212[.]100:700) were new to me, although some have been documented elsewhere.
Conclusion
Our analysis of this source code dump confirmed it was CARBANAK and turned up a few new and interesting data points. We were able to notify vendors about disclosures that specifically targeted their security suites. The previously documented NBIs, Windows API function resolution, backdoor command hash values, usage of Windows cabinet file APIs, and other artifacts associated with CARBANAK all match, and as they say, if the shoe fits, wear it. Interestingly though, the project itself isn’t called CARBANAK or even Anunak as the information security community has come to call it based on the string artifacts found within the malware. The authors mainly refer to the malware as “bot” in the Visual Studio project, filenames, source code comments, output binaries, user interfaces, and manuals.
The breadth and depth of this analysis was a departure from the usual requests we receive on the FLARE team. The journey included learning some Russian, searching through a hundred thousand of lines of code for new information, and analyzing a few dozen binaries. In the end, I’m thankful I had the opportunity to take this request.
In the next post, Tom Bennett takes the reins to provide a retrospective on his and Barry Vengerik’s previous analysis in light of the source code. Part Four of CARBANAK Week is available as well.
...more