In 2007, Don Jackson while at SecureWorks had written about the Gozi Trojan, sharing details on the modularization and monetization strategies utilized by this family of malware. More recently, (04/04/16) Limor Kessem from IBM had also provided some interesting background on Gozi and Nymaim . Correlating the different indicators and samples, we had been able to observe different recent campaigns had started on the 14th, of April with the following campaign dates of interest:
- 2016-04-04 (The outlier in our samples appears to be 04/04/16)
- 2016-04-14
- 2016-04-15
- 2016-04-16
- 2016-04-17
- 2016-04-18
- 2016-04-19
Looking at the sample submission dates and analysis dates of malware samples related I assume 04/04/16 was an initial testing date, while 04/16-04/20/16 Present was the initial campaign. As of writing, these campaigns look to be in the stage of harvesting or reaping their rewards.
Initial analysis with MalNet transforms (querying Proofpoint Malware Threat Intelligence Data) started with the domain Ytugctbfm.com, quickly mapping historical IP addresses related to this domain, historical IP domains related to related IP addresses followed by quick correlation of URL’s requested to destination URLs and intrusion detection signatures which mapped to traffic interacting with this infrastructure.
This action plan executed through MalNet produced the following information, which aided in the creation of additional signatures for deployment within 30 minutes identifying further compromised hosts.
Over 50 related samples
Related IPs
120.141.246.205
59.113.75.77
165.203.213.15
227.62.74.109
106.101.183.217
239.136.53.139
125.39.235.103
54.215.117.195
21.26.242.199
230.69.144.59
210.178.167.198
78.179.168.84
33.38.160.238
69.174.176.249
60.174.111.134
161.122.164.10
77.110.241.82
243.117.178.204
230.72.82.230
141.26.155.248
119.59.205.148
21.45.165.216
106.232.252.86
223.51.119.26
106.56.109.186
9.230.210.22
229.223.128.1
141.165.2.45
125.135.100.83
245.253.222.236
133.43.229.183
35.148.179.188
147.39.46.164
228.26.91.81
77.35.81.113
43.165.89.184
206.177.194.44
146.16.57.61
19.47.79.242
79.143.93.69
210.71.250.92
210.18.162.216
100.136.40.71
97.131.32.147
212.173.21.173
21.221.249.200
59.116.23.197
190.131.254.94
224.233.18.131
154.58.222.139
227.158.126.214
158.164.85.22
42.65.42.11
160.50.210.158
120.143.157.23
53.149.184.23
146.155.144.91
208.104.191.196
61.80.164.23
196.50.238.90
250.234.135.152
120.90.46.148
129.195.44.149
149.190.138.206
56.88.229.228
9.25.147.129
185.38.68.7
78.19.116.135
58.2.112.64
16.128.11.246
226.140.205.75
56.99.132.100
209.157.54.87
172.118.156.144
138.20.62.204
3.214.121.126
20.113.2.244
130.241.49.41
52.191.75.129
169.67.248.157
105.140.116.186
145.102.245.167
156.153.96.47
137.118.129.181
232.240.198.6
34.21.39.163
83.243.165.100
137.149.148.12
131.9.224.53
119.242.38.179
198.105.244.11
198.105.254.11
219.27.82.78
107.68.28.38
34.185.101.206
114.206.141.64
85.143.152.139
137.113.19.102
138.24.203.114
111.27.81.172
110.157.130.69
223.76.87.76
135.160.115.170
128.75.12.17
Related FQDNs
kcrznhnlpw.com
humzka.com
magicacid.com
mlvrkarzbg.com
krlsloeohxex.com
pjhwvateyxy.com
ykyru.com
sexklfcsqwar.com
chhbxra.com
ssksxalx.com
wlefihdmss.com
mbcqjsuqsd.com
jglcrm2015.com
jiupjod.com
npmuzz.com
fwcvujuwup.com
bfpqtkp.com
bnklaq.com
ewbyuppdwn.com
mcwcly.com
viestisete.com
dgehow.com
mrjipg.com
ibjpb.com
apngwen.com
uvflerpoqgj.com
jxpucmzwdl.com
Network based Indicators
- ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)
- ET CURRENT_EVENTS WinHttpRequest Downloading EXE
- ET DNS Excessive NXDOMAIN responses – Possible DNS * Backscatter or Domain Generation Algorithm Lookups
- ET DNS Query to a *.pw domain – Likely Hostile
- ET INFO EXE IsDebuggerPresent Used in Malware Anti-Debugging()
- ET POLICY Binary Download Smaller than 1 MB Likely Hostile
- ET POLICY PE EXE or DLL Windows file download
- ET POLICY exe download via HTTP – Informational
- ETPRO TROJAN Nymaim Checkin 5
- ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (com)
- ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com)
- ETPRO TROJAN W32/Nymaim Checkin 6
- ETPRO TROJAN W32/Nymaim Checkin 7
- FILE ET magic PE32
- GPL NETBIOS SMB-DS IPC$ unicode share access
Related Malware Samples
6bf937d6dc6f013ba21432845ba32c9b
a22f5c3ef54e70c7d7949e3da66b5e42
d91de40f26bcd2efe68552724869da2a
da7d299060340656e26bb4efa92bb5a9
397b808123451d4b73f35cdd8963ccfd
93d9b8fd8f55c5374b7197d6e28976f4
a546ca918c710107350ff9aaf18ee1da
378ac244c6dfa42a57478f8b8f981685
9b5c4ee29dc194338829a3ea12de992b
408b6a6c7d91d721fabeaea822136c5b
c5c41a5ed3d4d4749f106a97478497c8
83f9583298d0a2d3ea363678af989201
902e06cca36c59116e2f8668a0f5f35c
4956c110393b2a1a389686042436d54d
11884d5ce9922ed63c059cddca0083a1
3312be0f4b58ea3675190cc485cee607
90ee4f7231f06a3ee12b89ea141f9572
7497cf761155ca5705efb5aebbeef60c
c21b2f424e2f55e49be04edeb8aab91d
03083f7638abd9dbc44325cb394a7b79
b7ba33840898c06c8eadde64e7a650cd
2c17bf8dc2ca8a5509ff577130a21e08
20d66856360264241b66afeb0bcc6399
02f912bdc8ca1bcc874773258586aa52
3d9c34b59c3be014c6c316be0eb636f5
f22e1dc002cd3ad2e7e0e1d8b47b3ab7
a8688b9bfa193963c25e4561f9998cbf
e56f2f631adbc20f022d16a4dbcc10f2
165464e8db9240aef18d970103f11409
d44396cb9e7c4404245e2c731a060fb2
8a2a531c945ae2b47f62f03cc37eb756
d99310a284e3e72f0999a2052c28e318
c1d2fdc7fed32f6ac65ac3da19f36e90
5498ad4951aab02c55b86f7593506e01
1aa636e2a3deb20968bdef3c5039ad64
e897d86ddd8c12142832aad0687f68b9
92da2294bf5f96d07b646c538a160fc6
3906ee82e3f861e37ff706be484315f4
b51f4b8792c38ad781c7c2a00ba5f4ed
996bd00e80d8aaa24be7b303a341a7e9
42adbe7188f65bd6483013b7cc5aa979
505b2c53e1983b625d6f2fc8aed8d13c
a02220783ac3bdb28090b9f3ff4c3a31
44d09eac8cf488000fb8ab3585789b5b
35e5ef048e2bba7f259d072b1d76d022
d731adccc5d6dd4f783dd8aa1a29ae90
d5c78ec63eff5eabec996adb71152eed
7043a5ddbe5f8b477bf84aab7bf6c148
ae57ce7ef337b281ea8a5eb7064d433f
4505413c6aa1e5edfcea670c2fb852cc
This information should help increase indicators may help in fighting against the latest GoziNym campaign.
