Goal: Review and document latest BlackTDS traffic distribution leading to Gootkit banking malware.
Background
While analyzing the BlackTDS traffic distribution, I noticed the BlackTDS iframe leading to the zip archive download that would ultimately download the Gootkit banking malware. Gootkit banking malware gang appears to have started utilizing the BlackTDS for banking malware distribution in addition to the steady stream of spam campaigns (from Mailchip to Mailgun spam abuses), meticulously tracked by @dvk01uk.
3-29-2018: #Malware Traffic Internals:#BlackTDS iframe -> #JavaScript facture[.]zip with JS (quickbooksa[.com/data/Facture_FA03704.zip)
-> PowerShell scr -> #Gootkit banking #malware (anythingpng[.com/data/facture_c04507.pdf)
Gootkit gang also started utilizing BlackTDS loads 😉 pic.twitter.com/LnjfygKv0s— Vitali Kremez (@VK_Intel) March 29, 2018
https://platform.twitter.com/widgets.js
Traffic chain
I. BlackTDS domain redirect:
II. Download zip archive “Facture_FA03704.zip” containing a JavaScript loader
MD5 (Facture_FA03704.zip) = 71345b139166482acaa568ac8816c7bc
III. JavaScript loader “Facture_FA03704.js”:
MD5 (Facture_FA03704.js) = 1b60021baedc3f9201bcdb40e9b87f62
IV. Download Gootkit Binary “Facture_c04507.pdf“:
Domain: anythingpng[.]com/data/facture_c04507.pdf
V. Binary launch through CMD/PowerShell loader in %TEMP%
MD5 (facture_c04507.pdf) = c7c8d584758854bbe0d8e64ef53ae1a8
cmd.exe /C PowerShell “Start-Sleep 280; try{Start-Process %TEMP%\.exe -WindowStyle Hidden} catch{ }
Mutex: “ServiceEntryPointThread”
Additional quick Gootkit anti-analysis:
3-14-2018: #Gootkit #malware anti-analysis tricks |
GetModuleHandle DLL checks | GetUserName |
GetComputerName | CreateMutex | Bios registry |
decoding XOR loops
Mutex: “ServiceEntryPointThread”
Thx: @dvk01uk 🙂
Binary: 0bfd40449c1de10ddaa4d9a85e01b32c pic.twitter.com/OI6CBSh1gl— Vitali Kremez (@VK_Intel) March 14, 2018
Addendum: Indicators of Compromise (IOCs):
Domain:
- hxxps://quickbooksa[.]com/data/Facture_FA03704[.]zip
- anythingpng[.]com/data/facture_c04507[.]pdf
Zip archive “Facture_FA03704.zip“:
- MD5: 71345b139166482acaa568ac8816c7bc
JavaScript Loader “Facture_FA03704.js”:
- MD5: 1b60021baedc3f9201bcdb40e9b87f62
Gootkit Binary “Facture_c04507.pdf”:
- MD5: c7c8d584758854bbe0d8e64ef53ae1a8
Reverse Engineering, Malware Deep Insight 
Pleasant to be going by your web journal again, it has been months for me. Well this article ive been sat tight for consequently long. i need this article to complete my task inside of the staff, and it has same subject together with your article. Much obliged, pleasant offer. Easy Traffic School Online California for Traffic Tickets
LikeLike