Turning Vendor Blog Posts Into Actionable Intelligence (re: Solarbot)

When I see blog posts like these, they make my day. Thanks ESET/Avast!

http://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/
https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/

The actionable data from them (IMO) is the following:

Filename = *www.facebook.com.exe

HTTP Method = POST
Content-type = application/x-www-form-urlencoded
Content-length < 100
HTTP URI (not domain) = \/[a-z]+\/$

We’re able to use great sites like Virustotal, UrlQuery, Malwr.com, CleanMX, Malc0de.com, and some simple googlefu to build more intelligence around the indicators that were given.

You can then turn around and use this in your environment to detect compromised machines.
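To show how those four criteria translate into a check you can run against your own HTTP logs, here is an added example (not code from the original post or from the ESET/Avast write-ups). It applies the method, content-type, content-length and URI-pattern indicators to raw HTTP requests; the sample requests are constructed, and the /solbrwq/ path is one the VT data below lists.

```python
import re

# Criteria from the post: POST, form-urlencoded body shorter than 100 bytes,
# URI path ending in a single all-lowercase directory such as /solbrwq/.
URI_PATTERN = re.compile(r"/[a-z]+/$")
MAX_CONTENT_LENGTH = 100

def parse_request(raw):
    """Parse request line and headers of a raw HTTP request; body is ignored."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None  # not a well-formed request line
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}

def matches_solarbot_beacon(raw):
    """True when a raw HTTP request satisfies all four criteria from the post."""
    req = parse_request(raw)
    if req is None or req["method"] != "POST":
        return False
    headers = req["headers"]
    ctype = headers.get("content-type", "").lower()
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return False
    try:
        length = int(headers.get("content-length", ""))
    except ValueError:
        return False  # missing or non-numeric Content-Length
    if length >= MAX_CONTENT_LENGTH:
        return False
    path = req["target"].split("?", 1)[0]  # the regex applies to the path only
    return URI_PATTERN.search(path) is not None

# Constructed samples (not real captures): a beacon-shaped POST to a path the
# post lists, and an ordinary form login that must not fire.
SAMPLE_BEACON = ("POST /solbrwq/ HTTP/1.1\r\nHost: dabakhost.be\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Content-Length: 42\r\n\r\n")
SAMPLE_BENIGN = ("POST /login.php HTTP/1.1\r\nHost: www.example.com\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Content-Length: 512\r\n\r\n")
```

Note that the post's regex is not anchored at the start of the path, so it fires on the last directory of a longer path as well; tighten it if that produces noise in your environment.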

dabakhost.be – 81.177.180.60

From VT

2013-08-28 04:15:56 http://dabakhost.be/solbrwq/
2013-08-09 22:40:17 http://dabakhost.be/Loader.exe

From UrlQuery

2013-08-09 04:29:35 http://dabakhost.be/Loader.exe [Russian Federation] 81.177.180.60

From CleanMX

http://privathosting.be/Solar.exe

terra-araucania.cl – 69.73.130.24

From VT

2013-08-28 12:16:00 http://terra-araucania.cl/
2013-08-28 03:57:10 http://terra-araucania.cl/solar/

xyz25.com – 92.243.18.120, 92.243.1.61

From VT

2013-08-16 13:17:33 http://xyz25.com/

From UrlQuery

2013-09-17 15:21:12 http://www.xyz25.com/mf2cqb60hvpg/j12515f1e3xelm6/Image_024-WWW.FACEBOOK.COM.exe [France] 92.243.1.61

From Malwr.com

1. https://malwr.com/analysis/NjQ0N2YzNTMwMGNkNDJkMTg5ZGI5MjJiMTAyYmYyN2Q/
2. https://malwr.com/analysis/ZjUwZjZiOGJlZTk5NDgyNmE1MmFmM2JjNDAwZDBiODg/
3. https://malwr.com/analysis/MTlmMmQ0YjliNzM0NGQ5MmI4MGI4ZjkzMWVjYjUxNTI/

Some additional activity is seen in Report #2 that may or may not be related…

http://upload.tehran98.com/upme/uploads/91e26a25c62c3cd91.png – 144.76.94.237

GET /upme/uploads/91e26a25c62c3cd91.png HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: upload.tehran98.com
Connection: Keep-Alive

http://zxc.ao2r9k.com/l1I.php – 95.142.171.14

GET /l1I.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
Host: zxc.ao2r9k.com
Cache-Control: no-cache

The UA here differs from the one in either of the write-ups, which suggests the binary probably isn’t using a static UA.

yandafia.com – 85.25.208.82, 85.25.23.154, 93.190.141.106

From VT

2013-09-19 13:36:43 http://yandafia.com/456.exe
2013-08-31 14:23:37 http://yandafia.com/wp-admin/css/css/css/csx/
2013-07-29 15:00:54 http://yandafia.com/450.exe
2013-07-20 20:08:27 http://yandafia.com/order.php
2013-07-11 01:49:29 http://yandafia.com/

elzbthfntr.com – 37.139.3.132

From VT

2013-08-04 37.139.3.132

alfadente.com.br – 200.234.196.75

From VT

2013-09-26 14:27:10 http://alfadente.com.br/
2013-08-07 03:28:59 http://alfadente.com.br/Image.Skype.29.07.2013.exe
2013-08-04 03:35:25 http://alfadente.com.br/s.exe
2013-08-03 12:29:25 http://alfadente.com.br/i.exe

cmeef.info – 93.174.94.64, 178.238.237.110

From VT

2013-09-26 14:14:29 http://cmeef.info/e6ct/index.php
2013-09-05 15:16:41 http://cmeef.info/
2013-09-05 14:01:06 http://cmeef.info/e6ct/

From there you can pivot on the IPs to find more domains and start building IOCs for use in your network. Network analysis is iterative.
