Verint’s Cyber Research team has recently discovered evidence of a new campaign for a variant of the infamous DNSChanger Trojan, which, as its name implies, alters a computer’s DNS entries to point toward rogue name servers. The new Trojan was identified through alerts in a Verint Threat Protection System (TPS) installation, which were triggered by its behavioral C&C detection engine. The alerts triggered an automatic investigation in TPS, which identified other suspicious domains and combined all related alerts into one security incident.

Using forensic tools, Verint’s Cyber Research determined that this DNSChanger campaign utilizes familiar characteristics and patterns, such as PowerShell scripts, BITS jobs and communication patterns used in previous campaigns. Further analysis uncovered the initial infection point, related payloads and additional domains, and concluded they are all part of the new campaign. Interestingly, the campaign makes use of new domains that were registered in March 2017 and have yet to be linked to DNSChanger.

Previous DNSChanger campaigns have been tightly connected with adware and PUAs as a source of (re)infection. This campaign utilizes a file named “fastdatax.exe”, and initial analysis suggests this may be the DNSChanger. This file creates the BITS tasks, which make the DNSChanger network connections to download and execute payloads (see below).

We named the current campaign “FastDataX” since it revolves around software with this name and communicates with FastDataX[dictionary word].info websites.

This blog post is a detailed account of the Verint research team’s findings and includes:

  • Initial detection of the malware via behavioral C&C alerts
  • Forensic analysis of infection point
  • Persistence methods
  • Related network traffic analysis
  • List of IOCs

INITIAL DETECTION

The Verint Threat Protection System (TPS) issued several behavioral C&C alerts pertaining to several fastdatax*.info domains and started an automatic investigation:

[Figure: Verint Threat Protection System – C&C (Behavioral Analysis) Alert]
[Figure: Verint Threat Protection System – Link Analysis]

INFECTION POINT

Forensic analysis of the alerted endpoint revealed the following scenario: a user voluntarily downloaded a malicious file from a file-sharing website. After the user double-clicked the file, an .xht file (XHTML, an HTML document defined as an XML application) was dropped and executed.

The .xht file included a link to

http[://]ab0cd85de032858b2efc-98b168bd21c640d1dbb3a0f567ddbbfe.r14.cf1.rackcdn.com/kOcQm1koU2hOmFWMxOJbQo0m9p/lpx.html

It also displayed several images hosted on imgur.com, which are instructions on how to save and execute the downloaded software:

[Figure: imgur.com images]

The execution of the file also triggered a chain of events that led to the installation of several software bundles that can be categorized as PUP/Adware. Among those were YeaDesktop, PCCleanPlus, X-Madbench and FastDataX. Of these, FastDataX looked the most curious and insidious.

As with previous campaigns (which abused applications like Optimizer Pro and System Healer), this adware is the second stage of infection for DNSChanger.

PERSISTENCE

Several persistence mechanisms were utilized by the installed PUP/Adware:

  • Registry ‘run’ key – abused by adware such as YeaDesktop
  • Scheduled tasks named after the application, abused by adware like ‘Pangody’ & X-Madbench. For example, a scheduled task named “X-Madbench” executes rundll32 “C:\Program Files\X-Madbench\X-Madbench.dll”,SceNcISYvR
  • Scheduled tasks with random names or GUIDs that execute DLLs via rundll32. For example, a scheduled task named “E3605470-291B-44EB-8648-745EE356599A”
  • Scheduled tasks with random names that execute PowerShell (see more details below)
  • BITS jobs (see more details below)

PowerShell

FastDataX.exe maintains persistence via a scheduled task named “FastDataX”, and an additional scheduled task is created with a GUID-style name (7D0A0D47-057F-040C-7E11-7E0D7905117D). This task consists of the following PowerShell:

This PowerShell script sends a GET request to fastdataxster[.]info and decrypts the response body. The decrypted response holds execution data, so the malware’s capabilities can be expanded at will.

The structure of this PowerShell is similar to a previously analyzed DNSChanger PS script. It should be noted that the domain embedded inside the script is new and was not previously linked to the DNSChanger campaign.

BITS job:

FastDataX also uses BITS (Background Intelligent Transfer Service) jobs, which generate HTTP HEAD requests to fastdataxcast[.]info and fastdataxfire[.]info. We could not find online information regarding these domains or any association between them and the current malware campaign.

That being said, the two types of BITS job are identical to previously analyzed BITS jobs.

The following BITS job is an example of a task recovered from the BITS logs of the infected endpoint; it is used to download, install and clean up the malware payloads.

[Figure: BITS job to create batch]
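As an added example (not code from the Verint write-up), the following PowerShell enumerates the persistence artifacts listed above on a live Windows host: scheduled tasks with GUID-style names, tasks whose action runs rundll32 against a DLL outside the Windows directory or launches PowerShell with hidden, encoded or downloading arguments, and every user's BITS jobs with their remote URLs. It assumes an elevated shell on Windows 8/Server 2012 or later (for Get-ScheduledTask) and the built-in BitsTransfer module; the heuristics are the editor's, not signatures from the campaign.

```powershell
function Find-SuspiciousScheduledTasks {
    # Task names that are a bare GUID, like the E3605470-... and 7D0A0D47-... tasks above
    $guidName = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        foreach ($action in $task.Actions) {
            $exe    = [string]$action.Execute
            $argStr = [string]$action.Arguments
            $flags  = @()
            if ($task.TaskName -match $guidName) { $flags += 'guid-name' }
            # rundll32 loading a DLL that does not live under the Windows directory
            if ($exe -match 'rundll32' -and $argStr -notmatch '\\Windows\\') { $flags += 'rundll32-nonsystem-dll' }
            # PowerShell launched hidden, or with an encoded or downloading command line
            if ($exe -match 'powershell' -and
                $argStr -match '-e(nc(odedcommand)?)?\b|-w(indowstyle)?\s+hidden|DownloadString|WebClient|Invoke-WebRequest') {
                $flags += 'powershell'
            }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Type = 'Task'; Name = $task.TaskName; Path = $task.TaskPath
                    Flags = ($flags -join ','); Command = "$exe $argStr".Trim()
                }
            }
        }
    }
}

function Get-AllBitsJobs {
    # Every user's BITS jobs with their remote URLs. The campaign's jobs only issued
    # HEAD requests to fastdatax*.info; list everything and review the URLs.
    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            [pscustomobject]@{
                Type = 'BITS'; Name = $job.DisplayName; Owner = $job.OwnerAccount
                State = $job.JobState; Url = $file.RemoteName; Local = $file.LocalName
            }
        }
    }
}

Find-SuspiciousScheduledTasks | Format-Table -AutoSize
Get-AllBitsJobs | Format-Table -AutoSize
```

Completed BITS jobs are removed from the queue, so pair this with the BITS-Client operational event log when the job has already finished.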

Changes to the DNS settings

DNSChanger has been using one of three methods in order to change the DNS settings:

  • Modifying the ‘NameServer’ & ‘DHCPNameServer’ settings in the Windows registry, thus replacing the configured servers with new DNS servers (by calling the DhcpNotifyConfigChange API)
  • Changing the router’s DNS configuration (as analysed by Proofpoint)
  • Editing the local HOSTS file

The ‘FastDataX’ variant of DNSChanger uses the third method. It adds multiple domains (see the list in the IOC section of this article) that are used to download additional payloads.
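As an added example (not code from the Verint write-up), the following PowerShell checks the two host-local methods listed above: it parses the HOSTS file into one record per hostname, marking whether each entry points at the local host, and reads the per-interface NameServer and DhcpNameServer registry values. The path and registry key are the standard Windows locations; the file is assumed to use the usual `address hostname [hostname...] # comment` layout.

```powershell
function Get-HostsFileEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # A default Windows HOSTS file contains only comment lines, so every active
    # entry returned here was added by someone: an admin, a blocklist tool, or malware.
    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -split '#', 2)[0].Trim()          # strip trailing comments
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $local = $parts[0] -in @('127.0.0.1', '::1', '0.0.0.0')
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; HostName = $name; PointsToLocalHost = $local }
        }
    }
}

function Get-RegistryNameServers {
    # Per-interface DNS settings: the first method above overwrites these values.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($key in Get-ChildItem -Path $base) {
        $props = Get-ItemProperty -Path $key.PSPath
        if ($props.NameServer -or $props.DhcpNameServer) {
            [pscustomobject]@{
                Interface      = $key.PSChildName
                NameServer     = $props.NameServer       # statically configured servers
                DhcpNameServer = $props.DhcpNameServer   # servers handed out by DHCP
            }
        }
    }
}

# Many names pinned to one address, or any name pointed away from the local host,
# is what to review; the campaign added a whole list of download domains at once.
$entries = Get-HostsFileEntries
$entries | Format-Table -AutoSize
$entries | Group-Object -Property Address | Select-Object Name, Count | Format-Table -AutoSize
Get-RegistryNameServers | Format-Table -AutoSize
```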

NETWORK ANALYSIS

An analysis with Verint’s TPS Network Forensics component, which enables detailed network analysis, revealed evidence of the malware’s C&C communication. This enabled the Cyber Research team to distinguish between three types of sessions with similar structures:

1. HEAD request sessions to “fastdataxfire[.]info” and “fastdataxcast[.]info”. As discussed above, these are generated by the FastDataX BITS jobs:

2. GET request sessions to “fastdataxster[.]info” that were generated by the above mentioned PowerShell script:

3. POST request sessions to “fastdataxient[.]info”, “fastdataxium[.]info” and “fastdataxify[.]info”:

It should be noted that all the FastDataX domains resolved to the IP address 81.171.14.67, which was used in a previous DNSChanger campaign.

As can be seen from the above images, the user agents used by the malware differ from each other and are spoofed. A noticeable example is a “bug” in generating the user agent, where the words “user agent” appear twice:

The traffic structure is similar to what was observed in the past and attributed to DNSChanger, where parameters contained system information and DNS configuration information.
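As an added example (not code from the Verint write-up), the following PowerShell applies the observations above to web-proxy log lines: hosts under fastdatax*.info, the 81.171.14.67 destination, HEAD requests matching the BITS-job pattern, and a user-agent string in which “user agent” appears twice. The log format and the sample lines are constructed for this example; the real requests are shown only in the write-up’s screenshots.

```powershell
$fastDataXDomain   = '^fastdatax[a-z]+\.info$'
$knownDnsChangerIp = '81.171.14.67'

function Test-FastDataXRequest {
    param([string]$Line)
    # Constructed log format: <time> <client> <method> <host> <dst-ip> <status> "<user-agent>"
    if (-not ($Line -match '^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"(.*)"$')) { return $null }
    # Copy the captures now: later -match calls overwrite $Matches
    $time = $Matches[1]; $client = $Matches[2]; $method = $Matches[3]
    $hostName = $Matches[4]; $dstIp = $Matches[5]; $ua = $Matches[7]
    $reasons = @()
    if ($hostName -match $fastDataXDomain) { $reasons += 'fastdatax-domain' }
    if ($dstIp -eq $knownDnsChangerIp)     { $reasons += 'known-dnschanger-ip' }
    # BITS HEAD probes to the campaign domains (the BITS-job pattern above)
    if ($method -eq 'HEAD' -and $hostName -match $fastDataXDomain) { $reasons += 'bits-head-probe' }
    # The user-agent generation bug noted above: "user agent" appears twice
    if ([regex]::Matches($ua, '(?i)user[- ]?agent').Count -ge 2) { $reasons += 'doubled-user-agent' }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Time = $time; Client = $client; Method = $method; Host = $hostName
        DstIp = $dstIp; Reasons = ($reasons -join ',')
    }
}

# Constructed sample lines (not captured traffic); the user-agent strings are illustrative only.
$sampleLog = @(
    '2017-06-21T10:02:11Z 10.0.0.15 HEAD fastdataxcast.info 81.171.14.67 200 "Microsoft BITS/7.8"',
    '2017-06-21T10:03:40Z 10.0.0.15 GET fastdataxster.info 81.171.14.67 200 "user agent Mozilla/4.0 user agent"',
    '2017-06-21T10:04:02Z 10.0.0.15 POST fastdataxify.info 81.171.14.67 200 "Mozilla/5.0"',
    '2017-06-21T10:05:00Z 10.0.0.22 GET example.com 93.184.216.34 200 "Mozilla/5.0"'
)
$sampleLog | ForEach-Object { Test-FastDataXRequest -Line $_ } | Format-Table -AutoSize
```

The first three sample lines are reported with their reasons; the fourth matches nothing and is dropped.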

Below is a list of identified IOCs relating to the FastDataX campaign.

IOCs

Domains/IPs:

Seen on 21-22.06.2017 in Verint TPS
81.171.14.67
fastdataxium[.]info
fastdataxcast[.]info
fastdataxfire[.]info
fastdataxster[.]info
fastdataxient[.]info
fastdataxify[.]info

Related domains:


Domains found inside the HOSTS file


Hashes:

MD5 SHA256 Description
fdfebd2ba002b18eac079a1ac21ef70d 16ea0a1c090e8084cbee7d5b9eb55d07d7db09eb58ee93fe096c9b624d9dae64 Payload downloader (.xht)
a11e1be8f9418f4e075b4c9794bc75f8 a779534bd4110602ef630a0afe8031f931d7fa4f7ef84b3e449d915a60d1b0ea Pangody.dll
8c03a0be7aadec4506fc52c4a507e320 f1eda24967aafc09d82418d8e92a189221bdfe52befa7cbbdb6d8642a8ffd5b8 X-Madbench.dll