Reversed C2 traffic from China

Published: 2018-05-11. Last Updated: 2018-05-11 11:53:06 UTC
by Remco Verhoef (Version: 1)
1 comment(s)

For the past few months, we've seen some intriguing data coming from 3 separate IP addresses within China. The payload of this traffic appears to be generated by the well-known remote access tools njRAT and Gh0st and is destined for their C2 servers. Normally you would not expect any C2 traffic in honeypots, except in the case of IP address reuse, where you got an IP address that has been used as a C2 before. As we have caught this traffic in multiple honeytraps, someone must be scanning the internet with this payload. Many different destination ports are targeted; so far we have seen ports 991, 1050, 1122, 1177, 1188, 1190, 1199, 3460, 12345, 1627, 3311, 5552, 5568, 8484, 8844, 8899, 33369, 42091.

The IP addresses we have seen so far are 61.240.145.3, 61.240.145.4 and 61.240.145.5. Those IP addresses have a web server running, containing the message: "Y-Team is a network security team, which focus on internet-wide network attack events." with contact information. It seems that they are searching for active C2 servers.

The payloads that have been used are interesting and similar to other njRAT payloads:

lv|'|'|SGFja2VkXzYx|'|'|DG-69JK87|'|'|root|'|'|2018-02-06|'|'|AKM|'|'|Windows 7 SP1|'|'|Yes|'|'|0.6|'|'|577|'|'||'|'|',[endof]
lv|'|'|bmtfc3VydmlsbGVuY2VfYTE4|'|'|RS-X4FA66|'|'|root|'|'|2018-02-06|'|'|DPRK|'|'|Red Star OS X|'|'|Yes|'|'|1.0|'|'|577|'|'||'|'|',[endof]

If you extract the interesting parts of the payload:

bmtfc3VydmlsbGVuY2VfYTE4 -> nk_survillence_a18 (a unique identifier for the infected system, composed of the campaign name and an identifier)
SGFja2VkXzYx -> Hacked_61 (this is also a campaign identifier)
DG-69JK87 computer name
root user name
2018-02-06 modification date of the malware
DPRK locale
Yes reports whether a camera is available
0.6 and 1.0 malware version

Another payload we've seen is the base64 encoded string: a2ltam9uZ3VuaXN2ZXJ5aGFwcHk=, which decodes to kimjongunisveryhappy.
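To make the field breakdown above concrete, here is a small parser for the njRAT "lv" registration beacon as it appears in the two captured payloads, written for this diary as an added example (it is not code from the diary or from any of the referenced tooling). It applies a cheap structural check that can be used to tag honeypot hits, splits the message on the |'|'| separator, names the positional fields exactly as the diary lists them, and base64-decodes the victim identifier (and the standalone a2ltam9uZ3VuaXN2ZXJ5aGFwcHk= string). The field names are assumptions taken from the breakdown; the meaning of the "577" field is not explained in the diary, so it is kept under a neutral name. The two sample beacons are constructed copies of the payloads shown above.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Wire-format constants of the njRAT "lv" beacon as seen in the captured traffic:
# fields are separated by |'|'| and the message is closed by [endof].
FIELD_SEP = "|'|'|"
TERMINATOR = "[endof]"

# Positional field names following the diary's breakdown (assumed names; the
# purpose of the "577" field is not documented on the page).
FIELD_NAMES = [
    "command",        # "lv" registration message
    "victim_id_b64",  # base64(campaign + "_" + identifier)
    "computer_name",
    "user_name",
    "malware_date",
    "locale",
    "os",
    "camera",         # "Yes" if a camera is available
    "version",
    "field_9",        # "577" in every sample; meaning unknown
]

# Constructed samples: copies of the two payloads captured by the honeytraps.
SAMPLE_BEACONS = [
    "lv|'|'|SGFja2VkXzYx|'|'|DG-69JK87|'|'|root|'|'|2018-02-06|'|'|AKM|'|'|Windows 7 SP1|'|'|Yes|'|'|0.6|'|'|577|'|'||'|'|',[endof]",
    "lv|'|'|bmtfc3VydmlsbGVuY2VfYTE4|'|'|RS-X4FA66|'|'|root|'|'|2018-02-06|'|'|DPRK|'|'|Red Star OS X|'|'|Yes|'|'|1.0|'|'|577|'|'||'|'|',[endof]",
]


@dataclass
class Beacon:
    fields: Dict[str, str]      # named positional fields
    extra: List[str]            # trailing tokens the breakdown does not name
    victim_id: Optional[str]    # decoded victim identifier, None if not valid base64/UTF-8


def decode_b64_token(token: str) -> Optional[str]:
    """Strictly decode a base64 token to text; return None on malformed input."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_njrat_lv_beacon(payload: str) -> bool:
    """Structural heuristic: 'lv' prefix, [endof] terminator, at least nine separators."""
    return (
        payload.startswith("lv" + FIELD_SEP)
        and payload.rstrip().endswith(TERMINATOR)
        and payload.count(FIELD_SEP) >= 9
    )


def parse_beacon(payload: str) -> Beacon:
    """Split a captured beacon into named fields; raises ValueError if it is not one."""
    if not is_njrat_lv_beacon(payload):
        raise ValueError("not an njRAT lv beacon")
    body = payload.rstrip()[: -len(TERMINATOR)]
    tokens = body.split(FIELD_SEP)
    named = dict(zip(FIELD_NAMES, tokens))
    extra = tokens[len(FIELD_NAMES):]
    return Beacon(fields=named, extra=extra, victim_id=decode_b64_token(named["victim_id_b64"]))


def campaign_of(victim_id: str) -> Tuple[str, str]:
    """Split a decoded victim ID into (campaign name, identifier) on its last underscore."""
    campaign, _, ident = victim_id.rpartition("_")
    return campaign, ident


if __name__ == "__main__":
    for raw in SAMPLE_BEACONS:
        beacon = parse_beacon(raw)
        print(beacon.victim_id, campaign_of(beacon.victim_id), beacon.fields["os"], beacon.fields["locale"])
    print(decode_b64_token("a2ltam9uZ3VuaXN2ZXJ5aGFwcHk="))
```

Running the block prints Hacked_61 and nk_survillence_a18 with their campaign/identifier split, the OS and locale fields, and kimjongunisveryhappy for the standalone string. The structural check deliberately stays loose (prefix, terminator, separator count) so that variants with a different number of trailing fields are still tagged; anything stricter belongs in the field-level parse.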

The payloads contain many references to North Korea, such as nk_survillence_a18, DPRK (Democratic People's Republic of Korea) and Red Star OS X (the North Korean OS that looks like Apple OS X). Y-Team is making an effort to make the traffic appear to be generated by an infected North Korean machine.

Besides our honeytraps, AbuseIPDB contains entries with the same traffic.

Previously, we have seen the same hosts scanning with different payloads:

* /?CAVIT (scanning for Trend Micro OSCE clients on port 12345)
* /bins.sh on port 80
* /select.sh on port 8081
* /NetSyst81.dll on port 4545

Do you have extra information regarding this diary? Or do you have different views? Please let us know.

References
[*] https://success.trendmicro.com/solution/1037975-checking-the-connection-between-the-server-and-osce-clients-in-officescan-osce
[*] https://finance.yahoo.com/news/north-korea-secret-red-star-os-looks-exactly-221502098.html?guccounter=1
[*] http://blog.huntergregal.com/2014/12/malware-reversing-part-i-introduction.html
[*] http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf


Comments

We've been seeing NJRat threat traffic from those IPs on port 9090 and Gh0st traffic on 8000, 8080 and 443 for quite some time. Previous tagged/blocked data has contained references to the DPRK, root account and RedStar 3.0, but is now referencing Windows 7 and root? Makes no sense.

The "Statement of Harmless Internet Scan" and the numeric account at qq.com don't exactly help instill any level of comfort.


...<.|Tu.&....E.....@.0.Q.=.........#....T..D.P.9..C..lv|'|'|SGFja2VkXzYx|'|'|DG-69JK87|'|'|root|'|'|2018-02-06|'|'|AKM|'|'|Windows.7.SP1|'|'|Yes|'|'|0.6|'|'|577|'|'||'|'|',[endof]
