Let me first start by thanking everybody who responded to our request for logs. Though many contributors have requested that I withhold attributing the data to them, several folks have given me the opportunity to credit them with their invaluable data, which will be done in the final report.
Since the beginning of March this threat has grown in scale but not, until recently, in tactics. As of May 5th I have seen no new Shellshock scans originating from this group; since then several other key tactics have changed, making the group more difficult to track without access to compromised machines. Prior to this major change in how they distribute the malware, I was able to collect over 7,000 samples: ELF and PE32 executables, logs, kits, botnet malware generators and controllers, and screenshots from their malware distribution web servers. Unfortunately, much of the analysis is a manual process. We have confirmed that the following malware families are in use by this threat actor group (each VirusTotal link identifies a sample by its SHA-256):
- MrBlack (generated with the captured MrBlack binary generator)
  - Linux: https://www.virustotal.com/en/file/5fd927799a313525eb3bc637114338f11ddfbce39fc2998cff656d1398a8ed35/analysis/1432827376/
  - Windows: https://www.virustotal.com/en/file/366537c4a5175d1ebd22bedb35410d3ff27a2f5dc7065a9df0767fe1757faba7/analysis/1432918164/
- Win32/Nitol.A (generated with the captured binary generator)
  - Windows: https://www.virustotal.com/en/file/775a8fe1eae8b21b0141066703b064c9e35323a189458c5db183d70f02fda2ad/analysis/
- Win32/Virut.BO (generated with the captured binary generator)
  - Windows: https://www.virustotal.com/en/file/68ca792d5d2d375f7078be85234e315ca5cfdee8392f0b53ae6c5db5b5c9f20f/analysis/1432918816/
- Win32/Virut.BN (sample captured together with its generator)
  - Windows: https://www.virustotal.com/en/file/5710049dc41902311cd9bec157d0b5cc0e57a684555aa902ef02233996a6a92c/analysis/1432919900/
- Parite.B (captured en masse from malware distribution points; we have captured a generator, but it is missing a critical piece)
  - Windows: https://www.virustotal.com/en/file/f9aec22682bda992ae71edbe2eb05e96b8173367561c4842e7218c9f84cb78d1/analysis/1432920294/
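The VirusTotal links above carry the SHA-256 of each sample, so they can be used directly as file indicators. The following script is an added example and not part of the CARISIRT post or its tooling: it pulls the SHA-256 values out of the links, hashes every file under a directory, classifies each file by its ELF or PE header (the two executable formats the collection contains), and reports which files match a known sample. The six hashes are copied from the post's own URLs; the demo directory, its file names and contents, and the extra "constructed test sample" indicator are constructed here so the matching path can be exercised offline.

```python
import hashlib
import os
import re
import struct
import tempfile

# Added example, not code from the post. The links below are the post's own
# VirusTotal report URLs; the labels in front of them are ours.
VT_REPORT_LINKS = """
MrBlack Linux https://www.virustotal.com/en/file/5fd927799a313525eb3bc637114338f11ddfbce39fc2998cff656d1398a8ed35/analysis/1432827376/
MrBlack Windows https://www.virustotal.com/en/file/366537c4a5175d1ebd22bedb35410d3ff27a2f5dc7065a9df0767fe1757faba7/analysis/1432918164/
Nitol.A https://www.virustotal.com/en/file/775a8fe1eae8b21b0141066703b064c9e35323a189458c5db183d70f02fda2ad/analysis/
Virut.BO https://www.virustotal.com/en/file/68ca792d5d2d375f7078be85234e315ca5cfdee8392f0b53ae6c5db5b5c9f20f/analysis/1432918816/
Virut.BN https://www.virustotal.com/en/file/5710049dc41902311cd9bec157d0b5cc0e57a684555aa902ef02233996a6a92c/analysis/1432919900/
Parite.B https://www.virustotal.com/en/file/f9aec22682bda992ae71edbe2eb05e96b8173367561c4842e7218c9f84cb78d1/analysis/1432920294/
"""

# A VirusTotal file report URL embeds the sample's SHA-256 (64 hex digits).
VT_FILE_RE = re.compile(r"virustotal\.com/(?:en/)?file/([0-9a-fA-F]{64})/")


def extract_indicators(text):
    """Return {sha256: label} for every VirusTotal file link found in text."""
    indicators = {}
    for line in text.splitlines():
        m = VT_FILE_RE.search(line)
        if m:
            label = line[: line.index("https://")].strip()
            indicators[m.group(1).lower()] = label
    return indicators


def file_type(data):
    """Classify a file from its leading bytes: ELF, PE, MZ-only, or other.

    An "MZ" prefix alone is just a DOS header; a real PE image also has a
    "PE\\0\\0" signature at the offset stored in e_lfanew (0x3C).
    """
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
        return "MZ-only"
    return "other"


def sha256_file(path):
    """Stream a file through SHA-256 so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, indicators):
    """Walk root; return (path, type, sha256, matched label or None) per file."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(4096)
            digest = sha256_file(path)
            results.append((path, file_type(head), digest, indicators.get(digest)))
    return results


def demo():
    """Run the scan over a constructed directory; returns the result rows."""
    indicators = extract_indicators(VT_REPORT_LINKS)
    # Constructed ELF-like blob so the match path is exercised offline. Its hash
    # is added as an indicator here; it is not one of the post's real samples.
    fake_elf = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed-sample"
    indicators[hashlib.sha256(fake_elf).hexdigest()] = "constructed test sample"
    # Minimal MZ header whose e_lfanew (0x3C) points at a PE signature at 0x40.
    fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
    with tempfile.TemporaryDirectory() as d:
        for name, content in (("bot.elf", fake_elf), ("loader.exe", fake_pe),
                              ("notes.txt", b"not a binary\n")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return scan_directory(d, indicators)


if __name__ == "__main__":
    for path, kind, digest, label in demo():
        print(f"{kind:8} {digest[:16]}...  {os.path.basename(path):12} {label or '-'}")
```

A hash match is only a match on that exact build; the post notes these families were produced from captured generators, so each new build from the same kit yields a fresh hash. Treat the hash list as a floor, not as detection coverage for the family.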
Regards,

Zachary Wikholm
Head of Security Incident Response Team (CARISIRT)
sirt@cari.net
CARI.net