Fidelis Threat Advisory #1014. Document Status: 1.0 Last Revised:

Transcription

1 Fidelis Threat Advisry #1014 Bts, Machines, and the Matrix Dec 12, 2014 Dcument Status: 1.0 Last Revised: Executive Summary In the recent past, a Fidelis XPS user reprted seeing detectins f what appeared t be btnet-related malware. While that custmer was prtected, we at General Dynamics Fidelis Cybersecurity Slutins decided t take a clser lk. The analysis f the malicius cde revealed that it appeared t be Andrmeda but the delivery infrastructure lked interesting. Further telemetry frm ur sensrs shwed that this server in China was als hsting and distributing many ther malicius specimens. Analysis f the data revealed a pattern in the filenames. Our analysts used this pattern t discver ther systems distributed acrss the glbe serving up varius btnet malware, s far assumed t be used in distinct campaigns but clearly related in this case: - Andrmeda - Beta Bt - Neutrin Bt - NgrBt/DrkBt Analysis als shwed hw attackers cntinue t benefit frm the use f glbally-distributed hsting prviders t perfrm their malicius activities. Further, the analysis revealed hw attackers are hsting and distributing identical cpies f the malware frm servers in different cuntries including China, Pland, Russia, and the United States. Fr the perid f time researched in this activity, we bserved the fllwing targeted sectrs in the US: - Manufacturing / Bitechnlgy & Drugs - Prfessinal Services / Engineering - Infrmatin Technlgy / Telecmmunicatins - Gvernment / State Nte that ur ftprint is largely in the Enterprise space and it is pssible that we re seeing spillver frm wider campaigns. This dcument uncvers varius servers hsting Bts and ther related malware, prvides a triage analysis f varius pieces f malware hsted by these malicius servers, and prvides indicatrs that netwrk defenders can use t prtect their netwrks. Users are granted permissin t cpy and/r distribute this dcument in its riginal electrnic frm and print cpies fr persnal use. This dcument cannt be mdified r cnverted t any ther electrnic r machine-readable frm in whle r in part withut prir written apprval f Fidelis Security Systems, Inc. While we have dne ur best t ensure that the material fund in this dcument is accurate, Fidelis Security Systems, Inc. makes n guarantee that the infrmatin cntained herein is errr free. Cpyright 2014 General Dynamics Fidelis Cybersecurity Slutins Rev Threat Advisry #1014 Page 1 f 16 Bts, Machines, and the Matrix

2 Threat Overview The threat activity bserved in the past weeks against varius targets in ur custmer base has shwn patterns that allwed us t discver multiple servers hsting and distributing malicius sftware (Bts). As it is knwn by the netwrk defenders and the security cmmunity, it is imprtant t defend against these attacks since systems infected with these malicius specimens culd be used fr credential theft, Distributed Denial f Service Attacks, spreading malware, lateral prpagatin, etc. This is f great cncern as the first stage attack cntinues t bypass netwrk security defenses infecting user s cmputers that beacn t malicius servers t dwnlad r create the secnd stage malware int the victim systems. Sme f the main Bt types f malware detected thrugh this research include: - Andrmeda Andrmeda is a mdular bt that dwnlads mdules and updates frm its cmmand and cntrl (C&C) server during executin. The malware has bth anti-vm and anti-reversing features. Its cde is bfuscated t make it mre difficult fr malware reverse engineers t analyze and antivirus tls t detect. Andrmeda bt features include: self-prpagatin, injectin int trusted prcesses t hide itself, netwrk traffic encryptin, dwnlad and installatin f files/malware, frm grabber, keylgger, ring3 rtkit, prxy, etc. Features like frm grabber, rtkit, and prxy are delivered t the malware in the frm f mdules that are then laded int the victim system after the malware makes a cnnectin with its C&C. It appears that in 2012, sme f the mdules were sld fr $500 (frm grabber), $300 (Ring3 rtkit), and $200 (keylgger). - DrkBt/NgrBt DrkBt is a mdified IRCBt that is very similar in features t NgrBt. DrkBt has a lader and a mdule. The bt includes the fllwing features: prcess injectin, hard drive wiping, etc. Different frm NgrBt, DrkBt uses mdified IRC cmmands. Sme f the cmmands supprted include:!die,!dl,!http.inj,!lgins,!rc,!speed,!ssyn,!stp,!up, and!udp. NgrBt can als be remtely cntrlled via Internet-Relay-Chat (IRC) prtcl. It has capabilities t jin different IRC channels t perfrm varius attacks accrding t the IRC-based cmmands frm the C&C server. Its cde is bfuscated t make it mre difficult fr malware reverse engineers t analyze and antivirus tls t detect. NgrBt features include: self-prpagatin (e.g. thrugh USB remvable drives, scial netwrking sites, and messaging clients), prcess injectin, hard drive wiping, blcking access t multiple antivirus/security vendr websites, denial f service attacks, credentials stealing (usernames and passwrds), dwnlad and execute file, etc. Sme f the cmmands supprted are: ~pu, ~dw, ~http.inj, ~lgins, ~rc, ~speed, ~ssyn, ~stp, and ~udp. - Beta Bt It is said that Beta bt started ut as an HTTP bt. The Bt is als knwn by sme security vendrs as Trjan.Neurevt. Its cde is bfuscated t make it mre difficult fr malware reverse engineers t analyze and antivirus tls t detect. Beta bt features include: anti-vm and anti-reversing, self-prpagatin, rtkit, prcess injectin, blcking access t multiple antivirus/security vendr websites, AV-disabling, frm grabbing, dwnlad and executin f files, terminatin f cmpeting malware cmmunicatins by terminating their prcesses r blcking their cde injectins, and denial f service. It appears that Threat Advisry #1014 Page 2 f 16 Bts, Machines, and the Matrix

3 in May 2013, the pre-built bt culd be purchase fr $320-$500, and $20 fr variant rebuilds fr thse requiring cnfiguratin changes. Accrding t nline research, Beta Bt sales are being handled by Lrd Hurn, althugh betamnkey appears t be the authr. The fllwing image was fund during nline research: - Neutrin The Neutrin bt was advertised as an HTTP stress-testing tl. It has sme f the fllwing features: anti-vm and anti-reversing/debugging, denial f service (HTTP/TCP/UDP fld), keylgger, cmmand shell, credential stealing, self-spreading, etc. It appears at sme pint the bt was sld fr $550 (Builder), $200 (Full set including Bt and Admin Panel), and $20 (Update). Online research revealed the fllwing cntact infrmatin fr this bt: n3utrin@kaddafi[.]me / n3utrin@xmpp[.]jp / n3utrin.blg[.]cm. The fllwing images were fund during nline research: Threat Advisry #1014 Page 3 f 16 Bts, Machines, and the Matrix

4 The fllwing table prvides infrmatin abut sme f the servers hsting and distributing malware and sme f the filename patterns discvered: Last Observed IP Lcatin Filename Pattern December [.]7 China and[2_digits][single character][2_digits].exe bet[2_digits][single character][2_digits].exe nut[2_digits][single character][2_digits].exe December [.]45 Pland bet[2_digits][single character][2_digits].exe bnew[2_digits][single character][2_digits].exe nut[2_digits][single character][2_digits].exe [3_digits][single character][1_digit].exe [2_digits][single character][1_digit].exe December [.]62 US (Amazn) and[2_digits][single character][2_digits].exe bet[2_digits][single character][2_digits].exe bnew[2_digits][single character][2_digits].exe dq[2_digits][single character][2_digits].exe dqnew[2_digits][single character][2_digits].exe nut[2_digits][single character][2_digits].exe Nvember [.]47 China and[2_digits][single character][2_digits].exe and[single character][1_digit].exe bet[2_digits][single character][2_digits].exe bet[1_r_2_digits].exe bet[single character][1_digit].exe nut[2_digits][single character][2_digits].exe Nvember [.]184 China and[2_digits][single character][2_digits].exe and[2_digits].exe and[2_digits][single character].exe bet[2_digits][single character][2_digits].exe bet[2_digits].exe ng[2_digits].exe nut[2_digits][single character][2_digits].exe nut[2_digits].exe nut[2_digits][single character].exe zpm[2_digits][single character].exe Nvember [.]44 Pland 3307[2_digits][single character][2_digits].exe and[2_digits][single character][2_digits].exe bet[2_digits][single character][2_digits].exe bnew[2_digits][single character][2_digits].exe Threat Advisry #1014 Page 4 f 16 Bts, Machines, and the Matrix

5 Nvember [.]73 US (Amazn) Nvember [.]154 US (Amazn) Nvember [.]62 US (Amazn) and[2_digits][single character][2_digits].exe bet[2_digits][single character][2_digits].exe bnew[2_digits][single character][2_digits].exe nut[2_digits][single character][2_digits].exe and[2_digits][single character][2_digits].exe bet[2_digits][single character][2_digits].exe nut[2_digits][single character][2_digits].exe 3307[2_digits][single character][2_digits].exe and[2_digits][single character][2_digits].exe bet[2_digits][single character][2_digits].exe bnew[2_digits][single character][2_digits].exe Octber [.]44 China and[2_digits][single character][2_digits].exe and[2_digits].exe bet[2_digits][single character].exe bet[2_digits].exe nut[2_digits].exe Octber [.]241 Russia and[2_digits].exe ng[2_digits]exe nut[2_digits][single character][2_digits].exe nut[2_digits].exe Octber [.]124 US (Amazn) bnew[2_digits].exe ng[2_digits].exe nut[2_digits].exe zpm[2_digits].exe The fllwing table prvides infrmatin abut the relatinship between the malicius servers, detectin names by antivirus tls, and vertical market affected (based n unique hashes and detectins): IP Lcatin Generic AV detectin Vertical Market/Specializatin [.]7 China Wrm.Win32.Ngrbt Prfessinal Services/Engineering Wrm.Win32.Drkbt Threat Advisry #1014 Page 5 f 16 Bts, Machines, and the Matrix

6 Backdr.Win32.Ruskill Trjan.Win32.Yakes Trjan.Win32.Munchies [.]45 Pland Backdr.Win32.Andrm Trjan.Win32.Lethic Trjan.Win32.Inject Trjan.Win32.Munchies Trjan.Win32.Yakes [.]62 US (Amazn) Backdr.Win32.Andrm Wrm.Win32.Ngrbt Wrm.Win32.Drkbt Backdr.Win32.Ruskill Trjan.Win32.Lethic Trjan.Win32.Yakes Trjan.Win32.Munchies [.]47 China Backdr.Win32.Andrm Trjan.Win32.Betabt Wrm.Win32.Drkbt Backdr.Win32.Ruskill Trjan.Win32.Neurevt Wrm.Win32.Ngrbt Trjan- Spy.Win32.SpyEyes Trjan- Spy.Win32.Zbt Backdr.Win32.Azbreg Trjan.Win32.Badur Trjan.Win32.Inject Trjan.Win32.Sharik Trjan.Win32.Yakes Trjan- Dwnlader.Win32.Agent Trjan- Drpper.Win32.Injectr [.]184 China Backdr.Win32.Andrm Wrm.Win32.Ngrbt Backdr.Win32.Ruskill Trjan.Win32.Badur Trjan.Win32.Inject Trjan.Win32.Yakes Trjan.Win32.Sysn Manufacturing/Healthcare Manufacturing/Healthcare/Gvernment [.]44 Pland Backdr.Win32.Andrm Wrm.Win32.Ngrbt Trjan.Win32.Badur Trjan.Win32.Yakes [.]73 US (Amazn) Backdr.Win32.Andrm Trjan.Prxy.Win32.Lethic Wrm.Win32.Ngrbt Gvernment Threat Advisry #1014 Page 6 f 16 Bts, Machines, and the Matrix

7 Trjan.Win32.Badur Trjan.Win32.Inject [.]154 US (Amazn) Backdr.Win32.Andrm Backdr.Win32.Ruskill Trjan.Win32.Yakes [.]44 China Backdr.Win32.Andrm Wrm.Win32.Ngrbt Backdr.Win32.Ruskill Trjan.Win32.Badur Trjan.Win32.Yakes [.]241 Russia Backdr.Win32.Andrm Wrm.Win32.Ngrbt Trjan.Win32.Badur Trjan.Win32.Yakes Gvernment [.]124 US (Amazn) Backdr.Win32.Andrm Wrm.Win32.Ngrbt Trjan.Win32.Badur Wrm.Win32.Hamweq Trjan.Win32.Sysn Risk Assessment A bt malware has features like anti-reversing, credential stealing/keystrke lgging/frm grabbing, DNS changer, prcess injectin, antivirus prcess killing, blcking f security related websites, backdr, and thers. They als have features t spread themselves thrugh USB remvable drives, scial netwrking sites, and messaging clients. In additin, they culd als infiltrate the netwrk when the victim user visits a website hsting a brwser explit. Once the attacker gains cntrl, the infected system culd be used t launch Distributed Denial f Service attacks, spread the bt t ther victims, dwnlad mre advanced malware t perfrm lateral prpagatin, etc. The attackers (Bt Masters/Herders) culd als rent their btnets t ther cybercriminals. Indicatrs and Mitigatin Strategies This sectin presents infrmatin abut sme f the servers we have bserved hsting and distributing malware, filename patterns, as well as a triage analysis f varius pieces f malware bserved delivered by these servers - Servers bserved hsting and distributing malware: [.] [.] [.] [.] [.] [.] [.] [.] [.] [.] [.] [.]62 Threat Advisry #1014 Page 7 f 16 Bts, Machines, and the Matrix

8 [.]128 - Sme f the filename patterns bserved: [.]7/and40a70.exe [.]7/bet40a71.exe [.]7/ng40a71.exe [.]45/37a1.exe [.]62/330740a71.exe [.]62/bnew40a71.exe [.]45/109a7.exe [.]45/51a5.exe [.]45/62.exe [.]184/ng33.exe [.]184/zpm39a.exe [.]45/141a1.exe [.]112/98.exe [.]124/zpm37.exe [.]62/bnew40a85.exe [.]7/nut40a71.exe [.]62/dqnew40a81.exe [.]44/and33.exe [.]112/330740x.exe [.]128/37extra.exe [.]241/ng38a.exe - Triage analysis f varius pieces f malware bserved delivered by servers mentined in this reprt: (Please nte that the activity in this sectin has been recrded per initial file infectin and nt individually per file dwnladed and executed by the initial malware under investigatin) Andrmeda MD5: 036eb11a5751c77bc c8e5 This file was bserved hsted in the fllwing servers: [.]44/and37.exe (China) [.]184/and37.exe (China) [.]73/and37.exe (US) File infrmatin: File Name: and37.exe File Size: bytes MD5: 036eb11a5751c77bc c8e5 SHA1: c6966d9557a9d5ffbbcd7866d45eddff30a9fd99 PE Time: 0x5431A1E4 [Sun Oct 05 19:54: UTC] PEID Sig: Micrsft Visual C++ 8 Sectins (4): Name Entrpy MD5.text d9ac5c3c1853a62535bb42fe25.rdata e0faee1b5962f3b0e7ef0cd07b07d90.data d36a05bbbfdab643e78f1b1dad4.rsrc da4653b7fcb4ee a2ed The malware appears t implement anti-reversing techniques preventing its executing inside a virtual machine envirnment (VME). This malware is believed t be a variant frm the Andrmeda Bt malware family. When the file was executed in a Windws 7 system, the fllwing activity was bserved: Dmain: Reslved IP: POST request: GET request: File dwnladed: Full path and name: Prcess injectin: a2kiaymster14902[.]cm [.]248 (China) /bla02/gate.php [.]62/and40a90.exe (US) b62391f3f7cbdea f60f3930f (msitygyd.exe) C:\PrgramData\msitygyd.exe C:\Windws\SysWOW64\msiexec.exe Threat Advisry #1014 Page 8 f 16 Bts, Machines, and the Matrix

9 Beta Bt MD5: 9e8b203f487dfa85dd47e32b3d24e24e This file was bserved hsted in the fllwing servers: /betw9.exe (China) /bet4.exe (US) File infrmatin: File Name: betw9.exe File Size: bytes MD5: 9e8b203f487dfa85dd47e32b3d24e24e SHA1: de6a4d53b5265f8cddf08271d17d845f58107e82 PE Time: 0x B [Sat Sep 13 19:21: UTC] PEID Sig: Micrsft Visual C++ 8 Sectins (4): Name Entrpy MD5.text e347b4bb29e39a97c5803db1ee53321.rdata d4fc093dc013fa7d86bee7b85c0f9.data daa66602eb4a3aa8effd3a287efbf7.rsrc 6.1 9b2a41b9bc48ccff04effe10bb0fb839.rsrc da4653b7fcb4ee a2ed The malware did nt appear t implement anti-reversing techniques and prperly executed inside a VME. This malware is believed t be a variant frm the Beta Bt malware family. When the file was executed in a Windws XP system, the fllwing activity was bserved: Dmain: Reslved IP: POST request: GET request: File dwnladed: Full path and name: GET request: File dwnladed: Full path and name: Made a cpy itself t: Hash f file cpy: b.9thegamejuststarted14k9[.]cm [.]74 (China) /direct/mail/rder.php?id= [.]184/ng40a54.exe (China) fe8c978f05f3a83af7c8905f94f71213 (mxbrwtqjjvk.exe) %TEMP%\mxbrwtqjjvk.exe [.]184/and40a54.exe (China) b4d6c0e3bc2ecda983161f (cmqgvyqtpkh.exe) %TEMP%\cmqgvyqtpkh.exe %CmmnPrgramFiles%\CreativeAudi\ldhkkangs.exe 9e8b203f487dfa85dd47e32b3d24e24e Registry entrenchment: Key: Value Name: Value Data: Key: Value Name: Value Data: HKEY_LOCAL_MACHINE\SOFTWARE\Micrsft\Windws\CurrentVersin\Run CreativeAudi C:\Prgram Files\Cmmn Files\CreativeAudi\ldhkkangs.exe HKEY_CURRENT_USER\Sftware\Micrsft\Windws\CurrentVersin\Run CreativeAudi C:\Prgram Files\Cmmn Files\CreativeAudi\ldhkkangs.exe Threat Advisry #1014 Page 9 f 16 Bts, Machines, and the Matrix

10 Prcess Injectin: C:\Prgram Files\Internet Explrer\iexplre.exe Screensht f the registry activity: Screensht shwing a handle f the malware in the iexplrer.exe prcess: Neutrin Bt MD5: 463f d0391add327c1270d7fe6 This file was bserved hsted in the fllwing servers: [.]184/nut40a52.exe (China) [.]45/nut40a52.exe (Pland) File infrmatin: File Name: nut40a52.exe File Size: bytes MD5: 463f d0391add327c1270d7fe6 SHA1: a87c5b6a588ef4b351ce1a3a0fe2b035e685e96c PE Time: 0x546D0881 [Wed Nv 19 21:15: UTC] PEID Sig: Micrsft Visual C++ 8 Sectins (4): Name Entrpy MD5.text fe50af0b54ed ea6b9e7178b.rdata ff7c660e83eeff9a7db4abf0ceab04.data 5.74 e19f755461a bd1e8e rsrc dac81db1ae19c69e8a2b7e5311 The malware appears t implement anti-reversing techniques preventing it frm prperly executing inside a VME. In a bare-metal system, the malware wrked prperly. This malware is believed t be a variant frm the Neutrin Bt malware family. When the file was executed in a Windws 7 system, the fllwing activity was bserved: Dmain: Reslved IP: POST request: Data: nutqlfkq123a10[.]cm [.]140 (China) /newfiz3/tasks.php ping=1 Threat Advisry #1014 Page 10 f 16 Bts, Machines, and the Matrix

11 Server respnse: png POST request: /newfiz3/tasks.php Data: getcmd=1&uid=[remved]&s=win+7+enterprise+(x64) &av=symantec+endpint+prtectin&nat=yes&versin=3.2.1 &serial=[remved]&quality=0 POST request: /newfiz3/tasks.php Data: taskexec=1&task_id= GET request: File dwnladed: Full name: Made a cpy itself t: Hash f file cpied: Created file: File hash: Created file: File hash: Created file: File hash: Created file: File hash: [.]62/330740a91.exe b21e4c8f73151d7b0294a3974fe a91.exe %APPDATA%\Raming\WIN-S0MT3UJUS2O\splww64.exe 463f d0391add327c1270d7fe6 C:\PrgramData\bett2f00\hemxccape.exe 9cf7d079713fdf715131e16b144d3f52 C:\PrgramData\msitygyd.exe 2983d957d4cdd cfaf21147d07 %TEMP%\ exe 72380a9fcf7486bb731606d4f4c13f27 %TEMP%\ exe f220f0a48885bafc29b31fb7228cc4bb USB drive infectin: Created file: Full path and name: File cntents: Created file: Full path and name: Nte: c1fa3e4ee1e2e5b088bc657b0b5a3b8e [USB_DRIVE]\autrun.inf [autrun] OPEN=WinSystemKB001.exe actin=run 463f d0391add327c1270d7fe6 [USB_DRIVE]\WinSystemKB001.exe This is a cpy f riginal file executed. Registry entrenchment: Key: Value Name: Value Data: Key: Value Name: Value Data: HKCU\Sftware\Micrsft\Windws\CurrentVersin\Run A C:\PrgramData\bett2f00\hemxccape.exe HKCU\Sftware\Micrsft\Windws\CurrentVersin\Run splww64.exe %APPDATA%\Raming\WIN-S0MT3UJUS2O\splww64.exe Key: HKLM\SOFTWARE\Micrsft\Windws\CurrentVersin\Plicies\Explrer\Run Value Name: Threat Advisry #1014 Page 11 f 16 Bts, Machines, and the Matrix

12 Value Data: Prcess Injectin: C:\PrgramData\msitygyd.exe C:\Windws\SysWOW64\WerFault.exe Screensht shwing a handle f the malware in the WerFault.exe prcess: Screensht f related prcesses running in the victim system: Andrmeda Bt MD5: 13475d0fdba8dc7a648b57b10e8296d5 This file was bserved hsted in the fllwing servers: [.]47/and40a37.exe (China) [.]73/and40a37.exe (US) File infrmatin: File Name: and40a37.exe File Size: bytes MD5: 13475d0fdba8dc7a648b57b10e8296d5 SHA1: feed5337c0a3b1fd55c78a976fbd a22e1 PE Time: 0x54636BD2 [Wed Nv 12 14:16: UTC] PEID Sig: Micrsft Visual C++ 8 Sectins (4): Name Entrpy MD5.text 6.42 c93f36300bb882b4671b7ef0a8bd4fba.rdata af9f1d8e50e49fdf Threat Advisry #1014 Page 12 f 16 Bts, Machines, and the Matrix

13 .data b24669aa9245cef2358a9d76dab97be.rsrc f0f11c aa0e65f04b95ed208 The malware appears t implement anti-reversing techniques preventing it frm prperly executing inside a VME. In a bare-metal system, the malware wrked prperly. This malware is believed t be a variant frm the Andrmeda Bt malware family. When the file was executed in a Windws 7 system, the fllwing activity was bserved: Dmain: Reslved IP: POST request: Made a cpy itself t: Hash f file cpied: a2kiaymster14902[.]cm [.]248 (China) /bla02/gate.php C:\PrgramData\msitygyd.exe 13475d0fdba8dc7a648b57b10e8296d5 Registry entrenchment: Key: HKLM\SOFTWARE\Micrsft\Windws\CurrentVersin\Plicies\Explrer\Run\ Value name: Value data: C:\PrgramData\msitygyd.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Ww6432Nde\Micrsft\Windws\ CurrentVersin\Plicies\Explrer\Run Value name: Value data: C:\PrgramData\msitygyd.exe Prcess Injectin: C:\Windws\SysWOW64\msiexec.exe The malware appears t have rtkit functinality. The hidden WinDefend service pints t the fllwing DLL: C:\Prgram Files (x86)\windws Defender\mpsvc.dll. The system was fund t have a valid mpsvc.dll file under the C:\Prgram Files\Windws Defender\ directry. The fllwing screensht shw GMER detecting the hidden service: The fllwing is a summary f all the dmains and IPs bserved during the analysis f the selected malware: a2kiaymster14902[.]cm [.]248 (China) Threat Advisry #1014 Page 13 f 16 Bts, Machines, and the Matrix

14 [.]62/and40a90.exe (US) b.9thegamejuststarted14k9[.]cm [.]74 (China) [.]184/ng40a54.exe / [.]184/and40a54.exe (China) nutqlfkq123a10[.]cm [.]140 (China) Fr infrmatin abut hashes related t this activity, please lk at the spreadsheet enclsed with this reprt which cntains relatinships between servers and hashes. Further Analysis And Crrelatin The fllwing diagram illustrates the relatinship between sme f the malicius servers, malware hsted/distributed, and vertical markets: Threat Advisry #1014 Page 14 f 16 Bts, Machines, and the Matrix

15 The fllwing diagram is based n the analysis/executin f sme f the malware hsted and distributed by the malicius servers. It illustrates the relatinship between sme f the malicius servers, lcatins, malware hsted/distributed, and malicius servers t which the malware beacns t with POST requests and t dwnlad additinal malware: The Fidelis Take This paper highlights campaigns that has cmprmised systems at significant enterprises wrldwide, utilizing varius bt malware. We are publishing these indicatrs s thers in the security research cmmunity can mnitr fr this activity and ptentially crrelate against ther campaigns and tls that are being investigated. General Dynamics Fidelis advanced threat defense prduct, Fidelis XPS, detects all f the activity dcumented in this paper. Further, we will cntinue t fllw this specific activity and actively mnitr the ever-evlving threat landscape fr the latest threats t ur custmers security. Threat Advisry #1014 Page 15 f 16 Bts, Machines, and the Matrix

16 References 1. Neutrin Bt (aka MS:Win32/Kasidet), June 2014: Renting a Zmbie Farm: Btnets and the Hacker Ecnmy, August 2014: 3. DrkBt, a Twin Btnet f NgrBt, August 2014: 4. Big Bx LatAm Hack (1st part - Betabt), January 2014: 5. A Gd Lk at the Andrmeda Btnet, April 2014: 6. CVE and Andrmeda A Massive HSBC themed campaign, June 2014: 7. Beta Bt A Cde Review, Nvember 2013: 8. Athena, A DDS Malware Odyssey, Nv 2013: 9. Andrmeda Btnet Gets an Update, July 2013: New Cmmercial Trjan #INTH3WILD: Meet Beta Bt, May 2013: A new bt n the market: Beta Bt, May 2013: Andrmeda Btnet Resurfaces, March 2013: Fled by Andrmeda, March 2013: Btnets Die Hard - Owned and Operated Defcn 20: July 2012: Enbdy-Btnets-Die-Hard.PDF.pdf 15. A Chat With NGR Bt, June 2012: Analysis f ngrbt, August 2011: Threat Advisry #1014 Page 16 f 16 Bts, Machines, and the Matrix