
Monday, June 11, 2018

Malware Traffic Analysis - A Very Special One

Networks being my primary focus of study, I'm working through the excellent exercises on the malware traffic analysis blog (http://www.malware-traffic-analysis.net/2017/02/11/index.html). What follows is my attempt at solving the one titled 'A Very Special One'. For this exercise, we get a packet capture of network traffic from the time of the incident and IDS alerts to help us figure out what's going on. My initial speculations follow:



Several IP addresses appear behind the same MAC address, which belongs to a Cisco device, and 10.3.14.134 continuously sends 54-byte TCP packets to these addresses. (54 bytes on the wire is exactly an Ethernet, IPv4 and TCP header with no payload, so these are handshake and ACK segments rather than data.) Both 10.3.14.254 and 10.3.14.1 appear to share this MAC too. External addresses sharing one MAC is what a capture on the LAN normally shows: any frame to an off-subnet host is addressed to the gateway at layer 2. 10.3.14.254 is the first address seen with this MAC, and it soon begins acting as a DNS server for 10.3.14.135. 'Simons-Mac' is 10.3.14.135, as indicated by its MAC address and its multicast DNS (mDNS) traffic.
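To make the layer-2 observation above checkable rather than eyeballed, here is an added example (not part of the original post or of the exercise) that walks a pcap using only the Python standard library and reports which IP addresses sit behind each MAC, which MAC fronts off-subnet addresses (the gateway), and which frames from a host are 54-byte payload-less TCP segments. The capture it parses is built inside the script: the MAC addresses, ports, timestamps and the one HTTP request are constructed stand-ins, not values from the exercise pcap; only the IP addresses quoted above are reused.

```python
"""Added example: minimal pcap walker (standard library only).

Rebuilds the layer-2 picture discussed above: which IPs sit behind each
MAC, which MAC fronts off-subnet addresses (the gateway), and which
frames are 54-byte payload-less TCP segments.  The capture is constructed
inside the script; MACs, ports and timestamps are stand-ins, not values
from the exercise pcap."""
import ipaddress
import struct
from collections import defaultdict

GW_MAC = "00:1d:7c:ab:00:01"    # constructed stand-in for the Cisco gateway
HOST_MAC = "a4:c3:61:aa:00:01"  # constructed stand-in for 10.3.14.134
LAN = ipaddress.ip_network("10.3.14.0/24")
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP, no options; checksums stay zero because we only parse."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Little-endian pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1486800000 + i, 0, len(f), len(f)) + f
    return out


def iter_frames(pcap):
    end = "<" if struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl]
        off += incl


def decode(frame):
    """Dict of the fields we need for an Ethernet/IPv4/TCP frame, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    t = 14 + ihl                                  # start of the TCP header
    if len(frame) < t + 20:
        return None
    ip_len = struct.unpack_from("!H", frame, 16)[0]
    data_off = (frame[t + 12] >> 4) * 4
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src_ip": str(ipaddress.ip_address(frame[26:30])),
        "dst_ip": str(ipaddress.ip_address(frame[30:34])),
        "flags": frame[t + 13],
        "payload": frame[t + data_off:14 + ip_len],
    }


def mac_ip_map(pcap):
    """MAC -> sorted IPs seen on either side of it."""
    seen = defaultdict(set)
    for p in filter(None, map(decode, iter_frames(pcap))):
        seen[p["src_mac"]].add(p["src_ip"])
        seen[p["dst_mac"]].add(p["dst_ip"])
    return {m: sorted(ips) for m, ips in seen.items()}


def gateway_macs(macmap, lan=LAN):
    """MACs that front addresses outside the LAN. Every frame to an off-subnet host is
    addressed to the router at layer 2, so external IPs 'share' its MAC without spoofing."""
    return sorted(m for m, ips in macmap.items()
                  if any(ipaddress.ip_address(i) not in lan for i in ips))


def empty_segments(pcap, src_ip):
    """(dst_ip, flags) of each payload-less TCP segment from src_ip. 54 bytes on the
    wire is exactly Ethernet(14)+IPv4(20)+TCP(20): handshake and ACK traffic, no data."""
    return [(p["dst_ip"], p["flags"]) for p in filter(None, map(decode, iter_frames(pcap)))
            if p["src_ip"] == src_ip and not p["payload"]]


# Constructed capture: 10.3.14.134 talks to two external hosts and to 10.3.14.1,
# all through the gateway MAC, and sends one HTTP request that carries a payload.
SAMPLE_PCAP = build_pcap([
    build_frame(HOST_MAC, GW_MAC, "10.3.14.134", "104.155.4.180", 49200, 80, SYN),
    build_frame(GW_MAC, HOST_MAC, "104.155.4.180", "10.3.14.134", 80, 49200, SYNACK),
    build_frame(HOST_MAC, GW_MAC, "10.3.14.134", "104.155.4.180", 49200, 80, ACK),
    build_frame(HOST_MAC, GW_MAC, "10.3.14.134", "104.155.4.180", 49200, 80, PSHACK,
                b"GET /x.exe HTTP/1.1\r\nHost: 104.155.4.180\r\n\r\n"),
    build_frame(HOST_MAC, GW_MAC, "10.3.14.134", "91.119.56.0", 49201, 80, SYN),
    build_frame(HOST_MAC, GW_MAC, "10.3.14.134", "10.3.14.1", 49202, 53, SYN),
])

if __name__ == "__main__":
    macmap = mac_ip_map(SAMPLE_PCAP)
    for mac, ips in macmap.items():
        print(mac, ips)
    print("gateway candidates:", gateway_macs(macmap))
    print("payload-less segments from 10.3.14.134:", empty_segments(SAMPLE_PCAP, "10.3.14.134"))
```

Run it as-is to see the constructed capture summarised; to apply it to the exercise pcap, read the file into `pcap` and call `mac_ip_map`, `gateway_macs` and `empty_segments` on it. Note that the same logic is what Wireshark's Endpoints view is showing when many IPs resolve to one Ethernet address.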


HTTP traffic shows 10.3.14.134 downloading an application/exe from 104.155.4.180, which triggered an IDS alert. Another address, 91.119.56.0, also triggered an IDS alert; it shows up with the MAC address of the victim's gateway, but that is expected for any external host, since frames to it are addressed to the router at layer 2, and is not a sign that the MAC was stolen. Interaction with 54.87.5.88 also triggered the IDS, with a 'Cerber Blockchain Query' alert. Inspecting HTTP traffic from 217.12.208.17 and reassembling the HTML page revealed a ransomware infection notice and a Bitcoin address to which payment was demanded:

1F7siW4UN4dmSjgeRhJBxSdNbaBeoCkSBV

Inspecting HTTP traffic to 186.2.163.47 shows that the user at 10.3.14.131 appears to have signed up for a Bitcoin payment service whose page reads:

1. You need to refill your deposit Bitcoin wallet to restore all data
2. You can choose different exchange markets to buy Bitcoins (see Help)
3. System will automatically fill up your balance once transaction will be executed.
4. Use calculator to understand the exact amount, which will be filled to your account.

Obviously this is to pay off the ransomware, but wasn't it 10.3.14.134 that was infected? I'm guessing that 134 is the kid's computer and 131 is the parent angrily agreeing to pay...



With some filtering, and by rendering some of the traffic as HTML, what I did find for sure was that the 10.3.14.131 host was the target of an HTTP 302 redirect, which may have led to its infection with a ransomware known as Spora:







The infection of 10.3.14.131 was evident from the reassembled page I later found asking for Bitcoin payment; as it happens, this host had visited a compromised website, 'Holiner Group', which caused the redirect:





This was not the only victim, though: 10.3.14.134 was also on the receiving end of ransomware, in this case Cerber. The following three images show first the download of a suspicious .exe file believed to be the cause of the infection, and then a web page subsequently viewed by the user informing them that their files have been encrypted and that payment is required to recover them:
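The three artefacts this post keys on (the 302 redirect that sent 10.3.14.131 to the Spora landing page, the executable download by 10.3.14.134, and the ransom page carrying a Bitcoin address) can all be picked out of reassembled HTTP responses mechanically. The following is an added example, not code from the original post or from the exercise, that triages a raw HTTP response: it reports a 3xx redirect and its Location, a body that starts with the PE "MZ" magic whatever the Content-Type header claims, and any Bitcoin address in an HTML body, verified with Base58Check so that a decoy string is not reported as a payment address. The three responses it runs on are constructed here (the redirect target is a placeholder hostname and the "executable" is just the magic plus padding); only the address quoted earlier in the post is reused.

```python
"""Added example: triage of reassembled HTTP responses.

Flags a 3xx redirect and where it points, a body that is a Windows PE
regardless of the declared Content-Type, and any Bitcoin address in an
HTML ransom note, checked with Base58Check so a decoy string is not
reported as a payment address.  The three responses are constructed for
the example; only the address quoted in the post above is reused."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_RE = re.compile(r"\b[13][%s]{25,34}\b" % B58)   # legacy P2PKH / P2SH shape


def parse_response(raw):
    """Split 'HTTP/1.x code reason' + headers + body into (code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body


def is_valid_btc_address(addr):
    """Base58Check for a 25-byte (version + hash160 + checksum) legacy address:
    the last 4 bytes must equal SHA256(SHA256(first 21 bytes))[:4]."""
    n = 0
    for ch in addr:
        if ch not in B58:          # '0', 'O', 'I', 'l' are not in the alphabet
            return False
        n = n * 58 + B58.index(ch)
    if n.bit_length() > 25 * 8:
        return False
    raw = n.to_bytes(25, "big")    # leading '1's become leading zero bytes
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[21:] == check


def triage(raw):
    """List of (kind, detail...) findings for one HTTP response."""
    code, headers, body = parse_response(raw)
    findings = []
    if 300 <= code < 400 and "location" in headers:
        findings.append(("redirect", code, headers["location"]))
    ctype = headers.get("content-type", "")
    if body.startswith(b"MZ"):                        # PE magic: trust bytes, not headers
        findings.append(("executable", ctype or "(no content-type)"))
    if "text/html" in ctype or body.lstrip().startswith(b"<"):
        for addr in sorted(set(BTC_RE.findall(body.decode("latin-1")))):
            findings.append(("btc_address", addr, is_valid_btc_address(addr)))
    return findings


# Constructed responses (not the captured ones).  The Location target is a
# placeholder name; the PE is just the magic plus padding.
REDIRECT = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://redirector.invalid/gate.php\r\n"
            b"Content-Length: 0\r\n\r\n")
EXE = (b"HTTP/1.1 200 OK\r\n"
       b"Content-Type: text/plain\r\n"           # misleading type, common for droppers
       b"Content-Length: 64\r\n\r\n"
       b"MZ\x90\x00" + b"\x00" * 60)
NOTE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body><p>Your files are encrypted. Send payment to "
        b"1F7siW4UN4dmSjgeRhJBxSdNbaBeoCkSBV</p></body></html>")

if __name__ == "__main__":
    for name, resp in (("redirect", REDIRECT), ("exe", EXE), ("note", NOTE)):
        print(name, triage(resp))
```

The third element of a `btc_address` finding is the checksum result, so an address that fails it (a typo in the note, or a string that merely looks like an address) is still listed but marked False. Feed the function the bytes of each exported HTTP object (Wireshark's File > Export Objects > HTTP gives the bodies; the status line and headers come from Follow TCP Stream) to apply the same checks to the exercise traffic.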
















All in all, a lot of fun! Finally, here are links to the Malwarebytes blog posts detailing the Spora and Cerber ransomware families:

https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/
https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/







