The Value of Being Able to Perform Threat Analysis outside the Boundaries of Your Enterprise…
Looking at Dmitry Bestuzhev’s piece about AZORult cryptominer spreading as a fake ProtonVPN installer[1], I took a glance in Augury at what we have for the malware hashes he provided and many are still very low in terms of their detection rate: 6 to 21 out of 39 AV tools detected these hashes today depending on the exact variant.
Augury has complete runtime and static analysis for eleven samples that involve this URL: account.protonvpn[.]store, and we did see traffic to the C2 (195.122.229[.]41:80) in our automated runtime analysis over several of the samples.
At least four of the Kaspersky samples have a DNSRR for account.protonvpn[.]store pointing to this same IP address (195.122.229[.]41:80), in addition to some UDP traffic to other IPs on ports 67, 123 and 5355. The address is in Nizhniy Novgorod, Russia, part of a small block (195.122.229.0 – 195.122.229.255) registered to “Mobile TeleSystems PJSC”:
% Information related to '195.122.229.0 - 195.122.229.255'
% Abuse contact for '195.122.229.0 - 195.122.229.255' is 'abuse@mtu.ru'
inetnum: 195.122.229.0 - 195.122.229.255
netname: STATIC-NAT
descr: Mobile TeleSystems PJSC
descr: Nizhny Novgorod
country: RU
admin-c: SND-RIPE
tech-c: SND-RIPE
tech-c: SND-RIPE
status: ASSIGNED PA
mnt-by: AS8580-MNT
created: 2002-11-21T14:16:26Z
last-modified: 2020-02-04T05:46:55Z
source: RIPE # Filtered

role: SANDY ISP Network Operation Center
address: Mobile TeleSystems OJSC Macro-region "Povolje"
address: 168a, Gagarina prospect
address: Nizhny Novgorod, 603009, Russia
phone: +7 831 2728930
fax-no: +7 831 2728998
remarks: trouble: -------------------------------------------------
remarks: trouble: Please report SPAM and Network security issues to
remarks: trouble: noc.nnov@mts.ru
remarks: trouble: -------------------------------------------------
tech-c: SYZ1-RIPE
nic-hdl: SND-RIPE
mnt-by: AS8580-MNT
created: 2002-03-12T13:25:47Z
last-modified: 2016-07-25T06:06:24Z
source: RIPE # Filtered
abuse-mailbox: noc.nnov@mts.ru

% Information related to '195.122.224.0/19AS8580'
route: 195.122.224.0/19
descr: Closed Join Stock Company "KOMSTAR-Regiony"
descr: Communication Service Centre of the Volga Region Branch in Nizhny Novgorod
descr: 46 Ulyanov St.
descr: N.Novgorod 603600
descr: Russia
origin: AS8580
mnt-by: AS8580-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2019-07-08T14:20:40Z
source: RIPE # Filtered
Some of this activity is in the last few days for the more recent samples, and shows the malware doing HTTP POSTs to http://account.protonvpn[.]store/index.php using a User Agent string of “Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)”. This User Agent string appears to be a reliable indicator for identifying AZORult v3.x, and we show 26,280 records in our data that use this User Agent string.
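One way to hunt for the User Agent indicator described above in your own web proxy logs (an added example, not code from the original post or from Augury). The combined-style log layout, the `c2.example.test` host, the sample lines and the high/low labels are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User Agent string the post reports in AZORult v3.x C2 traffic.
AZORULT_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"

# Assumed log layout (not from the post): "combined"-style proxy access log.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def find_azorult_checkins(lines):
    """Map each internal source host to its (timestamp, url, confidence) hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or m["ua"].strip() != AZORULT_UA:
            continue  # unparsable line or a different User Agent
        # The post describes HTTP POSTs to /index.php; a request with the UA
        # but another shape is kept as a lower-confidence lead. The labels
        # are this example's assumption.
        path = urlsplit(m["url"]).path
        checkin = m["method"] == "POST" and path.endswith("/index.php")
        hits[m["src"]].append((m["ts"], m["url"], "high" if checkin else "low"))
    return dict(hits)

# Constructed sample log lines; hosts, times and sizes are illustrative.
_TAIL = ' 200 512 "-" "' + AZORULT_UA + '"'
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2020:09:14:02 +0000] "POST http://c2.example.test/index.php HTTP/1.1"' + _TAIL,
    '10.0.0.7 - - [18/Feb/2020:09:14:09 +0000] "GET http://www.example.test/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [18/Feb/2020:09:15:30 +0000] "GET http://www.example.test/favicon.ico HTTP/1.1"' + _TAIL,
    '10.0.0.5 - - [18/Feb/2020:09:44:02 +0000] "POST http://c2.example.test/index.php HTTP/1.1"' + _TAIL,
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for host, events in sorted(find_azorult_checkins(SAMPLE_LOG).items()):
        for ts, url, confidence in events:
            print(f"{host}  {ts}  {confidence:<4}  {url}")
```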
Pivoting off this C2 in a second Augury query reveals the specific network traffic involving this IP from Russia for the last 30 days, and we can say for certain that TCP port 445 was open on the 20th and 21st of January this year: netbios-ssn. We also see multiple connections on tcp:445 with a host of wildly disparate IPs from various exotic locations.
At the start of February we observed some possible BitTorrent traffic with an IP in the Denver area that was also compromised, and then on Valentine’s Day we noted TCP port 554 was open on this Russian IP.
Overall, we see a great deal of network traffic involving this Russian IP for the last 30 days, and it would need a lot more analysis to determine if we can see a trace of the miscreant in here, but they are almost certainly in here somewhere.
Why do we care?
Well, first off, I love ProtonMail, and this is a sensible demographic to target (high-value data amongst the millions of happy encrypted ProtonMail users); so that’s bad.
But also, as attention focuses on the Russian IP (before they move), you can see how Augury gives you the context from the activity outside of your own network visibility. It’s unique and we look forward to bringing you more samples and more insight from IOCs that we run through Augury.
[1] https://securelist.com/azorult-spreads-as-a-fake-protonvpn-installer/96261/