{"id":5870,"date":"2017-01-18T22:53:20","date_gmt":"2017-01-18T22:53:20","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/18\/news-75\/"},"modified":"2017-01-18T22:53:20","modified_gmt":"2017-01-18T22:53:20","slug":"news-75","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/18\/news-75\/","title":{"rendered":"The curious case of a Sundown EK variant dropping a Cryptocurrency Miner (updated)"},"content":{"rendered":"<p><em>This post was authored by\u00a0<span class=\"s2\">@<a href=\"https:\/\/twitter.com\/hasherezade\" target=\"_blank\">hasherezade<\/a>\u00a0and\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/author\/jeromesegura\/\" target=\"_blank\">J\u00e9r\u00f4me Segura<\/a><\/span><\/em><\/p>\n<p>We recently encountered an atypical case of Sundown EK in the wild &#8211; usually the landing page is obfuscated, but in this case there was plain JavaScript. The exploit was dropping some malicious payloads that we took for further analysis. It turned out that they are also atypical in many ways. 
In this article, we will describe the details of our investigation.<\/p>\n<h3>Exploit Kit<\/h3>\n<p><em>[Edit] SpiderLabs has <a href=\"https:\/\/www.trustwave.com\/Resources\/SpiderLabs-Blog\/Terror-Exploit-Kit--More-like-Error-Exploit-Kit\/\" target=\"_blank\">written<\/a> about this EK and calls it Terror EK.<\/em><\/p>\n<p>This exploit kit has a different serving infrastructure than what we are used to seeing, but it is\u00a0essentially the same Sundown EK codebase that we know.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Sundown_Variant_.png\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15932\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Sundown_Variant_.png\" alt=\"sundown_variant_\" width=\"1082\" height=\"176\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Sundown_Variant_.png 1082w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Sundown_Variant_-300x49.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Sundown_Variant_-600x98.png 600w\" sizes=\"auto, (max-width: 1082px) 100vw, 1082px\" \/><\/a><\/p>\n<p>In comparison, here&#8217;s a fresh <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/updated-sundown-exploit-kit-uses-steganography\/\" target=\"_blank\">Sundown EK, using steganography<\/a>\u00a0where we can see that both EKs share the same Flash exploit.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Fresh_Sundown.png\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15931\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Fresh_Sundown.png\" alt=\"fresh_sundown\" width=\"1069\" height=\"141\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Fresh_Sundown.png 1069w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Fresh_Sundown-300x40.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Fresh_Sundown-600x79.png 600w\" sizes=\"auto, (max-width: 1069px) 100vw, 1069px\" \/><\/a><\/p>\n<p>The landing page for this variant has almost no obfuscation, which was a bit of an <a href=\"https:\/\/twitter.com\/HenriNurmi\/status\/816676151603105793\" target=\"_blank\">oddity<\/a>:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/code.png\" data-rel=\"lightbox-2\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15935\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/code.png\" alt=\"code\" width=\"728\" height=\"624\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/code.png 728w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/code-300x257.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/code-600x514.png 600w\" sizes=\"auto, (max-width: 728px) 100vw, 728px\" \/><\/a><\/p>\n<p>The infrastructure for pushing this EK\u00a0relies on a few domains all hosted on the same IP address:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/149.202.164.86.png\" data-rel=\"lightbox-3\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15934\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/149.202.164.86.png\" alt=\"149-202-164-86\" width=\"927\" height=\"799\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/149.202.164.86.png 927w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/149.202.164.86-300x259.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/149.202.164.86-600x517.png 600w\" sizes=\"auto, (max-width: 927px) 100vw, 927px\" \/><\/a><\/p>\n<p>The payload URL (<em>pastetext.biz<\/em>) is also tied 
to the same EK distributor, hinting at a single-actor operation.<\/p>\n<h3>Payload &#8211; Cryptocurrency miner<\/h3>\n<p><em>Analyzed samples<\/em><\/p>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/3826017cc19f829ccc17893803de42028cd1ebbd99dad24ab9ed984c9dae57b8\/analysis\/\" target=\"_blank\">0f597c738f2e1a58c03a69f66825fa80<\/a> &#8211; original sample, dropped by EK (UPX packed)\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/30ba2cbe1202a96258d605d7318d1775d616b4bf3dcabd155b531128464daa2d\/analysis\/1483749344\/\" target=\"_blank\">22e4113fb0a9d136a56988f7a10c46b8<\/a> &#8211; payload (miner) &#8211; UPX packed\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/541888040a3c01902d646ba13a8d48bdf5d18da917820e1b06075beed205fd55\/analysis\/1483676986\/\" target=\"_blank\">9f2c0ae3cb7ae032bd66f025fcb93f03<\/a> &#8211; payload (miner) &#8211; UPX layer removed<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><em>Behavioral analysis<br \/> <\/em><\/p>\n<p>The application does not use any special trick in order to hide itself. It only tries to mislead the user with its process name. 
In the analyzed case it was called &#8220;Windows Backup&#8221;:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15940\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/loader_deployes.png\" alt=\"loader_deployes\" width=\"745\" height=\"51\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/loader_deployes.png 745w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/loader_deployes-300x21.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/loader_deployes-600x41.png 600w\" sizes=\"auto, (max-width: 745px) 100vw, 745px\" \/><\/p>\n<p>We can see it establishing an internet connection:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15941\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/loader_deployed.png\" alt=\"loader_deployed\" width=\"518\" height=\"165\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/loader_deployed.png 518w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/loader_deployed-300x96.png 300w\" sizes=\"auto, (max-width: 518px) 100vw, 518px\" \/><\/p>\n<p>The network communication is pretty straightforward &#8211; everything goes in the clear.<\/p>\n<p>First, the application connects to Pastebin and retrieves a stored note, which seems to be a set of parameters for some application. 
Looking at the link and keywords, we can easily guess that it is related to mining cryptocurrency:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15939\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pastebin_conn.png\" alt=\"pastebin_conn\" width=\"584\" height=\"265\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pastebin_conn.png 584w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pastebin_conn-300x136.png 300w\" sizes=\"auto, (max-width: 584px) 100vw, 584px\" \/><\/p>\n<p>Then it logs into the service using the login &#8216;lovemonero2.worker@hotmail.com&#8217; and the password &#8216;x&#8217;:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15938\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/login.png\" alt=\"login\" width=\"888\" height=\"201\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/login.png 888w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/login-300x68.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/login-600x136.png 600w\" sizes=\"auto, (max-width: 888px) 100vw, 888px\" \/><\/p>\n<p><em>Unpacking<\/em><\/p>\n<p>The initial sample is a 64-bit PE file. During the initial assessment we found that it is packed with UPX, so I removed this layer using a standard UPX decompressor. 
As a result, I got the following PE file &#8211; with 3 resources:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15905\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/layout.png\" alt=\"layout\" width=\"1018\" height=\"452\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/layout.png 1018w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/layout-300x133.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/layout-600x266.png 600w\" sizes=\"auto, (max-width: 1018px) 100vw, 1018px\" \/><\/p>\n<p>I started by having a look at the resources, because they often contain (encrypted) payloads. In the current case, all of them had a structure resembling PE files &#8211; just slightly obfuscated:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15906\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/resources.png\" alt=\"resources\" width=\"706\" height=\"325\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/resources.png 706w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/resources-300x138.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/resources-600x276.png 600w\" sizes=\"auto, (max-width: 706px) 100vw, 706px\" \/><\/p>\n<p>See the suspicious string from the dumped resource file:<\/p>\n<pre>M.\"Uijt!qsphsbn!dboopu!cf!svo!jo!EPT!npef  <\/pre>\n<p>It resembles the string typical of the DOS stub:<\/p>\n<pre>L.!This program cannot be run in DOS mode  <\/pre>\n<p>It was easy to deduce what method of obfuscation was used there &#8211; 1 was added to each ASCII character value. 
Knowing this, it was easy to write a decoding function, for example:<\/p>\n<pre>def decode(data):\n    # data: the obfuscated resource as bytes or bytearray (Python 3)\n    # every byte was obfuscated by adding 1, so subtract 1 (mod 256) to restore it\n    key = 1\n    decoded = bytearray()\n    for b in data:\n        decoded.append((b - key) &amp; 0xFF)\n    return decoded\n<\/pre>\n<p>As a result we got 3 PE files (each of them starts after the data prepended at the beginning):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15922\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/decrypt_result.png\" alt=\"decrypt_result\" width=\"708\" height=\"323\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/decrypt_result.png 708w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/decrypt_result-300x137.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/decrypt_result-600x274.png 600w\" sizes=\"auto, (max-width: 708px) 100vw, 708px\" \/><\/p>\n<p>Two of them were legitimate DLLs: MSVCR120.dll &#8211; 32-bit and 64-bit versions. The remaining PE file was the real payload &#8211; again UPX compressed. 
I got it unpacked without any problems with the help of the original UPX tool:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15907\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/upx_d.png\" alt=\"upx_d\" width=\"672\" height=\"166\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/upx_d.png 672w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/upx_d-300x74.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/upx_d-600x148.png 600w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><\/p>\n<p><em>Curious links<\/em><\/p>\n<p>A quick look at the strings referenced by the binary revealed various commands explaining the tool&#8217;s purpose:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15909\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/commands.png\" alt=\"commands\" width=\"889\" height=\"480\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/commands.png 889w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/commands-300x162.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/commands-600x324.png 600w\" sizes=\"auto, (max-width: 889px) 100vw, 889px\" \/><\/p>\n<p>We can easily guess that it is meant for mining some cryptocurrency (the default guess is Bitcoin &#8211; but is it really?).<\/p>\n<p>It also revealed some curious links:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15908\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/links.png\" alt=\"links\" width=\"826\" height=\"833\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/links.png 826w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/links-150x150.png 150w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/links-297x300.png 297w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/links-595x600.png 595w\" sizes=\"auto, (max-width: 826px) 100vw, 826px\" \/><\/p>\n<p>Following the links led me to a Pastebin account for a user called &#8220;LoveMonero&#8221;:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15914\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pastebin1.png\" alt=\"pastebin1\" width=\"858\" height=\"444\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pastebin1.png 858w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pastebin1-300x155.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pastebin1-600x310.png 600w\" sizes=\"auto, (max-width: 858px) 100vw, 858px\" \/><\/p>\n<p>And, more interestingly, to his GitHub account:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15911\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github.png\" alt=\"github\" width=\"1013\" height=\"918\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github.png 1013w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github-300x272.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github-600x544.png 600w\" sizes=\"auto, (max-width: 1013px) 100vw, 1013px\" \/><\/p>\n<p><em>The name of the user &#8211; LoveMonero &#8211; suggests that this application is not used to mine Bitcoin, but another cryptocurrency &#8211; <a href=\"https:\/\/en.wikipedia.org\/wiki\/Monero_(cryptocurrency)\" target=\"_blank\">Monero<\/a>. 
This choice makes sense, because Bitcoin mining is more and more saturated &#8211; nowadays mining it is much more difficult and resource-consuming than it was in the past, when the currency was still young.<\/em><\/p>\n<p>He stored there not only the source code of the tool, but also links with parameters (the same as on Pastebin and in the binary).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15919\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github_upd.png\" alt=\"github_upd\" width=\"981\" height=\"191\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github_upd.png 981w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github_upd-300x58.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github_upd-600x117.png 600w\" sizes=\"auto, (max-width: 981px) 100vw, 981px\" \/><\/p>\n<p>The file was edited just 4 hours ago &#8211; meaning it is still fresh and actively maintained.<\/p>\n<p>In the same repo, we can even find the links from which the malware was downloaded during the campaign!<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15918\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github_link.png\" alt=\"github_link\" width=\"532\" height=\"437\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github_link.png 532w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/github_link-300x246.png 300w\" sizes=\"auto, (max-width: 532px) 100vw, 532px\" \/><\/p>\n<p>We can see that it is exactly the same link that was used by the Exploit Kit:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15942\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/refs.png\" alt=\"refs\" width=\"773\" height=\"36\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/refs.png 773w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/refs-300x14.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/refs-600x28.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/refs-767x36.png 767w\" sizes=\"auto, (max-width: 773px) 100vw, 773px\" \/><\/p>\n<p>Linked executables:<\/p>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/d3c4869b76c30563c93b6d6e880369c3cd8fd8045161e7f32f5ef8e797103248\/analysis\/\" target=\"_blank\">hxxp:\/\/158.69.86.203\/downloadupdate.exe <\/a><\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/a67834b5878ab89771df09956534ee376e0c451e1b92a244febcf3e9c102d879\/analysis\/\" target=\"_blank\">hxxp:\/\/158.69.86.203\/downloadupdate2.exe <\/a><\/li>\n<\/ul>\n<p>As it turns out, the project is based on an open-source tool for mining cryptocurrencies: <a href=\"https:\/\/github.com\/tsiv\/ccminer-cryptonight\">ccminer-cryptonight<\/a>. 
However, there are some modifications.<\/p>\n<p>Fetching the repository, we can find all the commits starting from 20th November 2016:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15920\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/project_start.png\" alt=\"project_start\" width=\"603\" height=\"103\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/project_start.png 603w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/project_start-300x51.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/project_start-600x102.png 600w\" sizes=\"auto, (max-width: 603px) 100vw, 603px\" \/><\/p>\n<p>The initial e-mail: <em>davidgreenwoodjazz@gmail.com<\/em> (also used for <a href=\"http:\/\/domainbigdata.com\/gmail.com\/mj\/7E9YfgGbQGAbDZkaS7rtI_gcDQ1sQHOUMcpP6UZg4b0\" target=\"_blank\">domain registration<\/a>) was changed to the familiar name &#8211; <em>lovemonero<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15921\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/real_email.png\" alt=\"real_email\" width=\"820\" height=\"75\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/real_email.png 820w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/real_email-300x27.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/real_email-600x55.png 600w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\" \/><\/p>\n<p>Inside the code we can find the same strings that are referenced in the dropped payload, confirming the guess that this code is related to the dropped application:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15926\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/util_c.png\" alt=\"util_c\" width=\"799\" height=\"316\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/util_c.png 799w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/util_c-300x119.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/util_c-600x237.png 600w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><\/p>\n<p>From the binary:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15925\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/methods.png\" alt=\"methods\" width=\"1149\" height=\"393\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/methods.png 1149w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/methods-300x103.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/methods-600x205.png 600w\" sizes=\"auto, (max-width: 1149px) 100vw, 1149px\" \/><\/p>\n<p>However, the stored source code doesn&#8217;t seem to be complete.<\/p>\n<h3>Conclusion<\/h3>\n<p>This campaign looks strange to us because it has been prepared in an extremely careless way. A lot of traces were left in the application as well as in the GitHub profile.<\/p>\n<p>Since the release of the open-source code of DDoS tools (Mirai) and ransomware (HiddenTear, Eda2), we can see a trend of more and more novices trying their luck in cybercrime. 
This application is yet another example of this tendency.<\/p>\n<h3>IOCs:<\/h3>\n<p><span style=\"text-decoration: underline\">Domains<\/span>:<\/p>\n<p><em>empowernetwork1.us<\/em><br \/> <em>empowernetwork2.us<\/em><br \/> <em>empowernetwork3.us<\/em><br \/> <em>empowernetwork4.us<\/em><br \/> <em>empowernetwork5.us<\/em><br \/> <em>empowernetwork6.us<\/em><br \/> <em>empowernetwork7.us<\/em><br \/> <em>empowernetwork8.us<\/em><br \/> <em>empowernetwork9.us<\/em><br \/> <em>empowernetwork1.biz<\/em><br \/> <em>empowernetwork2.biz<\/em><br \/> <em>empowernetwork3.biz<\/em><br \/> <em>empowernetwork4.biz<\/em><br \/> <em>website1.empowernetworkpackage.biz<\/em><br \/> <em>website2.empowernetworkpackage.biz<\/em><br \/> <em>website3.empowernetworkpackage.biz<\/em><br \/> <em>website4.empowernetworkpackage.biz<\/em><br \/> <em>website5.empowernetworkpackage.biz<\/em><br \/> <em>website6.empowernetworkpackage.biz<\/em><br \/> <em>website7.empowernetworkpackage.biz<\/em><br \/> <em>website8.empowernetworkpackage.biz<\/em><br \/> <em>website9.empowernetworkpackage.biz<\/em><br \/> <em>website1.empowernetworksolutions.biz<\/em><br \/> <em>website2.empowernetworksolutions.biz<\/em><br \/> <em>website3.empowernetworksolutions.biz<\/em><br \/> <em>website4.empowernetworksolutions.biz<\/em><br \/> <em>website5.empowernetworksolutions.biz<\/em><br \/> <em>website6.empowernetworksolutions.biz<\/em><br \/> <em>website7.empowernetworksolutions.biz<\/em><br \/> <em>website8.empowernetworksolutions.biz<\/em><br \/> <em>website9.empowernetworksolutions.biz<\/em><br \/> <em>empirenetworksol.com<\/em><br \/> <em>kitempowernetwork.com<\/em><br \/> <em>empowernetworkpackage.com<\/em><br \/> <em>empowernetworksolutions.com<br \/> pastetext.biz<br \/> empowernetworkads.com<br \/> <\/em><\/p>\n<p><span style=\"text-decoration: underline\">IPs:<\/span><\/p>\n<p><em>149.202.164.86<br \/> <\/em><em>158.69.87.196<br \/> 158.69.86.203<\/em><\/p>\n<p><a 
href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/the-curious-case-of-a-sundown-ek-variant-dropping-a-cryptocurrency-miner\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/the-curious-case-of-a-sundown-ek-variant-dropping-a-cryptocurrency-miner\/' title='The curious case of a Sundown EK variant dropping a Cryptocurrency Miner (updated)'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2014\/03\/photodune-6963431-bitcoin-concept-m.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>A strange variant or copycat of Sundown EK drops an unexpected payload that we decided to look deeper into.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/bitcoin\/\" rel=\"tag\">bitcoin<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/crypto\/\" rel=\"tag\">crypto<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/monero\/\" rel=\"tag\">monero<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/sundown-ek\/\" rel=\"tag\">Sundown EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/sundownek\/\" rel=\"tag\">sundownek<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/the-curious-case-of-a-sundown-ek-variant-dropping-a-cryptocurrency-miner\/' title='The curious case of a Sundown EK variant dropping a Cryptocurrency Miner (updated)'>Read 
more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10490,10537,4503,10538,10539,10540],"class_list":["post-5870","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-bitcoin","tag-crypto","tag-cybercrime","tag-monero","tag-sundown-ek","tag-sundownek"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/5870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=5870"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/5870\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=5870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=5870"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=5870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}