Kaspersky Lab… also in my list of DDoS attacks! [by SpyEye]

The title of this post suggests that I’ve been thinking about one of the cyber-criminals who use SpyEye, maybe even in admiration! But actually his cyber-criminal actions overshadow anything else.

The truth is that, following my post highlighting the tactic of using one of Amazon's Cloud Computing services as a C&C, I found a SpyEye sample that is somewhat interesting: among its goals is a DDoS attack directed against the Kaspersky Lab website.

The SpyEye configuration file, which is basically a compressed, password-protected file (usually MD5), stores the resources involved in the planned attack. The surprise came when I looked at the configuration file of the DDoS plugin (ddos.dll.cfg). The following image shows the parameters set in this file:

As we can see, our website is listed as a target. The syntax for setting parameters in the DDoS SpyEye plugin is type-target-port-time:

  • Type: the attack type. The configuration specifies SYN attacks against the Kaspersky Lab and SpyEye Tracker websites, plus a UDP attack against Kaspersky Lab only. SpyEye also accepts the Slowloris DDoS attack.
  • Target: the website attacked (Kaspersky Lab and SpyEye Tracker).
  • Port: the destination port through which the attack is carried out (443 and 80).
  • Time: the time period during which the attacks are to be made. By default these values are in seconds for the SYN and UDP attacks; for the Slowloris attack the value is expressed in minutes.

But this was not the only surprise! Looking in the other configuration files, specifically in the Custom Connector plugin (customconnector.dll.cfg), I saw a domain that looks familiar: http://[DELETE]/~ishigo/sp/main/gate.php
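The type-target-port-time syntax described above, parsed the way an analyst would when triaging an extracted ddos.dll.cfg. This is an added example, not SpyEye's code or the post's own; it assumes hyphen separators, assumes the type tokens are spelled syn, udp and slowloris, and uses constructed placeholder hosts rather than the real targets.

```python
from __future__ import annotations
from dataclasses import dataclass

# Duration unit per attack type, as the post describes: SYN and UDP
# times are in seconds, Slowloris times in minutes. The type tokens
# 'syn', 'udp' and 'slowloris' are assumed spellings for this example.
DURATION_UNIT_SECONDS = {"syn": 1, "udp": 1, "slowloris": 60}

@dataclass(frozen=True)
class DdosTask:
    attack_type: str
    target: str
    port: int
    duration_seconds: int  # normalised so tasks are comparable

def parse_task(line: str) -> DdosTask:
    """Parse one type-target-port-time line; ValueError if malformed.
    Hyphen separators are assumed. Split from the right so that a
    target containing '-' (e.g. 'my-host.example') still parses.
    """
    head, port_str, time_str = line.strip().rsplit("-", 2)
    attack_type, target = head.split("-", 1)
    attack_type = attack_type.lower()
    if attack_type not in DURATION_UNIT_SECONDS:
        raise ValueError(f"unknown attack type: {attack_type!r}")
    port = int(port_str)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    duration = int(time_str) * DURATION_UNIT_SECONDS[attack_type]
    if duration <= 0:
        raise ValueError(f"non-positive duration: {time_str!r}")
    return DdosTask(attack_type, target, port, duration)

def parse_config(text: str) -> list[DdosTask]:
    """Parse a whole config body, skipping blank lines."""
    return [parse_task(line) for line in text.splitlines() if line.strip()]

def targets(tasks: list[DdosTask]) -> set[str]:
    """Unique victim hosts, for reporting or blocklist cross-checks."""
    return {t.target for t in tasks}

# Constructed sample in the post's syntax; hosts are placeholders, not
# the real targets from the sample.
SAMPLE_CFG = """\
syn-www.example.org-443-600
syn-www.example.org-80-600
udp-www.example.org-80-300
slowloris-tracker.example.net-80-10
"""
```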

Custom Connector is a plugin that allows communication between the zombies and the C&C server through gate.php. Looking back at information from previous research, I found a domain (in the same IP range) with a similar structure, but that one was involved in the Ice IX case. The following image is a fragment of the report obtained from an analysis of Ice IX:

Ishigo is the name of a botmaster who is very active in the cyber-criminal landscape, operating mainly through the ZeuS and SpyEye crimeware and now also experimenting with Ice IX.

Whether or not this is just a casual attempt at a DDoS attack on our portal, we will continue to investigate the activities of this and other botmasters. So I’ll keep you posted!
