Research

Kaspersky Lab… also in my list of DDoS attacks! [by SpyEye]

The title of this post suggests that I’ve been thinking of one of the cyber-criminals that uses SpyEye, maybe in admiration! But actually his cyber-criminal actions overshadow anything else.

The truth is that, following my post highlighting the tactic of using as C&C one of the Cloud Computing services offered by Amazon, I found a sample of SpyEye that is somewhat interesting: among its goals is an attack DDoS directed against the Kaspersky Lab website.

The SpyEye configuration file, which is basically a compressed file and password protected (usually MD5), stores the resources involved in the planned attack. The surprise came when I looked at the configuration file of the plugin (ddos.dll.cfg). The following image shows the parameters set in this file:

As we can see, our website is listed as a target. The syntax for setting parameters in the DDoS SpyEye plugin is type-target-port-time:

  • Type: DDoS SYN attacks against Kaspersky Lab and SpyEye Tracker websites, plus a UDP attack only against Kaspersky Lab. Also SpyEye accepts the Slowloris DDoS attack.
  • Target: web site attacked (Kaspersky Lab and SpyEye Tracker).
  • Port: the destination ports through which attack (443 and 80).
  • Time: the time period in which the attacks are to be made. By default, these values are in seconds for attacks using SYN and UDP protocols. For the Slowloris attack the value is expressed in minutes.
  • But this was not the only surprise! Looking in the other configuration files, specifically in the Custom Connector plugin (customconnector.dll.cfg), I see a domain that looks familiar: http://[DELETE]/~ishigo/sp/main/gate.php

    Custom Connection is a plugin that allows for communication between the zombies and C&C server through gate.php. Looking back at information from previous research, I found a domain (same IP range) with a similar structure, but this was involved in the case Ice IX. The following image is a fragment of the report obtained from an analysis of Ice IX:

    Ishigo is the name of a botmaster who is very active in the cyber-criminal landscape, operating mainly through the crimeware ZeuS, SpyEye and now also experimenting with Ice IX.

    Whether or not this is just a casual attempt to DDoS attack our portal, we will continue to investigate the activities of this and other botmasters. So I’ll keep you posted!

    Kaspersky Lab… also in my list of DDoS attacks! [by SpyEye]

    Your email address will not be published. Required fields are marked *

     

    Reports

    APT trends report Q3 2021

    The APT trends reports are based on our threat intelligence research and provide a representative snapshot of what we have discussed in greater detail in our private APT reports. This is our latest installment, focusing on activities that we observed during Q3 2021.

    Lyceum group reborn

    According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia.

    GhostEmperor: From ProxyLogon to kernel mode

    While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

    Subscribe to our weekly e-mails

    The hottest research right in your inbox