Malware Delivered! Analyzing Disttrack's Distribution Server

While they were collecting files from the third wave of Shamoon 2, Unit 42 threat researchers at Palo Alto Networks discovered something new: a ZIP archive containing files that help Disttrack infect other systems in the target network. The threat actor deploys this archive from a single compromised system on the network once they've logged in with Remote Desktop Protocol (RDP) using legitimate credentials. Currently, it's not clear how the attackers initially compromise that system and gain RDP access. Among other files, the ZIP archive contains files "1.txt" through "400.txt." These are text files that contain a list of hostnames of systems on the network. These are essential to "ok.bat," another file contained in the archive. Unit 42 researchers Robert Falcone and Bryan Lee explain in a blog post:
"The 'ok.bat' batch script runs once per hostname mentioned above. This batch script is responsible for deploying Disttrack on each of these systems on the network. The script begins by copying two files to the 'C:\Windows\temp' folder on the remote system. The two copied files – named 'ntertmgr32.exe' and 'ntertmgr32.bat' – are the Disttrack payload and a batch script used to install the Disttrack payload on the local system, respectively. The 'ok.bat' script uses the PAExec ('pa.exe') application to run the 'ntertmgr32.bat' installation script on the remote system. The batch script also attempts to clear event logs via the Windows built-in 'wevtutil' utility in an attempt to conceal their activities and disrupt incident response and forensic analysis."

Once the 'ntertmgr32.bat' batch script installs Disttrack on the local system and the malware executes, it begins to overwrite the MBR and partition tables. It also attempts to spread by logging in to the system, copying itself, and executing on other systems in the same subnet. You can learn more about how Shamoon 2 deploys Disttrack in the video below: https://youtu.be/Yk5ay47yWjw
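The deployment steps described above leave a recognisable trail in process-creation telemetry: Disttrack files landing in C:\Windows\temp, PAExec launching a batch script from that folder, and wevtutil clearing event logs on the target. The following Python script is an added example written for this post, not code from Unit 42 or from the Shamoon 2 archive. It runs a small detection pass over constructed log lines in an invented key=value format; the hostnames, usernames, paths and command-line syntax in the sample are assumptions, and the rules key only on indicators the post names (the ntertmgr32.exe/.bat file names, the C:\Windows\temp staging folder, pa.exe, and wevtutil's log-clearing subcommands).

```python
import re
from collections import defaultdict

# Constructed sample telemetry: one process-creation event per line, in a
# made-up "<timestamp> host=... user=... image=... cmdline=..." format.
# Hostnames, users and the copy/pa.exe command lines are invented; only the
# file names, staging folder and wevtutil usage come from the reported behaviour.
SAMPLE_LOG = r"""
2017-03-27T02:11:04Z host=WS-017 user=CORP\svc_deploy image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c copy ntertmgr32.exe \\WS-018\C$\Windows\temp\ntertmgr32.exe
2017-03-27T02:11:05Z host=WS-017 user=CORP\svc_deploy image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c copy ntertmgr32.bat \\WS-018\C$\Windows\temp\ntertmgr32.bat
2017-03-27T02:11:06Z host=WS-017 user=CORP\svc_deploy image=C:\tools\pa.exe cmdline=pa.exe \\WS-018 C:\Windows\temp\ntertmgr32.bat
2017-03-27T02:11:09Z host=WS-018 user=NT AUTHORITY\SYSTEM image=C:\Windows\System32\wevtutil.exe cmdline=wevtutil cl Security
2017-03-27T02:11:09Z host=WS-018 user=NT AUTHORITY\SYSTEM image=C:\Windows\System32\wevtutil.exe cmdline=wevtutil cl System
2017-03-27T08:30:00Z host=WS-042 user=CORP\alice image=C:\Windows\System32\wevtutil.exe cmdline=wevtutil qe Application /c:5
2017-03-27T09:15:12Z host=WS-042 user=CORP\alice image=C:\Windows\System32\notepad.exe cmdline=notepad.exe notes.txt
"""

# Parser for the constructed format above. The user field may contain spaces
# (e.g. "NT AUTHORITY\SYSTEM"), so it is matched lazily up to " image=".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) "
    r"image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)


def parse_line(line):
    """Return the event as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return the names of every rule the event matches (possibly several)."""
    hits = []
    image = event["image"].rsplit("\\", 1)[-1].lower()  # basename of the binary
    cmd = event["cmdline"].lower()

    # Rule 1: event-log clearing with wevtutil ("cl" / "clear-log" are the real
    # subcommands); a query such as "wevtutil qe" must not trigger this.
    if image == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd):
        hits.append("wevtutil_clear_log")

    # Rule 2: the Disttrack payload or its installer staged in C:\Windows\temp,
    # whether written locally or over an admin share.
    if re.search(r"\\windows\\temp\\ntertmgr32\.(exe|bat)\b", cmd):
        hits.append("disttrack_staging_file")

    # Rule 3: PAExec (pa.exe, or its usual name paexec.exe) executing any batch
    # script out of C:\Windows\temp on a remote host.
    if image in ("pa.exe", "paexec.exe") and re.search(r"\\windows\\temp\\\S+\.bat\b", cmd):
        hits.append("paexec_remote_batch")

    return hits


def scan(log_text):
    """Run every rule over every parseable line; return (ts, host, rule) tuples."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = parse_line(line)
        if event is None:
            continue
        for rule in classify(event):
            alerts.append((event["ts"], event["host"], rule))
    return alerts


def summarize(alerts):
    """Group fired rules by host, so the staging host and the wiped host both stand out."""
    by_host = defaultdict(set)
    for _ts, host, rule in alerts:
        by_host[host].add(rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, host, rule in found:
        print(ts, host, rule)
    print(summarize(found))
```

On the constructed sample the staging host (WS-017) trips the file-staging and PAExec rules, the target (WS-018) trips the log-clearing rule, and the benign `wevtutil qe` query on WS-042 is left alone. In a real environment the same three rules map onto Sysmon event ID 1 or Windows 4688 process-creation records; the parser is the only part that needs replacing.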
Connected to Magic Hound?

The behavior illustrated above raises an important question: how does Shamoon 2 gain a list of relevant hostnames for "1.txt" through "400.txt"? Unit 42 has traced the ZIP archive back to 45.76.128[.]71. The IP address, which resides in the range of a cloud hosting service, is located on the same Class C IP range as 45.76.128[.]165. This is the location of a command and control server for Magic Hound. Since mid-2016, the Magic Hound campaign has been leveraging Microsoft Office documents with malicious macros to infect systems with two payloads: the Pupy remote administration tool (RAT) and an IRC bot called "MagicHound.Leash." It's believed Magic Hound is focused solely on conducting espionage against victim organizations in the Middle East. Given the two campaigns' focus on entities in Saudi Arabia, use of the same cloud computing service in the same Class C IP range, and abuse of both PowerShell and meterpreter, Falcone and Lee believe the two may be connected. They explain why that's significant:
"If the Magic Hound attacks are indeed related to the Shamoon attack cycle, we may be able to hypothesize that the Magic Hound attacks were used as a beachhead to perform reconnaissance for the adversaries and gather network information and credentials. This may be further supported by the initial Magic Hound payloads we discovered, Pupy RAT and meterpreter, both of which have these types of capabilities."

In other words, a link between Magic Hound and Shamoon 2 means the former would likely collect a list of hostnames on the target network. The latter would then incorporate this information into Disttrack's ZIP archive, which it deploys from a compromised system.