"It is believed that the attacks start with an email that asks the recipient to download a RAR archive containing what is purported to be information about a business proposal. These lure documents were hosted on a legitimate website, which may have been previously compromised by Greenbug. The Ismdoor malware is hidden inside the RAR archive using an alternate data stream."

As of February 2017, researchers at NCC Group had identified three versions of Ismdoor, Greenbug's signature trojan. All three use timer-queue callbacks to delay execution until a set interval has elapsed. Known as timing-based evasion, this is one of the most common evasive behaviours employed by malware today, because a sample that sits idle past a sandbox's analysis window is never seen doing anything malicious. Each iteration of Ismdoor also builds on the capabilities of its predecessors: the first version has limited functionality, the second collects information about the target system, and the third adds a keylogger. In the attack against the Saudi Arabian organization, Ismdoor used HTTP-based communication with its command-and-control (C&C) server to open a backdoor on the compromised machine, and may have used the same channel to pull down additional espionage tools. That HTTP traffic makes the trojan comparatively easy to spot; RSA, in fact, published two queries that let sysadmins detect the malware and its C&C communications.

"All data sent between the bot and the C2 is done using AAAA DNS UDP queries. Data to the C2 is via specially crafted query names and data from the C2 is returned via IPv6 addresses. The bot side of the connection drives all communications."

The next layer up acts as a transport for the communications, which are split into "sessions" of five DNS requests and replies each. The third layer carries the C&C messages themselves, of which at least eight are known. One of them, M:GAC?, retrieves bot commands; these let Ismdoor's operators restart the bot, upload files, and remove or execute a keylogger, among other functions.

"While using the DNS as a malware command and control mechanism isn't new, it is fairly rare in the wild. It sheds light on the technical abilities of an attacker who implements and uses it. While most novice coders can figure out how to send and receive HTTP, it takes a far more advanced coder to build a full-featured communications protocol on top of DNS. Using Ismdoor's DNS is significant for a defender because it is highly unlikely that looking at a bunch of DNS traffic for malware commands and/or data exfiltration is a high priority. These types of covert channels exchange data very slowly over many DNS requests and replies, and it is easy to overlook.

"The good news with regard to Ismdoor's DNS traffic is that when it sends data to the command and control server it will very likely send invalid characters (e.g. !, &, @) in the subdomains it generates. For example, one of the subdomains from the blog post looks like: TTpDQz8!.0.dr.237735C7DCF34DE59F8E04CB852401B3.malicious.com It contains an '!' character which isn't an allowed character in legitimate subdomains. The attacker's command and control server doesn't care because it is expecting characters like this, but you wouldn't see these types of domains in benign traffic."

While organizations keep watch for invalid characters in the subdomains the malware generates, Arbor Networks and others will continue to research possible ties linking Ismdoor and Greenbug to Shamoon. There is no definitive connection yet. But because every known sample of the DNS variant of Ismdoor was submitted to VirusTotal from Saudi Arabia, the same region that suffered the Shamoon 2 attacks, researchers could establish a link very soon.
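The two indicators the article describes, the AAAA-only transport in sessions of five queries and the invalid characters in generated subdomains, can be turned into a simple check over DNS query logs. The Python below is an added example written for this article; it is not Arbor Networks' or RSA's tooling. It parses a constructed log (one line per query: timestamp, client, record type, query name), flags any label that breaks the letters-digits-hyphen rule for hostnames, and flags a client that issues five or more distinct AAAA queries under one base domain. The log format, the five-query threshold, the "last two labels" approximation of the base domain, and every query name except the one quoted from the article are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Hostname labels may contain only letters, digits and hyphens (the LDH rule of
# RFC 1035/1123). Underscore is tolerated because SRV, DKIM and DMARC names use it.
LDH_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?$")

# Constructed DNS query log: "<timestamp> <client> <qtype> <qname>".
# The first malicious.com name is the subdomain quoted in the article; the other
# four are invented variations for this demo, not observed samples.
SAMPLE_LOG = """\
2017-03-01T10:00:01 10.0.0.5 A www.example.com
2017-03-01T10:00:02 10.0.0.5 AAAA TTpDQz8!.0.dr.237735C7DCF34DE59F8E04CB852401B3.malicious.com
2017-03-01T10:00:03 10.0.0.5 AAAA QkNEvQ@.1.dr.237735C7DCF34DE59F8E04CB852401B3.malicious.com
2017-03-01T10:00:04 10.0.0.5 AAAA RkdI&Sw.2.dr.237735C7DCF34DE59F8E04CB852401B3.malicious.com
2017-03-01T10:00:05 10.0.0.5 AAAA U1RVVg.3.dr.237735C7DCF34DE59F8E04CB852401B3.malicious.com
2017-03-01T10:00:06 10.0.0.5 AAAA WFlaYQ.4.dr.237735C7DCF34DE59F8E04CB852401B3.malicious.com
2017-03-01T10:00:07 10.0.0.9 AAAA ipv6.example.org
2017-03-01T10:00:08 10.0.0.9 A _dmarc.example.org
"""


def parse_line(line):
    """Split one log line into its four fields (assumed format, see above)."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.rstrip(".")}


def invalid_labels(qname):
    """Return the labels of qname that break the LDH rule (e.g. contain '!', '&', '@')."""
    return [lbl for lbl in qname.split(".") if not LDH_LABEL.match(lbl)]


def base_domain(qname):
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])


def analyze(log_text, session_size=5):
    """Return a list of alert tuples for the given log text.

    Rule 1 ("invalid_label"): a query name contains a label with characters that
            never appear in legitimate hostnames.
    Rule 2 ("aaaa_burst"): one client issues >= session_size AAAA queries with
            distinct names under a single base domain. The article describes
            sessions of five requests; treating five as the threshold is our
            assumption, not a documented indicator.
    """
    alerts = []
    aaaa_names = defaultdict(set)  # (client, base domain) -> distinct AAAA query names
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        bad = invalid_labels(rec["qname"])
        if bad:
            alerts.append(("invalid_label", rec["client"], rec["qname"], bad))
        if rec["qtype"] == "AAAA":
            aaaa_names[(rec["client"], base_domain(rec["qname"]))].add(rec["qname"])
    for (client, domain), names in aaaa_names.items():
        if len(names) >= session_size:
            alerts.append(("aaaa_burst", client, domain, len(names)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the script raises three invalid-label alerts (the '!', '@' and '&' names) and one AAAA-burst alert for the client that sent five distinct names under malicious.com; the DMARC lookup on the second client is left alone because underscores are expected there. The invalid-character rule is the cheap, high-precision one; the burst rule catches the transport pattern even when a future variant stops emitting bad characters, at the cost of tuning the threshold against normal IPv6 lookup volume.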