swannysec Musings on InfoSec

Brian Krebs and the Yugoslavian Business Network - Analyzing Nebula



The Rise and Fall of an Empire

Angler, and to a lesser extent, Nuclear, were the predominant exploit kits (EKs) of 2015 and the first half of 2016 before suddenly disappearing early last summer. With plenty of money to be made on the distribution of ransomware and banking trojans, other EKs quickly filled the void. Neutrino and RIG were the first to respond, though Neutrino itself disappeared in September of 2016.

Around the same time, Empire, a privately-sold EK with roots in the more widely-available RIG kit, appeared on the scene, ostensibly to steal a piece of the crimeware pie. Sometimes referred to as RIG-E, Empire delivered a wide variety of payloads during the fall of 2016, including custom ransomware and banking trojans. According to Brad Duncan over at Malware-Traffic-Analysis and Palo Alto Unit42, Empire was often utilized by the EITest campaign, which had previously utilized Angler in great quantities.

Unfortunately for the purveyors of Empire, and fortunately for the rest of us, Empire’s reign was short-lived. Like its predecessors Angler, Nuclear, and Neutrino, Empire itself mysteriously disappeared at the end of December 2016.

Nebula Appears

While Empire enjoyed only a short period in the sun, RIG itself continues to operate successfully as does Sundown, another exploit kit seeing success in the wake of Angler. Additionally, it seems a new contender has appeared, seeking to take up the slack left by Empire. Seemingly a hybrid of Sundown and Empire, Nebula, first appearing for sale on February 17th, integrated an internal traffic direction system (TDS) seemingly salvaged from the ashes of Empire. For more information, check out Kafeine’s excellent post here.

As a long-overdue exercise in crimeware analysis using OSINT, I decided to take a crack at examining the Nebula EK infrastructure in an attempt to better understand the actors utilizing it and the payloads being delivered. What I found was both amusing and unexpected for an exploit kit so new to the scene.

Tools of the Trade

All of the tools I use to perform this analysis are available either completely free of charge or as full-featured community editions. For visual analysis, I use Paterva Maltego. As data sources used to expand on and add context to the blogs of Kafeine and Brad Duncan mentioned above, I use ThreatCrowd, ThreatMiner, Alienvault OTX, and RiskIQ’s PassiveTotal. All of these offer transforms for Maltego either directly or via other community members.

Brian Krebs: EK Peddler

Analysis begins with a single Nebula EK delivery subdomain provided by Brad Duncan’s analysis of a recent Nebula infection chain: ehpcc.chggannel[.]stream. As a starting point, I dropped the subdomain into PassiveTotal:

Nebula1

Clearly, the subdomain is brand new, having been first seen (and in fact, last seen) on March 2nd, resolving to a Worldstream IP out of the Netherlands. We’ll come back to the IP and the rest of the chggannel domain in a moment. What immediately proved far more interesting to me was the whois record for the domain. Whois pivoting is not always reliable, nor is it always even possible, depending on the registrar used and the OPSEC practices of the actor. Fortunately, in this case, the actors gave us something to work with.

Nebula2

So it seems Brian Krebs has turned to a life of crime and is now a member of the Yugoslavian Business Network? As amusing and unlikely as that is, we likely have a couple of interesting indicators to work from, including a whois name, e-mail, org, and perhaps a phone number. PassiveTotal is a fantastic source for this kind of data and we should be able to pivot on those indicators to learn more, provided the actors have used them with any consistency. Before we move to Maltego and continue exploring, let’s check out the rest of that domain. Looks like there are two other subdomains here, giving us a good starting point to work from:

Nebula3

We’ll go ahead and drop the domain into Maltego and add in the other Nebula domains provided by Brad Duncan’s post. As a first step, we’ll pull in the whois details for all four domains to see whether or not we have consistent indicators to work with:

Nebula4

Sure enough, we’ve definitely got consistent use of the same data for the whois records.

Nebula5

Quickly pivoting through the registrant name, e-mail, org name, and phone number in PassiveTotal show that the e-mail and phone number have the most consistency, as there are obviously some legitimate domains registered by real people named Brian Krebs. There are an identical 114 domains registered with the [email protected][.]com e-mail adress and the same phone number. We’ll go ahead and pivot inside Maltego off the e-mail and pull back all the domains PassiveTotal knows about registered with that address.

Nebula6

Nebula7

Pivoting from these new domains to their IPs by pulling the Passive DNS results from PassiveTotal brings back a whopping one IP. Why? Mr. Krebs seems to be making extensive use of subdomains. The second screenshot shows what happens when we pull in all the subdomains for the domains present, the entity count of the graph nearly triples.

Nebula8

Nebula9

Once more pulling in the IPs via Passive DNS, we see that 300+ domains and subdomains return to only fourteen IPs, in the red-orange color. It should be noted that a few of these IPs are shared webhosts and that the legitimate domains are not displayed on this graph.

Nebula10

Unfortunately, ThreatCrowd, ThreatMiner, and Alientvault OTX all return no results when I attempt to query for malware samples observed at the domains registered by this actor. Further, none of the domains or subdomains host SSL certificates according to PassiveTotal. Accordingly, we’ll wrap up our pivoting here, having exhausted the unique whois indicators provided by the Nebula actors.

Nebula’s Extent and Payloads

In order to clean up the graph and ensure all the data is likely relevant to Nebula, we want to take a look at the registrations from a temporal perspective. Of the 114 domains registered using the farcical Brian Krebs moniker and [email protected][.]com at the time of writing, 12 were registered in May of 2016. All 12 of these domains were also registered under a different whois org name, ISP. Since February 8th, 2017, 102 domains have been registered under the Krebs/[email protected][.]com combination, of which 97 used Yugoslavian Business Network as their org name. Curiously, however, the 12 domains registered earlier have active subdomains observed during the recent Nebula campaign.

Little additional information can be gleaned from the OSINT sources I have available to me, but from the analyses performed by Kafeine and Brad Duncan, we know that Nebula leads to a variety of payloads including DiamondFox, Gootkit, Ramnit, and Pitou. With the exception of Pitou, which is a spambot, all of these are bankers. At this time, there is no evidence the Yugoslavian Business Network actors are distributing ransomware via Nebula.

Conclusions

The Yugoslavian Business Network actually has a significant history with the Sundown EK. According to Ed Miles at Zscaler, the first indications of Yugoslavian Business Network involvement with Sundown began in July of 2016. At this time, however, it was unclear how the group, which advertised their coding services in German on forums, was associated with Sundown. By September, Trustwave indicated that the Sundown actors had “outsourced” their DGA work to the Yugoslavian Business Network. By the end of October 2016, Nick Biasini at Cisco’s Talos Intelligence concluded that Yugoslavian Business Network indicators were associated with all Sundown landing pages and that Sundown’s actors were operating a very large domain shadowing and wildcarding operation to power the exploit kit’s spread. Interestingly, he also concluded that the payloads from this operation were exclusively banking trojans.

Given the close historical ties between Sundown and the Yugoslavian Business Network, it is probable that Nebula is simply a new iteration on the existing Sundown exploit kit, operated by the same actors or a closely related group of actors. The willingness of the Yugoslavian Business Network to flaunt their moniker throughout their involvement with Sundown squares with the appearance of that name in the whois records for the Nebula campaign. Additionally, two other calling cards of the YBN appear to be present in the Nebula campaign, the use of subdomains/domain wildcarding and the almost exclusive delivery of banking malware vs. ransomware. Finally, the gang at Digital Shadows has additional details, including tweets from @CryptoInsane and @666_KingCobra (the alleged author of the Terror exploit kit) which seem to indicate that the Nebula source code offered for sale is in fact that of Sundown.

As an alternative hypothesis, it is possible that the Nebula activity I have analyzed here is indicative of a copycat operation, designed to look like the Sundown/YBN activity using the leaked source code. However, I believe that the balance of the evidence supports the original conclusion and that this is probably not a copycat operation.

In a follow-up to this post, I will be detailing the process of using PassiveTotal to set up a public project and the monitor function to track the YBN actor and Nebula campaign. IOCs are provided below. As always, I invite comment, debate, or criticism @swannysec.

IOCs

Passive Total Project

https://passivetotal.org/projects/80ab2f3f-e08f-f86a-fade-6f9d3f8a12c6

Alienvault OSX Pulse (Note: Due to an ingestion issue, not all domains/subdomains present)

Domains/subdomains

half-sistergoalindustry[.]pro
deficitshoulder.lossicedeficit[.]pw
hulbyking[.]stream
supportpartner.lossicedeficit[.]pw
tafgste[.]stream
siberianbangladeshtransport[.]win
commissionmice.lossicedeficit[.]pw
brabynch[.]stream
ovalsharevault[.]info
tom-tomchardcomparison[.]club
birthlasagnaexplanation[.]info
rootym[.]stream
knowledgedrugsaturday[.]club
qgg.losssubwayquilt[.]pw
hmn.losssubwayquilt[.]pw
chggannel[.]stream
tboapfmsyu[.]stream
offertom-tom.commissionlegshoemaker[.]bid
bitpurchasetempo[.]loan
signaturelilac.commissionlegshoemaker[.]bid
decimalyugolead[.]pro
commissionlegshoemaker[.]bid
mistmessage.commissionlegshoemaker[.]bid
losssubwayquilt[.]pw
profitwhiskey.commissionlegshoemaker[.]bid
suggestiondentistrectangle[.]club
bandfactorycroissant[.]bid
begoniamistakemeal[.]club
facilitiesturkishdipstick[.]info
textfatherfont[.]info
canfragranceretailer[.]site
certificationphilosophy.decimalyugolead[.]pro
harborinterestrecorder[.]club
pheasantmillisecondenvironment[.]stream
jebemtimater[.]xyz
retailergreasebottom[.]win
transportdrill.facilitiesturkishdipstick[.]info
cityacoustic.textfatherfont[.]info
foundationspadeinventory[.]club
chargerule.textfatherfont[.]info
alleyasphaltreport[.]party
chefarmadillo.o88kd0e1yehd1s5[.]bid
basketballoptionbeat[.]win
applyvelvet.o88kd0e1yehd1s5[.]bid
decisionpropertytuba[.]site
colonsuccesston[.]info
herondebtor.o88kd0e1yehd1s5[.]bid
maskobjectivebiplane[.]trade
handballsupply.hockeyopiniondust[.]club
shelfdecreasecapital[.]win
creditorclutch.hockeyopiniondust[.]club
alligatoremployeelyric[.]club
77e1084e[.]pro
basementjudorepairs[.]club
greenpvcpossibility[.]tech
step-unclecanadapreparation[.]trade
birchbudget.hockeyopiniondust[.]club
shockadvantagewilderness[.]club
distributionjaw.hockeyopiniondust[.]club
grasslettuceindustry[.]bid
competitionseason.numberdeficitc-clamp[.]site
oakcreditorcirculation[.]stream
loafmessage.numberdeficitc-clamp[.]site
guaranteepartridgeoven[.]pro
rkwurghafq4olnz[.]site
advantagelamp.numberdeficitc-clamp[.]site
improvementdeadlinemillisecond[.]club
approveriver.jsffu2zkt5va[.]trade
44a11c539450ac1e13a6bb9728569d34[.]pro
dependentswhorl.jsffu2zkt5va[.]trade
pumpdifferencecymbal[.]club
countrydifferencethumb[.]info
fearshareoboe[.]trade
debtbaconslip[.]stream
penaltyshock.gumimprovementitalian[.]stream
barberfifth.hnny1jymtpn2k[.]stream
permissionquiversagittarius[.]space
closetswissretailer[.]bid
e10a12e32de96b60e95e89507e943c14[.]bid
priceearthquakepencil[.]bid
divingfuelsalary[.]trade
swissfacilities.gumimprovementitalian[.]stream
brokerbaker.hnny1jymtpn2k[.]stream
improvementpaperwriter[.]bid
calculatefuel.hnny1jymtpn2k[.]stream
possibilityshare.gumimprovementitalian[.]stream
transportbomb.gramsunshinesupply[.]club
goallicense.shearssuccessberry[.]club
purposeguarantee.shearssuccessberry[.]club
apologycold.shearssuccessberry[.]club
paymentceramic.pheasantmillisecondenvironment[.]stream
limitsphere.pheasantmillisecondenvironment[.]stream
dancerretailer.shearssuccessberry[.]club
instructionscomposition.pheasantmillisecondenvironment[.]stream
pyramiddecision.356020817786fb76e9361441800132c9[.]win
printeroutput.pheasantmillisecondenvironment[.]stream
clickbarber.356020817786fb76e9361441800132c9[.]win
refundlentil.pheasantmillisecondenvironment[.]stream
boydescription.356020817786fb76e9361441800132c9[.]win
handballdisadvantage.harborinterestrecorder[.]club
gondoladate-of-birth.harborinterestrecorder[.]club
multimediabuild.textfatherfont[.]info
buglecommand.textfatherfont[.]info
hygienicreduction.brassreductionquill[.]site
authorisationmessage.brassreductionquill[.]site
rainstormpromotion.gramsunshinesupply[.]club
apologycattle.gramsunshinesupply[.]club
supplyheaven.gramsunshinesupply[.]club
startguarantee.gramsunshinesupply[.]club
agendawedge.shoemakerzippersuccess[.]stream
profitcouch.shoemakerzippersuccess[.]stream
battleinventory.nigeriarefundneon[.]pw
mistakefreezer.nigeriarefundneon[.]pw
deadlinepelican.shoemakerzippersuccess[.]stream
authorizationposition.nigeriarefundneon[.]pw
costsswim.nigeriarefundneon[.]pw
flycity.7a35a143adde0374f820d92f977a92e1[.]trade
dohmbineering[.]stream
customergazelle.cyclonesoybeanpossibility[.]bid
7a35a143adde0374f820d92f977a92e1[.]trade
invoiceburst.cyclonesoybeanpossibility[.]bid
wdkkaxnpd99va[.]site
nigeriarefundneon[.]pw
distributionstatementdiploma[.]site
decreaseclarinet.tom-tomchardcomparison[.]club
columnistsalescave[.]xyz
bassoonoption.tom-tomchardcomparison[.]club
retailersproutalto[.]pro
billcoast.tom-tomchardcomparison[.]club
cyclonesoybeanpossibility[.]bid
cocoacustomer.tom-tomchardcomparison[.]club
reductiondramathrone[.]trade
jumptom-tomapology[.]bid
agesword.alvdxq1l6n0o[.]stream
hnny1jymtpn2k[.]stream
o88kd0e1yehd1s5[.]bid
356020817786fb76e9361441800132c9[.]win
shearssuccessberry[.]club
protestcomparisoncolor[.]site
bombclick.alvdxq1l6n0o[.]stream
gramsunshinesupply[.]club
bakermagician.alvdxq1l6n0o[.]stream
brassreductionquill[.]site
date-of-birthtrout.87692f31beea22522f1488df044e1dad[.]top
goodswinter.retailersproutalto[.]pro
supportmensuccess[.]bid
chooseravioli.87692f31beea22522f1488df044e1dad[.]top
potatoemployee.retailersproutalto[.]pro
freckleorderromania[.]win
asiadeliveryarmenian[.]pro
exhaustamusementsuggestion[.]pw
pedestrianpathexplanation[.]info
retaileraugustplier[.]club
phoneimprovement.retailersproutalto[.]pro
derpenquiry.87692f31beea22522f1488df044e1dad[.]top
spayrgk[.]stream
certificationplanet.87692f31beea22522f1488df044e1dad[.]top
instructionssaudiarabia.retailersproutalto[.]pro
f1ay91cxoywh[.]trade
competitorthrillfeeling[.]online
cowchange.distributionstatementdiploma[.]site
enquiryfootnote.bubblecomparisonwar[.]top
transportavenueexclamation[.]club
fishsparkorder[.]trade
organisationobjective.bubblecomparisonwar[.]top
departmentant.distributionstatementdiploma[.]site
suggestionburn.distributionstatementdiploma[.]site
soldierprice.distributionstatementdiploma[.]site
secureconfirmation.bubblecomparisonwar[.]top
redrepairs.distributionstatementdiploma[.]site
advertiselaura.bubblecomparisonwar[.]top
casdfble[.]stream
confirmationwoman.decimalyugolead[.]pro
excyigted[.]stream
beastcancercosts[.]pro
appealbarber.decimalyugolead[.]pro
nationweekretailer[.]club
advisealgebra.decimalyugolead[.]pro
detailpanequipment[.]site
rectangleapologyfeather[.]trade
bubbbble[.]stream
visiongazellestock[.]site
mxkznekruoays[.]trade
debtorgreat-grandmother.bitpurchasetempo[.]loan
mandolincamprisk[.]info
paymentedge.bitpurchasetempo[.]loan
comparisonrequestcrocodile[.]trade
cookmorningfacilities[.]bid
crabbudgetfahrenheit[.]tech
periodicaldecision.bitpurchasetempo[.]loan
deliverycutadvantage[.]info
strangersharesnowflake[.]top
enemyorder.bitpurchasetempo[.]loan
passbookresponsibilityflare[.]bid
knowledgedoctor.bitpurchasetempo[.]loan
governmentsignaturepoint[.]top
date-of-birthfender.tboapfmsyu[.]stream
jailreduction.edgetaxprice[.]site
shoemakerzippersuccess[.]stream
invoicegosling.edgetaxprice[.]site
lipprice.edgetaxprice[.]site
bubblecomparisonwar[.]top
applywholesaler.tboapfmsyu[.]stream
distributionfile.edgetaxprice[.]site
87692f31beea22522f1488df044e1dad[.]top
ehpcc.chggannel[.]stream
alvdxq1l6n0o[.]stream
peqmk.chggannel[.]stream
erafightergoal[.]website
lossathleteship[.]site
edgetaxprice[.]site
factoryslave.erafightergoal[.]website
transportseptemberharp[.]club
preparationshark.erafightergoal[.]website
xgiph47su3ym[.]info
tyqan.chggannel[.]stream
lossicedeficit[.]pw
offertenor.erafightergoal[.]website
gumimprovementitalian[.]stream
marketdisadvantage.reductiondramathrone[.]trade
area-codebobcat.knowledgedrugsaturday[.]club
jsffu2zkt5va[.]trade
actressheight.knowledgedrugsaturday[.]club
librarysuccess.reductiondramathrone[.]trade
numberdeficitc-clamp[.]site
alcoholproduction.reductiondramathrone[.]trade
congoobjective.erafightergoal[.]website
hockeyopiniondust[.]club
lightdescription.erafightergoal[.]website
approvepeak.knowledgedrugsaturday[.]club
successcrow.reductiondramathrone[.]trade
yewdigital.mxkznekruoays[.]trade
domainconsider.mxkznekruoays[.]trade
citizenshipquotation.44a11c539450ac1e13a6bb9728569d34[.]pro
agendarutabaga.44a11c539450ac1e13a6bb9728569d34[.]pro
stationdeadline.improvementdeadlinemillisecond[.]club
maracaenquiry.nationweekretailer[.]club
brandfloor.improvementdeadlinemillisecond[.]club
clausmessage.nationweekretailer[.]club
pleasureestimate.permissionquiversagittarius[.]space
marginpaint.permissionquiversagittarius[.]space
sandlimit.permissionquiversagittarius[.]space
experienceiris.permissionquiversagittarius[.]space
disadvantagegerman.crabbudgetfahrenheit[.]tech
driverknowledge.crabbudgetfahrenheit[.]tech
distributionpopcorn.debtbaconslip[.]stream
scooterrise.crabbudgetfahrenheit[.]tech
dinosaurbudget.fearshareoboe[.]trade
canadaenquiry.crabbudgetfahrenheit[.]tech
spongedeadline.crabbudgetfahrenheit[.]tech
decreaseoil.fearshareoboe[.]trade
debtordoor.fearshareoboe[.]trade
employercurler.cookmorningfacilities[.]bid
increaserock.fearshareoboe[.]trade
elbowdebt.cookmorningfacilities[.]bid
commissioncooking.comparisonrequestcrocodile[.]trade
elizabethcosts.countrydifferencethumb[.]info
equipmentdate.comparisonrequestcrocodile[.]trade
rulesupport.countrydifferencethumb[.]info
marketphilippines.comparisonrequestcrocodile[.]trade
cicadareport.countrydifferencethumb[.]info
baitfacilities.comparisonrequestcrocodile[.]trade
debtordecision.comparisonrequestcrocodile[.]trade
lossornament.countrydifferencethumb[.]info
reindeerprofit.divingfuelsalary[.]trade
outputfruit.divingfuelsalary[.]trade
decembercommission.divingfuelsalary[.]trade
marginswiss.divingfuelsalary[.]trade
clickdecrease.strangersharesnowflake[.]top
pricejelly.strangersharesnowflake[.]top
barbercomposer.e10a12e32de96b60e95e89507e943c14[.]bid
apologyunit.strangersharesnowflake[.]top
employerrange.strangersharesnowflake[.]top
employergoods.deliverycutadvantage[.]info
acknowledgmentinterest.permissionquiversagittarius[.]space
fallhippopotamus.deliverycutadvantage[.]info
employeegarlic.deliverycutadvantage[.]info
angoraadvantage.shelfdecreasecapital[.]win
orderbooklet.shelfdecreasecapital[.]win
outputvolcano.shelfdecreasecapital[.]win
debtorcave.shelfdecreasecapital[.]win
budgetdegree.maskobjectivebiplane[.]trade
instructionspair.freckleorderromania[.]win
equipmentwitness.maskobjectivebiplane[.]trade
cardiganopinion.freckleorderromania[.]win
forum.freckleorderromania[.]win
motherresult.basketballoptionbeat[.]win
orangedecision.freckleorderromania[.]win
museumcosts.freckleorderromania[.]win
apartmentapology.basketballoptionbeat[.]win
competitionsunday.freckleorderromania[.]win
millisecondpossibility.basketballoptionbeat[.]win
c-clamppayment.asiadeliveryarmenian[.]pro
phonefall.asiadeliveryarmenian[.]pro
productionbanker.alleyasphaltreport[.]party
penaltyinternet.asiadeliveryarmenian[.]pro
reportbranch.alleyasphaltreport[.]party
goodsyellow.alleyasphaltreport[.]party
rollinterest.asiadeliveryarmenian[.]pro
offeraftershave.alleyasphaltreport[.]party
comparisonneed.alleyasphaltreport[.]party
explanationlier.asiadeliveryarmenian[.]pro
authorizationmale.foundationspadeinventory[.]club
birthdayexperience.foundationspadeinventory[.]club
sexdebt.competitorthrillfeeling[.]online
lossbill.competitorthrillfeeling[.]online
dinosaurfall.competitorthrillfeeling[.]online
cannoncountdecide.f1ay91cxoywh[.]trade
bugleathlete.f1ay91cxoywh[.]trade
goalpanda.retaileraugustplier[.]club
confirmationaustralian.retaileraugustplier[.]club
holidayagenda.retaileraugustplier[.]club
jobhate.pedestrianpathexplanation[.]info
europin.pedestrianpathexplanation[.]info
buysummer.77e1084e[.]pro
borrowfield.77e1084e[.]pro
shinyflaky.pedestrianpathexplanation[.]info
captaincertification.77e1084e[.]pro
slippery.pedestrianpathexplanation[.]info
deficitairbus.exhaustamusementsuggestion[.]pw
penaltydrug.exhaustamusementsuggestion[.]pw
environmentbasket.alligatoremployeelyric[.]club
blowsalary.alligatoremployeelyric[.]club
digitalgoods.alligatoremployeelyric[.]club
clerkbird.grasslettuceindustry[.]bid
hygienicreduction.casdfble[.]stream
disadvantageproduction.casdfble[.]stream
deodorantconsider.grasslettuceindustry[.]bid
authorisationmessage.casdfble[.]stream
hellcustomer.grasslettuceindustry[.]bid
equipmentparticle.shockadvantagewilderness[.]club
shouldertransport.shockadvantagewilderness[.]club
salaryfang.shockadvantagewilderness[.]club
descriptionmoon.competitorthrillfeeling[.]online
estimatememory.competitorthrillfeeling[.]online

IPs

188.209.49[.]151
93.190.141[.]39
188.209.49[.]135
217.23.7[.]15
91.214.71[.]110
185.93.185[.]226
188.209.49[.]49
93.190.137[.]22
93.190.141[.]45
93.190.141[.]166
93.190.141[.]200
45.58.125[.]74
77.81.230[.]141
173.224.121[.]91

Whois E-mail

Whois Name

Brian Krebs

Whois Organization

Yugoslavian Business Network

Whois Phone

96311273808008


Author: John D. Swanson - Contact me at [email protected]
Opinions are my own and do not reflect those of my employer.
© 2017. All rights reserved.     Atom Feed