Brian Krebs and the Yugoslavian Business Network - Analyzing Nebula07 Mar 2017
The Rise and Fall of an Empire
Angler, and to a lesser extent, Nuclear, were the predominant exploit kits (EKs) of 2015 and the first half of 2016 before suddenly disappearing early last summer. With plenty of money to be made on the distribution of ransomware and banking trojans, other EKs quickly filled the void. Neutrino and RIG were the first to respond, though Neutrino itself disappeared in September of 2016.
Around the same time, Empire, a privately-sold EK with roots in the more widely-available RIG kit, appeared on the scene, ostensibly to steal a piece of the crimeware pie. Sometimes referred to as RIG-E, Empire delivered a wide variety of payloads during the fall of 2016, including custom ransomware and banking trojans. According to Brad Duncan over at Malware-Traffic-Analysis and Palo Alto Unit42, Empire was often utilized by the EITest campaign, which had previously utilized Angler in great quantities.
Unfortunately for the purveyors of Empire, and fortunately for the rest of us, Empire’s reign was short-lived. Like its predecessors Angler, Nuclear, and Neutrino, Empire itself mysteriously disappeared at the end of December 2016.
While Empire enjoyed only a short period in the sun, RIG itself continues to operate successfully as does Sundown, another exploit kit seeing success in the wake of Angler. Additionally, it seems a new contender has appeared, seeking to take up the slack left by Empire. Seemingly a hybrid of Sundown and Empire, Nebula, first appearing for sale on February 17th, integrated an internal traffic direction system (TDS) seemingly salvaged from the ashes of Empire. For more information, check out Kafeine’s excellent post here.
As a long-overdue exercise in crimeware analysis using OSINT, I decided to take a crack at examining the Nebula EK infrastructure in an attempt to better understand the actors utilizing it and the payloads being delivered. What I found was both amusing and unexpected for an exploit kit so new to the scene.
Tools of the Trade
All of the tools I use to perform this analysis are available either completely free of charge or as full-featured community editions. For visual analysis, I use Paterva Maltego. As data sources used to expand on and add context to the blogs of Kafeine and Brad Duncan mentioned above, I use ThreatCrowd, ThreatMiner, Alienvault OTX, and RiskIQ’s PassiveTotal. All of these offer transforms for Maltego either directly or via other community members.
Brian Krebs: EK Peddler
Analysis begins with a single Nebula EK delivery subdomain provided by Brad Duncan’s analysis of a recent Nebula infection chain: ehpcc.chggannel[.]stream. As a starting point, I dropped the subdomain into PassiveTotal:
Clearly, the subdomain is brand new, having been first seen (and in fact, last seen) on March 2nd, resolving to a Worldstream IP out of the Netherlands. We’ll come back to the IP and the rest of the chggannel domain in a moment. What immediately proved far more interesting to me was the whois record for the domain. Whois pivoting is not always reliable, nor is it always even possible, depending on the registrar used and the OPSEC practices of the actor. Fortunately, in this case, the actors gave us something to work with.
So it seems Brian Krebs has turned to a life of crime and is now a member of the Yugoslavian Business Network? As amusing and unlikely as that is, we likely have a couple of interesting indicators to work from, including a whois name, e-mail, org, and perhaps a phone number. PassiveTotal is a fantastic source for this kind of data and we should be able to pivot on those indicators to learn more, provided the actors have used them with any consistency. Before we move to Maltego and continue exploring, let’s check out the rest of that domain. Looks like there are two other subdomains here, giving us a good starting point to work from:
We’ll go ahead and drop the domain into Maltego and add in the other Nebula domains provided by Brad Duncan’s post. As a first step, we’ll pull in the whois details for all four domains to see whether or not we have consistent indicators to work with:
Sure enough, we’ve definitely got consistent use of the same data for the whois records.
Quickly pivoting through the registrant name, e-mail, org name, and phone number in PassiveTotal show that the e-mail and phone number have the most consistency, as there are obviously some legitimate domains registered by real people named Brian Krebs. There are an identical 114 domains registered with the [email protected][.]com e-mail adress and the same phone number. We’ll go ahead and pivot inside Maltego off the e-mail and pull back all the domains PassiveTotal knows about registered with that address.
Pivoting from these new domains to their IPs by pulling the Passive DNS results from PassiveTotal brings back a whopping one IP. Why? Mr. Krebs seems to be making extensive use of subdomains. The second screenshot shows what happens when we pull in all the subdomains for the domains present, the entity count of the graph nearly triples.
Once more pulling in the IPs via Passive DNS, we see that 300+ domains and subdomains return to only fourteen IPs, in the red-orange color. It should be noted that a few of these IPs are shared webhosts and that the legitimate domains are not displayed on this graph.
Unfortunately, ThreatCrowd, ThreatMiner, and Alientvault OTX all return no results when I attempt to query for malware samples observed at the domains registered by this actor. Further, none of the domains or subdomains host SSL certificates according to PassiveTotal. Accordingly, we’ll wrap up our pivoting here, having exhausted the unique whois indicators provided by the Nebula actors.
Nebula’s Extent and Payloads
In order to clean up the graph and ensure all the data is likely relevant to Nebula, we want to take a look at the registrations from a temporal perspective. Of the 114 domains registered using the farcical Brian Krebs moniker and [email protected][.]com at the time of writing, 12 were registered in May of 2016. All 12 of these domains were also registered under a different whois org name,
ISP. Since February 8th, 2017, 102 domains have been registered under the [email protected][.]com combination, of which 97 used Yugoslavian Business Network as their org name. Curiously, however, the 12 domains registered earlier have active subdomains observed during the recent Nebula campaign.
Little additional information can be gleaned from the OSINT sources I have available to me, but from the analyses performed by Kafeine and Brad Duncan, we know that Nebula leads to a variety of payloads including DiamondFox, Gootkit, Ramnit, and Pitou. With the exception of Pitou, which is a spambot, all of these are bankers. At this time, there is no evidence the Yugoslavian Business Network actors are distributing ransomware via Nebula.
The Yugoslavian Business Network actually has a significant history with the Sundown EK. According to Ed Miles at Zscaler, the first indications of Yugoslavian Business Network involvement with Sundown began in July of 2016. At this time, however, it was unclear how the group, which advertised their coding services in German on forums, was associated with Sundown. By September, Trustwave indicated that the Sundown actors had “outsourced” their DGA work to the Yugoslavian Business Network. By the end of October 2016, Nick Biasini at Cisco’s Talos Intelligence concluded that Yugoslavian Business Network indicators were associated with all Sundown landing pages and that Sundown’s actors were operating a very large domain shadowing and wildcarding operation to power the exploit kit’s spread. Interestingly, he also concluded that the payloads from this operation were exclusively banking trojans.
Given the close historical ties between Sundown and the Yugoslavian Business Network, it is probable that Nebula is simply a new iteration on the existing Sundown exploit kit, operated by the same actors or a closely related group of actors. The willingness of the Yugoslavian Business Network to flaunt their moniker throughout their involvement with Sundown squares with the appearance of that name in the whois records for the Nebula campaign. Additionally, two other calling cards of the YBN appear to be present in the Nebula campaign, the use of subdomains/domain wildcarding and the almost exclusive delivery of banking malware vs. ransomware. Finally, the gang at Digital Shadows has additional details, including tweets from @CryptoInsane and @666_KingCobra (the alleged author of the Terror exploit kit) which seem to indicate that the Nebula source code offered for sale is in fact that of Sundown.
As an alternative hypothesis, it is possible that the Nebula activity I have analyzed here is indicative of a copycat operation, designed to look like the Sundown/YBN activity using the leaked source code. However, I believe that the balance of the evidence supports the original conclusion and that this is probably not a copycat operation.
In a follow-up to this post, I will be detailing the process of using PassiveTotal to set up a public project and the monitor function to track the YBN actor and Nebula campaign. IOCs are provided below. As always, I invite comment, debate, or criticism @swannysec.
Passive Total Project
Alienvault OSX Pulse (Note: Due to an ingestion issue, not all domains/subdomains present)
half-sistergoalindustry[.]pro deficitshoulder.lossicedeficit[.]pw hulbyking[.]stream supportpartner.lossicedeficit[.]pw tafgste[.]stream siberianbangladeshtransport[.]win commissionmice.lossicedeficit[.]pw brabynch[.]stream ovalsharevault[.]info tom-tomchardcomparison[.]club birthlasagnaexplanation[.]info rootym[.]stream knowledgedrugsaturday[.]club qgg.losssubwayquilt[.]pw hmn.losssubwayquilt[.]pw chggannel[.]stream tboapfmsyu[.]stream offertom-tom.commissionlegshoemaker[.]bid bitpurchasetempo[.]loan signaturelilac.commissionlegshoemaker[.]bid decimalyugolead[.]pro commissionlegshoemaker[.]bid mistmessage.commissionlegshoemaker[.]bid losssubwayquilt[.]pw profitwhiskey.commissionlegshoemaker[.]bid suggestiondentistrectangle[.]club bandfactorycroissant[.]bid begoniamistakemeal[.]club facilitiesturkishdipstick[.]info textfatherfont[.]info canfragranceretailer[.]site certificationphilosophy.decimalyugolead[.]pro harborinterestrecorder[.]club pheasantmillisecondenvironment[.]stream jebemtimater[.]xyz retailergreasebottom[.]win transportdrill.facilitiesturkishdipstick[.]info cityacoustic.textfatherfont[.]info foundationspadeinventory[.]club chargerule.textfatherfont[.]info alleyasphaltreport[.]party chefarmadillo.o88kd0e1yehd1s5[.]bid basketballoptionbeat[.]win applyvelvet.o88kd0e1yehd1s5[.]bid decisionpropertytuba[.]site colonsuccesston[.]info herondebtor.o88kd0e1yehd1s5[.]bid maskobjectivebiplane[.]trade handballsupply.hockeyopiniondust[.]club shelfdecreasecapital[.]win creditorclutch.hockeyopiniondust[.]club alligatoremployeelyric[.]club 77e1084e[.]pro basementjudorepairs[.]club greenpvcpossibility[.]tech step-unclecanadapreparation[.]trade birchbudget.hockeyopiniondust[.]club shockadvantagewilderness[.]club distributionjaw.hockeyopiniondust[.]club grasslettuceindustry[.]bid competitionseason.numberdeficitc-clamp[.]site oakcreditorcirculation[.]stream loafmessage.numberdeficitc-clamp[.]site guaranteepartridgeoven[.]pro rkwurghafq4olnz[.]site advantagelamp.numberdeficitc-clamp[.]site improvementdeadlinemillisecond[.]club approveriver.jsffu2zkt5va[.]trade 44a11c539450ac1e13a6bb9728569d34[.]pro dependentswhorl.jsffu2zkt5va[.]trade pumpdifferencecymbal[.]club countrydifferencethumb[.]info fearshareoboe[.]trade debtbaconslip[.]stream penaltyshock.gumimprovementitalian[.]stream barberfifth.hnny1jymtpn2k[.]stream permissionquiversagittarius[.]space closetswissretailer[.]bid e10a12e32de96b60e95e89507e943c14[.]bid priceearthquakepencil[.]bid divingfuelsalary[.]trade swissfacilities.gumimprovementitalian[.]stream brokerbaker.hnny1jymtpn2k[.]stream improvementpaperwriter[.]bid calculatefuel.hnny1jymtpn2k[.]stream possibilityshare.gumimprovementitalian[.]stream transportbomb.gramsunshinesupply[.]club goallicense.shearssuccessberry[.]club purposeguarantee.shearssuccessberry[.]club apologycold.shearssuccessberry[.]club paymentceramic.pheasantmillisecondenvironment[.]stream limitsphere.pheasantmillisecondenvironment[.]stream dancerretailer.shearssuccessberry[.]club instructionscomposition.pheasantmillisecondenvironment[.]stream pyramiddecision.356020817786fb76e9361441800132c9[.]win printeroutput.pheasantmillisecondenvironment[.]stream clickbarber.356020817786fb76e9361441800132c9[.]win refundlentil.pheasantmillisecondenvironment[.]stream boydescription.356020817786fb76e9361441800132c9[.]win handballdisadvantage.harborinterestrecorder[.]club gondoladate-of-birth.harborinterestrecorder[.]club multimediabuild.textfatherfont[.]info buglecommand.textfatherfont[.]info hygienicreduction.brassreductionquill[.]site authorisationmessage.brassreductionquill[.]site rainstormpromotion.gramsunshinesupply[.]club apologycattle.gramsunshinesupply[.]club supplyheaven.gramsunshinesupply[.]club startguarantee.gramsunshinesupply[.]club agendawedge.shoemakerzippersuccess[.]stream profitcouch.shoemakerzippersuccess[.]stream battleinventory.nigeriarefundneon[.]pw mistakefreezer.nigeriarefundneon[.]pw deadlinepelican.shoemakerzippersuccess[.]stream authorizationposition.nigeriarefundneon[.]pw costsswim.nigeriarefundneon[.]pw flycity.7a35a143adde0374f820d92f977a92e1[.]trade dohmbineering[.]stream customergazelle.cyclonesoybeanpossibility[.]bid 7a35a143adde0374f820d92f977a92e1[.]trade invoiceburst.cyclonesoybeanpossibility[.]bid wdkkaxnpd99va[.]site nigeriarefundneon[.]pw distributionstatementdiploma[.]site decreaseclarinet.tom-tomchardcomparison[.]club columnistsalescave[.]xyz bassoonoption.tom-tomchardcomparison[.]club retailersproutalto[.]pro billcoast.tom-tomchardcomparison[.]club cyclonesoybeanpossibility[.]bid cocoacustomer.tom-tomchardcomparison[.]club reductiondramathrone[.]trade jumptom-tomapology[.]bid agesword.alvdxq1l6n0o[.]stream hnny1jymtpn2k[.]stream o88kd0e1yehd1s5[.]bid 356020817786fb76e9361441800132c9[.]win shearssuccessberry[.]club protestcomparisoncolor[.]site bombclick.alvdxq1l6n0o[.]stream gramsunshinesupply[.]club bakermagician.alvdxq1l6n0o[.]stream brassreductionquill[.]site date-of-birthtrout.87692f31beea22522f1488df044e1dad[.]top goodswinter.retailersproutalto[.]pro supportmensuccess[.]bid chooseravioli.87692f31beea22522f1488df044e1dad[.]top potatoemployee.retailersproutalto[.]pro freckleorderromania[.]win asiadeliveryarmenian[.]pro exhaustamusementsuggestion[.]pw pedestrianpathexplanation[.]info retaileraugustplier[.]club phoneimprovement.retailersproutalto[.]pro derpenquiry.87692f31beea22522f1488df044e1dad[.]top spayrgk[.]stream certificationplanet.87692f31beea22522f1488df044e1dad[.]top instructionssaudiarabia.retailersproutalto[.]pro f1ay91cxoywh[.]trade competitorthrillfeeling[.]online cowchange.distributionstatementdiploma[.]site enquiryfootnote.bubblecomparisonwar[.]top transportavenueexclamation[.]club fishsparkorder[.]trade organisationobjective.bubblecomparisonwar[.]top departmentant.distributionstatementdiploma[.]site suggestionburn.distributionstatementdiploma[.]site soldierprice.distributionstatementdiploma[.]site secureconfirmation.bubblecomparisonwar[.]top redrepairs.distributionstatementdiploma[.]site advertiselaura.bubblecomparisonwar[.]top casdfble[.]stream confirmationwoman.decimalyugolead[.]pro excyigted[.]stream beastcancercosts[.]pro appealbarber.decimalyugolead[.]pro nationweekretailer[.]club advisealgebra.decimalyugolead[.]pro detailpanequipment[.]site rectangleapologyfeather[.]trade bubbbble[.]stream visiongazellestock[.]site mxkznekruoays[.]trade debtorgreat-grandmother.bitpurchasetempo[.]loan mandolincamprisk[.]info paymentedge.bitpurchasetempo[.]loan comparisonrequestcrocodile[.]trade cookmorningfacilities[.]bid crabbudgetfahrenheit[.]tech periodicaldecision.bitpurchasetempo[.]loan deliverycutadvantage[.]info strangersharesnowflake[.]top enemyorder.bitpurchasetempo[.]loan passbookresponsibilityflare[.]bid knowledgedoctor.bitpurchasetempo[.]loan governmentsignaturepoint[.]top date-of-birthfender.tboapfmsyu[.]stream jailreduction.edgetaxprice[.]site shoemakerzippersuccess[.]stream invoicegosling.edgetaxprice[.]site lipprice.edgetaxprice[.]site bubblecomparisonwar[.]top applywholesaler.tboapfmsyu[.]stream distributionfile.edgetaxprice[.]site 87692f31beea22522f1488df044e1dad[.]top ehpcc.chggannel[.]stream alvdxq1l6n0o[.]stream peqmk.chggannel[.]stream erafightergoal[.]website lossathleteship[.]site edgetaxprice[.]site factoryslave.erafightergoal[.]website transportseptemberharp[.]club preparationshark.erafightergoal[.]website xgiph47su3ym[.]info tyqan.chggannel[.]stream lossicedeficit[.]pw offertenor.erafightergoal[.]website gumimprovementitalian[.]stream marketdisadvantage.reductiondramathrone[.]trade area-codebobcat.knowledgedrugsaturday[.]club jsffu2zkt5va[.]trade actressheight.knowledgedrugsaturday[.]club librarysuccess.reductiondramathrone[.]trade numberdeficitc-clamp[.]site alcoholproduction.reductiondramathrone[.]trade congoobjective.erafightergoal[.]website hockeyopiniondust[.]club lightdescription.erafightergoal[.]website approvepeak.knowledgedrugsaturday[.]club successcrow.reductiondramathrone[.]trade yewdigital.mxkznekruoays[.]trade domainconsider.mxkznekruoays[.]trade citizenshipquotation.44a11c539450ac1e13a6bb9728569d34[.]pro agendarutabaga.44a11c539450ac1e13a6bb9728569d34[.]pro stationdeadline.improvementdeadlinemillisecond[.]club maracaenquiry.nationweekretailer[.]club brandfloor.improvementdeadlinemillisecond[.]club clausmessage.nationweekretailer[.]club pleasureestimate.permissionquiversagittarius[.]space marginpaint.permissionquiversagittarius[.]space sandlimit.permissionquiversagittarius[.]space experienceiris.permissionquiversagittarius[.]space disadvantagegerman.crabbudgetfahrenheit[.]tech driverknowledge.crabbudgetfahrenheit[.]tech distributionpopcorn.debtbaconslip[.]stream scooterrise.crabbudgetfahrenheit[.]tech dinosaurbudget.fearshareoboe[.]trade canadaenquiry.crabbudgetfahrenheit[.]tech spongedeadline.crabbudgetfahrenheit[.]tech decreaseoil.fearshareoboe[.]trade debtordoor.fearshareoboe[.]trade employercurler.cookmorningfacilities[.]bid increaserock.fearshareoboe[.]trade elbowdebt.cookmorningfacilities[.]bid commissioncooking.comparisonrequestcrocodile[.]trade elizabethcosts.countrydifferencethumb[.]info equipmentdate.comparisonrequestcrocodile[.]trade rulesupport.countrydifferencethumb[.]info marketphilippines.comparisonrequestcrocodile[.]trade cicadareport.countrydifferencethumb[.]info baitfacilities.comparisonrequestcrocodile[.]trade debtordecision.comparisonrequestcrocodile[.]trade lossornament.countrydifferencethumb[.]info reindeerprofit.divingfuelsalary[.]trade outputfruit.divingfuelsalary[.]trade decembercommission.divingfuelsalary[.]trade marginswiss.divingfuelsalary[.]trade clickdecrease.strangersharesnowflake[.]top pricejelly.strangersharesnowflake[.]top barbercomposer.e10a12e32de96b60e95e89507e943c14[.]bid apologyunit.strangersharesnowflake[.]top employerrange.strangersharesnowflake[.]top employergoods.deliverycutadvantage[.]info acknowledgmentinterest.permissionquiversagittarius[.]space fallhippopotamus.deliverycutadvantage[.]info employeegarlic.deliverycutadvantage[.]info angoraadvantage.shelfdecreasecapital[.]win orderbooklet.shelfdecreasecapital[.]win outputvolcano.shelfdecreasecapital[.]win debtorcave.shelfdecreasecapital[.]win budgetdegree.maskobjectivebiplane[.]trade instructionspair.freckleorderromania[.]win equipmentwitness.maskobjectivebiplane[.]trade cardiganopinion.freckleorderromania[.]win forum.freckleorderromania[.]win motherresult.basketballoptionbeat[.]win orangedecision.freckleorderromania[.]win museumcosts.freckleorderromania[.]win apartmentapology.basketballoptionbeat[.]win competitionsunday.freckleorderromania[.]win millisecondpossibility.basketballoptionbeat[.]win c-clamppayment.asiadeliveryarmenian[.]pro phonefall.asiadeliveryarmenian[.]pro productionbanker.alleyasphaltreport[.]party penaltyinternet.asiadeliveryarmenian[.]pro reportbranch.alleyasphaltreport[.]party goodsyellow.alleyasphaltreport[.]party rollinterest.asiadeliveryarmenian[.]pro offeraftershave.alleyasphaltreport[.]party comparisonneed.alleyasphaltreport[.]party explanationlier.asiadeliveryarmenian[.]pro authorizationmale.foundationspadeinventory[.]club birthdayexperience.foundationspadeinventory[.]club sexdebt.competitorthrillfeeling[.]online lossbill.competitorthrillfeeling[.]online dinosaurfall.competitorthrillfeeling[.]online cannoncountdecide.f1ay91cxoywh[.]trade bugleathlete.f1ay91cxoywh[.]trade goalpanda.retaileraugustplier[.]club confirmationaustralian.retaileraugustplier[.]club holidayagenda.retaileraugustplier[.]club jobhate.pedestrianpathexplanation[.]info europin.pedestrianpathexplanation[.]info buysummer.77e1084e[.]pro borrowfield.77e1084e[.]pro shinyflaky.pedestrianpathexplanation[.]info captaincertification.77e1084e[.]pro slippery.pedestrianpathexplanation[.]info deficitairbus.exhaustamusementsuggestion[.]pw penaltydrug.exhaustamusementsuggestion[.]pw environmentbasket.alligatoremployeelyric[.]club blowsalary.alligatoremployeelyric[.]club digitalgoods.alligatoremployeelyric[.]club clerkbird.grasslettuceindustry[.]bid hygienicreduction.casdfble[.]stream disadvantageproduction.casdfble[.]stream deodorantconsider.grasslettuceindustry[.]bid authorisationmessage.casdfble[.]stream hellcustomer.grasslettuceindustry[.]bid equipmentparticle.shockadvantagewilderness[.]club shouldertransport.shockadvantagewilderness[.]club salaryfang.shockadvantagewilderness[.]club descriptionmoon.competitorthrillfeeling[.]online estimatememory.competitorthrillfeeling[.]online
188.209.49[.]151 93.190.141[.]39 188.209.49[.]135 217.23.7[.]15 91.214.71[.]110 185.93.185[.]226 188.209.49[.]49 93.190.137[.]22 93.190.141[.]45 93.190.141[.]166 93.190.141[.]200 45.58.125[.]74 77.81.230[.]141 173.224.121[.]91
Yugoslavian Business Network