Let me first start by thanking everybody who responded to our request for logs. Though many contributors have requested that I withhold attributing the data to them, several folks have given me the opportunity to credit them with their invaluable data, which will be done in the final report.
Since the beginning of March, this threat has grown in scale but not in tactics. In fact, as of May 5th, I have seen no new shellshock scans originating from this group. Since then several other key tactics have changed, making them more difficult to track without having access to compromised machines. Prior to this major change in how they distribute the malware, I was able to collect over 7,000 samples of executables (ELF and PE32), logs, kits, botnet malware generators and controllers, and screenshots from their malware distribution web servers. Unfortunately, a lot of the analysis is a manual process. We have confirmed that the following malware families are in use by this threat actor group.
- MrBlack (generated with the captured MrBlack binary generator)
  - Linux: https://www.virustotal.com/en/file/5fd927799a313525eb3bc637114338f11ddfbce39fc2998cff656d1398a8ed35/analysis/1432827376/
  - Windows: https://www.virustotal.com/en/file/366537c4a5175d1ebd22bedb35410d3ff27a2f5dc7065a9df0767fe1757faba7/analysis/1432918164/
- Win32/Nitol.A (generated with the captured binary generator)
  - Windows: https://www.virustotal.com/en/file/775a8fe1eae8b21b0141066703b064c9e35323a189458c5db183d70f02fda2ad/analysis/
- Win32/Virut.BO (created with the captured binary generator)
  - Windows: https://www.virustotal.com/en/file/68ca792d5d2d375f7078be85234e315ca5cfdee8392f0b53ae6c5db5b5c9f20f/analysis/1432918816/
- Win32/Virut.BN (sample captured together with its generator)
  - Windows: https://www.virustotal.com/en/file/5710049dc41902311cd9bec157d0b5cc0e57a684555aa902ef02233996a6a92c/analysis/1432919900/
- Parite.B (captured en masse from the malware distribution points; we have captured a generator, but it is missing a critical piece)
  - Windows: https://www.virustotal.com/en/file/f9aec22682bda992ae71edbe2eb05e96b8173367561c4842e7218c9f84cb78d1/analysis/1432920294/
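The VirusTotal links above each embed the sample's SHA-256, which makes the list usable as a hash-based indicator set. The following is an added example, not code from the original post or from CARISIRT, that pulls those hashes out of the links, builds a lookup table keyed by digest, and sweeps a directory for files whose SHA-256 matches. The family labels and the `VT_LINKS` mapping are taken from the list above; the `match_blobs` helper and the sample bytes in `main()` are constructed here purely so the script runs offline.

```python
"""Hash-based IoC sweep built from the VirusTotal links in the post.

Example code added to the post; it is not CARISIRT's tooling.
Only the SHA-256 values (from the VT URLs above) are taken from the post.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# VirusTotal links from the post, keyed by the family the post attributes them to.
VT_LINKS: Dict[str, str] = {
    "MrBlack (Linux ELF)": "https://www.virustotal.com/en/file/5fd927799a313525eb3bc637114338f11ddfbce39fc2998cff656d1398a8ed35/analysis/1432827376/",
    "MrBlack (Windows PE32)": "https://www.virustotal.com/en/file/366537c4a5175d1ebd22bedb35410d3ff27a2f5dc7065a9df0767fe1757faba7/analysis/1432918164/",
    "Win32/Nitol.A": "https://www.virustotal.com/en/file/775a8fe1eae8b21b0141066703b064c9e35323a189458c5db183d70f02fda2ad/analysis/",
    "Win32/Virut.BO": "https://www.virustotal.com/en/file/68ca792d5d2d375f7078be85234e315ca5cfdee8392f0b53ae6c5db5b5c9f20f/analysis/1432918816/",
    "Win32/Virut.BN": "https://www.virustotal.com/en/file/5710049dc41902311cd9bec157d0b5cc0e57a684555aa902ef02233996a6a92c/analysis/1432919900/",
    "Parite.B": "https://www.virustotal.com/en/file/f9aec22682bda992ae71edbe2eb05e96b8173367561c4842e7218c9f84cb78d1/analysis/1432920294/",
}

# A VT file URL carries the SHA-256 between "/file/" and "/analysis".
_VT_SHA256_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")


def sha256_from_vt_url(url: str) -> Optional[str]:
    """Return the lower-case SHA-256 embedded in a VirusTotal file URL, or None."""
    match = _VT_SHA256_RE.search(url)
    return match.group(1).lower() if match else None


def build_ioc_table(links: Dict[str, str]) -> Dict[str, str]:
    """Map SHA-256 digest -> family label, skipping links with no parseable hash."""
    table: Dict[str, str] = {}
    for family, url in links.items():
        digest = sha256_from_vt_url(url)
        if digest is not None:
            table[digest] = family
    return table


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large samples do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def match_blobs(blobs: Dict[str, bytes], ioc_table: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Check in-memory byte strings (name -> bytes) against the IoC table.

    Returns (name, sha256, family) for every hit; useful for offline testing.
    """
    hits = []
    for name, data in blobs.items():
        digest = sha256_of_bytes(data)
        if digest in ioc_table:
            hits.append((name, digest, ioc_table[digest]))
    return hits


def scan_directory(root: Path, ioc_table: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Walk `root` recursively and report every file whose SHA-256 is in the table."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_of_file(path)
        except OSError:
            # Unreadable or vanished file; skip rather than abort the sweep.
            continue
        if digest in ioc_table:
            hits.append((str(path), digest, ioc_table[digest]))
    return hits


def main() -> None:
    table = build_ioc_table(VT_LINKS)
    print(f"{len(table)} SHA-256 indicators loaded from the post's VirusTotal links")
    # Constructed, benign sample bytes: no hit is expected here.
    constructed = {"benign.bin": b"constructed harmless test data"}
    print("hits in constructed blobs:", match_blobs(constructed, table))


if __name__ == "__main__":
    main()
```

Point `scan_directory` at a quarantine share or a mounted router image to sweep it; exact-hash matching will only catch these specific builds, so treat a hit as confirmation and a miss as inconclusive, since the post notes the generators produce fresh binaries.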
We are still collecting logs, specifically anything to do with compromises of Ubiquiti devices and other SOHO routers. Due to the sheer number of artifacts collected, my final report on all this activity is still in the works (even with more than 300 man-hours of collection, research and analysis behind me). We will continue to update this blog with our findings as well as our finalized release date!
Head Of Security
Incident Response Team (CARISIRT)