Blog
/

Ransomware

OT

Thought Leadership

/
April 12, 2022

Efficient Incident Reporting: Darktrace AI Analyst

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
12
Apr 2022
Discover how Darktrace's Cyber AI Analyst accelerates incident reporting to the US federal government, enhancing cybersecurity response times.

On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law, included as part of the Congressional Omnibus Appropriations bill. The law requires critical infrastructure owners and operators to quickly notify the Cyber and Infrastructure Security Agency (CISA) of ransomware payments and significant cyber-attacks.

The Cyber Incident Reporting for Critical Infrastructure Act creates two new reporting requirements:

  1. an obligation to report certain cyber incidents to DHS CISA within 72 hours
  2. an obligation to report ransomware payments within 24 hours

Supporting the new law, Darktrace AI accelerates the cyber incident reporting process. Specifically, Darktrace’s Cyber AI Analyst understands the connections among disparate security incidents with supervised machine learning and autonomously writes incident reports in human-readable language using natural language processing (NLP). These Darktrace incident reports allow human analysts to send reports to CISA quickly and efficiently.

In the below real-world attack case study, we demonstrate how Cyber AI Analyst facilitates seamless reporting for critical infrastructure organizations that fall victim to ransomware and malicious data exfiltration. The AI technology, trained on human analyst behavior, replicates investigations at machine speed and scale, surfacing relevant details in minutes and allowing security teams to understand what happened precisely and share this information with the relevant authorities.

The below threat investigation details a significant threat find on a step by step level in technical detail to demonstrate the power and speed of Cyber AI Analyst.

Cyber AI Analyst’s incident report

When ransomware struck this organization, Cyber AI Analyst was invaluable, autonomously investigating the full scope of the incident and generating a natural language summary that clearly showed the progression of the attack.

Figure 1: Cyber AI Analyst reveals the full scope of the attack

In the aftermath of this attack, Darktrace’s technology also offered analyst assistance in mapping out the timeline of the attack and identifying what files were compromised, helping the security team identify anomalous activity related to the ransomware attack.

Figure 2: Cyber AI Analyst showing the stages of the attack chain undergone by the compromised device

With Darktrace AI’s insights, the team easily identified the timeline of the attack, affected devices, credentials used, file shares accessed, files exfiltrated, and malicious endpoints contacted, enabling the customer to disclose the scale of the attack and notify necessary parties.

This example demonstrates how Cyber AI Analyst empowers critical infrastructure owners and operators to swiftly report major cyber-attacks to the federal government. Considering that 72 hours is the reporting period is for significant incidents — and 24 hours for ransomware payments — Cyber AI Analyst is no longer a nice-to-have but a must-have for critical infrastructure.

Attack breakdown: Ransomware and data exfiltration

Cyber AI Analyst delivered the most critical information in an easy-to-read report — with no human touch involved — as shown in the incident report above. We will now break down the attack further to demonstrate how Darktrace’s Self-Learning AI understood the unusual activity throughout the attack lifecycle.

In this double extortion ransomware, attackers exfiltrated data over 22 days. The detections made by Darktrace’s Self-Learning AI, and the parallel investigation by Cyber AI Analyst, were used to map the attack chain and identify how and what data had been exfiltrated and encrypted.

The attack consisted of three general groups of events:

  • Unencrypted FTP (File Transfer Protocol) data exfiltration to rare malicious external endpoint in Bulgaria (May 9 07:23:46 UTC – May 21 03:06:46 UTC)
  • Ransomware encryption of files in network file shares (May 25 01:00:27 UTC – May 30 07:09:53 UTC)
  • Encrypted SSH (Secure Shell) data exfiltration to rare malicious external endpoint (May 29 16:43:37 UTC – May 30 13:23:59 UTC)
Figure 3: Timeline of the attack alongside Darktrace model breaches

First, uploads of internal data to a rare external endpoint in Bulgaria were observed within the networks. The exfiltration was preceded by SMB reads of internal file shares before approximately 450GB of data was exfiltrated via FTP.

Darktrace’s AI identified this threatening activity on its own, and the organization was quickly able to pinpoint what data had been exfiltrated, including files camouflaged by markings such as ‘Talent Acquisition’ and ‘Engineering and Construction,’ and legal and financial documents — suggesting that these were documents of an extremely sensitive nature.

Figure 4: Screenshots showing two model breaches relating to external uploads over FTP
Figure 5: Screenshot showing SMB reads from a file share before FTP upload

Model breaches:

  • Anomalous Connection / Unusual Incoming Data Volume
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Compromise / Ransomware / Suspicious SMB Activity
  • Compromise / Ransomware / SMB Reads then Writes with Additional Extensions
  • Unusual Activity / Anomalous SMB Move & Write
  • Unusual Activity / High Volume Server Data Transfer
  • Unusual Activity / Sustained Anomalous SMB Activity
  • Device / SMB Lateral Movement

Four days following this observed activity, Darktrace’s AI detected the deployment of ransomware when multiple compromised devices began making anomalous SMB connections to file shares that they do not typically access, reading and writing similar volumes to the SMB file shares, as well as writing additional extensions to files over SMB. The file extension comprised a random string of letters and was likely to be unique to this target.

Using Darktrace, the customer obtained a full list of files that had been encrypted. The list included apparent financial records in an ‘Accounts’ file share.

Figure 6: Model breach showing additional extension written to file during ransomware encryption

Model breaches:

  • Anomalous Connection / Unusual Incoming Data Volume
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Compromise / Ransomware / Suspicious SMB Activity
  • Compromise / Ransomware / SMB Reads then Writes with Additional Extensions
  • Unusual Activity / Anomalous SMB Move & Write
  • Unusual Activity / High Volume Server Data Transfer
  • Unusual Activity / Sustained Anomalous SMB Activity
  • Device / SMB Lateral Movement

Simultaneously, uploads of internal data to a rare external endpoint were observed within the network. The uploads were all performed using encrypted SSH/SFTP. In total, approximately 3.5GB of data was exfiltrated this way.

Despite the attacker using an encrypted channel to exfiltrate this data, Darktrace detected anomalous SMB file transfers prior to the external upload, indicating which files were exfiltrated. Here, Darktrace’s ability to go ‘back in time’ proved invaluable in helping analysts determine which files had been exfiltrated, although they were exfiltrated via an encrypted means.

Figure 7: Model breaches showing anomalous SMB activity before upload over SSH

Model breaches:

  • Anomalous Server Activity / Outgoing from Server
  • Compliance / SSH to Rare External Destination
  • Unusual Activity / Enhanced Unusual External Data Transfer
  • Device / Anomalous SMB Followed By Multiple Model Breaches
  • Device / Large Number of Model Breaches
  • Anomalous Connection / Uncommon 1 GiB Outbound
  • Anomalous Connection / Data Sent to Rare Domain
  • Anomalous Connection / Data Sent To New External Device

How did the attack bypass the rest of the security stack?

Existing administrative credentials were used to escalate privileges within the network and perform malicious activity.

Had Darktrace Antigena been active, it would have actioned a targeted, autonomous response to contain the activity in its early stages. Antigena would have enforced the ‘pattern of life’ on the devices involved in anomalous SMB activity — containing activity such as reading from file shares that are not normally connected, appending extensions to files and blocking outgoing connections to rare external endpoints.

However, in this case, Antigena was not set up to take action – it was configured in Human Confirmation mode. The incident was clearly alerted on by Darktrace, and appeared as a top priority item in the security team’s workflow. However, the security team was not monitoring Darktrace’s user interface, and in the absence of any action taken by other tools, the attack was allowed to progress, and the organization was obligated to disclose the details of the incident.

Streamlining the reporting process

In the modern threat landscape, leaning on AI to stop fast-moving and sophisticated attacks at machine speed and scale is critical. As this attack shows, the technology also helps organizations fulfill reporting requirements in the aftermath of an attack.

New legislation requires timely disclosure; with many traditional approaches to security, organizations do not have the capacity to surface the full details after an attack. On top of this, collating these details can take days or weeks. This is why Darktrace is no longer a nice-to-have but a must-have for critical infrastructure organizations, which are now required to report significant incidents swiftly.

Darktrace’s AI detects malicious activity as it happens and empowers customers to quickly understand the timeline of a compromise, as well as files accessed and exfiltrated by an attacker. This not only prepares organizations to resist the most sophisticated attacks, but also accelerates and radically simplifies the process of reporting the data breach.

Security teams should not have to confront disclosure processes on their own. Attacks happen fast, and their aftermaths are messy – retrospective investigation of lost data can be a futile effort with traditional approaches. With Darktrace, security teams can meet disruptive and sudden attacks with precise and nimble means of uncovering data, as well as detection and mitigation of risk. And, should the need arise, rapid and accurate reporting of events is laid out on a silver platter by the AI.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Justin Fier
SVP, Red Team Operations

Justin is one of the US’s leading cyber intelligence experts, and holds the position of SVP, Red Team Operations at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years’ experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Sally Kenyon Grant
VP, Darktrace Federal

Sally Kenyon Grant is Vice President of Federal at Darktrace, working with the US Department of Defense, the Intelligence Community and Federal Civilian Agencies.

Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
Share this article
Trending blogs
1
Darktrace Releases 2024 Half-Year Threat Insights
Aug 6, 2024
2
Introducing ‘Defend Beyond’: Our promise to customers in the face of evolving threats
Aug 27, 2024
3
Darktrace: Microsoft UK Partner of the Year 2024
Jun 27, 2024
4
CDR is just NDR for the Cloud... Right?
Jul 31, 2024
5
What you need to know about the new SEC Cybersecurity rules
Jul 17, 2024

More in this series

No items found.

Blog

/

October 15, 2024

/
No items found.

Navigating buying and adoption journeys for AI cybersecurity tools

Default blog imageDefault blog image

Enterprise AI tools go mainstream

In this dawning Age of AI, CISOs are increasingly exploring investments in AI security tools to enhance their organizations’ capabilities. AI can help achieve productivity gains by saving time and resources, mining intelligence and insights from valuable data, and increasing knowledge sharing and collaboration.  

While investing in AI can bring immense benefits to your organization, first-time buyers of AI cybersecurity solutions may not know where to start. They will have to determine the type of tool they want, know the options available, and evaluate vendors. Research and understanding are critical to ensure purchases are worth the investment.  

Challenges of a muddied marketplace

Key challenges in AI purchasing come from consumer doubt and lack of vendor transparency. The AI software market is buzzing with hype and flashy promises, which are not necessarily going to be realized immediately. This has fostered uncertainty among potential buyers, especially in the AI cybersecurity space.  

As Gartner writes, “There is a general lack of transparency and understanding about how AI-enhanced security solutions leverage AI and the effectiveness of those solutions within real-world SecOps. This leads to trust issues among security leaders and practitioners, resulting in slower adoption of AI features” [1].  

Similarly, only 26% of security professionals report a full understanding of the different types of AI in use within security products.

Given this widespread uncertainty generated through vague hype, buyers must take extra care when considering new AI tools to adopt.  

Goals of AI adoption

Buyers should always start their journeys with objectives in mind, and a universal goal is to achieve return on investment. When organizations adopt AI, there are key aspects that will signal strong payoff. These include:  

  • Wide-ranging application across operations and areas of the business
  • Actual, enthusiastic adoption and application by the human security team  
  • Integration with the rest of the security stack and existing workflows
  • Business and operational benefits, including but not limited to:  
  • Reduced risk
  • Reduced time to response
  • Reduced potential downtime, damage, and disruption
  • Increased visibility and coverage
  • Improved SecOps workflows
  • Decreased burden on teams so they can take on more strategic tasks  

Ideally, most or all these measurements will be fulfilled. It is not enough for AI tools to benefit productivity and workflows in theory, but they must be practically implemented to provide return on investment.  

Investigation before investment

Before investing in AI tools, buyers should ask questions pertaining to each stage of the adoption journey. The answers to these questions will not only help buyers gauge if a tool could be worth the investment, but also plan how the new tool will practically fit into the organization’s existing technology and workflows.  

Figure 1: Initial questions to consider when starting to shop for AI [2].

These questions are good to imagine how a tool will fit into your organization and determine if a vendor is worth further evaluation. Once you decide a tool has potential use and feasibility in your organization, it is time to dive deeper and learn more.  

Ask vendors specific questions about their technology. This information will most likely not be on their websites, and since it involves intellectual property, it may require an NDA.  

Find a longer list of questions to ask vendors and what to look for in their responses in the white paper “CISO’s Guide to Buying AI.”

Committing to transparency amidst the AI hype

For security teams to make the most out of new AI tools, they must trust the AI. Especially in an AI marketplace full of hype and obfuscation, transparency should be baked into both the descriptions of the AI tool and the tool’s functionality itself. With that in mind, here are some specifics about what techniques make up Darktrace’s AI.  

Darktrace as an AI cybersecurity vendor

Darktrace has been using AI technology in cybersecurity for over 10 years. As a pioneer in the space, we have made innovation part of our process.  

The Darktrace ActiveAI Security Platform™ uses multi-layered AI that trains on your unique business operations data for tailored security across the enterprise. This approach ensures that the strengths of one AI technique make up for the shortcomings of another, providing well-rounded and reliable coverage. Our models are always on and always learning, allowing your team to stop attacks in real time.  

The machine learning techniques used in our solution include:

  • Unsupervised machine learning
  • Multiple Clustering Techniques
  • Multiple anomaly detection models in tandem analyzing data across hundreds of metrics
  • Bayesian probabilistic methods
  • Bayesian metaclassifier for autonomous fine-tuning of unsupervised machine learning models
  • Deep learning engines
  • Graph theory
  • Applied supervised machine learning for investigative AI  
  • Neural networks
  • Reinforcement Learning
  • Generative and applied AI
  • Natural Language Processing (NLP) and Large Language Models (LLMs)
  • Post-processing models

Additionally, since Darktrace focuses on using the customer’s data across its entire digital estate, it brings a range of advantages in data privacy, interpretability, and data transfer costs.  

Building trust with Darktrace AI

Darktrace further supports the human security team’s adoption of our technology by building trust. To do that, we designed our platform to give your team visibility and control over the AI.  

Instead of functioning as a black box, our products focus on interpretability and sharing confidence levels. This includes specifying the threshold of what triggered a certain alert and the details of the AI Analyst’s investigations to see how it reached its conclusions. The interpretability of our AI uplevels and upskills the human security team with more information to drive investigations and remediation actions.  

For complete control, the human security team can modify all the detection and response thresholds for our model alerts to customize them to fit specific business preferences.  

Conclusion

CISO’s are increasingly considering investing in AI cybersecurity tools, but in this rapidly growing field, it’s not always clear what to look for.  

Buyers should first determine their goals for a new AI tool, then research possible vendors by reviewing validation and asking deeper questions. This will reveal if a tool is a good match for the organization to move forward with investment and adoption.  

As leaders in the AI cybersecurity industry, Darktrace is always ready to help you on your AI journey.  

Learn more about the most common types of machine learning in cybersecurity in the white paper “CISO’s Guide to Buying AI.”

References

  1. Gartner, April 17, 2024, “Emerging Tech: Navigating the Impact of AI on SecOps Solution Development.”  
  1. Inspired by Gartner, May 14, 2024, “Presentation Slides: AI Survey Reveals AI Security and Privacy Leads to Improved ROI” and NHS England, September, 18, 2020, “A Buyer’s Guide to AI in Health and Care,” Available at: https://transform.england.nhs.uk/ai-lab/explore-all-resources/adopt-ai/a-buyers-guide-to-ai-in-health-and-care/  
Continue reading
About the author
Nicole Carignan
VP of Strategic Cyber AI

Blog

/

October 16, 2024

/

Inside the SOC

Triaging Triada: Understanding an Advanced Mobile Trojan and How it Targets Communication and Banking Applications

Default blog imageDefault blog image

The rise of android malware

Recently, there has been a significant increase in malware strains targeting mobile devices, with a growing number of Android-based malware families, such as banking trojans, which aim to steal sensitive banking information from organizations and individuals worldwide.

These malware families attempt to access users’ accounts to steal online banking credentials and cookies, bypass multi-factor authentication (MFA), and conduct automatic transactions to steal funds [1]. They often masquerade as legitimate software or communications from social media platforms to compromise devices. Once installed, they use tactics such as keylogging, dumping cached credentials, and searching the file system for stored passwords to steal credentials, take over accounts, and potentially perform identity theft [1].

One recent example is the Antidot Trojan, which infects devices by disguising itself as an update page for Google Play. It establishes a command-and-control (C2) channel with a server, allowing malicious actors to execute commands and collect sensitive data [2].

Despite these malware’s ability to evade detection by standard security software, for example, by changing their code [3], Darktrace recently detected another Android malware family, Triada, communicating with a C2 server and exfiltrating data.

Triada: Background and tactics

First surfacing in 2016, Triada is a modular mobile trojan known to target banking and financial applications, as well as popular communication applications like WhatsApp, Facebook, and Google Mail [4]. It has been deployed as a backdoor on devices such as CTV boxes, smartphones, and tablets during the supply chain process [5]. Triada can also be delivered via drive-by downloads, phishing campaigns, smaller trojans like Leech, Ztorg, and Gopro, or more recently, as a malicious module in applications such as unofficial versions of WhatsApp, YoWhatsApp, and FM WhatsApp [6] [7].

How does Triada work?

Once downloaded onto a user’s device, Triada collects information about the system, such as the device’s model, OS version, SD card space, and list of installed applications, and sends this information to a C2 server. The server then responds with a configuration file containing the device’s personal identification number and settings, including the list of modules to be installed.

After a device has been successfully infected by Triada, malicious actors can monitor and intercept incoming and outgoing texts (including two-factor authentication messages), steal login credentials and credit card information from financial applications, divert in-application purchases to themselves, create fake messaging and email accounts, install additional malicious applications, infect devices with ransomware, and take control of the camera and microphone [4] [7].

For devices infected by unofficial versions of WhatsApp, which are downloaded from third-party app stores [9] and from mobile applications such as Snaptube and Vidmate , Triada collects unique device identifiers, information, and keys required for legitimate WhatsApp to work and sends them to a remote server to register the device [7] [12]. The server then responds by sending a link to the Triada payload, which is downloaded and launched. This payload will also download additional malicious modules, sign into WhatsApp accounts on the target’s phone, and request the same permissions as the legitimate WhatsApp application, such as access to SMS messages. If granted, a malicious actor can sign the user up for paid subscriptions without their knowledge. Triada then collects information about the user’s device and mobile operator and sends it to the C2 server [9] [12].

How does Triada avoid detection?

Triada evades detection by modifying the Zygote process, which serves as a template for every application in the Android OS. This enables the malware to become part of every application launched on a device [3]. It also substitutes system functions and conceals modules from the list of running processes and installed apps, ensuring that the system does not raise the alarm [3]. Additionally, as Triada connects to a C2 server on the first boot, infected devices remain compromised even after a factory reset [4].

Triada attack overview

Across multiple customer deployments, devices were observed making a large number of connections to a range of hostnames, primarily over encrypted SSL and HTTPS protocols. These hostnames had never previously been observed on the customers’ networks and appear to be algorithmically generated. Examples include “68u91.66foh90o[.]com”, “92n7au[.]uhabq9[.]com”, “9yrh7.mea5ms[.]com”, and “is5jg.3zweuj[.]com”.

External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.
Figure 1: External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.

Most of the IP addresses associated with these hostnames belong to an ASN associated with the cloud provider Alibaba (i.e., AS45102 Alibaba US Technology Co., Ltd). These connections were made over a range of high number ports over 1000, most commonly over 30000 such as 32091, which Darktrace recognized as extremely unusual for the SSL and HTTPS protocols.

Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.
Figure 2: Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.

On several customer deployments, devices were seen exfiltrating data to hostnames which also appeared to be algorithmically generated. This occurred via HTTP POST requests containing unusual URI strings that were made without a prior GET request, indicating that the infected device was using a hardcoded list of C2 servers.

Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.
Figure 3: Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.
Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.
Figure 4: Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.

These connections correspond with reports that devices affected by Triada communicate with the C2 server to transmit their information and receive instructions for installing the payload.

A number of these endpoints have communicating files associated with the unofficial WhatsApp versions YoWhatsApp and FM WhatsApp [11] [12] [13] . This could indicate that the devices connecting to these endpoints were infected via malicious modules in the unofficial versions of WhatsApp, as reported by open-source intelligence (OSINT) [10] [12]. It could also mean that the infected devices are using these connections to download additional files from the C2 server, which could infect systems with additional malicious modules related to Triada.

Moreover, on certain customer deployments, shortly before or after connecting to algorithmically generated hostnames with communicating files linked to YoWhatsApp and FM WhatsApp, devices were also seen connecting to multiple endpoints associated with WhatsApp and Facebook.

Figure 5: Screenshot from a device’s event log showing connections to endpoints associated with WhatsApp shortly after it connected to “9yrh7.mea5ms[.]com”.

These surrounding connections indicate that Triada is attempting to sign in to the users’ WhatsApp accounts on their mobile devices to request permissions such as access to text messages. Additionally, Triada sends information about users’ devices and mobile operators to the C2 server.

The connections made to the algorithmically generated hostnames over SSL and HTTPS protocols, along with the HTTP POST requests, triggered multiple Darktrace models to alert. These models include those that detect connections to potentially algorithmically generated hostnames, connections over ports that are highly unusual for the protocol used, unusual connectivity over the SSL protocol, and HTTP POSTs to endpoints that Darktrace has determined to be rare for the network.

Conclusion

Recently, the use of Android-based malware families, aimed at stealing banking and login credentials, has become a popular trend among threat actors. They use this information to perform identity theft and steal funds from victims worldwide.

Across affected customers, multiple devices were observed connecting to a range of likely algorithmically generated hostnames over SSL and HTTPS protocols. These devices were also seen sending data out of the network to various hostnames via HTTP POST requests without first making a GET request. The URIs in these requests appeared to be algorithmically generated, suggesting the exfiltration of sensitive network data to multiple Triada C2 servers.

This activity highlights the sophisticated methods used by malware like Triada to evade detection and exfiltrate data. It underscores the importance of advanced security measures and anomaly-based detection systems to identify and mitigate such mobile threats, protecting sensitive information and maintaining network integrity.

Credit to: Justin Torres (Senior Cyber Security Analyst) and Charlotte Thompson (Cyber Security Analyst).

Appendices

Darktrace Model Detections

Model Alert Coverage

Anomalous Connection / Application Protocol on Uncommon Port

Anomalous Connection / Multiple Connections to New External TCP Port

Anomalous Connection / Multiple HTTP POSTS to Rare Hostname

Anomalous Connections / Multiple Failed Connections to Rare Endpoint

Anomalous Connection / Suspicious Expired SSL

Compromise / DGA Beacon

Compromise / Domain Fluxing

Compromise / Fast Beaconing to DGA

Compromise / Sustained SSL or HTTP Increase

Compromise / Unusual Connections to Rare Lets Encrypt

Unusual Activity / Unusual External Activity

AI Analyst Incident Coverage

Unusual Repeated Connections to Multiple Endpoints

Possible SSL Command and Control

Unusual Repeated Connections

List of Indicators of Compromise (IoCs)

Ioc – Type - Description

  • is5jg[.]3zweuj[.]com - Hostname - Triada C2 Endpoint
  • 68u91[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • 9yrh7[.]mea5ms[.]com - Hostname - Triada C2 Endpoint
  • 92n7au[.]uhabq9[.]com - Hostname - Triada C2 Endpoint
  • 4a5x2[.]fs4ah[.]com - Hostname - Triada C2 Endpoint
  • jmll4[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • mrswd[.]wo87sf[.]com - Hostname - Triada C2 Endpoint
  • lptkw[.]s4xx6[.]com - Hostname - Triada C2 Endpoint
  • ya27fw[.]k6zix6[.]com - Hostname - Triada C2 Endpoint
  • w0g25[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • kivr8[.]wd6vy[.]com - Hostname - Triada C2 Endpoint
  • iuwe64[.]ct8pc6[.]com - Hostname - Triada C2 Endpoint
  • qefgn[.]8z0le[.]com - Hostname - Triada C2 Endpoint
  • a6y0x[.]xu0h7[.]com - Hostname - Triada C2 Endpoint
  • wewjyw[.]qb6ges[.]com - Hostname - Triada C2 Endpoint
  • vx9dle[.]n0qq3z[.]com - Hostname - Triada C2 Endpoint
  • 72zf6[.]rxqfd[.]com - Hostname - Triada C2 Endpoint
  • dwq[.]fsdw4f[.]com - Hostname - Triada C2 Endpoint
  • tqq6g[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • 1rma1[.]4f8uq[.]com - Hostname - Triada C2 Endpoint
  • 0fdwa[.]7j3gj[.]com - Hostname - Triada C2 Endpoint
  • 5a7en[.]1e42t[.]com - Hostname - Triada C2 Endpoint
  • gmcp4[.]1e42t[.]com - Hostname - Triada C2 Endpoint
  • g7190[.]rt14v[.]com - Hostname - Triada C2 Endpoint
  • goyvi[.]2l2wa[.]com - Hostname - Triada C2 Endpoint
  • zq6kk[.]ca0qf[.]com - Hostname - Triada C2 Endpoint
  • sv83k[.]bn3avv[.]com - Hostname - Triada C2 Endpoint
  • 9sae7h[.]ct8pc6[.]com - Hostname - Triada C2 Endpoint
  • jpygmk[.]qt7tqr[.]com - Hostname - Triada C2 Endpoint
  • av2wg[.]rt14v[.]com - Hostname - Triada C2 Endpoint
  • ugbrg[.]osz1p[.]com - Hostname - Triada C2 Endpoint
  • hw2dm[.]wtws9k[.]com - Hostname - Triada C2 Endpoint
  • kj9atb[.]hai8j1[.]com - Hostname - Triada C2 Endpoint
  • pls9b[.]b0vb3[.]com - Hostname - Triada C2 Endpoint
  • 8rweau[.]j7e7r[.]com - Hostname - Triada C2 Endpoint
  • wkc5kn[.]j7e7r[.]com - Hostname - Triada C2 Endpoint
  • v58pq[.]mpvflv[.]com - Hostname - Triada C2 Endpoint
  • zmai4k[.]huqp3e[.]com - Hostname - Triada C2 Endpoint
  • eajgum[.]huqp3e[.]com - Hostname - Triada C2 Endpoint
  • mxl9zg[.]kv0pzv[.]com - Hostname - Triada C2 Endpoint
  • ad1x7[.]mea5ms[.]com - Hostname - Triada C2 Endpoint
  • ixhtb[.]s9gxw8[.]com - Hostname - Triada C2 Endpoint
  • vg1ne[.]uhabq9[.]com - Hostname - Triada C2 Endpoint
  • q5gd0[.]birxpk[.]com - Hostname - Triada C2 Endpoint
  • dycsw[.]h99n6[.]com - Hostname - Triada C2 Endpoint
  • a3miu[.]h99n6[.]com - Hostname - Triada C2 Endpoint
  • qru62[.]5qwu8b5[.]com - Hostname - Triada C2 Endpoint
  • 3eox8[.]abxkoop[.]com - Hostname - Triada C2 Endpoint
  • 0kttj[.]bddld[.]com - Hostname - Triada C2 Endpoint
  • gjhdr[.]xikuj[.]com - Hostname - Triada C2 Endpoint
  • zq6kk[.]wm0hd[.]com - Hostname - Triada C2 Endpoint
  • 8.222.219[.]234 - IP Address - Triada C2 Endpoint
  • 8.222.244[.]205 - IP Address - Triada C2 Endpoint
  • 8.222.243[.]182 - IP Address - Triada C2 Endpoint
  • 8.222.240[.]127 - IP Address - Triada C2 Endpoint
  • 8.219.123[.]139 - IP Address - Triada C2 Endpoint
  • 8.219.196[.]124 - IP Address - Triada C2 Endpoint
  • 8.222.217[.]73 - IP Address - Triada C2 Endpoint
  • 8.222.251[.]253 - IP Address - Triada C2 Endpoint
  • 8.222.194[.]254 - IP Address - Triada C2 Endpoint
  • 8.222.251[.]34 - IP Address - Triada C2 Endpoint
  • 8.222.216[.]105 - IP Address - Triada C2 Endpoint
  • 47.245.83[.]167 - IP Address - Triada C2 Endpoint
  • 198.200.54[.]56 - IP Address - Triada C2 Endpoint
  • 47.236.113[.]126 - IP Address - Triada C2 Endpoint
  • 47.241.47[.]128 - IP Address - Triada C2 Endpoint
  • /iyuljwdhxk - URI - Triada C2 URI
  • /gvuhlbzknh - URI - Triada C2 URI
  • /sqyjyadwwq - URI - Triada C2 URI
  • /cncyz3 - URI - Triada C2 URI
  • /42k0zk - URI - Triada C2 URI
  • /75kdl5 - URI - Triada C2 URI
  • /i8xps1 - URI - Triada C2 URI
  • /84gcjmo - URI - Triada C2 URI
  • /fkhiwf - URI - Triada C2 URI

MITRE ATT&CK Mapping

Technique Name - Tactic - ID - Sub-Technique of

Data Obfuscation - COMMAND AND CONTROL - T1001

Non-Standard Port - COMMAND AND CONTROL - T1571

Standard Application Layer Protocol - COMMAND AND CONTROL ICS - T0869

Non-Application Layer Protocol - COMMAND AND CONTROL - T1095

Masquerading - EVASION ICS - T0849

Man in the Browser - COLLECTION - T1185

Web Protocols - COMMAND AND CONTROL - T1071.001 -T1071

External Proxy - COMMAND AND CONTROL - T1090.002 - T1090

Domain Generation Algorithms - COMMAND AND CONTROL - T1568.002 - T1568

Web Services - RESOURCE DEVELOPMENT - T1583.006 - T1583

DNS - COMMAND AND CONTROL - T1071.004 - T1071

Fast Flux DNS - COMMAND AND CONTROL - T1568.001 - T1568

One-Way Communication - COMMAND AND CONTROL - T1102.003 - T1102

Digital Certificates - RESOURCE DEVELOPMENT - T1587.003 - T1587

References

[1] https://www.checkpoint.com/cyber-hub/cyber-security/what-is-trojan/what-is-a-banking-trojan/

[2] https://cyberfraudcentre.com/the-rise-of-the-antidot-android-banking-trojan-a-comprehensive-guide

[3] https://www.zimperium.com/glossary/banking-trojans/

[4] https://www.geeksforgeeks.org/what-is-triada-malware/

[5] https://www.infosecurity-magazine.com/news/malware-infected-devices-retailers/

[6] https://www.pcrisk.com/removal-guides/24926-triada-trojan-android

[7] https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/

[8] https://securityboulevard.com/2024/02/impact-of-badbox-and-peachpit-malware-on-android-devices/

[9] https://threatpost.com/custom-whatsapp-build-malware/168892/

[10] https://securelist.com/triada-trojan-in-whatsapp-mod/103679/

[11] https://www.virustotal.com/gui/domain/is5jg.3zweuj.com/relations

[12] https://www.virustotal.com/gui/domain/92n7au.uhabq9.com/relations

[13] https://www.virustotal.com/gui/domain/68u91.66foh90o.com/relations

Continue reading
About the author
Justin Torres
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI