Blog
/

Ransomware

/
February 24, 2021

LockBit Ransomware Analysis: Compromised Credentials

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
24
Feb 2021
Darktrace examines how a LockBit ransomware attack that took place over just four hours was caused by one compromised credential. Read more here.

Lockbit ransomware found

LockBit ransomware was recently identified by Darktrace's Cyber AI during a trial with a retail company in the US. After an initial foothold was established via a compromised administrative credential, internal reconnaissance, lateral movement, and encryption of files occurred simultaneously, allowing the ransomware to steamroll through the digital system in just a few hours.

This incident serves as the latest reminder that ransomware campaigns now move through organizations at a speed that far outpaces human responders, demonstrating the need for machine-speed Autonomous Response to contain the threat before damage is done.

Lockbit ransomware defined

First discovered in 2019, LockBit is a relatively new family of ransomware that quickly exploits commonly available protocols and tools like SMB and PowerShell. It was originally known as ‘ABCD’ due the filename extension of the encrypted files, before it started using the current .lockbit extension. Since those early beginnings, it has evolved into one of the most calamitous strains of malware to date, asking for an average ransom of around $40,000 per organization.

As cyber-criminals level up the speed and scale of their attacks, ransomware remains a critical concern for organizations across every industry. In the past 12 months, Darktrace has observed an increase of over 20% in ransomware incidents across its customer base. Attackers are constantly developing new threat variants targeting exploits, utilizing off-the-shelf tools, and profiting from the burgeoning Ransomware-as-a-Service (RaaS) business model.

How does LockBit work?

In a typical attack, a threat actor will spend days or weeks inside a system, manually screening for the best way to grind the victim’s business to a halt. This phase tends to expose multiple indicators of compromise such as command and control (C2) beaconing, which Darktrace AI identifies in real time.

LockBit, however, only requires the presence of a human for a number of hours, after which it propagates through a system and infects other hosts on its own, without the need for human oversight. Crucially, the malware performs reconnaissance and continues to spread during the encryption phase. This allows it to cause maximal damage faster than other manual approaches.

AI-powered defense is essential in fighting back against these machine-driven attacks, which have the capacity to spread at speed and scale, and often go undetected by signature-based security tools. Cyber AI augments human teams by not only detecting the subtle signs of a threat, but autonomously responding in seconds, quicker than any human can be expected to react.

Ransomware analysis: Breaking down a LockBit attack with AI

Figure 1: Timeline of attack on the infected host and the encryption host. The infected host was the device initially infected with LockBit, which then spread to the encryption host, the device which performed the encryption.

Initial compromise

The attack commenced when a cyber-criminal gained access to a single privileged credential – either through a brute-force attack on an externally facing device, as seen in previous LockBit ransomware attacks, or simply with a phishing email. With the use of this credential, the device was able to spread and encrypt files within hours of the initial infection.

Had the method of infiltration been via phishing attack, a route that has become increasingly popular in recent months, Darktrace/ EMAIL would have withheld the email and stripped the malicious payloads, and so prevented the attack from the outset.

Limiting permissions, the use of strong passwords, and multi-factor authentication (MFA), are critical in preventing the exploitation of standard network protocols in such attacks.

Internal reconnaissance

At 14:19 local time, the first of many WMI commands (ExecMethod) to multiple internal destinations was performed by an internal IP address over DCE-RPC. This series of commands occurred throughout the encryption process. Given these commands were unusual in the context of the normal ‘pattern of life’ for the organization, Darktrace DETECT alerted the security team to each of these connections.

Within three minutes, the device had started to write executable files over SMB to hidden shares on multiple destinations – many of which were the same. File writes to hidden shares are ordinarily restricted. However, the unauthorized use of an administrative credential granted these privileges. The executable files were written to the Windows / Temp directory. Filenames had a similar formatting: .*eck[0-9]?.exe

Darktrace identified each of these SMB writes as a potential threat, since such administrative activity was unexpected from the compromised device.

The WMI commands and executable file writes continued to be made to multiple destinations. In less than two hours, the ExecMethod command was delivered to a critical device – the ‘encryption host’ – shortly followed by an executable file write (eck3.exe) to its hidden c$ share.

LockBit’s script has the capability to check its current privileges and, if non-administrative, it attempts to bypass using Windows User Account Control (UAC). This particular host did provide the required privileges to the process. Once this device was infected, encryption began.

File encryption

Only one second after encryption had started, Darktrace alerted on the unusual file extension appendage in addition to the previous, high-fidelity alerts for earlier stages of the attack lifecycle.

A recovery file – ‘Restore-My-Files.txt’ – was identified by Darktrace one second after the first encryption event. 8,998 recovery files were written, one to each encrypted folder.

An example of Darktrace’s Threat Visualizer showcasing anomalous SMB connections, with model breaches represented by dots.
Figure 2: An example of Darktrace’s Threat Visualizer showcasing anomalous SMB connections, with model breaches represented by dots.

The encryption host was a critical device that regularly utilized SMB. Exploiting SMB is a popular tactic for cyber-criminals. Such tools are so frequently used that it is difficult for signature-based detection methods to identify quickly whether their activity is malicious or not. In this case, Darktrace’s ‘Unusual Activity’ score for the device was elevated within two seconds of the first encryption, indicating that the device was deviating from its usual pattern of behavior.

Throughout the encryption process, Darktrace also detected the device performing network reconnaissance, enumerating shares on 55 devices (via srvsvc) and scanning over 1,000 internal IP addresses on nine critical TCP ports.

During this time, ‘Patient Zero’ – the initially infected device – continued to write executable files to hidden file shares. LockBit was using the initial device to spread the malware across the digital estate, while the ‘encryption host’ performed reconnaissance and encrypted the files simultaneously.

Despite Cyber AI detecting the threat even before the encryption had begun, the security team did not have eyes on Darktrace at the time of the attack. The intrusion was thus allowed to continue and over 300,000 files were encrypted and appended with the .lockbit extension. Four servers and 15 desktop devices were affected, before the attack was stopped by the administrators.

The rise of ‘hit and run’ ransomware

While most ransomware resides inside an organization for days or weeks, LockBit’s self-governing nature allows the attacker to ‘hit and run’, deploying the ransomware with minimal interaction required after the initial intrusion. The ability to detect anomalous activity across the entire digital infrastructure in real time is therefore crucial in LockBit’s prevention.

WMI and SMB are relied upon by the vast majority of companies around the world, and yet they were utilized in this attack to propagate through the system and encrypt hundreds of thousands of files. The prevalence and volume of these connections make them near-impossible to monitor with humans or signature-based detection techniques alone.

Moreover, the uniqueness of every enterprise’s digital estate impedes signature-based detection from effectively alerting on internal connections and the volume of such connections. Darktrace, however, uses machine learning to understand the individual pattern of behavior for each device, in this case allowing it to highlight the unusual internal activity as it occurred.

The organization involved did not have Darktrace’s Autonomous Response technology configured in active mode. If enabled, i would have surgically blocked the initial WMI operations and SMB drive writes that triggered the attack whilst allowing the critical network devices to continue standard operations. Even if the foothold had been established, D would have enforced the ‘pattern of life’ of the encryption host, preventing the cascade of encryption over SMB. This demonstrates the importance of meeting machine-speed attacks with autonomous cyber security, which reacts in real time to sophisticated threats when human security teams cannot.

LockBit has the ability to encrypt thousands of files in just seconds, even when targeting well-prepared organizations. This type of ransomware, with built-in worm-like functionality, is expected to become increasingly common over 2021. Such attacks can move at a speed which no human security team alone can match. Darktrace’s approach, which uses unsupervised machine learning, can respond in seconds to these rapid attacks and shut them down in their earliest stages.

Thanks to Darktrace analyst Isabel Finn for her insights on the above threat find.

Darktrace model detections:

  • Device / New or Uncommon WMI Activity
  • Compliance / SMB Drive Write
  • Compromise / Ransomware / Suspicious SMB Activity
  • Compromise / Ransomware / Ransom or Offensive Words Written to SMB
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Anomalous Connection / SMB Enumeration
  • Device / Network Scan – Low Anomaly Score
  • Anomalous Connection / Sustained MIME Type Conversion
  • Anomalous Connection / Suspicious Read Write Ratio
  • Unusual Activity / Sustained Anomalous SMB Activity
  • Device / Large Number of Model Breaches

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
Share this article
Trending blogs
1
Darktrace Releases 2024 Half-Year Threat Insights
Aug 6, 2024
2
Introducing ‘Defend Beyond’: Our promise to customers in the face of evolving threats
Aug 27, 2024
3
Darktrace: Microsoft UK Partner of the Year 2024
Jun 27, 2024
4
CDR is just NDR for the Cloud... Right?
Jul 31, 2024
5
What you need to know about the new SEC Cybersecurity rules
Jul 17, 2024

More in this series

No items found.

Blog

/

October 16, 2024

/
No items found.

Navigating buying and adoption journeys for AI cybersecurity tools

Default blog imageDefault blog image

Enterprise AI tools go mainstream

In this dawning Age of AI, CISOs are increasingly exploring investments in AI security tools to enhance their organizations’ capabilities. AI can help achieve productivity gains by saving time and resources, mining intelligence and insights from valuable data, and increasing knowledge sharing and collaboration.  

While investing in AI can bring immense benefits to your organization, first-time buyers of AI cybersecurity solutions may not know where to start. They will have to determine the type of tool they want, know the options available, and evaluate vendors. Research and understanding are critical to ensure purchases are worth the investment.  

Challenges of a muddied marketplace

Key challenges in AI purchasing come from consumer doubt and lack of vendor transparency. The AI software market is buzzing with hype and flashy promises, which are not necessarily going to be realized immediately. This has fostered uncertainty among potential buyers, especially in the AI cybersecurity space.  

As Gartner writes, “There is a general lack of transparency and understanding about how AI-enhanced security solutions leverage AI and the effectiveness of those solutions within real-world SecOps. This leads to trust issues among security leaders and practitioners, resulting in slower adoption of AI features” [1].  

Similarly, only 26% of security professionals report a full understanding of the different types of AI in use within security products.

Given this widespread uncertainty generated through vague hype, buyers must take extra care when considering new AI tools to adopt.  

Goals of AI adoption

Buyers should always start their journeys with objectives in mind, and a universal goal is to achieve return on investment. When organizations adopt AI, there are key aspects that will signal strong payoff. These include:  

  • Wide-ranging application across operations and areas of the business
  • Actual, enthusiastic adoption and application by the human security team  
  • Integration with the rest of the security stack and existing workflows
  • Business and operational benefits, including but not limited to:  
  • Reduced risk
  • Reduced time to response
  • Reduced potential downtime, damage, and disruption
  • Increased visibility and coverage
  • Improved SecOps workflows
  • Decreased burden on teams so they can take on more strategic tasks  

Ideally, most or all these measurements will be fulfilled. It is not enough for AI tools to benefit productivity and workflows in theory, but they must be practically implemented to provide return on investment.  

Investigation before investment

Before investing in AI tools, buyers should ask questions pertaining to each stage of the adoption journey. The answers to these questions will not only help buyers gauge if a tool could be worth the investment, but also plan how the new tool will practically fit into the organization’s existing technology and workflows.  

Figure 1: Initial questions to consider when starting to shop for AI [2].

These questions are good to imagine how a tool will fit into your organization and determine if a vendor is worth further evaluation. Once you decide a tool has potential use and feasibility in your organization, it is time to dive deeper and learn more.  

Ask vendors specific questions about their technology. This information will most likely not be on their websites, and since it involves intellectual property, it may require an NDA.  

Find a longer list of questions to ask vendors and what to look for in their responses in the white paper “CISO’s Guide to Buying AI.”

Committing to transparency amidst the AI hype

For security teams to make the most out of new AI tools, they must trust the AI. Especially in an AI marketplace full of hype and obfuscation, transparency should be baked into both the descriptions of the AI tool and the tool’s functionality itself. With that in mind, here are some specifics about what techniques make up Darktrace’s AI.  

Darktrace as an AI cybersecurity vendor

Darktrace has been using AI technology in cybersecurity for over 10 years. As a pioneer in the space, we have made innovation part of our process.  

The Darktrace ActiveAI Security Platform™ uses multi-layered AI that trains on your unique business operations data for tailored security across the enterprise. This approach ensures that the strengths of one AI technique make up for the shortcomings of another, providing well-rounded and reliable coverage. Our models are always on and always learning, allowing your team to stop attacks in real time.  

The machine learning techniques used in our solution include:

  • Unsupervised machine learning
  • Multiple Clustering Techniques
  • Multiple anomaly detection models in tandem analyzing data across hundreds of metrics
  • Bayesian probabilistic methods
  • Bayesian metaclassifier for autonomous fine-tuning of unsupervised machine learning models
  • Deep learning engines
  • Graph theory
  • Applied supervised machine learning for investigative AI  
  • Neural networks
  • Reinforcement Learning
  • Generative and applied AI
  • Natural Language Processing (NLP) and Large Language Models (LLMs)
  • Post-processing models

Additionally, since Darktrace focuses on using the customer’s data across its entire digital estate, it brings a range of advantages in data privacy, interpretability, and data transfer costs.  

Building trust with Darktrace AI

Darktrace further supports the human security team’s adoption of our technology by building trust. To do that, we designed our platform to give your team visibility and control over the AI.  

Instead of functioning as a black box, our products focus on interpretability and sharing confidence levels. This includes specifying the threshold of what triggered a certain alert and the details of the AI Analyst’s investigations to see how it reached its conclusions. The interpretability of our AI uplevels and upskills the human security team with more information to drive investigations and remediation actions.  

For complete control, the human security team can modify all the detection and response thresholds for our model alerts to customize them to fit specific business preferences.  

Conclusion

CISO’s are increasingly considering investing in AI cybersecurity tools, but in this rapidly growing field, it’s not always clear what to look for.  

Buyers should first determine their goals for a new AI tool, then research possible vendors by reviewing validation and asking deeper questions. This will reveal if a tool is a good match for the organization to move forward with investment and adoption.  

As leaders in the AI cybersecurity industry, Darktrace is always ready to help you on your AI journey.  

CISOs guide to buying AI white paper cover

Download: CISO’s Guide to Buying AI

Learn more about the most common types of machine learning in cybersecurity in the white paper

References

  1. Gartner, April 17, 2024, “Emerging Tech: Navigating the Impact of AI on SecOps Solution Development.”  
  1. Inspired by Gartner, May 14, 2024, “Presentation Slides: AI Survey Reveals AI Security and Privacy Leads to Improved ROI” and NHS England, September, 18, 2020, “A Buyer’s Guide to AI in Health and Care,” Available at: https://transform.england.nhs.uk/ai-lab/explore-all-resources/adopt-ai/a-buyers-guide-to-ai-in-health-and-care/  
Continue reading
About the author
Nicole Carignan
VP of Strategic Cyber AI

Blog

/

October 16, 2024

/

Inside the SOC

Triaging Triada: Understanding an Advanced Mobile Trojan and How it Targets Communication and Banking Applications

Default blog imageDefault blog image

The rise of android malware

Recently, there has been a significant increase in malware strains targeting mobile devices, with a growing number of Android-based malware families, such as banking trojans, which aim to steal sensitive banking information from organizations and individuals worldwide.

These malware families attempt to access users’ accounts to steal online banking credentials and cookies, bypass multi-factor authentication (MFA), and conduct automatic transactions to steal funds [1]. They often masquerade as legitimate software or communications from social media platforms to compromise devices. Once installed, they use tactics such as keylogging, dumping cached credentials, and searching the file system for stored passwords to steal credentials, take over accounts, and potentially perform identity theft [1].

One recent example is the Antidot Trojan, which infects devices by disguising itself as an update page for Google Play. It establishes a command-and-control (C2) channel with a server, allowing malicious actors to execute commands and collect sensitive data [2].

Despite these malware’s ability to evade detection by standard security software, for example, by changing their code [3], Darktrace recently detected another Android malware family, Triada, communicating with a C2 server and exfiltrating data.

Triada: Background and tactics

First surfacing in 2016, Triada is a modular mobile trojan known to target banking and financial applications, as well as popular communication applications like WhatsApp, Facebook, and Google Mail [4]. It has been deployed as a backdoor on devices such as CTV boxes, smartphones, and tablets during the supply chain process [5]. Triada can also be delivered via drive-by downloads, phishing campaigns, smaller trojans like Leech, Ztorg, and Gopro, or more recently, as a malicious module in applications such as unofficial versions of WhatsApp, YoWhatsApp, and FM WhatsApp [6] [7].

How does Triada work?

Once downloaded onto a user’s device, Triada collects information about the system, such as the device’s model, OS version, SD card space, and list of installed applications, and sends this information to a C2 server. The server then responds with a configuration file containing the device’s personal identification number and settings, including the list of modules to be installed.

After a device has been successfully infected by Triada, malicious actors can monitor and intercept incoming and outgoing texts (including two-factor authentication messages), steal login credentials and credit card information from financial applications, divert in-application purchases to themselves, create fake messaging and email accounts, install additional malicious applications, infect devices with ransomware, and take control of the camera and microphone [4] [7].

For devices infected by unofficial versions of WhatsApp, which are downloaded from third-party app stores [9] and from mobile applications such as Snaptube and Vidmate , Triada collects unique device identifiers, information, and keys required for legitimate WhatsApp to work and sends them to a remote server to register the device [7] [12]. The server then responds by sending a link to the Triada payload, which is downloaded and launched. This payload will also download additional malicious modules, sign into WhatsApp accounts on the target’s phone, and request the same permissions as the legitimate WhatsApp application, such as access to SMS messages. If granted, a malicious actor can sign the user up for paid subscriptions without their knowledge. Triada then collects information about the user’s device and mobile operator and sends it to the C2 server [9] [12].

How does Triada avoid detection?

Triada evades detection by modifying the Zygote process, which serves as a template for every application in the Android OS. This enables the malware to become part of every application launched on a device [3]. It also substitutes system functions and conceals modules from the list of running processes and installed apps, ensuring that the system does not raise the alarm [3]. Additionally, as Triada connects to a C2 server on the first boot, infected devices remain compromised even after a factory reset [4].

Triada attack overview

Across multiple customer deployments, devices were observed making a large number of connections to a range of hostnames, primarily over encrypted SSL and HTTPS protocols. These hostnames had never previously been observed on the customers’ networks and appear to be algorithmically generated. Examples include “68u91.66foh90o[.]com”, “92n7au[.]uhabq9[.]com”, “9yrh7.mea5ms[.]com”, and “is5jg.3zweuj[.]com”.

External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.
Figure 1: External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.

Most of the IP addresses associated with these hostnames belong to an ASN associated with the cloud provider Alibaba (i.e., AS45102 Alibaba US Technology Co., Ltd). These connections were made over a range of high number ports over 1000, most commonly over 30000 such as 32091, which Darktrace recognized as extremely unusual for the SSL and HTTPS protocols.

Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.
Figure 2: Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.

On several customer deployments, devices were seen exfiltrating data to hostnames which also appeared to be algorithmically generated. This occurred via HTTP POST requests containing unusual URI strings that were made without a prior GET request, indicating that the infected device was using a hardcoded list of C2 servers.

Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.
Figure 3: Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.
Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.
Figure 4: Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.

These connections correspond with reports that devices affected by Triada communicate with the C2 server to transmit their information and receive instructions for installing the payload.

A number of these endpoints have communicating files associated with the unofficial WhatsApp versions YoWhatsApp and FM WhatsApp [11] [12] [13] . This could indicate that the devices connecting to these endpoints were infected via malicious modules in the unofficial versions of WhatsApp, as reported by open-source intelligence (OSINT) [10] [12]. It could also mean that the infected devices are using these connections to download additional files from the C2 server, which could infect systems with additional malicious modules related to Triada.

Moreover, on certain customer deployments, shortly before or after connecting to algorithmically generated hostnames with communicating files linked to YoWhatsApp and FM WhatsApp, devices were also seen connecting to multiple endpoints associated with WhatsApp and Facebook.

Figure 5: Screenshot from a device’s event log showing connections to endpoints associated with WhatsApp shortly after it connected to “9yrh7.mea5ms[.]com”.

These surrounding connections indicate that Triada is attempting to sign in to the users’ WhatsApp accounts on their mobile devices to request permissions such as access to text messages. Additionally, Triada sends information about users’ devices and mobile operators to the C2 server.

The connections made to the algorithmically generated hostnames over SSL and HTTPS protocols, along with the HTTP POST requests, triggered multiple Darktrace models to alert. These models include those that detect connections to potentially algorithmically generated hostnames, connections over ports that are highly unusual for the protocol used, unusual connectivity over the SSL protocol, and HTTP POSTs to endpoints that Darktrace has determined to be rare for the network.

Conclusion

Recently, the use of Android-based malware families, aimed at stealing banking and login credentials, has become a popular trend among threat actors. They use this information to perform identity theft and steal funds from victims worldwide.

Across affected customers, multiple devices were observed connecting to a range of likely algorithmically generated hostnames over SSL and HTTPS protocols. These devices were also seen sending data out of the network to various hostnames via HTTP POST requests without first making a GET request. The URIs in these requests appeared to be algorithmically generated, suggesting the exfiltration of sensitive network data to multiple Triada C2 servers.

This activity highlights the sophisticated methods used by malware like Triada to evade detection and exfiltrate data. It underscores the importance of advanced security measures and anomaly-based detection systems to identify and mitigate such mobile threats, protecting sensitive information and maintaining network integrity.

Credit to: Justin Torres (Senior Cyber Security Analyst) and Charlotte Thompson (Cyber Security Analyst).

Appendices

Darktrace Model Detections

Model Alert Coverage

Anomalous Connection / Application Protocol on Uncommon Port

Anomalous Connection / Multiple Connections to New External TCP Port

Anomalous Connection / Multiple HTTP POSTS to Rare Hostname

Anomalous Connections / Multiple Failed Connections to Rare Endpoint

Anomalous Connection / Suspicious Expired SSL

Compromise / DGA Beacon

Compromise / Domain Fluxing

Compromise / Fast Beaconing to DGA

Compromise / Sustained SSL or HTTP Increase

Compromise / Unusual Connections to Rare Lets Encrypt

Unusual Activity / Unusual External Activity

AI Analyst Incident Coverage

Unusual Repeated Connections to Multiple Endpoints

Possible SSL Command and Control

Unusual Repeated Connections

List of Indicators of Compromise (IoCs)

Ioc – Type - Description

  • is5jg[.]3zweuj[.]com - Hostname - Triada C2 Endpoint
  • 68u91[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • 9yrh7[.]mea5ms[.]com - Hostname - Triada C2 Endpoint
  • 92n7au[.]uhabq9[.]com - Hostname - Triada C2 Endpoint
  • 4a5x2[.]fs4ah[.]com - Hostname - Triada C2 Endpoint
  • jmll4[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • mrswd[.]wo87sf[.]com - Hostname - Triada C2 Endpoint
  • lptkw[.]s4xx6[.]com - Hostname - Triada C2 Endpoint
  • ya27fw[.]k6zix6[.]com - Hostname - Triada C2 Endpoint
  • w0g25[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • kivr8[.]wd6vy[.]com - Hostname - Triada C2 Endpoint
  • iuwe64[.]ct8pc6[.]com - Hostname - Triada C2 Endpoint
  • qefgn[.]8z0le[.]com - Hostname - Triada C2 Endpoint
  • a6y0x[.]xu0h7[.]com - Hostname - Triada C2 Endpoint
  • wewjyw[.]qb6ges[.]com - Hostname - Triada C2 Endpoint
  • vx9dle[.]n0qq3z[.]com - Hostname - Triada C2 Endpoint
  • 72zf6[.]rxqfd[.]com - Hostname - Triada C2 Endpoint
  • dwq[.]fsdw4f[.]com - Hostname - Triada C2 Endpoint
  • tqq6g[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • 1rma1[.]4f8uq[.]com - Hostname - Triada C2 Endpoint
  • 0fdwa[.]7j3gj[.]com - Hostname - Triada C2 Endpoint
  • 5a7en[.]1e42t[.]com - Hostname - Triada C2 Endpoint
  • gmcp4[.]1e42t[.]com - Hostname - Triada C2 Endpoint
  • g7190[.]rt14v[.]com - Hostname - Triada C2 Endpoint
  • goyvi[.]2l2wa[.]com - Hostname - Triada C2 Endpoint
  • zq6kk[.]ca0qf[.]com - Hostname - Triada C2 Endpoint
  • sv83k[.]bn3avv[.]com - Hostname - Triada C2 Endpoint
  • 9sae7h[.]ct8pc6[.]com - Hostname - Triada C2 Endpoint
  • jpygmk[.]qt7tqr[.]com - Hostname - Triada C2 Endpoint
  • av2wg[.]rt14v[.]com - Hostname - Triada C2 Endpoint
  • ugbrg[.]osz1p[.]com - Hostname - Triada C2 Endpoint
  • hw2dm[.]wtws9k[.]com - Hostname - Triada C2 Endpoint
  • kj9atb[.]hai8j1[.]com - Hostname - Triada C2 Endpoint
  • pls9b[.]b0vb3[.]com - Hostname - Triada C2 Endpoint
  • 8rweau[.]j7e7r[.]com - Hostname - Triada C2 Endpoint
  • wkc5kn[.]j7e7r[.]com - Hostname - Triada C2 Endpoint
  • v58pq[.]mpvflv[.]com - Hostname - Triada C2 Endpoint
  • zmai4k[.]huqp3e[.]com - Hostname - Triada C2 Endpoint
  • eajgum[.]huqp3e[.]com - Hostname - Triada C2 Endpoint
  • mxl9zg[.]kv0pzv[.]com - Hostname - Triada C2 Endpoint
  • ad1x7[.]mea5ms[.]com - Hostname - Triada C2 Endpoint
  • ixhtb[.]s9gxw8[.]com - Hostname - Triada C2 Endpoint
  • vg1ne[.]uhabq9[.]com - Hostname - Triada C2 Endpoint
  • q5gd0[.]birxpk[.]com - Hostname - Triada C2 Endpoint
  • dycsw[.]h99n6[.]com - Hostname - Triada C2 Endpoint
  • a3miu[.]h99n6[.]com - Hostname - Triada C2 Endpoint
  • qru62[.]5qwu8b5[.]com - Hostname - Triada C2 Endpoint
  • 3eox8[.]abxkoop[.]com - Hostname - Triada C2 Endpoint
  • 0kttj[.]bddld[.]com - Hostname - Triada C2 Endpoint
  • gjhdr[.]xikuj[.]com - Hostname - Triada C2 Endpoint
  • zq6kk[.]wm0hd[.]com - Hostname - Triada C2 Endpoint
  • 8.222.219[.]234 - IP Address - Triada C2 Endpoint
  • 8.222.244[.]205 - IP Address - Triada C2 Endpoint
  • 8.222.243[.]182 - IP Address - Triada C2 Endpoint
  • 8.222.240[.]127 - IP Address - Triada C2 Endpoint
  • 8.219.123[.]139 - IP Address - Triada C2 Endpoint
  • 8.219.196[.]124 - IP Address - Triada C2 Endpoint
  • 8.222.217[.]73 - IP Address - Triada C2 Endpoint
  • 8.222.251[.]253 - IP Address - Triada C2 Endpoint
  • 8.222.194[.]254 - IP Address - Triada C2 Endpoint
  • 8.222.251[.]34 - IP Address - Triada C2 Endpoint
  • 8.222.216[.]105 - IP Address - Triada C2 Endpoint
  • 47.245.83[.]167 - IP Address - Triada C2 Endpoint
  • 198.200.54[.]56 - IP Address - Triada C2 Endpoint
  • 47.236.113[.]126 - IP Address - Triada C2 Endpoint
  • 47.241.47[.]128 - IP Address - Triada C2 Endpoint
  • /iyuljwdhxk - URI - Triada C2 URI
  • /gvuhlbzknh - URI - Triada C2 URI
  • /sqyjyadwwq - URI - Triada C2 URI
  • /cncyz3 - URI - Triada C2 URI
  • /42k0zk - URI - Triada C2 URI
  • /75kdl5 - URI - Triada C2 URI
  • /i8xps1 - URI - Triada C2 URI
  • /84gcjmo - URI - Triada C2 URI
  • /fkhiwf - URI - Triada C2 URI

MITRE ATT&CK Mapping

Technique Name - Tactic - ID - Sub-Technique of

Data Obfuscation - COMMAND AND CONTROL - T1001

Non-Standard Port - COMMAND AND CONTROL - T1571

Standard Application Layer Protocol - COMMAND AND CONTROL ICS - T0869

Non-Application Layer Protocol - COMMAND AND CONTROL - T1095

Masquerading - EVASION ICS - T0849

Man in the Browser - COLLECTION - T1185

Web Protocols - COMMAND AND CONTROL - T1071.001 -T1071

External Proxy - COMMAND AND CONTROL - T1090.002 - T1090

Domain Generation Algorithms - COMMAND AND CONTROL - T1568.002 - T1568

Web Services - RESOURCE DEVELOPMENT - T1583.006 - T1583

DNS - COMMAND AND CONTROL - T1071.004 - T1071

Fast Flux DNS - COMMAND AND CONTROL - T1568.001 - T1568

One-Way Communication - COMMAND AND CONTROL - T1102.003 - T1102

Digital Certificates - RESOURCE DEVELOPMENT - T1587.003 - T1587

References

[1] https://www.checkpoint.com/cyber-hub/cyber-security/what-is-trojan/what-is-a-banking-trojan/

[2] https://cyberfraudcentre.com/the-rise-of-the-antidot-android-banking-trojan-a-comprehensive-guide

[3] https://www.zimperium.com/glossary/banking-trojans/

[4] https://www.geeksforgeeks.org/what-is-triada-malware/

[5] https://www.infosecurity-magazine.com/news/malware-infected-devices-retailers/

[6] https://www.pcrisk.com/removal-guides/24926-triada-trojan-android

[7] https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/

[8] https://securityboulevard.com/2024/02/impact-of-badbox-and-peachpit-malware-on-android-devices/

[9] https://threatpost.com/custom-whatsapp-build-malware/168892/

[10] https://securelist.com/triada-trojan-in-whatsapp-mod/103679/

[11] https://www.virustotal.com/gui/domain/is5jg.3zweuj.com/relations

[12] https://www.virustotal.com/gui/domain/92n7au.uhabq9.com/relations

[13] https://www.virustotal.com/gui/domain/68u91.66foh90o.com/relations

Continue reading
About the author
Justin Torres
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI