Tuesday, November 11, 2014

It's Quiet... You should be worried

We are seeing some indicators of some serious malware distribution today. We are starting to see compromised servers popping up all over the US from our partner feeds. We started seeing indicators of a problem yesterday. This may or may not be related to the DarkHotel activity that we have been observing.

We can tell you that we are seeing activity from 85.52.165.157 that is quite suspicious.

Here is the timeline that we have observed so far today from this IP:

8:33AM EST: Host observed at customer site outbound traffic from an internal network. Attempted to connect on port 8080 to 85.52.165.157. When that traffic failed the traffic switched to port 80 and was allowed. Upon looking at the packets we determined that it was a string saying "IMHERE" with another string showing the public IP of the infected host.

8:43AM EST: Host observed with same activity

8:45AM EST: Firewall at organization starts seeing activity from 85.52.165.157 with encoded strings with destination of the public IP of the infected host.

8:51AM EST: Forensics of infected machine started.

9:55AM EST: Submitted binary samples to virustotal and noted 2 detections but no previous reports on this binary.

10:00AM EST: MD5 added to SLC Security Feeds and distributed to clients.

16:04PM EST: Reports started coming in from 92 sensors indicating infections are widespread at customer locations to include Government, Private Entities, Healthcare Entities, Regulated Clients, Covered Entities, Private Individuals (through our SLC Client) and 2 captures indicating DOD source traffic (NIPRNET). We are also seeing reports from some AV vendors of increased activity from this same network.

Looking at the history it may be a good idea to block the orange network identified by RIPE until an alternative or better detection can be realized.

MD5: bb8b6562d6723b04117762e375f3fd2b

Additional Host Involved: 89.137.17.19

No comments:

Post a Comment