Robert Giczewski

Malware Analysis, Forensics, Threat Intelligence, Coding, Tech, Video Games

Trickbot tricks again [UPDATE]

22 Nov 2020 » malware_analysis, reverse_engineering

After my blog post about Trickbot using fake IPs in its config, I got some hints about other samples that also use these fake IPs (thanks @sisoma2).

I looked into all of them, and it turned out that every sample uses fake C2 IPs mixed in with real C2 IPs in its config (all IPs inside the <srva> tags are fake).

7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9

<mcconf>
    <ver>2000017</ver>
    <gtag>tot12</gtag>
    <servs>
        <srv>81.91.234.196:443</srv>
        <srv>2.179.73.140:443</srv>
        <srv>185.160.60.26:443</srv>
        <srv>188.133.138.240:443</srv>
        <srv>181.211.128.49:443</srv>
        <srv>190.107.93.172:443</srv>
        <srv>103.194.88.2:443</srv>
        <srva>61.212.246.190:9072</srva>
        <srva>223.249.170.141:21198</srva>
        <srva>215.83.98.226:12302</srva>
        <srva>36.54.154.199:44293</srva>
        <srva>255.154.152.192:988</srva>
        <srva>61.212.246.190:9072</srva>
        <srva>223.249.170.141:21198</srva>
    </servs>
    <autorun>
        <module name="pwgrab"/>
    </autorun>
</mcconf>

5369104b8dca5c077c88af645cbb567e4406a6e1f6b4600faadc14e04211c334

<mcconf>
    <ver>100003</ver>
    <gtag>rob6</gtag>
    <servs>
        <srv>102.164.206.129:449</srv>
        <srv>103.131.156.21:449</srv>
        <srv>103.131.157.102:449</srv>
        <srv>103.131.157.161:449</srv>
        <srva>24.122.127.151:1190</srva>
        <srva>201.210.174.234:32166</srva>
        <srva>109.226.10.116:59814</srva>
        <srva>177.75.214.131:40102</srva>
        <srva>104.27.15.32:5542</srva>
    </servs>
    <autorun>
        <module name="pwgrab"/>
    </autorun>
</mcconf>

77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3

<mcconf>
    <ver>100003</ver>
    <gtag>tar3</gtag>
    <servs>
        <srv>102.164.206.129:449</srv>
        <srv>103.131.156.21:449</srv>
        <srv>103.131.157.102:449</srv>
        <srv>103.131.157.161:449</srv>
        <srva>24.122.127.151:1190</srva>
        <srva>201.210.174.234:32166</srva>
        <srva>109.226.10.116:59814</srva>
        <srva>177.75.214.131:40102</srva>
        <srva>104.27.15.32:5542</srva>
    </servs>
    <autorun>
        <module name="pwgrab"/>
    </autorun>
</mcconf>

Additionally, the algorithm that converts a fake IP into the real IP uses different parameters in each sample.

For 77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3 [Bazaar] I reimplemented the algorithm again, but I'm slowly getting the feeling that a more generic approach is needed: parsing the conversion function itself and extracting the parameters from it.

def convert_to_real_ip_update(ip_str):
    """Turn a fake <srva> entry of sample 77b7...42e3 into the real C2.

    ip_str is the dotted IP; a trailing ":port" (the fake port) is ignored.
    The real port is hardcoded to 449 because that is what this sample uses.
    """
    octets = ip_str.split(":")[0].split(".")
    o1, o2, o3, o4 = (int(o) for o in octets)

    # Each term mirrors the masking done by the sample's conversion routine
    # (masks 0x9/0xf6 and 0x85/0x7a taken from the decompiled function).
    new_o1 = ((~o3 & 0xFF & 0x9) | (o3 & 0xf6)) ^ ((~o1 & 0xFF & 0x9) | (o1 & 0xf6))
    new_o2 = ((~o4 & 0xFF & 0x85) | (o4 & 0x7a)) ^ ((~o3 & 0xFF & 0x85) | (o3 & 0x7a))
    new_o3 = (o3 & ~o2 & 0xFF) | (o2 & ~o3 & 0xFF)
    new_o4 = (~o2 & 0xFF & new_o2) | (o2 & ~new_o2 & 0xFF)   # built from new_o2, not o4

    # Note the octet order of the result: o1, o4, o2, o3.
    return f"{new_o1}.{new_o4}.{new_o2}.{new_o3}:449"
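As an added example (not code from the post), the conversion above reduced and applied to a whole config: the masking terms (~o & 0x9 | o & 0xf6) and (~o & 0x85 | o & 0x7a) are simply o ^ 0x09 and o ^ 0x85, and since each output octet XORs two such terms the constant cancels, so in this sample every real octet is a plain XOR of two fake octets. The parser pulls the <srv> and <srva> entries out of the tar3 config quoted above, decodes only the <srva> ones and de-duplicates the result (the tot12 config repeats entries); the 449 port is the value the function above hardcodes.

```python
import xml.etree.ElementTree as ET

# <servs> section of the tar3 config (77b7...42e3) as quoted in the post.
MCCONF_TAR3 = """<mcconf>
    <ver>100003</ver>
    <gtag>tar3</gtag>
    <servs>
        <srv>102.164.206.129:449</srv>
        <srv>103.131.156.21:449</srv>
        <srv>103.131.157.102:449</srv>
        <srv>103.131.157.161:449</srv>
        <srva>24.122.127.151:1190</srva>
        <srva>201.210.174.234:32166</srva>
        <srva>109.226.10.116:59814</srva>
        <srva>177.75.214.131:40102</srva>
        <srva>104.27.15.32:5542</srva>
    </servs>
</mcconf>"""

def decode_fake_ip(entry, real_port=449):
    """Reduced form of convert_to_real_ip_update(): (~o & 0x9 | o & 0xf6) is
    o ^ 0x09 and (~o & 0x85 | o & 0x7a) is o ^ 0x85, so XORing two such terms
    cancels the constant. The fake port is dropped; 449 is what the post uses."""
    o1, o2, o3, o4 = (int(x) for x in entry.split(":")[0].split("."))
    n1 = o1 ^ o3            # new_o1
    n2 = o3 ^ o4            # new_o2
    n3 = o2 ^ o3            # new_o3
    n4 = o2 ^ n2            # new_o4 is built from new_o2, not from o4
    return f"{n1}.{n4}.{n2}.{n3}:{real_port}"   # emitted as o1, o4, o2, o3

def parse_mcconf(text):
    """Return ver, gtag, real <srv> and fake <srva> entries in config order."""
    root = ET.fromstring(text)
    return {
        "ver": root.findtext("ver"),
        "gtag": root.findtext("gtag"),
        "srv": [e.text for e in root.iter("srv")],
        "srva": [e.text for e in root.iter("srva")],
    }

def real_c2s(text):
    """De-duplicated real C2 list: <srv> as-is plus decoded <srva>, in order."""
    cfg = parse_mcconf(text)
    seen, out = set(), []
    for c2 in cfg["srv"] + [decode_fake_ip(f) for f in cfg["srva"]]:
        if c2 not in seen:
            seen.add(c2)
            out.append(c2)
    return out
```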

The next question is whether the parameters of the conversion algorithm change with each sample, or whether they are tied to the specific gtag (or to gtag and version).

So again I'm looking for samples using fake IPs, ideally for the group tags tar3, rob6, rob3 and tot12, to find out whether the conversion algorithm looks the same or uses different parameters. If anyone knows of some, I would appreciate a hint.

IOCs:
