Fidelis Threat Advisory #1014
"Bots, Machines, and the Matrix"
In the recent past, a Fidelis XPS user reported seeing detections of what appeared to be botnet-related malware. While that customer was protected, we at General Dynamics Fidelis Cybersecurity Solutions decided to take a closer look. Analysis of the malicious code revealed that it appeared to be Andromeda, but the delivery infrastructure looked interesting. Further telemetry from our sensors showed that the delivery server, located in China, was also hosting and distributing many other malicious specimens. Analysis of the data revealed a pattern in the filenames. Our analysts used this pattern to discover other systems distributed across the globe serving up various botnet malware, so far assumed to be used in distinct campaigns but clearly related in this case:
- Beta Bot
- Neutrino Bot
Analysis also showed how attackers continue to benefit from the use of globally distributed hosting providers to perform their malicious activities. Further, the analysis revealed how attackers are hosting and distributing identical copies of the malware from servers in different countries, including China, Poland, Russia, and the United States.
For the period of time researched in this activity, we observed the following targeted sectors in the US:
- Manufacturing / Biotechnology & Drugs
- Professional Services / Engineering
- Information Technology / Telecommunications
- Government / State
Note that our footprint is largely in the enterprise space, and it is possible that we're seeing spillover from wider campaigns.
The following diagram illustrates the relationship between some of the malicious servers, malware hosted/distributed, and vertical markets:
The following diagram illustrates the relationship between some of the malicious servers, their locations, the malware hosted/distributed, and the malicious servers to which the malware beacons with POST requests and from which it downloads additional malware:
This document uncovers various servers hosting bots and other related malware, provides a triage analysis of various pieces of malware hosted by these malicious servers, and provides indicators that network defenders can use to protect their networks.
To see the full report and findings, visit the Fidelis Threat Advisory #1014 here.