2013.09.20 | By: Snorre Fagerland
Taken from: http://normanshark.com
Sometimes we come across targeted attacks that are a bit out of the ordinary. I stumbled across one such campaign the other day while going through some Malware Analyzer G2 screenshots. Unlike ordinary malware, targeted malware is often visual, because the targeted person has to be social-engineered into thinking a normal document was opened.
The banner above caught my eye. The Fuerzas Armadas Revolucionarias de Colombia (FARC) coat of arms is an interesting indicator to find in a piece of malware.
The actual document appears to be a communiqué from FARC, written March 17th 2013, to notify media about a bombing attack having taken place March 5th in Buenos Aires. However, the document was included in a self-extracting ZIP file, "Advertencia de las FARC.doc.exe" (md5 93168c2b97452355342000a0fea9b110).
The other file in that archive is where the malicious action is. That file is called system32.exe, and is a Visual Basic executable from a malware family that some call Lybsus. There appears to be a Spanish-language connection in many files of this family.
Checking our databases for Lybsus-related files shows that there are hundreds in existence, used for all sorts of things. Some digging reveals that Lybsus is a freely available crimeware, which also goes by the name "Prospy Rat". As shown below, there is a YouTube video showing how to configure and use it.
When run, the malware installs itself and connects to its command-and-control server with some status information. The server replies with CONECTADO, meaning connected.
The fact that the malware is so easy to obtain makes attribution based on it difficult. Instead we'll focus on the command-and-control servers used by the FARC-themed malware above.
This command & control connection is initiated against the two dynamic DNS domains v1d3nt31.no-ip.org:3000 and v1d3nt32.no-ip.org:3001.
First seen in June 2012, these domains have resolved to a large number of IP addresses over time, typically in ranges belonging to Colombia Movil (AS27831) and Telefonica Moviles Colombia (AS27921).
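The two C2 endpoints and the CONECTADO check-in reply described above give a defender something concrete to hunt for. The following is an added example, not code from the original post: it scans constructed connection-log lines (a made-up format, not any product's) for the two known endpoints, for the server banner in captured payload bytes, and, as a broader heuristic that is my assumption rather than something the post states, for any other no-ip.org host contacted on the same two ports.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post: two dynamic DNS hosts and their ports.
C2_ENDPOINTS = {("v1d3nt31.no-ip.org", 3000), ("v1d3nt32.no-ip.org", 3001)}
# Reply the post reports the server sending after the malware checks in.
C2_BANNER = b"CONECTADO"
# Heuristic (assumption, not from the post): other no-ip.org hosts on these ports.
SUSPECT_PORTS = {3000, 3001}

# Constructed log format: "<ts> <src_ip> <dst_host>:<dst_port> [<first_bytes_hex>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+)(?: (?P<hex>[0-9a-fA-F]+))?$"
)

@dataclass
class Hit:
    ts: str
    src: str
    host: str
    port: int
    reasons: tuple

def check_line(line):
    """Return a Hit if the line matches any indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed or empty line: nothing to say about it
    host, port = m["host"].lower(), int(m["port"])
    reasons = []
    if (host, port) in C2_ENDPOINTS:
        reasons.append("known-c2-endpoint")
    elif host.endswith(".no-ip.org") and port in SUSPECT_PORTS:
        reasons.append("dyndns-on-c2-port")
    payload = bytes.fromhex(m["hex"] or "")
    if C2_BANNER in payload:
        reasons.append("conectado-banner")
    return Hit(m["ts"], m["src"], host, port, tuple(reasons)) if reasons else None

def scan(lines):
    """Run check_line over an iterable of log lines and keep the hits."""
    return [h for h in (check_line(l) for l in lines) if h]

# Constructed sample log; the hex on the first line spells CONECTADO.
SAMPLE_LOG = """
2013-09-18T10:02:11Z 10.0.0.5 v1d3nt31.no-ip.org:3000 434f4e45435441444f
2013-09-18T10:02:12Z 10.0.0.5 www.example.com:443 1603010200
2013-09-18T10:05:40Z 10.0.0.9 other-host.no-ip.org:3001
"""
```

Feeding real proxy or NetFlow exports through scan() only needs the log regex adapted to that format; the indicator checks stay the same.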
DynDNS domains are frequently used in malware because, among other things, they do not need to be registered as their own top-level domains. This offers both convenience and better operational security for the attackers. However, these domains do have a history that can be examined, and checking databases for malware connecting to these domains shows a number of seemingly related cases:
El "quizás, quizás, quizás" de las FARC donde se burlan de Colombia.zip
This contains a 3gp video showing a TV report from the FARC/gov't negotiations in Norway.
Comunicado Conjunto La Habana Julio 9 de 2013.docx.exe
(MD5 cb11d9f25fab381ee5da84b45e147aa6)
A number of others where we do not have any accompanying lure document also connect to the same servers.
It seems a reasonable assumption that the attackers were attempting to gain information about FARC sympathizers, or possibly about the negotiations themselves. We have no indication as to who is behind these apparent attacks. It could presumably be in the interest of several parties, including the Colombian Government, to enact surveillance against FARC or their followers, and the availability of off-the-shelf (and free) Spanish-language malware makes the threshold for going this route very low.