The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers. Together, they represent over... Read More
What made these two variants of interest is that, as of April 28, 2016, there are zero (0) antivirus detections of these variants at VirusTotal. On April 29, our team also scanned these variants with two different local antivirus tools running the latest virus signatures and the APT malware was still undetected. Based on compile times in the variants analyzed, it appears that this variant has been around since at least 2013.
Some of the strings in these variants have also been observed in variants of the Bergard APT malware. The Derusbi variants were identified and named by Proofpoint earlier this year.
Our Yara hunting rule that detected these two Derusbi PGV_PVID variants with zero antivirus detections also detected two other variants that are detected by AVs as “Derusbi”. One of the Derusbi PGV_PVID samples that we analyzed shares its command-and-control server with a Rekaf sample identified by Proofpoint, furthering the connection between these families that they established in their post.
Interestingly, at least one of the domains used here is currently registered with the China-based domain broker we identified in the Turbo campaign report. After doing some pivots involving the IP addresses observed in our analysis, we have a trove of very interesting domains, all listed at the bottom of this report. These domains include ones that might purport to represent prominent U.S. defense contractors, media outlets, etc. It has to be noted that we have not identified malware or a campaign that uses these domains, but in our observation, the purpose of registering these domains would be to launch a targeted campaign against the named organization or others that trust them, such as partners and customers. These techniques were widely observed in 2015, in events involving U.S. OPM, Anthem Healthcare, etc.
These domain pivots have also shown us further connections between these PGV_PVID, Rekaf and Bergard variants of Derusbi. The specific indicators are provided later in this post, but the relationship is illustrated with these tables. The dates on these records is worth noting, since it could potentially indicate campaign periods.
Passive DNS relationship
first seen 04-09-2016
last seen 04-19-2016
first seen 04-25-2016
last seen 04-29-2016
* Source DomainTools/Farsight DNSDB
Passive DNS relationship from 121.54.168[.]216
first seen 01-14-2016
last seen 04-02-2016
first seen 01-29-2016
last seen 02-02-2016
first seen 01-03-2016
last seen 01-23-2016
* Source DomainTools/Farsight DNSDB
In this vein, there’s a clear preponderance of popular online services and technologies – variants of Google, Office 365, Virtualbox and VMtools feature in this domain set. It has to be noted that these are technologies that are very popular across a broad set of enterprises and offer a very broad set of opportunities.
All four variants perform an HTTP request that is almost identical, with the exception of the Command & Control server and a small variant in one of the “Referrer” values. Even a 16-digit value in the URL and Cookie was the same. This beacon format and 16-digit value was also observed in the PGV_PVID variants analyzed earlier this year by Proofpoint.
Three of the samples contained the following string of interest: “payload_service_x64.dll”.
These PGV_PVID variants were observed encoding some of its configuration, APIs and other strings with a single-byte XOR key. Some of the keys used are: 0x90, 0xEB and 0x57.
It was also interesting to see how these samples were trying to disguise themselves during entrenchment as valid services in the system to try to confuse incident responders, computer forensics investigators and network administrators. The following screenshots show the Microsoft service management console with the legit and malicious service (malicious service highlighted):
The following is a list of the malware samples analyzed:
Two samples of the network traffic format associated with this threat:
See Fidelis platforms in action. Learn how our fast, scalable Fidelis Elevate and Fidelis CloudPassage Halo platforms provide deep insights into the SOC to help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries.