In January 2016, Palo Alto Network's Unit 42 released research describing new instances of malware being leveraged by an adversary group previously known as "C0d0so0" or "Codoso." Leveraging this research we conducted retrospective analysis on our cloud haystack, which identified a host that had been compromised all the way back to July 2015. The host was initially discovered actively communicating with the command and control domain www[.]akamie[.]com in December 2015 via the HTTP variant malware described in Unit 42's blog post. To discover all the traffic to the domain, we leveraged passive DNS data via the intelligence cards in the ProtectWise console (Figure 1). This revealed a number of IP addresses to investigate.
Figure 1: Domain intelligence card showing historical resolutions of the command and control domain.
Searching netflow records revealed that the host was in daily communication with the command and control server and that no other hosts were communicating with the identified infrastructure. The size of netflows varied enough to introduce the possibility of command and control activity. After downloading all the PCAPs associated with the malicious activity, we developed a simple Python routine to decode the communications (Figure 2).
import base64 def c2_decode(in_file, out_file): with open(in_file, 'r') as fin: str_b64encoded = fin.read() str_b64decoded = base64.b64decode(str_b64encoded) xor_key = ord(str_b64decoded) decoded_result = '' for c in str_b64decoded[18: ]: decoded_result += chr(ord(c) ^ xor_key) with open(out_file, 'w') as fout: fout.write(decoded_result)
Figure 2: Python routine to decode the malware's network communications.
Analyzing Full PCAP
To interpret the traffic, any HTTP bodies containing base64 encoded data were decoded using the standard base64 alphabet. The decoded traffic revealed a data structure same as described in the aforementioned research:
- The first 18 bytes were used for header information and the remaining were the payload data sent by the malware.
- The payload data was XOR'd with a single byte, located as the least significant byte in the second DWORD of the header structure.
- The variant we encountered did not use any compression for the payload data.
After decoding the network traffic, it was clear the malware was communicating with a repeatable pattern, indicative of beaconing. The malware would typically send survey information about the infected host. The large, suspicious flows were the malware downloading an additional module in an automated fashion, as opposed to any interactive command and control. No additional activity was observed following this download. The full PCAP allowed us to make sense of the traffic and determine the true severity of the communications. In this incident, critical evidence determining the scope of the investigation would be missing had only the logs been retained.
Power of Retrospection
It's not easy for organizations to capture data and store it. Security solutions today take a point-in-time approach, where network analysis is performed by looking at a single point in time. These solutions do not acknowledge that the state of a network may change, with complex threats executing over time. Most organizations retain traffic logs for about two weeks, and even those logs are not full fidelity. Retaining the full PCAP that this organization did proved invaluable determine when the host was infected and the extent of the malware's activity.
Domains www.akamie[.]com IPs 220.127.116.11 18.104.22.168 22.214.171.124 MD5 1af662915fc816e044081b2b302185a0 (Downloaded Module) 8afecc8e61fe3805fdd41d4591710976