Sinkholing Volatile Cedar DGA Infrastructure
There is currently some buzz about the Volatile Cedar APT activity in the Middle East, a group that deploys not only custom-built RATs but also USB propagation components, as reported by Check Point [pdf].
One interesting feature of the backdoors used by this group is their ability to first connect to a set of static updater command and control (C2) servers, which then redirect them to other C2. When they cannot reach their hardcoded static C2, they fall back to a domain generation algorithm (DGA) and cycle through the generated domains until one answers.
This particular actor’s true impact seemed interesting, so we sinkholed some of their dynamically generated command and control infrastructure. These victim statistics present a somewhat surprising profile. Almost all of these victims are geolocated in Lebanon.
Clearly, the bulk of the victims we observe are communicating from IP ranges maintained by ISPs in Lebanon, and most of the remaining check-ins appear to be research related. Almost all of the backdoors communicating with the sinkholed domains are the main “Explosive” backdoor. But some of the victim systems in Lebanon communicating with our sinkhole are running the very rare “Micro” backdoor written up in the paper: “Micro is a rare Explosive version. It can best be described as a completely different version of the Trojan, with similarities to the rest of Explosive “family” (such as configuration and code base). We believe that Micro is actually an old ancestor of Explosive, from which all other versions were developed. As in other versions, this version is also dependent on a self-developed DLL named “wnhelp.dll”.” They check in to edortntexplore.info with the URI “/micro/data/index.php?micro=4” over port 443.
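As an added example, not code from the original post or from the Check Point paper, the following Python routine scans proxy log lines for the Micro check-in described above (host edortntexplore.info, URI /micro/data/index.php?micro=4, port 443) and flags any other contact with that host. The log layout and the sample lines are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicator taken from the text above: the Micro variant's check-in host and URI path.
MICRO_C2_HOST = "edortntexplore.info"
MICRO_URI_PATH = "/micro/data/index.php"

# Assumed proxy log layout (constructed): <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(url):
    """Return a verdict string for a URL, or None if it does not touch the C2 host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if host != MICRO_C2_HOST:
        return None
    if parts.path == MICRO_URI_PATH:
        # The micro= parameter carries the variant's version number (4 in the quoted URI).
        version = parse_qs(parts.query).get("micro", ["?"])[0]
        return f"volatile-cedar-micro-checkin version={version} port={port}"
    # Any other request to the C2 host still deserves analyst attention.
    return f"volatile-cedar-c2-host-contact port={port}"

def scan(lines):
    """Return (client_ip, verdict) for every log line that matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line, skipped rather than crashing the scan
        verdict = classify(rec["url"])
        if verdict:
            hits.append((rec["client"], verdict))
    return hits

# Constructed sample log lines for the demonstration; none represent real traffic.
SAMPLE_LOG = [
    "2015-03-31T10:02:11Z 10.0.5.23 GET https://edortntexplore.info:443/micro/data/index.php?micro=4 200",
    "2015-03-31T10:02:12Z 10.0.5.23 GET https://www.example.com/index.html 200",
    "2015-03-31T10:03:40Z 10.0.7.8 POST https://edortntexplore.info/updates/ 404",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```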
While Volatile Cedar certainly does not have a high level of technological prowess, it appears that they have been effective at spreading their malware, much like the Madi APT we reported on in mid-2012. Because the group is not known for spearphishing, IT administrators should be aware of their own publicly exposed attack surface, such as web applications, FTP servers and SSH servers, and ensure they are not vulnerable to SQLi, SSI attacks and other server-side offensive activity.
Kaspersky Verdicts and MD5s: