Posted February 11, 2013
A recent malware campaign has caught the eye of researchers for what appears to be a focused attack on Russian-speaking targets. The malware was spread via a spam campaign written in Russian which contained a booby-trapped Microsoft Word file.
Using a sample of this malware binary, identified as Win32.Daws, Cyveillance collected data about its behavior using the Cuckoo sandbox system. Cuckoo utilizes a virtualized environment where one can run malicious binaries and observe their behavior without risk of spreading the infection to other systems.
The Win32.Daws sample is alternatively known as “Sanny” from the email address that was used by the attacker. This particular piece of malware is interesting because of its intended target, Russia. Consistent with previous reports, language clues gleaned from sandbox analysis plus the identity of the command and control server, suggest that the attacker is based in South Korea. The C&C server the attacker used was a Korean language bulletin board system. All of the data that an infected node collected would be uploaded as an encoded post to this board along with the name of the infected machine and its IP address. The URL used to upload the victims data to this C&C server also contained a unique string “kbaksan”. We were able to use this string to determine that there are at least two different variants of this malware uploading data to the same location.
What we really wanted to determine is how successful this malware was infecting Russian targets. To do this we gathered all the data that was available from the C&C board. At that time, the data on the board was from a set of 37 unique IP addresses. Each of these IPs represents one infected node of the Sanny botnet. Graphing the geolocation of each IP address by country yielded the following map:
View Known “Sanny” Botted Nodes in a larger map
As far as this narrow sample of data demonstrates, Sanny was fairly sucessful in its targeting Russia. The overwhelming majority of infected computers are located somewhere in Russia. These numbers serve an another example of a recent trend in malware targeting a group or region of the world rather than any target of opportunity. Other recent examples of this would include Stuxnet and Flame. In addition to geographical data, we wanted to see who specifically Sanny infected. We cannot know the identities of any infected users, but from the IP data we can at least generalize about the owner of any particular IP address. Examining the IP owners yielded the following:
The largest group of IPs were with telecom companies that serve as home broadband providers. Two of the botted nodes are computers at the ITAR-TASS state news agency, two are located at Lomonosov Moscow State University (MGU), and one IP belongs to an Antivirus company in Czech Republic. The single mobile network IP address belongs to MTS, a Russian mobile network provider, and is most likely a private laptop connected to a hotspot or tethered to a phone. The lone cable company in the data set was based in the US, most likely a private home computer like the rest in Russia and elsewhere.
In conclusion, the Sanny / Win32.Daws was highly successful in its targeting of Russia and especially Russophones. This is a growing trend in malware and in this particular case, it was within the capabilities of a smaller bad actor rather than a large malware gang or state organization.