Recently we were made aware of a piece of malware being called “Stealer.” I've gone through the Joint Indicator Bulletin on the topic from DHS/NCCIC US CERT/FBI and have written notes that would be very useful for Tenable’s SecurityCenter users who need to see if any of these indicators are on their networks.
From the report: “In December 2013, a group of highly sophisticated hackers targeted a U.S. Company with an unidentified piece of malware that was later identified as ‘Stealer.’ While the exact nature of the attack has not been fully determined, it is known that these hackers were after technical systems manuals maintained by a U.S. Company. The ‘Stealer’ malware was obtained after U.S. Company employees logged into a spoofed web portal that was under the hackers’ control.”
Looking for Created Files
Because of its complexity, this malware requires multiple files. All of them can be found with Nessus plugin 70329. In addition to searching for the existence of the files, a user can search the Log Correlation Engine (LCE) logs (for evidence in the process execution summary) and the list of running processes that Nessus compiles in its audits. The list of known files is in the following table:
Looking for Network Traffic
The malware has a single identified Command and Control (C&C) and an upload server. The upload server prefix does change per infected machine, but the domain and communications remain the same. These two servers are identified as:
Host: intel-update.com 21/TCP
Type: FTP traffic
Host: office.windows-essentials.tk 80/TCP
Type: FTP traffic
Organizations that have been logging this sort of network traffic over time can search it for communications to, or originating from, either of the domains or their IP addresses. Also consider auditing these logs for anomalies and odd communication patterns.
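As an added example (not from the bulletin or from Tenable), the following script shows how such a retrospective search over connection logs can be done for the two domains above. It assumes a simple constructed log format, and, because the page notes that the upload-server prefix varies per infected machine, treats any subdomain of either domain as a match, while anchoring the comparison on label boundaries so that look-alike names under other domains are not flagged.

```python
import re
from dataclasses import dataclass

# Indicator domains quoted on this page. Any subdomain of these two
# registrable domains is treated as a match (assumption based on the
# page's note that the upload-server prefix changes per infected host).
INDICATOR_DOMAINS = ("intel-update.com", "windows-essentials.tk")
# Ports named on the page for the two servers.
INDICATOR_PORTS = {21, 80}

# Constructed sample log lines: "timestamp src dst:port host=<name>".
# This is not a real LCE or firewall log format.
SAMPLE_LOG = """\
2013-12-02T08:14:09Z 10.1.4.22 203.0.113.10:21 host=intel-update.com
2013-12-02T08:15:31Z 10.1.4.22 203.0.113.11:80 host=abc123.windows-essentials.tk
2013-12-02T08:16:02Z 10.1.4.23 198.51.100.5:443 host=updates.example.com
2013-12-02T08:17:45Z 10.1.4.24 203.0.113.12:8080 host=intel-update.com.example.net
2013-12-02T08:18:10Z 10.1.4.25 203.0.113.11:80 host=office.windows-essentials.tk
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:]+):(?P<port>\d+) host=(?P<host>\S+)$"
)

@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    host: str
    port: int

def host_matches(host: str) -> bool:
    """True if host is an indicator domain or a subdomain of one.
    A plain substring test would also match 'intel-update.com.example.net',
    so the check is anchored on a label boundary."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in INDICATOR_DOMAINS)

def find_hits(log_text: str) -> list[Hit]:
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these
        if host_matches(m["host"]):
            hits.append(Hit(m["ts"], m["src"], m["host"], int(m["port"])))
    return hits

def affected_sources(log_text: str) -> set[str]:
    """Internal hosts that talked to either indicator domain."""
    return {h.src for h in find_hits(log_text)}

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        note = "" if h.port in INDICATOR_PORTS else " (port differs from bulletin)"
        print(f"{h.ts} {h.src} -> {h.host}:{h.port}{note}")
```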
Custom File Hash Searches
Nessus can be used to search for these custom hashes as part of your audits. The following SHA1 hashes have been identified as files known to be associated with the malware. The MD5 hashes are listed above with the file information.
Searching for Rogue Applications
Keep in mind that:
Nessus plugin 74442 identifies any Microsoft Windows Known Bad AutoRuns / Scheduled Tasks.
Nessus plugin 70628 identifies AutoRun settings that are unique to a host when compared with the other scanned hosts.
Nessus plugin 11154 identifies any network services that cannot be identified. We use it so that customers can send us information about new services, but it is also an excellent way to find malware running its own proprietary protocol.
Nessus plugin 70768 identifies all running processes that have an unknown reputation.
Look in the registry for modified or new entries, as shown below:
Auditing for the Rogue Service
Nessus records running services in many different plugins. The main one is plugin 10456, which enumerates all services.
If a Windows LCE client is running on your systems and you have a group policy logging all process execution and service events, you can search your normalized logs.
- Although the report didn't mention the creation of new user accounts specifically, I would find it very surprising if part of the malware expansion did not steal an account or try to crack passwords. As such, you should audit any New_User_Source events for any new trust pair.
- Look for any log anomalies from your systems. Anomalies in network traffic, detected changes or errors could be the fingerprint of the malware.
- Audit the list of commands that have run on your suspect systems. The LCE summarizes this for each device and each user on a daily basis.