In the post U.S. election cycle there was a lot of press coverage regarding the possibility of interference of Russia in the 2016 Presidential elections. Then President-elect Trump downplayed any influence Russia may have had even though the FBI and DHS Joint Action Report on the ongoing Grizzly Steppe Campaign gave very clear evidence of a long-term, sustained effort on the part of a very sophisticated hacking crew that had a deep infrastructure in Russia. A subsequent report issued February 10th by the U.S. Computer Emergency Response Team (U.S. CERT) provided further evidence of this malicious infrastucture.
Fast forward to the Christmas season when many Americans are taking vacations and there is an air of excitement about major upcoming sporting events moving into the new year. At this time a major sporting website began to be subjected to daily attacks by threat actors that appeared to be linked to a Russian-related infrastructure.
This article lays out some of the evidence from the Indicators of Compromise (IOCs) that have been collected through log analysis that substantiates claims that the attacks against the sporting entity website are not Russian state-actors in origin. Instead, the attackers appear to be from a country where the malware authors are using a Simplified Chinese character set. Although the majority of the IOCs register geolocation data that are either Russian or Ukrainian, it appears as though this is a decoy being used by the real threat actor group to build on the current media coverage.
The question becomes: What is the motivation of the real threat actor group? Why are they using a mostly Russian/Ukrainian botnet? What is the interest in gaining access to a sports-related site… Watering hole and botnet recruitment… Data ex-filtration for blackmail or smear campaign purposes?
Let’s let the evidence show us the answer to these questions. These attacks are ongoing as of mid-February; therefore certain facts have been redacted to protect the victims.
Due to very distinctive linkages between IOCs over the course of the past 45 days it has become clear that many of the attacking IPs are linked to a similar malicious infrastructure. I have dubbed the botnet the Audacious Jumper. Figure 1 shows an illustration of the Audacious Jumper based on the data we have aggregated to date.
Attacks have been hitting the sports entity website at an average rate of about 1 per 6 hours; a fairly slow rate. This is often indicative of a threat actor that is trying to stay under the radar through infrequent attempts that may slip through log inspections. The attack method is bruteforce password cracking, presumably to escalate privileges.
Figure 2 shows the aggregate geolocation data from the top 8 countries that have been making user name/password login attempts against the victim site for the period between February 17th and February 24th.
Some of the ISPs hosting the malicious infrastructure identified within Russia include: ufanet.ru, bashtel.ru, Novotelcom, Mart.ru, ERtelcom, and others. There are even IPs coming from the Moscow Branch of the Russian Times. One of the ISPs hosting the malicious infrastructure in the Ukraine is Kyivstar. A VPN service named iPredator operates out of Serbia.
At the same time these attacks have been hitting the sports-related site the security company WordFence has been logging a sharp increase in attacks across their entire ecosystem as shown on Figure 3. Between January 24th and February 18th the number of attacks fluctuated between 30M and 20M per day. Then, beginning on February 18th the number of attacks began to increase to a peak near 60M on February 21st.
During the February 17th to February 24th timeframe Wordfence aggregated geolocation data across their entire ecosystem. Figure 4 provides a screenshot of these data. Note that the number of attacks from Russia are almost twice the number of attacks coming from the U.S., the next most active geolocation source. This might lead a casual observer to conclude that the Threat Actor is from Russia. But, wait, we need to look deeper.
With over 400 IOCs using the same attack method on the sports-related site it is clear that the attacks are targeted. And, as shown on Figure 1, it is apparent that a common infrastructure is being used, which leads us to the conclusion that attacks are coming from the Audacious Jumper botnet. But, it requires a deeper look at the specific IOCs in order to gain some insight into what the attackers motivations might be. We’ll take one URL that appears to be a malware dropper site to illustrate this point: 220.127.116.11.
Figure 5 provides a screenshot of an analysis performed by a user that had uploaded a sample to VirusTotal in September, 2015. But, based on the current Timestamps, we see that this virus is currently active using domains like: fqvkz.mefound.com and miahr.2waky.com, etc.
And, if we scroll down to the bottom of the VirusTotal screen for the 18.104.22.168 IP we see a SHA256 hash for malware that was uploaded in September, 2015. Figure 6 shows the malware hash that we will follow through for this analysis. It is identified with a red arrow.
For those readers not familiar with VirusTotal, it is an aggregator of malware data that was launched in 2004 by Hispasec Sistemas and acquired by Google in 2012. The ratio that you see to the right of the red arrow is the number of antivirus companies that found this malware compared to the number of antivirus companies that are in the system. And, immediately to the right of that ratio we see the Timestamp when that malware sample was uploaded to the VirusTotal database. Then, to the right of the Timestamp we see the SHA256 hash file of the malware. Hereafter in this analysis I’ll refer to this malware as: ‘184-AJ’.
Now, if we drill down into the static and bahavioral analysis of this 184-AJ malware we see that the malware was first uploaded in September 2015, as shown on Figure 7. Further, we can see that it is uploaded as: ‘booter.exe’ and has been designed to infect Windows systems.
Now, if we look at the behavioral analysis of the malware, as shown on Figure 8 we see that this malware is from an older infrastructure and it is making DNS requests to a well-known Chinese search engine ‘baidu’ at the IP address of 22.214.171.124. The reader will also note that there are 3 other IPs that are included in these DNS requests. Further the reader should note that there are multiple DNS requests to a site that has the ‘NBA’ acronym combined with other sequences of numbers and letters. I will dig into the implications of this in a separate, follow-on post.
Now, if we go to that 126.96.36.199 IP address, as shown on Figure 9, we see that it was copyrighted in 2014 by Sogou.com and that it targets Intel 386 or later processors. Further we see that it is even older because the compilation Timestamp is in December of 2009.
A search on that name provides us with another clue from the MalwareFixes.com website. In a May 13, 2015 article Chona Esjay noted the following:
“Sogou.com is a redirect adware that can take over the home page or new tab of affected browser program. Having this on the computer only denotes that adware may have gain control on the computer. This browser hijacking thing aims to replace your search engine with its own due to ads display in their search results. It is an income generating scheme that annoys most computer users who are experiencing it.”
In an earlier post on this site we provided a summary of some of the implications of the Methbot botnet as it pertains to the sports industry, and especially sports entertainment and sports media.
But, here is the kicker. Take a look at Figure 10. In this final figure I’ll provide in this article you can see that the malware being delivered by the 188.8.131.52 IP address is currently very active. And, it has been active throughout the time period shown on Figure 3, above. Now, go back and look at the countries listed in Figure 4. The top three attacking countries are Russia, the U.S. and France; all countries with strong traditions of competitive sports.
In Figure 10 we see that the geolocation of several of the passive DNS replication sites are China (with the Top Level Domain as: .cn). Further, we can see in the sequence of Timestamps that the botnet is still active as of Thursday, February 24th.
At present there are over 400 individual IPs, URLs, domain names and hosts that have been identified in the botnet. Although this is just one thread of evidence that I’ve tracked through for the reader, please note that several of the IPs our team has investigated in the Audacious Jumper Botnet has led back to the same 184.108.40.206 IP address. Sports-related sites are currently under attack as this evidence shows. The IT staff of these sites need to be able to share these IOCs with one another in a trust environment in order to fully understand the motivations and actions of the threat actors and to develop proper courses of action for protecting their networks, teams, leagues and athletes.
Expect to see more information on the Audacious Jumper Botnet in the future as we are able to more fully flesh out the malicious infrastructure of these adversaries. Let’s ask ourselves again: What could be the motivation of this threat actor group? Why would they be going after a sports-related site. Stay tuned.
Readers may contact us for a complete list of the IOCs.