Building on a Malware Report - Pirrit

News — Dec 21, 2017 — Published by Aaron Gee-Clough, King & Union

Amit Serper at Cybereason recently posted an analysis of some Mac OS X malware called Pirrit. (here: https://www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware- adware-still-active ) The analysis was well done and included a few useful indicators you could use to look for Pirrit activity. Specifically, he included the detail that the install script for the malware points to a URL: http://t[.]46sdzf3zdg1dxg2[.]us/download/hjfgkdvuewree?uu=1 . We decided to see what we could dig up on the t[.]46sdzf3zdg1dxg2[.]us domain ourselves to see if we could go further and find some related pieces of information. (Note: Amit obscured the names and email addresses in his report, a practice we will continue.)

So we created a graph in Avalon that covered the time period of this calendar year, put that domain into it, and asked it for the full Enrichment. We got this:

Which is quite a lot of information (393 new things, to be precise).

Let’s start from the t[.]46sdzf3zdg1dxg2[.]us domain again and see what we can find. So let’s select that node in the graph, and look at its neighbors and details.

A few interesting things jump out here: First, we can confirm the comment that Amit noticed that they registered this domain with their real name (which we’ve blocked out; we’ll come back to this name below). Also, there are a few other related URLs that have been reported by other threat lists and/or VirusTotal.

Now, that line going down to the right also points somewhere interesting:

In this case, the domain we’ve been looking at resolves to 52.42.225.210. That is an AWS IP that has a bunch of other domains (the square icons) pointing to it and several VirusTotal submissions (the "bug" icons) that tried to talk with that IP also. If you click around the domains, it seems that they are all Macintosh-themed sites (your[.]macsettopversion[.]top, btg[.]getnewrealmac[.]info, etc), which fits the theme of this being a Macintosh-targeted piece of malware.

Going back to our original view, we can now add some color to more clearly see what’s happening with the other clusters of information. I’ve marked the AWS IP in green and all the domains that point to it in red (humor me, it’s December).

With that, you can see that even the large satellite clusters are based around that AWS IP. The domains at the center of every cluster all point back to the AWS IP in the middle. That’s an important detail to keep in mind: That one IP is really important in this whole arrangement.

Now let’s look at that big cluster on the left. The domain at the center of the cluster is t[.]installwizz[.]com. It’s privately registered, with a different registrar (Enom) than the initial domain, and it has an impressive number of VirusTotal submissions pointing to it. Clicking through those, they are almost all Macintosh files again, many flagged by the Antivirus engines as "Pirrit", which is consistent with what we’ve been looking at so far.

The other cluster is the domain in the top right, which is t[.]silvinst[.]com. It’s also privately registered with the same registrar as installwizz (Enom). It has mostly URLs pointing to it, which are links from VirusTotal. If you look at them more closely, they all point to a variation of "hxxp://t[.]silvinst[.]com/download/download?<some more stuff>". This doesn’t say much to me aside from the possibility that it’s a downloader for software, so we’ll file this bit of information away for the moment.

Let’s return to the original domain and the registrant that wasn’t privacy-protected. We can check to see if that registrant registered any other domains in this graph. To do that, we go back to the original t[.]46sdzf3zdg1dxg2[.]us domain, click on the menu to the right of the name, and select "add as node". That gives us this:

This adds that name as a new node in the graph and automatically connects all nodes on the graph that also have that attribute (the "registrant" name). In this case, there is another domain that was registered with that real name: npl[.]getmacmedia[.]us, which, like almost all of the domains in this analysis, points back to that one central AWS IP.

So, to sum up: Starting from one domain name and its query in the Avalon system, we’ve confirmed multiple elements in the Cybereason report (the open registrant, that multiple domains involved with this malware point to the same IP, that this all seems tied to Pirrit & OSX). We’ve also built a good set of domains and IPs that are probably involved in this actor/organization.

Finally, what do you do with this information? Assuming you want to search/block it, there are two paths you can take: you can look for this data on your local hosts or on your network/SIEM data. For either case, you’d make an export in the Avalon system and feed that exported data to your internal tools. In this case, after a bit more research, there is one IP we would probably exclude from the export: nel.macitinstall.com was seen resolving to 69.64.147.10, which belongs to defense.net. They are a DDoS mitigation company and so are likely not part of the actor’s infrastructure themselves. If we were planning on blocking things based on this graph, we would add the "no-export" tag to this IP, because it probably has valid customers on it along with the mac malware.

About King & Union

King & Union is a cybersecurity company based in Alexandria, Va., that has built and designed Avalon, a cyber analysis collaboration platform. Visit King & Union at kingandunion.com or email info@kingandunion.com for more information.

Contacts:

John Cassidy
john@kingandunion.com

Brent Wrisley
brent@kingandunion.com