An unusually Swift(tay) malware delivery tactic
February 9, 2017
While doing some background research into recent reporting by Dr Web on a newly identified version of Mirai, we made an interesting discovery. VirusTotal behavioural analyses for the Windows Mirai hashes provided by Dr Web indicated that each sample used HTTP GET requests to download text files from three subdomains on what appeared to be a threat actor controlled site (f4321y[.]com). Each sample also used HTTP GET requests to request the infected hosts IP from pubyun[.]com and, significantly, to download an image file from a Chinese social media site. Interest piqued, we took a look at the file and discovered that it was an image of Taylor Swift carrying an embedded portable executable (PE) file. Examination of the PE indicated that it was a malicious executable named WPD.exe, which was found to be classified as a remote access trojan (RAT).
Figure 1 – Image downloaded by Windows Mirai malware samples.
We decided to dig a little further and examine the passive DNS data for the C2 domain identified by Dr Web. This indicated that it was hosted on and IP address which also hosts another domain (mykings[.]pw) with three subdomains named identically to those on the Windows Mirai C2 domain. Further examination turned up 25 further malware samples which were found to behave very similarly to those identified by Dr Web. All sent HTTP GET request to request host IPs from pubyun[.]com and to download text files from subdomains of mykings[.]pw. Several of these samples were also found to be sending DNS requests to f4321y[.]com. In addition to these behaviors, many of these samples also pulled identical images of Taylor Swift carrying a second malicious PE file from another Chinese social media site. The chart below provides a graphical representation of these connections.
Figure 2 – Link chart of entities involved in malware delivery campaign.
Based on the information we’ve been able to assemble, it appeared likely that whoever was responsible for the Windows Mirai operation identified by Dr Web has also been using linked infrastructure (and pictures of Taylor Swift) to distribute and operate a RAT and at least 25 other malware samples. The scale of this distribution operation was not known at the time of writing, but compilation and signature signing timestamps on many of the malicious files indicated that many of the malicious executables identified were created in February 2017, suggesting that at the time of writing, this element of the distribution operation was relatively recent. It remains to be seen whether any further information on this campaign will Swiftly emerge.
Windows Mirai samples identified by Dr Web
Malware linked to identified C2