Library/plugin for Malware obscuring HTTP GET/POST data


ticarpi

Hi all,
Wasn't sure if there was a better location for posting this - happy to be corrected...

As a SOC Analyst I deal with lots of malware/PUPs. Recently we have seen a lot of (probably) PUPs sending data using a particular pattern.
I want to be able to decode it to check whether any of the data is exfiltrated data from the client networks.

In short:
[+] Have any of you seen this format for data being sent via HTTP POST or GET requests?
[+] Do you recognise it as using a particular library/substitution/method?
[+] Can you advise how I can decode it?

I'm pretty sure it's just a plain substitution cipher, with pairs of characters matching a-z, A-Z, 0-9 (plus some symbols)
I've seen 68 different char pairs with a fairly normal frequency distribution.

I can't post the data from our client network in case it is confidential, but through Googling I've found a variety of samples on malware sites and on VirusTotal.
Here are some to see if they jog anyone's memory:
In example URIs like this one, the encoded data is the "cd=" parameter:
(hxxp://start.mysearchdial.com/results.php?f=4&a=tele0101&cd=2XzuyEtN2Y1L1Qzu0EtDtB0AzztB0C0BtBzzzz0CyEzz0FyDtN0D0Tzu0CyByEyEtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=1449225458&ir=)

More examples:
2XzuyEtN2Y1L1QzutDtDtCzyyCyCyCtBzztDyDtAtDtCzztCtN0D0Tzu0SyCzytDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R
2XzuyEtN2Y1L1QzutAzzyCtDyByB0ByEzytBzztDyD0B0ByEtN0D0Tzu0SyBtDzytN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R
2XzuyEtN2Y1L1QzuzyyE0D0EzztDtB0A0A0DyE0ByDzy0AtDtN0D0Tzu0CyDyEzytN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q
2XzuyEtN2Y1L1Qzu0Ezzzy0Azz0FyB0FyC0Dzz0AyBtDyCzztN0D0Tzu0SyByDyBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R
2XzuyEtN2Y1L1Qzu0B0CyByBtAyByDzy0B0D0EyBzztDyC0FtN0D0Tzu0CyDtAtAtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1R1F1F1I1H1B1Q

It is interesting to note that some of the POST data from our logs is much longer than these samples, but always uses the same sets of character pairs.

Many thanks for your help!

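The following is an added example, not code from the poster or from any known decoder for this format. It takes the six "cd=" values quoted in the post above (embedded verbatim as the constructed sample set) and tests the pair-substitution hypothesis mechanically: every string must split cleanly into alphanumeric character pairs, and the pair frequency and the prefix shared by all samples are reported. It also goes one step beyond the post by treating "tN" as a record separator and "zu" as a key/value separator; those two roles are assumptions drawn purely from where the pairs recur in the samples (the same few pairs sit at the same structural positions in every string), not from knowledge of the encoder, and the field profile it prints is what lets you judge whether that assumption holds on your own, longer POST bodies.

```python
import re
from collections import Counter

# Constructed sample set: the six "cd=" values quoted in the post above,
# copied verbatim (the URL parameter from the first example plus the five
# standalone strings). Nothing else is needed to run this offline.
SAMPLES = [
    "2XzuyEtN2Y1L1Qzu0EtDtB0AzztB0C0BtBzzzz0CyEzz0FyDtN0D0Tzu0CyByEyEtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T",
    "2XzuyEtN2Y1L1QzutDtDtCzyyCyCyCtBzztDyDtAtDtCzztCtN0D0Tzu0SyCzytDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R",
    "2XzuyEtN2Y1L1QzutAzzyCtDyByB0ByEzytBzztDyD0B0ByEtN0D0Tzu0SyBtDzytN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R",
    "2XzuyEtN2Y1L1QzuzyyE0D0EzztDtB0A0A0DyE0ByDzy0AtDtN0D0Tzu0CyDyEzytN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q",
    "2XzuyEtN2Y1L1Qzu0Ezzzy0Azz0FyB0FyC0Dzz0AyBtDyCzztN0D0Tzu0SyByDyBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R",
    "2XzuyEtN2Y1L1Qzu0B0CyByBtAyByDzy0B0D0EyBzztDyC0FtN0D0Tzu0CyDtAtAtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1R1F1F1I1H1B1Q",
]

PAIR = re.compile(r"[0-9A-Za-z]{2}")

# Hypothesised delimiter pairs. These are ASSUMPTIONS drawn from the
# regularity of the samples, not knowledge of the encoder: "tN" occurs at
# fixed structural positions like a record separator, and every record
# contains exactly one "zu" a few pairs in, like a key/value separator.
RECORD_SEP = "tN"
KV_SEP = "zu"


def tokenize(blob: str) -> list[str]:
    """Split an encoded string into its 2-character symbols.

    Raises ValueError if the input cannot be a clean sequence of
    alphanumeric pairs, which is the hypothesis the post puts forward.
    """
    if len(blob) % 2:
        raise ValueError(f"odd length ({len(blob)}): not a pure pair encoding")
    pairs = [blob[i:i + 2] for i in range(0, len(blob), 2)]
    bad = [p for p in pairs if not PAIR.fullmatch(p)]
    if bad:
        raise ValueError(f"non-alphanumeric symbols: {bad[:5]}")
    return pairs


def symbol_frequencies(samples: list[str]) -> Counter:
    """Frequency of every distinct pair across the whole sample set."""
    freq = Counter()
    for s in samples:
        freq.update(tokenize(s))
    return freq


def common_prefix(samples: list[str]) -> str:
    """Longest prefix (in whole pairs) shared by every sample."""
    rows = [tokenize(s) for s in samples]
    shared = []
    for column in zip(*rows):
        if len(set(column)) != 1:
            break
        shared.append(column[0])
    return "".join(shared)


def split_records(blob: str) -> list[tuple[str, list[str]]]:
    """Cut one sample into (key, value_pairs) records using the assumed
    separators. Key = pairs before the first KV_SEP in the record, joined;
    a record with no KV_SEP gets key "" and keeps all its pairs as value."""
    records, current = [], []
    for pair in tokenize(blob) + [RECORD_SEP]:  # sentinel flushes last record
        if pair == RECORD_SEP:
            if KV_SEP in current:
                i = current.index(KV_SEP)
                records.append(("".join(current[:i]), current[i + 1:]))
            else:
                records.append(("", current))
            current = []
        else:
            current.append(pair)
    return records


def field_profile(samples: list[str], index: int) -> tuple[set[int], set[str]]:
    """For the record at `index` in every sample: the set of value lengths
    seen and the set of distinct pairs used. A fixed length together with a
    small sub-alphabet (e.g. exactly 16 symbols) points to a fixed-width
    identifier such as a hex string rather than free text."""
    lengths, alphabet = set(), set()
    for s in samples:
        _, value = split_records(s)[index]
        lengths.add(len(value))
        alphabet.update(value)
    return lengths, alphabet


if __name__ == "__main__":
    freq = symbol_frequencies(SAMPLES)
    print(f"{len(freq)} distinct pairs; most common: {freq.most_common(8)}")
    print("shared prefix:", common_prefix(SAMPLES))
    for key, value in split_records(SAMPLES[0]):
        print(f"  key={key:<8} value={''.join(value)}")
    for i in range(len(split_records(SAMPLES[0]))):
        lengths, alphabet = field_profile(SAMPLES, i)
        print(f"field {i}: value lengths={sorted(lengths)} sub-alphabet size={len(alphabet)}")
```

On the six posted samples every string splits cleanly into pairs, all share the prefix 2XzuyEtN2Y1L1Qzu, and each yields five "tN"-delimited records with keys 2X, 2Y1L1Q, 0D0T, 1L2X and 1L1C; the second record's value is always 16 pairs long and draws on exactly 16 distinct pairs, which is the shape a hex identifier would have under a pair substitution. That is consistent with the post's substitution-cipher guess but is not a decoding: mapping those 16 pairs to hex digits, and the other pairs to letters, still needs known plaintext (for example an installer ID or version string you can see in the client's telemetry). To confirm that the longer POST bodies from your logs fit the same structure, run `split_records` over them and check that the record count and key pairs stay stable while only the values grow.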