Godzilla Loader Trojan
Godzilla Loader is a newly observed trojan that is intended to be used as a downloader for other malware. It has similar functionality to the Emotet trojan, with its creator advertising it on dark web forums as a cheaper alternative to the more established malware.
As it is sold directly to attacker for use in their campaigns, Godzilla Loader can be delivered in whichever way they see fit. However, at the time of publication, there are only unconfirmed reports indicating it is being delivered in spam campaigns as an embedded EXE file contained within Microsoft Office documents.
Once installed, Godzilla Loader will connect to a command and control server specified by the attacker and generate registry entries to maintain persistence. It will then delete Volume Shadow Copies before downloading and installing the intended payload. Newer versions of Godzilla Loader include modules for keylogging, credential theft and network propagation.
- Godzilla loader employs RSA-2048 to verify the identity of the C&C server — that is, the server response is signed, and the client verifies the signature before acting on the server’s orders. In the event of a DNS-level takeover of the C&C domain, the malicious operation will be down but the domain’s new owner will not be able to issue new commands. It’s a neat little feature, but just a teaser for the full hypothetical power of asymmetric crypto in this context; mostly it makes us think, “God help us all if the ingenuity that produced TOR ever goes into the malware business”.
- In the feature list, the author boasts of a double-layered fail-safe for C&C communication. First, if communication with the server is not successful, the malware defaults to its DGA implementation; then, if that’s not successful, either, it checks Twitter for a specific hashtag (which is pseudo-randomly generated depending on the day, similarly to the DGA). The campaign controller can announce new C&C sites by generating the hashtag themselves and tweeting the new C&C domain with this hashtag.
- The latest major version of Godzilla, which has been in development as early as December of last year, is set to include a full plugin Ecosystem — including a propagation module, keylogger module and password stealing module.
Affected Platforms: Microsoft Windows – All versions
Further details – https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/ and https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26677
Indicators Of Compromise
| 103[.]206[.]182[.]70 |
| 104[.]160[.]176[.]241 |
| 104[.]160[.]176[.]61 |
| 104[.]160[.]185[.]211 |
| 104[.]160[.]185[.]215 |
| 107[.]181[.]161[.]221 |
| 109[.]234[.]34[.]47 |
| 109[.]236[.]91[.]143 |
| 11[.]252[.]126[.]176 |
| 110[.]249[.]96[.]191 |
| 13[.]107[.]4[.]50 |
| 131[.]153[.]40[.]196 |
| 138[.]68[.]135[.]94 |
| 141[.]105[.]69[.]251 |
| 144[.]76[.]249[.]26 |
| 144[.]76[.]78[.]199 |
| 149[.]202[.]30[.]123 |
| 149[.]56[.]167[.]227 |
| 151[.]80[.]84[.]15 |
| 154[.]119[.]144[.]116 |
| 154[.]66[.]108[.]172 |
| 154[.]66[.]108[.]68 |
| 154[.]73[.]44[.]18 |
| 159[.]203[.]2[.]200 |
| 16[.]116[.]42[.]192 |
| 162[.]213[.]213[.]146 |
| 163[.]53[.]83[.]132 |
| 168[.]194[.]80[.]70 |
| 173[.]203[.]133[.]20 |
| 173[.]242[.]115[.]87 |
| 177[.]231[.]253[.]158 |
| 178[.]33[.]150[.]78 |
| 178[.]33[.]182[.]138 |
| 178[.]33[.]82[.]5 |
| 183[.]90[.]253[.]3 |
| 184[.]160[.]113[.]13 |
| 184[.]168[.]221[.]53 |
| 185[.]106[.]122[.]62 |
| 185[.]158[.]152[.]64 |
| 185[.]158[.]153[.]100 |
| 185[.]158[.]153[.]165 |
| 185[.]159[.]129[.]9 |
| 185[.]17[.]121[.]49 |
| 185[.]25[.]51[.]118 |
| 185[.]42[.]192[.]194 |
| 185[.]46[.]11[.]73 |
| 185[.]80[.]128[.]223 |
| 185[.]86[.]151[.]205 |
| 186[.]109[.]81[.]79 |
| 188[.]165[.]62[.]46 |
| 191[.]7[.]30[.]30 |
| 192[.]152[.]0[.]136 |
| 192[.]157[.]230[.]81 |
| 192[.]189[.]25[.]108 |
| 192[.]189[.]25[.]142 |
| 192[.]189[.]25[.]143 |
| 192[.]227[.]164[.]149 |
| 193[.]107[.]111[.]164 |
| 193[.]124[.]117[.]86 |
| 194[.]87[.]236[.]113 |
| 195[.]133[.]197[.]70 |
| 195[.]245[.]112[.]184 |
| 202[.]40[.]187[.]110 |
| 202[.]5[.]50[.]55 |
| 207[.]35[.]75[.]110 |
| 213[.]25[.]134[.]75 |
| 217[.]29[.]220[.]255 |
| 219[.]93[.]24[.]2 |
| 220[.]33[.]138[.]188 |
| 24[.]13[.]179[.]247 |
| 36[.]37[.]176[.]6 |
| 37[.]59[.]80[.]96 |
| 43[.]231[.]57[.]105 |
| 43[.]241[.]244[.]187 |
| 46[.]160[.]165[.]31 |
| 47[.]18[.]17[.]114 |
| 5[.]107[.]95[.]27 |
| 5[.]188[.]211[.]10 |
| 5[.]188[.]223[.]104 |
| 5[.]2[.]76[.]29 |
| 5[.]20[.]186[.]52 |
| 5[.]200[.]35[.]126 |
| 50[.]63[.]202[.]62 |
| 54[.]37[.]17[.]19 |
| 60[.]50[.]192[.]171 |
| 64[.]15[.]75[.]83 |
| 64[.]56[.]77[.]209 |
| 74[.]56[.]177[.]32 |
| 78[.]155[.]199[.]119 |
| 78[.]47[.]139[.]102 |
| 79[.]124[.]78[.]83 |
| 82[.]79[.]202[.]214 |
| 82[.]79[.]219[.]253 |
| 85[.]25[.]3[.]13 |
| 89[.]43[.]159[.]106 |
| 92[.]63[.]103[.]179 |
| 93[.]123[.]73[.]33 |
| 94[.]127[.]111[.]14 |
| 94[.]176[.]235[.]31 |
| 94[.]242[.]224[.]229 |
| 78tguyc876wwirglmltm[.]net |
| 89tg7gjkkhhprottity[.]com |
| ach-wie[.]net |
| actt[.]gr |
| adamsflorist[.]co[.]uk |
| adhesivosmartinez[.]es |
| aexp[.]com |
| alsawmala[.]com |
| altarek[.]com |
| andiamoluggage[.]com |
| aperhu[.]com |
| armor-conduite[.]com |
| arpanet1957[.]com |
| ashishubha[.]com |
| autoecoleciammarughi[.]com |
| autopin[.]co[.]uk |
| avbank[.]pro |
| ayurvoyage[.]com |
| bankleumi[.]co[.]uk |
| benderbay[.]com |
| beyondbank[.]com[.]au |
| blackbiz[.]ws |
| breakthroughgaming[.]com |
| buff[.]ly |
| bulsat[.]com |
| cert[.]br |
| chaussures-guadeloupe[.]com |
| checkandzupp[.]com |
| chefmarco[.]it |
| chobiring[.]com |
| cioccolatopaolillo[.]it |
| cisroad[.]com |
| citroenbacchi[.]fr |
| cmet[.]net |
| colorglobe[.]in |
| copynametoo[.]com |
| cvut[.]cz |
| distwoss[.]com |
| dromatom[.]com |
| dublikat[.]one |
| dyncheck[.]com |
| dyretracker[.]com |
| eke[.]no |
| enyahoikuen[.]com |
| ericweb[.]co[.]za |
| esp[.]jp |
| evlilikpsikolojisi[.]com |
| example[.]com |
| faddegon[.]com |
| fambo[.]nl |
| fastrepair-schijndel[.]nl |
| fatt[.]int |
| financeforautos[.]com |
| formbuddy[.]com |
| freshmodel[.]pw |
| geltro[.]pt |
| hostmaze[.]com |
| hostmonster[.]com |
| icaremacsupport[.]co[.]uk |
| ico-investmen[.]com |
| it-daily[.]net |
| jabb[.]im |
| jabber[.]ru |
| kgshrestha[.]com[.]np |
| klinthult[.]com |
| kote[.]ws |
| ksk-fds[.]de |
| ksk-tut[.]de |
| kskbb[.]de |
| kuemejis[.]com |
| l-ardagnole[.]com |
| lycos[.]de |
| lzo[.]com |
| mail[.]ru |
| merahost[.]ru |
| multila[.]com |
| multimedia-bg[.]net |
| multiport[.]com[.]au |
| myexternalip[.]com |
| myjino[.]ru |
| n[.]int |
| nationwide[.]co[.]uk |
| newcontinuum[.]net |
| ovh[.]net |
| painthousegroup[.]com |
| paste[.]ee |
| piatti[.]com |
| pizza24[.]fr |
| podkachka[.]tk |
| spk-goettingen[.]de |
| spk-ts[.]de |
| spotsbill[.]com |
| stadtsparkasse-hilchenbach[.]de |
| suncorpbank[.]com[.]au |
| tag27[.]com |
| teracom[.]co[.]id |
| transfercar24[.]de |
| update-app[.]top |
| vereouvir[.]pt |
| wittinhohemmo[.]net |
| 0[.]0[.]0[.]0[.]1d240c12b038d14[.]b447673@sage-invoice[.]com |
| 0[.]0[.]0[.]0[.]1d2f579d5b6661a[.]2e81f93@lloydsbankdocs[.]co[.]uk |
| 0[.]0[.]0[.]0[.]1d2f707c0b42196[.]6344aa2@rbsdocs[.]co[.]uk |
| 0[.]0[.]0[.]0[.]1d2fbc073d63216[.]34a9d6b4@lloydsconfidential[.]com |
| 0[.]0[.]0[.]0[.]1d2fc9466ae0c24[.]225c827@sage-invoice[.]com |
| 0[.]0[.]0[.]0[.]1d300ca1426c664[.]62965fc@rbsprotected[.]com |
| 0[.]0[.]0[.]0[.]1d31061599fa25a[.]3042491@hrmccommunication[.]co[.]uk |
| 0[.]0[.]0[.]0[.]1d3120709405ec4[.]1314f8d@danskesecuremessage[.]co[.]uk |
| aberkinnuji@thespykiller[.]co[.]uk |
| abuse@bulsat[.]com |
| abuse@hostmaze[.]com |
| abuse@hostsailor[.]com |
| abuse@mtw[.]ru |
| abuse@multimedia-bg[.]net |
| abuse@nayatel[.]com |
| abuse@ovh[.]net |
| abuse@sinet[.]com[.]kh |
| abuse@videotron[.]ca |
| abuseinfo@spectranet[.]in |
| abusenoc@newcontinuum[.]net |
| administrator@local-fax[.]com |
| adminternet@une[.]net[.]co |
| alan@myonlinesecurity[.]co[.]uk |
| alfamale@exploit[.]im |
| americanexpress@welcome[.]aexp[.]com |
| antony@myonlinesecurity[.]co[.]uk |
| benbin77@zloy[.]im |
| benbin@jabber[.]ru |
| cert[.]opl@orange[.]com |
| codexp@lycos[.]de |
| daceballos@hotmail[.]com |
| dexp@lycos[.]de |
| fblanc@citroenbacchi[.]fr |
| gary[.]brooks@hrmccommunication[.]co[.]uk |
| gary[.]terry@rbsprotected[.]com |
| innaput69@gmail[.]com |
| ipadmin@spectranet[.]in |
| jemesn@mail[.]ru |
| kinds@zloy[.]im |
| mail-abuse@cert[.]br |
| mail@mail[.]com |
| message@banklinemail[.]com |
| message@danskesecuremessage[.]co[.]uk |
| message@mail[.]efaxcorporate254[.]top |
| myonlinesecurity[.]co[.]uk@danskesecuremessage[.]co[.]uk |
| myonlinesecurity[.]co[.]uk@hrmccommunication[.]co[.]uk |
| myonlinesecurity[.]co[.]uk@lloydsbankdocs[.]co[.]uk |
| myonlinesecurity[.]co[.]uk@lloydsconfidential[.]com |
| myonlinesecurity[.]co[.]uk@rbsdocs[.]co[.]uk |
| myonlinesecurity[.]co[.]uk@rbsprotected[.]com |
| myonlinesecurity[.]co[.]uk@sage-invoice[.]com |
| nic_tech@megacable[.]com[.]mx |
| no-reply@lloydsbankdocs[.]co[.]uk |
| noc@wicam[.]com[.]kh |
| noreply-target@lloydsconfidential[.]com |
| noreply@companies-house[.]me[.]uk |
| noreply@companieshouses[.]co[.]uk |
| noreply@docusign[.]delivery |
| noreply@lloydsconfidential[.]com |
| noreply@rbsmessage291[.]ml |
| noreply@sage-invoice[.]com |
| noreply@wellsfargomessage55[.]ml |
| pverdugo@cmet[.]net |
| random@gmx[.]com |
| s[.]miloshevich@yandex[.]ru |
| scalebuzz@gmail[.]com |
| secure[.]delivery@rbsdocs[.]co[.]uk |
| service@gov-fax[.]co[.]uk |
| service@sage-invoice[.]com |
| service@sage-invoices[.]com |
| ta@eke[.]no |
| thelaws@exploit[.]im |
| thespykiller[.]co[.]uk@sage-invoice[.]com |
| velma@shawneeweb[.]com |
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.