Malware traffic analysis is a core technique for spotting malicious activity in network traffic. I decided to use a capture of a Qakbot infection with Cobalt Strike and spambot activity as the example. First, a few terms:
- Qakbot: an active banking trojan, also used as a loader for follow-on payloads.
- Cobalt Strike: a commercial adversary-simulation (penetration testing) framework. Unfortunately, cracked copies have leaked and are widely used by criminal actors.
- Spambot activity: spam sent from the infected host to distribute Qakbot further.
By default, ntopng monitors live network traffic, but it can also read and process standard pcap files: point the -i interface option at the file instead of at a network interface.
Analyzing Network Traffic
First, start ntopng and point it at the pcap file (quote the name if it contains spaces):
sudo ntopng -i "2020-12-07-Qakbot-with Cobalt Strike-and-Spambot-activity.pcap"
The ntopng web GUI is then reachable at:
http://localhost:3000 or http://<server_ip>:3000
ntopng prompts for a username and password. After logging in, the interface overview shows that the selected interface is a pcap dump and displays the pcap file name:

A quick glance at the traffic summary icons shows that ntopng has already detected multiple issues:

At this point, instead of checking the traffic warnings or errors one by one, I open the "Host Map" from the "Map" menu and select "Alert Traffic" in the filter dropdown. This view gives an overview of hosts with alerts: servers with alerts are plotted on the x-axis, clients on the y-axis (a host can be a server, a client or both). The size of each circle is proportional to the number of alerts, so larger circles mark hosts with more alerts. The dropdown also offers other useful filters, such as "Traffic Ratio" or "DNS Requests vs. Responses".

Next, I focus on the largest circle, in the upper-left corner: this host has roughly 170 alerts. Hovering over it reveals the IP address 10.12.7.101, and clicking the circle opens the host information page:

From the host page we can gather the following:
1. The host is a Windows 8 client.
2. The host has a client-side score of 19,905, which is very high for a single host. ntopng scores each flow for security and protocol-related issues and sums the scores per host. For example, a flow carrying malicious data adds 210 to the host's score and suspicious data adds 200. As a rule of thumb, a score above 1,000 indicates a problem and a score below 100 means everything is fine; the score is an indicator of potential trouble, not a verdict.
3. Of the 634 flows from this host, 168 triggered alerts. Roughly a quarter of the traffic is problematic, which is highly unusual.
The host also has 152 SMTP (or SMTPS) flows, meaning it connected to a large number of different mail servers. That is highly unusual for a client: even a user with five to ten mail accounts talks to only a handful of SMTP servers and produces perhaps ten or so SMTP flows, not 152. Fan-out like this is the signature of a spambot.
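The three indicators above (summed host score, share of alerted flows, and SMTP fan-out) are easy to reproduce outside the GUI. The script below is an added example and not ntopng code: it aggregates constructed flow records shaped like ntopng's flow list per client and applies the thresholds. The 1,000/100 score cut-offs and the 210/200 per-flow weights are the ones quoted in the text; the 10% alert-ratio and 10-server SMTP fan-out limits are assumptions chosen for this example, and all IP addresses and flows are invented.

```python
from collections import defaultdict

# Thresholds. The first two are the rules of thumb quoted in the text; the other
# two are assumptions for this example (the text calls 1 alerted flow in 4 and
# 152 SMTP connections "highly unusual" without giving a hard limit).
SCORE_PROBLEM = 1000     # text: a host score above 1,000 indicates a problem
SCORE_OK = 100           # text: a score below 100 means everything is fine
ALERT_RATIO_MAX = 0.10   # assumption: flag a client if more than 10% of its flows alerted
SMTP_FANOUT_MAX = 10     # assumption: a normal client talks to at most ~10 distinct mail servers

# Per-flow score weights quoted in the text for two ntopng alert types.
FLOW_SCORE = {"Malicious data": 210, "Suspicious data": 200}


def summarize_clients(flows):
    """Aggregate flow records per client IP: total score, flow/alert counts, SMTP fan-out."""
    stats = defaultdict(lambda: {"flows": 0, "alerted": 0, "score": 0, "smtp_servers": set()})
    for f in flows:
        s = stats[f["client"]]
        s["flows"] += 1
        if f.get("alert"):
            s["alerted"] += 1
            s["score"] += FLOW_SCORE.get(f["alert"], 0)
        if f["l7"] in ("SMTP", "SMTPS"):
            s["smtp_servers"].add(f["server"])
    return stats


def triage(stat):
    """Return (verdict, reasons) for one client's aggregated stats."""
    reasons = []
    if stat["score"] > SCORE_PROBLEM:
        reasons.append(f"score {stat['score']} > {SCORE_PROBLEM}")
    ratio = stat["alerted"] / stat["flows"] if stat["flows"] else 0.0
    if ratio > ALERT_RATIO_MAX:
        reasons.append(f"{stat['alerted']}/{stat['flows']} flows alerted ({ratio:.0%})")
    fanout = len(stat["smtp_servers"])
    if fanout > SMTP_FANOUT_MAX:
        reasons.append(f"{fanout} distinct SMTP servers (spambot pattern)")
    if reasons:
        return "investigate", reasons
    if stat["score"] < SCORE_OK:
        return "ok", reasons
    return "review", reasons          # some score, but nothing that crosses a threshold


def triage_all(flows):
    """Map every client IP in the flow list to its triage verdict."""
    return {ip: triage(stat)[0] for ip, stat in summarize_clients(flows).items()}


def _flow(client, server, l7, alert=None):
    return {"client": client, "server": server, "l7": l7, "alert": alert}


# Constructed flow records (client, server, L7 protocol, alert name). 10.12.7.101 mimics the
# infected host from the article; the other two clients and all servers are invented.
FLOWS = (
    [_flow("10.12.7.101", f"198.51.100.{i}", "SMTP", "Suspicious data") for i in range(1, 13)]
    + [_flow("10.12.7.101", f"203.0.113.{i}", "TLS") for i in range(1, 5)]
    + [_flow("10.12.7.50", f"203.0.113.{i}", "TLS") for i in range(1, 6)]
    + [_flow("10.12.7.77", f"203.0.113.{i}", "TLS") for i in range(1, 20)]
    + [_flow("10.12.7.77", "203.0.113.99", "SMTP", "Malicious data")]
)

if __name__ == "__main__":
    for ip, stat in summarize_clients(FLOWS).items():
        verdict, reasons = triage(stat)
        print(f"{ip:<12} score={stat['score']:<5} {verdict:<11} {'; '.join(reasons)}")
```

The middle verdict matters in practice: a host with a single "Malicious data" flow lands above the "all fine" line but below the "problem" line, which is exactly the case where the score alone cannot decide and the flow alerts themselves have to be read.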
Now let's examine the alerts ntopng generated. Clicking the warning icon opens the flow alerts in the host view:

I sorted the list by score to identify the highest-scoring alerts.

Let's take a closer look at the top alert, "TLS Certificate Self-Signed". We can drill down into the flow by clicking the magnifying-glass icon:

Again there is a lot of information about the flow; for security analysis, three highlighted items matter:

1. The URL extracted from the client's request, http://amajai-technologies.world/, looks suspicious at first glance. Doesn't it resemble akamaitechnologies.com? Lookalike domains like this are easy to overlook in daily operations and are a real threat.
2. The TLS certificate is self-signed, a red flag: no reputable public service uses a self-signed certificate for Internet-facing communication. In addition, the issuer and subject fields are empty, an even bigger red flag. For reference, the certificate issuer information is shown below:

3. If the flow still seems merely suspicious, we can corroborate with the JA3 client fingerprint, an MD5 over the parameters of the TLS Client Hello that identifies the client's TLS implementation (the software, not the certificate). As shown below, ntopng flags the client fingerprint as malicious, and checking the hash against sslbl.abuse.ch confirms that it is on the SSL Blacklist.
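The lookalike check from item 1 can be automated. The script below is an added example, not code from the article or from ntopng: it reduces a hostname to its name label, strips hyphens and common digit homoglyphs, and measures the edit distance to a list of protected brand domains. The brand list, the distance threshold of 2 and the homoglyph table are assumptions for this example; the single-label public-suffix handling (no .co.uk style suffixes) is a deliberate simplification.

```python
from urllib.parse import urlsplit

# Brands worth protecting (constructed list for this example). A real deployment would use
# the organisation's own vendors and partners.
BRANDS = ["akamaitechnologies.com", "microsoft.com", "google.com"]
MAX_DISTANCE = 2  # assumption: an edit distance of 2 or less on the name label is "too close"

# Common digit-for-letter substitutions seen in typosquats (assumption, not from the article).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host):
    """Return (name label, tld): 'www.example.com' -> ('example', 'com').
    Assumes single-label public suffixes to keep the example short."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def normalize(label):
    """Strip hyphens and undo digit homoglyphs so 'amajai-technologies' compares as letters."""
    return label.replace("-", "").translate(HOMOGLYPHS)


def check_host(host, brands=BRANDS):
    """Classify a hostname against the brand list: (verdict, closest brand, distance),
    where verdict is 'exact', 'lookalike' or 'unrelated'."""
    name, tld = split_host(host)
    best = None
    for brand in brands:
        bname, btld = split_host(brand)
        if name == bname and tld == btld:
            return "exact", brand, 0
        d = levenshtein(normalize(name), normalize(bname))
        if best is None or d < best[1]:
            best = (brand, d)
    brand, d = best
    # Distance 0 here means the same name under another TLD or with hyphens/digits inserted.
    return ("lookalike" if d <= MAX_DISTANCE else "unrelated"), brand, d


def check_url(url, brands=BRANDS):
    """Same check for a full URL such as the one ntopng extracted from the flow."""
    return check_host(urlsplit(url).hostname or "", brands)


if __name__ == "__main__":
    for u in ["http://amajai-technologies.world/", "https://akamaitechnologies.com/",
              "https://akamai-technologies.com/", "http://akamaitechnologies.world/",
              "http://micr0soft.com/", "http://example.org/"]:
        verdict, brand, d = check_url(u)
        print(f"{u:<40} {verdict:<10} closest={brand} distance={d}")
```

Note that the exact-match test uses the raw labels while the distance uses the normalized ones, so a hyphenated or digit-substituted copy of a brand scores distance 0 yet is still reported as a lookalike rather than as the brand itself.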

The SSLBL listing for this JA3 hash is attributed to the Gozi banking trojan rather than to Qakbot. A JA3 hash identifies a TLS implementation, and different malware families (and occasionally legitimate software) can share one, so the listing should be read as "this client talks like a known banking trojan" rather than as a definitive family attribution. Either way, we have just found a host whose TLS client matches a blacklisted fingerprint, on top of the self-signed certificate and the lookalike domain: the host is infected.
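To make the JA3 check concrete, the script below is an added example (not ntopng's or abuse.ch's code) that computes a JA3 string and hash from a TLS ClientHello and looks the hash up in a blacklist in the abuse.ch ja3_fingerprints.csv layout. The ClientHello is constructed with a small builder and includes GREASE values, which JA3 must drop; the blacklist excerpt, its hash and its listing reason are invented, and the CSV column order (ja3_md5, first_seen, last_seen, listing reason) is my reading of the abuse.ch format, stated here as an assumption.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random filler that browsers insert; JA3 drops them so the
# fingerprint stays stable across connections.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _u16s(data):
    """Decode a byte string as a list of big-endian 16-bit integers."""
    return [v for (v,) in struct.iter_unpack(">H", data)]


def parse_client_hello(record):
    """Extract the JA3 input fields from a TLS record carrying a ClientHello (GREASE kept)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[0:2])[0]   # client_version, the value JA3 uses
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    ciphers = _u16s(body[pos + 2:pos + 2 + cs_len])
    pos += 2 + cs_len
    pos += 1 + body[pos]                           # compression_methods
    exts, curves, points = [], [], []
    if pos + 2 <= len(body):                       # extensions block is optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 0x000A:                    # supported_groups (elliptic curves)
                curves = _u16s(edata[2:2 + struct.unpack(">H", edata[:2])[0]])
            elif etype == 0x000B:                  # ec_point_formats
                points = list(edata[1:1 + edata[0]])
    return version, ciphers, exts, curves, points


def ja3_string(record):
    """Build the JA3 string: version,ciphers,extensions,curves,point_formats (GREASE removed)."""
    version, ciphers, exts, curves, points = parse_client_hello(record)

    def dash(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)

    return f"{version},{dash(ciphers)},{dash(exts)},{dash(curves)},{dash(points)}"


def ja3_hash(record):
    """The JA3 fingerprint itself: MD5 of the JA3 string, as published on sslbl.abuse.ch."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def lookup_sslbl(ja3_md5, csv_text):
    """Look up a JA3 MD5 in text in the abuse.ch ja3_fingerprints.csv layout (assumed here:
    '#' comment lines; columns ja3_md5,first_seen,last_seen,listing reason)."""
    for line in csv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = [c.strip().strip('"') for c in line.split(",")]
        if cols[0].lower() == ja3_md5.lower():
            return cols[3] if len(cols) > 3 else "listed"
    return None


def build_client_hello(version, ciphers, extensions):
    """Assemble a minimal ClientHello record; used here only to construct sample input."""
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"      # version, random, no session id
            + struct.pack(">H", len(cs)) + cs + b"\x01\x00"        # cipher suites, null compression
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed ClientHello: TLS 1.2 version field, a GREASE cipher and a GREASE extension
# mixed in, SNI a.test, x25519 and secp256r1, uncompressed points, one signature algorithm.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0x1301, 0xC02B, 0x002F],
    [(0x1A1A, b""),
     (0x0000, b"\x00\x09\x00\x00\x06a.test"),
     (0x000A, b"\x00\x06\x0a\x0a\x00\x1d\x00\x17"),
     (0x000B, b"\x01\x00"),
     (0x000D, b"\x00\x02\x04\x03")],
)

# Constructed blacklist excerpt; the hash and reason are made up, not a real SSLBL row.
SAMPLE_SSLBL = """# ja3_md5,first_seen,last_seen,Listing reason
00000000000000000000000000000000,2020-12-01 00:00:00,2020-12-07 00:00:00,Example banking trojan C&C
"""

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))   # 771,4865-49195-47,0-10-11-13,29-23,0
    print(ja3_hash(SAMPLE_HELLO), lookup_sslbl(ja3_hash(SAMPLE_HELLO), SAMPLE_SSLBL))
```

Because the GREASE values are filtered out, the same hello without them yields an identical fingerprint; that is what makes JA3 usable for blacklisting at all, and also why it fingerprints the TLS library rather than a particular piece of malware.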
Conclusion
Even when analysing recorded traffic, ntopng is a great tool for getting an overview of what happened on the network. Its real value, however, lies in real-time scoring and alerting. Faced with malware like this, I may not immediately know the exact family, but the generated alerts strongly indicate that the host is compromised, which is enough to isolate it from the network and investigate further.
Original Statement: This article is published with the author's permission on Tencent Cloud Developer Community. Reproduction without permission is prohibited.