In 2015, Operation Windigo is Still Going Strong

Brad Duncan is a Security Researcher at Rackspace, where he investigates suspicious network activity and identifies threats from various groups. This blog entry discusses the results of ongoing research into one such criminal operation. 

Introduction

According to a 2014 report by ESET, Windigo is the code name for an ongoing operation that started as early as 2011 [1]. As noted in the report, legitimate traffic to servers compromised by the Windigo group redirect visitors to an exploit kit. The goal is to infect vulnerable Windows clients trying to view these websites.

Operation Windigo is still active, and the group continues using compromised servers to infect vulnerable Windows computers.

Chain of events

Above: Flowchart for Operation Windigo traffic

Traffic Characteristics

Some characteristics remain consistent for Operation Windigo traffic:

  • Compromised websites need a referrer to kick off a chain of events leading to an infection.
  • If conditions are right, the compromised website returns a “302 Found” Cushion redirect that leads to an exploit kit [2][3].
  • The exploit kit’s malware payload is still identified by ESET as Win32/Glupteba.M.

When I started documenting traffic associated with this group in 2014, Windigo used the Neutrino exploit kit to deliver malware to vulnerable Windows clients [4]. Since then, Windigo has changed exploit kits. Windigo is currently using the Nuclear exploit kit to deliver malware.

I infected a vulnerable host as recently as 2015-05-18 and examined the traffic.

Above: Wireshark display of Windigo traffic from an infected host on 2015-05-18.

Above: Snort alerts for Windigo traffic on 2015-05-18 from the Emerging Threats signature set on Security Onion.

The malware payload (Glupteba) from this traffic was submitted to Malwr.com. If you’re registered with Malwr.com, you can retrieve a copy here.

Previously, Operation Windigo caused a redirect to adult-themed dating sites like adultfriendfinder.com while an infection happened in the background. In recent months, Windigo has caused a Nuclear exploit kit landing page to appear in the web browser. We no longer see any related traffic to adult-themed dating sites.

Shown above: Previously seen, an adult-themed website caused by Operation Windigo.

Above: Currently seen, a Nuclear exploit kit landing page caused by Operation Windigo.

Final Words

Traffic patterns for Operation Windigo are relatively unchanged, and most information from the 2014 ESET report still applies [1]. Based on our research, Windigo is as common now as it has been in previous years.

References:

[1] http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
[2] http://docs.emergingthreats.net/bin/view/Main/2017507
[3] http://docs.emergingthreats.net/bin/view/Main/2017552
[4] http://malware-traffic-analysis.net/2014/03/08/index.html

Brad Duncan was a Security Researcher at Rackspace specializing in network traffic analysis and intrusion detection. After more than 21 years doing classified intelligence work for the US Air Force, Brad began a new career in cyber security. In 2013, Brad started a blog at www.malware-traffic-analysis.net as a way to share technical information with like-minded security professionals.

LEAVE A REPLY

Please enter your comment!
Please enter your name here