TL32Sn – twisted cousin of cz32ts and NV32ts
I’ve come across TL32Sn.exe (Anubis report, VirusTotal report), which appears to be related to cz32ts and NV32ts. Aside from the similar format of the name of the executable, it shares the same C&C server at 126.96.36.199.
cz32ts used port 8998 to get a list of URLs to attack, and the same port to report the results back. TL32Sn uses port 8999 instead, and via a command called PHPGETURL retrieves URLs like this:
These are Google searches which TL32Sn duly carries out (the user agent is TL32Sn.exe). There are lots more questions here:
- Why start at result #300?
- Why didn’t they say inurl:”asp?content=” instead of the less effective inurl:asp?content=
- Why are they searching for cholecystokinin and chopin anyway? The two URLs above were fetched within half an hour of one another – perhaps these words are from an ordered list of search terms?
One thing is for certain – 188.8.131.52 is at the heart of all this!
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk