New Variant of Notorious Svpeng Currently for Sale on the Russian Underground

In recent days, there have been numerous reports about the new Svpeng variant, with extended capabilities. These capabilities include keystroke logging and taking control of many device functions, using the accessibility services feature. Continue reading “New Variant of Notorious Svpeng Currently for Sale on the Russian Underground”

The Latest Trends in the Russian Underground – H1 2015 Summary

It is summer in Russia, and the time of the year when people head to the seaside on vacation for a couple of weeks’ break. The decline in activity can be clearly seen on the Russian-speaking forums and marketplaces dealing with cybercrime. Apparently, cybercriminals also take a rest from their online activities, just as they would from a regular full-time job. For us, it is the best time to perform a deep analysis of the main trends in the Russian underground boards during the first half of 2015. When preparing the insights from this analysis, our goal was to identify the main scope of interest on closed, Russian-speaking forums these days, as well as to pinpoint the shifts that have occurred in the last six months.

In order to draw conclusions, we analyzed the threads from the last six months from the four leading Russian forums. These forums mainly serve as a marketplace for attack tools and platforms, in addition to being a source of information and consultation for the forum members. Hereinafter, we tried to summarize the main topics of conversation on Russian marketplaces dedicated to cybercrime during the past six months:

Exploit Kits: In recent months, we have witnessed numerous attacks involving EK as the intrusion vector, including Angler, Neutrino, Nuclear, Magnitude and RIG. These EKs are constantly updated with new exploits.

While some EKs are offered for sale on trading boards, others are available exclusively to selected buyers via private sales, using the Jabber instant messaging system for example. For one case in point, RIG EK 3.0 is offered for a monthly rental fee of $700 on a closed Russian forum (this is considered an extremely low price). In comparison, Angler EK, AKA XXX is not advertised at all among Russian forum members on any of the closed forums.

RIG EK Statistics – screenshots published by the developer of the EK
RIG EK Statistics – screenshots published by the developer of the EK

Banking Trojans: During the last few months, we did not spot any new banking Trojans for sale on the Russian underground. The majority of recent attacks against the financial industry clients were perpetrated using DYRE or Dridex banking Trojans. Even though there is evidence that both were developed by Russian coders and are distributed among Russian-speaking criminals, we did not witness any commercial trading of these Trojans.

The two Trojans currently selling on Russian forums are Kronos, whose sales started back in the middle of 2014, and the new version of Tinba, which is based on source code leaked in the 2014 version.

Tinba banking Trojan offered for rent
Tinba banking Trojan offered for rent

Ransomware: Despite the fact that new campaigns distributing ransomware are uncovered on a regular basis, culminating in an FBI alert at the beginning of 2015, we did not see an elevated interest in this kind of malware on the Russian forums. The sales of CTB-Locker were ceased, at least publicly, probably because of the extensive media coverage. None of the ransomware tools that are widely used in the wild (TorrentLocker, Tesla Crypt, Cryptowall), are offered for sale on Russian marketplaces. The only two new ransomware tools offered during H1 2015 were GM Cryptolocker for Android-based devices and Azazel locker, for just $200. Both are relatively new and there has been no comprehensive feedback from buyers as yet.

The interface of GM Cryptolocker – ransomware for mobile platforms
The interface of GM Cryptolocker – ransomware for mobile platforms

RAT malware based on legitimate software – a clear new trend on the Russian underground is the development of malicious tools based on the source code of legitimate software for remote access (such as TeamViewer, AmmyAdmin, etc.). These tools are disguised as an update for the software or as a setup file. Additional tools traded on the forums exploit services and programs for remote control, such as RDS (Remote Desktop Services, RMS (Remote Manipulator System) and RDP (Remote Desktop Protocol).

To date, we have identified five different malicious tools of this kind for sale during the last six months. According to the sellers’ description, they are capable of bypassing defense mechanisms installed on the machine and gaining full access to it.

Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.
Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.

Loaders and Droppers – In recent months, we have identified a rise in this type of malware for sale on Russian underground forums. Generally, they it is spread via spam emails, and once installed on the system, serves as a tunnel for later installations of malicious programs. In this manner, defense mechanisms can be bypassed. One instance involving this malware was the infamous Andromeda, sold since 2011 to date for only $500. Andromeda was employed by the Carbanak group against financial targets. Aside from Andromeda, we also identified six new loaders and droppers offered for sale during the past six months.

Digital Certificates Trade – This phenomenon started as a sporadic sales thread, appearing occasionally on several forums during the last year. As demand expanded, trade in digital certificates evolved into a successful sub-category on Russian underground marketplaces. Recently, a dedicated online shop for trade in digital certificates was launched. The average price for one certificate is about 1.4 BTC.

The vigorous trade in these certificates demonstrates that they are quite useful for the purchasers, who use them to sign the malicious code they distribute and evade detection.

For obvious reasons, the sellers do not disclose the origin of the certificates, but claim they are authentic and were issued by a Certificate Authority (CA).

An online shop for digital certificates trade
An online shop for digital certificates trade

Two New Banking Trojans Offered for Sale on the Russian Underground

It is the time of summer vacations in East Europe now, and we definitely see a certain recession in the underground cybercrime business. Just as “regular” people in Russia, cybercriminals also spend a week or two by the sea or in their dachas (chalets), after hard work round the clock during the year. We are witnessing this recession not only in the decrease of trade activity, but also in the lack of support for some services offered on the forums, long absence of several high ranked members from the boards etc.

Considering this situation, it was quite exceptional to see almost simultaneously the appearance of two new Banking Trojans on one of the Russian underground forums. Although offered by different sellers, the names of both of them are derived from the Greek Mythology – Kronos and Kratos. Kronos is the father of Zeus, the most important Greek God, while Kratos was a far less important figure. The prices match the significance of the gods – Kronos costs $7,000 (a special release price till July 18th is $5,000, and one-week trial is offered for $1,000, on your own domain), while Kratos is available for only $2,000.

Let us look deeper at the features of the above mentioned Trojans, as they are described by the sellers.

Kronos

Kronos, first published on June 10th, is claimed not to be based on Zeus source code, or other known banking Trojans, thus suggesting a new generation of financial malware. The extremely high price supports this suggestion.

It has a ring 3 rootkit which is compatible both with x86 and x64 systems and includes formgrabber for the last versions of the popular browsers (IE, FF and Crome). Kronos’ web injections are configured in Zeus’ format, so the adjustment of old injections for the new Trojan is supposed to be pretty simple. As for security features, the Trojan is capable of bypassing proactive AV protection, as well as bypassing user-mode sandboxes and rootkits.

Among the disadvantages of this Trojan, the seller mentions the lack of VNC module and the discrepancy of Opera browser. Nevertheless, a vigorous discussion about Kronos developed on the forum and gained mostly positive feedback.

On July 8th, the seller posted the results of AV scan that he performed to his product – it was detected by 10 out of 35 vendors, as a generic malware.

Kronos in action - a snapshot from a video published by the seller
Kronos in action – a snapshot from a video published by the seller

Kratos

Kratos’ sales started on July 7th. It is based on Carberp’s bootkit, without relying on Zeus source code, and has the php Citadel’s administration panel.

The seller describes the main concept of his product as blocking AV detection (depends on a successful installation of ring0 bootkit). It works on both x86 and x64 OS, and based on modulatory system – one of them is injecting module for all version of FF, IE and Chrome browsers. As to security functions, the Trojan bypasses UAC protection and has a unique, 16kb, RSA signature key.

Kratos’ seller emphasizes the fact that the change in one of the protocols (compared to Zeus), allowed compression of the traffic, thus opening the possibility of connection to TOR browser.

The thread about Kratos on one of Russian underground forums
The thread about Kratos on one of Russian underground forums

In both cases, the discussions still continue. We still have not seen feedbacks from satisfied purchasers, but in general both of the Trojans were accepted with positives responses.

Zorenium Bot: Follow-up

This is a guest post by Dimitry, a forensics expert who will be joining our team soon.

Image

As a follow up to our previous post, here is a quick overview of some of Zorenium’s capabilities.

Please note that as we are still in the process of fully analyzing this bot’s capabilities – the post is mostly based on the information publish by the bot maker.

Without a doubt, one of the most interesting modules to start with would be the FakeShoutDown mechanism. If according to the author indeed it operates as they say it does, then it is definitely a new “way of thinking”.

In essence, the authors of Zorenium are faking the shutdown process of a machine. The code imitates the entire process (once the shutdown sequence isinitiated by the user) including proper images and even, and this is quite fascinating, slowing down the computer fans to eliminate the noise.

In my humble opinion, it is quite impressive.

The bot has multiple interfaces of management (such as IRC and I2P), and all come with a great set of 256 bit AES keys.

Another interesting aspect would be the implementation of the stenography module. The stenography module is not a “regular”, and it makes this bot into more sophisticated than others. I am curious to see how that implementation works.

Another funky aspect of the bot would be what the author called “CHRISTMAS USERKIT4 SPECIAL ADDON”. Amongst the various features, the bot will replicate a new disk drive and will drop the core dll’s onto it. Then it will encrypt the hard drive and thus protect it from various AV and anti-malware mechanisms. Pretty sweet if you ask me.

The cherry on this icecream would be the iOS module. This is definitely the first bot that I have seen that actually operates on “Cross-platforms”. It can infect Android, Windows and iOS systems – a true nightmare to all security specialists. The main question regarding iOS still remains – are only jailbroken phones at risk or is it much, much worse?

Zorenium Bot Coming to the iPhone Nearest to You

Written by Tanya Koyfman and Assaf Keren

Recently our analysts have been monitoring the advancement of a new threat in the commercial malware theater – the Zorenium Bot. Zorenium, a relatively new and unknown bot,  has been for sale on the underground sinceJanuary 2014. This bot will be getting new features in its March 18th update, including, the ability to infect iOS devices (version 5-7), alongside its existing capabilities to run on Linux- and Windows-based machines. The developers have also updated the rootkit to TDL4 (making it vulnerable to anti-TDSS tools).

 zorenium1

Capture of the recent release notifications

Zorenium, a relative of Betabot, is a very robust bot which is still undetected by most AV companies. It has several key abilities, including DDoS, Formgrabbing, Bot-killing, Banking Trojan and Bitcoin mining. The cost of a basic Zorenium bot is 350 GBP and with advanced features (including P2P C&C, i2p C&C and more) it can go up to over 5000GBP.

 zorenium2

Zorenium Payment Plans

According to the developers, it is still in beta mode and more features will be available in time .

 zorenium3

Zorenium Source Screen Capture