Tuesday, November 12, 2013

New Commercially Available Modular Malware Platform Released On the Underground Marketplace

Cybercriminals have recently released a new (v3 to be more precise indicating possible beneath the radar operation until now), commercially available, modular malware platform, including such cybercrime-friendly features like DNS Changer, Loaders, Injects, and Ransomware features -- completely blocking the Internet access of the affected user in this particular case -- with several upcoming modules such as stealth VNC, and Remote IE (a feature which would allow them to completely hijack any sort of encrypted session taking place on the affected host, naturally including the cookies).

Sample screenshots of the command and control interface+DNS Changer in action:

With prices for the standard package starting from $1,500, I expect that the malware bot will quickly gain market share thanks to its compatibility with existing/working crimeware concepts/releases, as well as thanks to the general availability of 24/7/365 managed malware crypting services, applying the necessary degree of QA (Quality Assurance) to a potential campaign before launching it. Moreover, yet another factor that would greatly contribute to the success of such type of newly released platforms is the the ease of acquisition of legitimate traffic -- think blackhat SEO, compromised FTP accounts, or mass SQL injection campaigns -- to be later on converted into malware-infected hosts, most commonly through social engineering, or the client-side exploitation of outdated and already patched vulnerabilities in browser plugins/third-party applications.

Furthermore, with or without the full scale modularity in place -- some of the modules are currently in the works, as well as the lack of built-in renting/reselling/traffic acquisition/affiliate network type of monetization elements, typical for what can be best described as platform type of underground market release compared to a standalone modular malware bot, the bot's worth keeping an eye on.

The DNS Changer IP seen in the screenshot (62-76-176-214.clodo.ru), can also be connected to related malicious activity. For instance, MD5: cef012fb4fa7cd55f04558ecee04cd4e is known to have previously phoned back to

And most interestingly, according to this assessment, next to phoning back to, the following malicious domains are also known to have been used as C&Cs by the same sample:
6r3u8874dfd9.com - known to have responded to
r55u87799hd39.com - known to have responded to

The following malicious MD5s are also known to have phoned back to the same C&C IP ( since the beginning of the month:
MD5: 56f05611ec91f010d015536b7e9fe1a5
MD5: 49aeaa9fad5649d20a9c56e611e81d96
MD5: bf4fa138741ec4af0a0734b28142f7ae
MD5: cd92df2172a40ebb507fa701dcb14fea
MD5: 1d51cde1ab7a1d3d725e507089d3ba5e
MD5: a00695df0a50b3d3ffeb3454534d97a8
MD5: ea8340c95589ca522dac1e04839a9ab9
MD5: f2933ca59e8453a2b50f6d38a9ad9709
MD5: dd9c4ba82de8dcf0f3e440b302e223e8
MD5: d92ad37168605579319c3dff4d6e8c26
MD5: 004bf3f6b7f49d5c650642dde3255b16
MD5: deb8bcd6c7987ee4e0a95273e76feccd
MD5: 1791cb3e3da28aec11416978f415dcd3
MD5: 7eae6322c9dcaa0f12a99f2c52b70224
MD5: 0027511d25a820bcdc7565257fd61ba4
MD5: 294edcdaab9ce21cb453dc40642f1561
MD5: b414d9f54a723e8599593503fe0de4f1
MD5: 20ee0617e7dc03c571ce7d5c2ee6a0a0
MD5: e1059ae3fb9c62cf3272eb6449de23cf

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.