Cybercriminals have recently released a new (v3, to be more precise, which suggests it has operated beneath the radar until now), commercially available, modular malware platform, including such cybercrime-friendly features as DNS Changer, Loaders, Injects, and Ransomware — in this particular case completely blocking the Internet access of the affected user — with several upcoming modules such as stealth VNC, and Remote IE (a feature which would allow them to completely hijack any sort of encrypted session taking place on the affected host, naturally including the cookies).
Sample screenshots of the command and control interface+DNS Changer in action:
With prices for the standard package starting from $1,500, I expect that the malware bot will quickly gain market share thanks to its compatibility with existing/working crimeware concepts/releases, as well as thanks to the general availability of 24/7/365 managed malware crypting services, which apply the necessary degree of QA (Quality Assurance) to a potential campaign before it is launched. Moreover, yet another factor that would greatly contribute to the success of newly released platforms of this type is the ease of acquiring legitimate traffic — think blackhat SEO, compromised FTP accounts, or mass SQL injection campaigns — to be later converted into malware-infected hosts, most commonly through social engineering, or through client-side exploitation of already-patched vulnerabilities in outdated browser plugins/third-party applications.
Furthermore, with or without full-scale modularity in place (some of the modules are still in the works), and despite the lack of built-in renting/reselling/traffic acquisition/affiliate-network monetization elements, which are typical of what can best be described as a platform-type underground market release as opposed to a standalone modular malware bot, the bot is worth keeping an eye on.
The DNS Changer IP seen in the screenshot, 220.127.116.11 (62-76-176-214.clodo.ru), can also be connected to related malicious activity. For instance, the sample with MD5 cef012fb4fa7cd55f04558ecee04cd4e is known to have previously phoned back to 18.104.22.168.
Most interestingly, according to this assessment, besides phoning back to 22.214.171.124, the same sample is also known to have used the following malicious domains as C&Cs:
6r3u8874dfd9.com – known to have responded to 126.96.36.199
r55u87799hd39.com – known to have responded to 188.8.131.52
The following malicious MD5s are also known to have phoned back to the same C&C IP (184.108.40.206) since the beginning of the month:
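As an added defensive example (not code from the original post), the script below matches the indicators listed above against a constructed DNS query log and constructed host resolver settings, so that a hijacked resolver (the DNS Changer behaviour) and lookups of the listed C&C domains/IPs can be flagged. The indicator values are the ones printed in the post; the log format, host names, client addresses and log lines are assumptions made for the example.

```python
"""IoC matching for the DNS Changer / C&C indicators listed in the post.

Added example, not code from the original post. The indicator sets below are
the values as printed in the post; everything marked "constructed" is sample
data invented for this example.
"""
import re

# Indicators as listed in the post.
MALICIOUS_RESOLVER_IPS = {"220.127.116.11"}                      # DNS Changer resolver
C2_IPS = {"18.104.22.168", "22.214.171.124", "126.96.36.199",
          "188.8.131.52", "184.108.40.206"}
C2_DOMAINS = {"6r3u8874dfd9.com", "r55u87799hd39.com"}
KNOWN_SAMPLE_MD5S = {"cef012fb4fa7cd55f04558ecee04cd4e"}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample DNS query log. Assumed format (hypothetical):
#   <timestamp> <client-ip> <queried-name> <answer-ip>
# Client and benign answer addresses come from RFC 5737 documentation ranges.
SAMPLE_DNS_LOG = """\
2013-03-01T10:00:01 192.0.2.5 www.example.com 203.0.113.10
2013-03-01T10:00:02 192.0.2.7 r55u87799hd39.com 188.8.131.52
2013-03-01T10:00:03 192.0.2.9 update.example.org 203.0.113.11
2013-03-01T10:00:04 192.0.2.7 cdn.6r3u8874dfd9.com. 126.96.36.199
"""

# Constructed sample resolver configuration per host (host -> configured DNS servers).
SAMPLE_RESOLVER_CONFIGS = {
    "ws-01": ["192.0.2.1", "192.0.2.2"],
    "ws-02": ["220.127.116.11", "192.0.2.1"],   # first resolver replaced by the DNS Changer
}


def domain_matches(qname, bad_domains):
    """True if qname equals a listed domain or is a subdomain of one.

    Trailing dots are stripped and the comparison is case-insensitive so that
    'CDN.6r3u8874dfd9.com.' still matches '6r3u8874dfd9.com'.
    """
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in bad_domains)


def scan_dns_log(log_text):
    """Return one hit per log line whose query name or answer is a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines instead of failing
            continue
        ts, client, qname, answer = parts
        reasons = []
        if domain_matches(qname, C2_DOMAINS):
            reasons.append("c2-domain")
        if answer in C2_IPS:
            reasons.append("c2-ip")
        if reasons:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "answer": answer, "reasons": reasons})
    return hits


def find_changed_resolvers(configs):
    """Map host -> listed malicious resolver IPs found in its DNS settings."""
    changed = {}
    for host, servers in configs.items():
        bad = [ip for ip in servers if ip in MALICIOUS_RESOLVER_IPS]
        if bad:
            changed[host] = bad
    return changed


def check_hashes(md5s):
    """Return the well-formed MD5s from md5s that are listed indicators."""
    normalised = (h.strip().lower() for h in md5s)
    return sorted(h for h in normalised if MD5_RE.match(h) and h in KNOWN_SAMPLE_MD5S)


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
    for host, bad in find_changed_resolvers(SAMPLE_RESOLVER_CONFIGS).items():
        print(f"resolver changed on {host}: {bad}")
    print("known samples:", check_hashes(["CEF012FB4FA7CD55F04558ECEE04CD4E", "not-a-hash"]))
```

The resolver check is the part specific to a DNS Changer: the C&C domain and IP matches only fire when the host's queries still pass through a resolver you log, whereas a host whose configured resolver has been swapped for 220.127.116.11 will send its lookups elsewhere, so comparing configured resolvers against the indicator list is the check that catches the quiet case.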