A new modular malware platform sold on the underground


8:30 ET, 19 November 2013

Security researcher Dancho Danchev has profiled a new commercial, modular malware platform recently released on the underground marketplace.

A new commercial, modular malware platform has been released on the underground marketplace, according to a post by security expert Dancho Danchev.

Danchev recently observed a new modular malware platform specifically designed to provide a series of powerful features through a user-friendly interface. The application ships with modules implementing its principal functionalities, including Loaders, Injects, DNS Changer and Ransomware. The malware built with it may be used to steal sensitive information from victims or to completely block their Internet access, and attackers can count on a feature that would allow them to completely hijack any encrypted session taking place on the affected host.

The platform also allows remote control of victims, and the authors plan to add several upcoming modules to the malicious code, such as stealth VNC and Remote IE.

The following image shows the command and control interface. The console appears very intuitive and demonstrates the effort the authors have spent to provide a ready-to-use modular malware platform for cybercriminals who intend to conduct malware-based attacks, integrating the produced malicious code with existing crimeware.

[Image: command and control interface of the modular malware platform]

Danchev bets on the success of the platform: the system is very convenient for criminals who already conduct a wide range of illegal activities, such as mass SQL injection campaigns or blackhat SEO campaigns, and decide to monetize the “conquered” machines by converting them into malware-infected hosts.

Recently, security experts have observed a peak in social engineering attacks (e.g. phishing campaigns) and in client-side exploitation of vulnerabilities in browser plugins and third-party applications; the data is confirmed by the principal security firms, as I wrote yesterday in a post on the latest TrendLabs report on cybercriminal activity.

The price of the standard package of the Modular Malware Platform is $1,500, and the authors offer 24/7/365 managed malware crypting services, “applying the necessary degree of QA (Quality Assurance) to a potential campaign before launching it”. The modularity and scalability of the platform allow the authors to propose continuous updates to the product with the aim of improving its efficiency; Danchev highlighted that the platform is still a work in progress and that new improvements could become available on the black market soon.

“Furthermore, with or without the full scale modularity in place — some of the modules are currently in the works, as well as the lack of built-in renting/reselling/traffic acquisition/affiliate network type of monetization elements, typical for what can be best described as platform type of underground market release compared to a standalone modular malware bot, the bot’s worth keeping an eye on.” wrote Danchev.

The post ends with a mention of a real case that proves the diffusion of malicious code controlled by the latest version of the modular malware platform.

“The DNS Changer IP seen in the screenshot 62.76.176.214 (62-76-176-214.clodo.ru), can also be connected to related malicious activity. For instance, MD5: cef012fb4fa7cd55f04558ecee04cd4e is known to have previously phoned back to 62.76.176.214. And most interestingly, according to this assessment, next to phoning back to 62.76.176.214, the following malicious domains are also known to have been used as C&Cs by the same sample:
6r3u8874dfd9.com – known to have responded to 31.170.179.179
r55u87799hd39.com – known to have responded to 31.170.179.179
r95u8114dfd9.com

The following malicious MD5s are also known to have phoned back to the same C&C IP (31.170.179.179) since the beginning of the month:
MD5: 56f05611ec91f010d015536b7e9fe1a5
MD5: 49aeaa9fad5649d20a9c56e611e81d96
MD5: bf4fa138741ec4af0a0734b28142f7ae
MD5: cd92df2172a40ebb507fa701dcb14fea
MD5: 1d51cde1ab7a1d3d725e507089d3ba5e
MD5: a00695df0a50b3d3ffeb3454534d97a8
MD5: ea8340c95589ca522dac1e04839a9ab9
MD5: f2933ca59e8453a2b50f6d38a9ad9709
MD5: dd9c4ba82de8dcf0f3e440b302e223e8
MD5: d92ad37168605579319c3dff4d6e8c26
MD5: 004bf3f6b7f49d5c650642dde3255b16
MD5: deb8bcd6c7987ee4e0a95273e76feccd
MD5: 1791cb3e3da28aec11416978f415dcd3
MD5: 7eae6322c9dcaa0f12a99f2c52b70224
MD5: 0027511d25a820bcdc7565257fd61ba4
MD5: 294edcdaab9ce21cb453dc40642f1561
MD5: b414d9f54a723e8599593503fe0de4f1
MD5: 20ee0617e7dc03c571ce7d5c2ee6a0a0
MD5: e1059ae3fb9c62cf3272eb6449de23cf”
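The indicators quoted above (two C&C IPs, three domains and the sample hashes) are the part of the post a defender can act on directly. As an added example, not code from the post or from Danchev's research, the following Python script turns them into a simple matcher: it extracts IPv4 addresses, hostnames and MD5 digests from arbitrary text log lines and flags any that equal a listed C&C IP or hash, or that equal or sit under a listed domain. Because it matches on tokens rather than fields, it works on DNS, proxy, firewall and file-inventory logs alike, and a host whose configured resolver points at a C&C address (the effect of the DNS Changer module) is flagged the same way. The log lines embedded in the script are constructed for the demonstration, and the `client=`, `src=` and `host=` field names used to name affected assets are an assumed format.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Set

# Indicators quoted in the post from Danchev's assessment; used here only
# for defensive matching against local logs.
CNC_IPS = frozenset({"62.76.176.214", "31.170.179.179"})
CNC_DOMAINS = frozenset({"6r3u8874dfd9.com", "r55u87799hd39.com", "r95u8114dfd9.com"})
SAMPLE_MD5S = frozenset({
    "cef012fb4fa7cd55f04558ecee04cd4e",  # sample that phoned back to 62.76.176.214
    "56f05611ec91f010d015536b7e9fe1a5", "49aeaa9fad5649d20a9c56e611e81d96",
    "bf4fa138741ec4af0a0734b28142f7ae", "cd92df2172a40ebb507fa701dcb14fea",
    "1d51cde1ab7a1d3d725e507089d3ba5e", "a00695df0a50b3d3ffeb3454534d97a8",
    "ea8340c95589ca522dac1e04839a9ab9", "f2933ca59e8453a2b50f6d38a9ad9709",
    "dd9c4ba82de8dcf0f3e440b302e223e8", "d92ad37168605579319c3dff4d6e8c26",
    "004bf3f6b7f49d5c650642dde3255b16", "deb8bcd6c7987ee4e0a95273e76feccd",
    "1791cb3e3da28aec11416978f415dcd3", "7eae6322c9dcaa0f12a99f2c52b70224",
    "0027511d25a820bcdc7565257fd61ba4", "294edcdaab9ce21cb453dc40642f1561",
    "b414d9f54a723e8599593503fe0de4f1", "20ee0617e7dc03c571ce7d5c2ee6a0a0",
    "e1059ae3fb9c62cf3272eb6449de23cf",
})

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# hostname-like token: dotted labels ending in an alphabetic TLD (excludes IPs)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# assumed log field names identifying the internal machine on a line
ASSET_RE = re.compile(r"\b(?:client|src|host)=([^\s,:]+)")


class Match(NamedTuple):
    line_no: int
    kind: str        # "ip", "domain" or "md5"
    indicator: str   # the listed IoC that matched
    line: str


def _domain_hit(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for d in CNC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_lines(lines: Iterable[str]) -> List[Match]:
    """Flag every line containing a listed IP, domain or sample hash.
    Each (kind, indicator) pair is reported once per line."""
    hits: List[Match] = []
    for n, line in enumerate(lines, start=1):
        found = []
        for ip in IPV4_RE.findall(line):
            if ip in CNC_IPS:
                found.append(("ip", ip))
        for host in HOST_RE.findall(line):
            d = _domain_hit(host)
            if d:
                found.append(("domain", d))
        for h in MD5_RE.findall(line):
            if h.lower() in SAMPLE_MD5S:
                found.append(("md5", h.lower()))
        seen: Set[tuple] = set()
        for kind, ind in found:
            if (kind, ind) not in seen:
                seen.add((kind, ind))
                hits.append(Match(n, kind, ind, line))
    return hits


def affected_assets(hits: Iterable[Match]) -> Set[str]:
    """Collect the internal client/src/host value (assumed field names)
    from each flagged line so the machines can be triaged."""
    assets: Set[str] = set()
    for h in hits:
        m = ASSET_RE.search(h.line)
        if m:
            assets.add(m.group(1))
    return assets


# Constructed log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2013-11-19T08:30:01Z dns client=10.0.0.5 query=6r3u8874dfd9.com answer=31.170.179.179",
    "2013-11-19T08:30:02Z dns client=10.0.0.5 query=www.example.com answer=192.0.2.10",
    "2013-11-19T08:31:12Z conn src=10.0.0.7 dst=62.76.176.214:80 proto=tcp",
    "2013-11-19T08:32:00Z dnscfg host=ws-12 servers=62.76.176.214,8.8.8.8",
    r"2013-11-19T08:33:40Z file host=ws-12 path=C:\Users\u\tmp\a.exe md5=56F05611EC91F010D015536B7E9FE1A5",
    r"2013-11-19T08:34:00Z file host=ws-13 path=C:\Windows\notepad.exe md5=0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    matches = scan_lines(SAMPLE_LOG)
    for m in matches:
        print(f"line {m.line_no}: {m.kind} {m.indicator}")
    print("assets to triage:", sorted(affected_assets(matches)))
```

Hash comparison is case-insensitive and domain matching covers subdomains, so a renamed sample or a `mail.` prefix on a listed domain still matches; a hash of a different length (a SHA-1, say) is never mistaken for an MD5 because the word boundaries require exactly 32 hex characters.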

The cybercrime industry never stops, and its capability to tailor its offer to the mutating needs of the cybercriminal community is no longer a surprise. Thanks to the wide range of DIY tools and hacking services available on the black market, even criminals without particular skills can create serious problems.

Pierluigi Paganini

(Security Affairs – Modular Malware Platform, cybercrime)