
Cybercriminals use an Amazon server to manage Win32/Bayrob malware

Over the past few months our analysts have been studying several malicious programs that are being widely distributed in countries such as Germany and Spain. One interesting example is the Nemucod Trojan, which we wrote about earlier; among other things, Nemucod was used to distribute the TeslaCrypt ransomware.



In this post we describe a new Trojan, Win32/Bayrob, which has been used for mass infection of users in several countries since mid-December of last year. A notable feature of one modification of this Trojan is that a server hosted by Amazon served as its command-and-control (C&C) server.
Like other malicious campaigns, Win32/Bayrob is spread through phishing emails that carry the malware as an attachment. In some cases the messages were disguised as mailings from Amazon, a disguise that falls apart on a careful look at the sender's email address.


Fig. A phishing email with a malicious attachment used to distribute Bayrob.

The Bayrob dropper is an executable packed in a zip archive; once launched, it begins its malicious activity. The Trojan displays a fake error message stating that the downloaded file cannot be run on this system, so the user is left with the impression that the program did not start, although it is already running.


Fig. Fake error message shown to mislead the user.

The Trojan registers itself as a Windows service, which gives it persistence across reboots. From then on the attackers use it as a backdoor, among other things to collect the following information about the computer and send it to a remote server.
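The persistence step described above leaves a trace that defenders can hunt for: Windows writes Event ID 7045 ("A service was installed in the system") to the System log whenever a new service is registered. The following is an added example, not code from the original post, that parses such records and flags installations whose binary runs from a user-writable or temporary directory. The two event bodies are constructed for this example; the service names and paths in them are hypothetical and are not Bayrob indicators.

```python
"""Added example (not from the original post): flag suspicious Windows service
installations from exported System event log records (Event ID 7045).

The records below are constructed for this example; the service names and
paths are hypothetical, not Bayrob indicators.
"""
import re
from dataclasses import dataclass, field

# Directories a legitimate service binary almost never runs from (lower-cased,
# backslash-delimited fragments matched against the image path).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
    "\\programdata\\",
)
# Where service binaries normally live on a default installation.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

FIELD_RE = re.compile(
    r"^\s*(Service Name|Service File Name|Service Start Type|Service Account):\s*(.*?)\s*$"
)


@dataclass
class ServiceInstall:
    name: str
    image_path: str
    start_type: str
    account: str
    reasons: list = field(default_factory=list)


def parse_7045(record: str) -> ServiceInstall:
    """Parse the message body of one 7045 event as Event Viewer displays it."""
    fields = {}
    for line in record.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return ServiceInstall(
        name=fields.get("Service Name", ""),
        image_path=fields.get("Service File Name", ""),
        start_type=fields.get("Service Start Type", ""),
        account=fields.get("Service Account", ""),
    )


def assess(svc: ServiceInstall) -> ServiceInstall:
    """Attach the reasons the installation looks like malware persistence."""
    # Keep only the executable path: drop surrounding quotes and any arguments.
    m = re.match(r'\s*"?([^"]+?\.exe)', svc.image_path, re.IGNORECASE)
    exe = (m.group(1) if m else svc.image_path).strip().lower()
    if any(d in exe for d in SUSPICIOUS_DIRS):
        svc.reasons.append("binary in a user-writable or temp directory")
    elif not exe.startswith(TRUSTED_PREFIXES):
        svc.reasons.append("binary outside the standard system and program directories")
    if svc.reasons and svc.start_type.lower() == "auto start" and svc.account.lower() == "localsystem":
        svc.reasons.append("auto-start as LocalSystem: survives reboot with full privileges")
    return svc


def suspicious_services(records) -> list:
    """Names of the services, from the given 7045 bodies, that look like persistence."""
    return [s.name for s in (assess(parse_7045(r)) for r in records) if s.reasons]


# Constructed 7045 message bodies (not real telemetry).
SAMPLE_RECORDS = [
    """A service was installed in the system.

Service Name:  Windows Update Helper
Service File Name:  C:\\Users\\bob\\AppData\\Local\\Temp\\updhlp.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    """A service was installed in the system.

Service Name:  Vendor Agent
Service File Name:  "C:\\Program Files\\Vendor\\agent.exe" --service
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        s = assess(parse_7045(r))
        print(f"{s.name!r}: {'; '.join(s.reasons) or 'ok'}")
```

The path heuristic is a triage filter, not proof of infection: a dropper can also copy itself under `C:\Windows`, so the flagged list should be reviewed together with the binary's signature and hash rather than treated as a verdict.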


The information above is of course not the attackers' main goal: they are after confidential user data such as credit card details and online banking credentials. The bot communicates with its operators over HTTP to the C&C server and can perform the following tasks.


Another interesting feature of the Trojan is its domain generation algorithm (DGA), which lets it derive the addresses of currently active C&C servers. In addition, the bot carries one fixed server address in its body. Below are three domains that Bayrob uses.
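To make the DGA idea concrete, here is an added example that is not code from the original post and is not Bayrob's actual algorithm (the post does not describe it): a hypothetical date-seeded generator of the kind that lets the bot and its operator independently derive the same candidate domains, placed beside a simple lexical check that separates generated names from dictionary-like ones. The seed, the date and the generated names are constructed; the one real name used is simplemodern.net, the fixed domain the post discusses below. The check is a triage heuristic (vowel ratio, consonant runs, common English bigrams), not a classifier trained on real DGA traffic, and the point it makes is that a hard-coded fallback domain looks perfectly ordinary to such a check, so detection must cover the fixed address as well.

```python
"""Added example, not code from the original post and not Bayrob's real
algorithm: a hypothetical date-seeded DGA beside a lexical check that flags
random-looking labels.
"""
import hashlib

TLDS = ("net", "com", "org")
VOWELS = set("aeiou")
# Fifty of the most frequent English letter bigrams; a random label hits few of them.
COMMON_BIGRAMS = set(
    "th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng se "
    "ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur".split()
)


def toy_dga(seed: bytes, day: str, count: int) -> list:
    """Hypothetical DGA: hash a shared secret seed, the date (YYYY-MM-DD) and an
    index, and turn the digest into a 12-letter label plus a TLD. Bot and
    operator both run this, so the operator need only register one of the
    day's names ahead of time. Bayrob's own scheme is not described in the post."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def dga_features(domain: str) -> dict:
    """Lexical features of the second-level label that random strings tend to fail."""
    label = domain.lower().split(".")[0]
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return {"odd_vowel_ratio": True, "long_consonant_run": False, "few_common_bigrams": True}
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    bigrams = [a + b for a, b in zip(letters, letters[1:])]
    hit_ratio = sum(bg in COMMON_BIGRAMS for bg in bigrams) / max(len(bigrams), 1)
    return {
        "odd_vowel_ratio": not 0.25 <= vowel_ratio <= 0.6,  # English words sit near 40% vowels
        "long_consonant_run": longest >= 4,                  # rare outside random strings
        "few_common_bigrams": hit_ratio < 0.2,
    }


def looks_generated(domain: str) -> bool:
    """Flag a domain when at least two of the three features trip."""
    return sum(dga_features(domain).values()) >= 2


if __name__ == "__main__":
    # Constructed inputs: a hypothetical seed and date, plus the fixed domain the post names.
    candidates = toy_dga(b"hypothetical-seed", "2016-01-15", 5) + ["simplemodern.net", "amazon.com"]
    for d in candidates:
        print(f"{d:24s} generated={looks_generated(d)}")
```

Running it prints the five generated names flagged as generated and the two dictionary-like names as clean. The second half of the result is the caveat for detection engineering: the fixed address the bot carries cannot be caught by lexical DGA heuristics and has to come from the sample itself, which is why the whois data in the next section matters.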



Using the whois data below, we found that the domain “simplemodern.net” is registered to Amazon Japan. This suggests that the attackers rented a server in the Amazon Web Services infrastructure and used it to send commands to the bot.



This does not mean that any Amazon server was compromised; rather, the attackers used Amazon Japan's existing web services infrastructure. Using a legitimate hosting provider for a malicious web server does give law enforcement an avenue: they can ask Amazon to deactivate the server and, possibly, to provide information about its tenant.

As with some other recent threats we analyzed before Bayrob, its distribution depends heavily on region and country. In this case the attackers concentrated on Europe, South Africa, Australia and New Zealand. Germany and Spain were hit hardest: statistics from the Virus Radar portal show that its prevalence rate in these two countries exceeded 15%. The data cover the period from mid-December 2015 to mid-January 2016.



Fig. The most active malware in Germany for the specified period.


Fig. The most active malware in Spain for the specified period.

As the graph below shows, earlier versions of the Win32/Bayrob Trojan were never as widely distributed as the version used in the attacks since mid-December.


Fig. Bayrob activity dynamics.

As the map above shows, the malware's prevalence is much lower in North and South America, in Asia, and in most of Africa. This distribution is somewhat surprising, since we have seen Bayrob phishing messages in several languages; it may be that the attackers deliberately aim the Trojan at specific countries at different times.

Conclusion

Malicious campaigns of this type, in which cybercriminals infect a large number of users in waves at fixed intervals, are becoming more common. This may mean that the attackers have shifted their focus from infecting as many users worldwide as possible to targeted attacks on users of particular countries.

This method of distributing malware is well known, and antivirus companies should do more to warn users about the danger of opening attachments in phishing emails.

Source: https://habr.com/ru/post/276501/
