
ESET participated in the elimination of the Gamarue botnet

A large-scale operation to take down the Gamarue (Andromeda) botnet network, which had been operating for several years, has been completed. The operation, involving ESET, Microsoft and law enforcement agencies, lasted more than a year.



Introduction


Gamarue (Win32/TrojanDownloader.Wauchos in the ESET classification) has been known since the end of 2011 and has been sold on the dark web under the name Andromeda bot. The bot was in demand, which is why 464 independent botnets existed at the time of the takedown. In the past, Wauchos topped the list of threats blocked by ESET products.

As part of the operation, ESET provided technical expertise: we tracked the botnets of the Wauchos network, identified their C&C servers for subsequent neutralization, and tracked the other malicious programs that were installed on infected systems. Together with Microsoft, we provided law enforcement with the following information:

- 1214 domains and IP addresses of the botnet's C&C servers
- 464 individual botnets
- 80 associated malware families

In Figure 1, you can see the Wauchos distribution map based on our telemetry. Obviously, Wauchos is a global problem, and the operation to eliminate it was worth the effort. The data shown is from last year, at the peak of Wauchos activity.


Figure 1. Distribution of Wauchos (December 2016)

If you suspect that your Windows computer has been compromised and you are not an ESET user, download and use the free ESET Online Scanner tool. It detects and removes threats, including Wauchos, from the system.

What is Wauchos?


This widespread malware has existed since 2011. We have previously written about it in the blog (see "Sources"). In this section we cover the basics of Wauchos, what it is and how it is distributed, and then describe the technical details of the malicious program.

Wauchos is used primarily to steal credentials, as well as to download and execute other malicious programs on the system. Thus, if the system is compromised by Wauchos, another malware is likely installed in it.

Wauchos has a modular architecture. Its functionality can be extended by adding the appropriate modules. Known modules include a keylogger, a formgrabber (spyware that intercepts logins and passwords entered into forms), a rootkit, a SOCKS proxy and a TeamViewer bot.

There are five major versions of Wauchos according to its own versioning scheme: 2.06, 2.07, 2.08, 2.09 and 2.10. In the first three, the build number is included in the first POST request sent by the bot to the C&C server, so identifying the version is quite simple. In later versions of Wauchos, the bv parameter was removed from the POST request. Nevertheless, it is relatively easy to determine the version of the bot by looking at the string of identifiers sent to the server (see source 3):


(* Note the switch to JSON)

A typical POST request is shown in Figure 2. The string of identifiers is encrypted using the RC4 algorithm and then encoded with base64.


Figure 2. Typical POST request

Since the builder for version 2.06 was made publicly available several years ago, we saw quite a few versions of this botnet in the telemetry data. However, to our knowledge, the most common is the latest version, 2.10.

The global nature of the threat is also evident in the diversity of C&C servers that Wauchos operators use. Throughout the study, we discovered new C&C servers every month. Figure 3 shows the top-level domains used by C&C servers; Figure 4 shows the geographic distribution of the IP addresses of these servers at the time our crawler connected to them in November and December 2016.


Figure 3. Top-level domains of C&C servers in November and December 2016


Figure 4. Geography of IP addresses of C&C servers in November and December 2016

Interestingly, a number of the samples we studied check the keyboard layout and abort the infection if the system uses Russian, Belarusian, Ukrainian or Kazakh.

Infection vector


Because Wauchos is bought and distributed by different operators, different infection vectors are used. Historically, Wauchos samples were distributed via social networks, instant messengers, removable media, spam and exploit kits. Figure 5 shows a typical email with a Wauchos sample in the attachment.


Figure 5. Typical spam with Wauchos in the attachment

Pay-per-install distribution

As stated earlier, Wauchos is primarily used to distribute other malware. Using our automated systems, we collected statistics on the malware downloaded by the Wauchos bots we were tracking. Figure 6 shows the various modules that were downloaded by our crawler when it first connected to the C&C servers.


Figure 6. Download Statistics - December 2016

The first download is usually the loader module, which we describe in the next section. After that, other malicious programs are installed; in December 2016 these were mainly spam bots, in particular Win32/Kasidet, Win32/Kelihos and Win32/Lethic. Of course, with a pay-per-install scheme the statistics change over time. Wauchos also downloaded other malware, but according to our telemetry the programs above were the most common.

Technical analysis


In this section we present some technical details that have not been publicly discussed before but which provide context for the botnet takedown. In particular, we describe two modules that give the botmaster a secondary communication channel, increasing the resilience of the botnet to takedown operations.

Versions of Wauchos

First of all, to help colleagues interested in this malware family, we briefly describe the major versions and their capabilities using the ESET classification.

Win32/Wauchos.B is the most common detection name for version 2.06 of the Wauchos component. Version 2.10 is usually detected as Win32/Wauchos.AW. In addition, the Win32/Wauchos family includes other modules, packed variants of the listed versions, and other Wauchos builds, including 2.07, 2.08 and 2.09; according to our telemetry they are less common and therefore less relevant to this discussion.

In the latest version of Wauchos (2.10), the bot supports the following commands:


Modules

Wauchos is an extensible bot that allows the operator to create and use custom modules. However, there are several widely available modules that are found in different botnets. In this section, we look at the modules that we managed to load using our tracking mechanism.



When a bot loads a module, it must first decrypt its header with the RC4 key. The header contains a unique key needed to decrypt the payload. After decryption, the last operation is unpacking the module using aPLib. Next, the malware uses a custom loader to load a binary blob into memory. Binary blobs can be loaded directly into memory and executed.

The number of different RC4 keys collected by our tracking systems across the various botnets turned out to be small, about 40. This makes it easy to decrypt any downloaded component, even one that is not tied to a sample under analysis.

As for C&C communications, all the samples we analyzed used Google's DNS infrastructure directly to resolve C&C domains. Version 2.06 tries to resolve the IP address of the C&C server using UDP sockets to 8.8.4.4:53. If this fails, it falls back first to the DnsQueryA() API and then to the gethostbyname() API. Version 2.10 hooks GetAddrInfoW() and resolves all calls to it by sending UDP packets to 8.8.4.4:53; if this fails, it falls back to the original GetAddrInfoW() API.
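The resolver-bypass behaviour above is something a defender can look for on the wire: a process other than the system DNS client talking UDP/53 straight to Google's public resolvers. The following detection, an added example that is not part of the original article, runs over constructed connection-log lines; the log format, the 8.8.8.8 address and treating svchost.exe as the only legitimate resolver process are assumptions.

```python
# Added example (not from the ESET article): flag processes that send DNS
# queries directly to Google's public resolvers over UDP/53, the behaviour
# described for Wauchos 2.06 and 2.10, using constructed connection-log lines.
# Assumed log format: "<time> <image> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
import re
from typing import Dict, List

LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<image>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$",
    re.IGNORECASE,
)

# 8.8.4.4 is named in the analysis; 8.8.8.8 is added as an assumption.
GOOGLE_DNS = {"8.8.4.4", "8.8.8.8"}
# Assumption: on a Windows host only the DNS Client service (inside svchost.exe)
# should speak DNS; every other image doing so is worth a look.
RESOLVER_IMAGES = {r"c:\windows\system32\svchost.exe"}

def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()

def find_direct_dns(lines: List[str]) -> List[Dict[str, str]]:
    """Return records where a non-resolver process sends UDP/53 to Google DNS."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["proto"].lower() != "udp" or rec["dport"] != "53":
            continue
        if rec["dst"] not in GOOGLE_DNS:
            continue
        if rec["image"].lower() in RESOLVER_IMAGES:
            continue
        hits.append(rec)
    return hits

# Constructed sample: a normal resolver lookup, a direct lookup from an
# unexpected image, and unrelated HTTPS traffic.
SAMPLE_LOG = [
    r"2016-12-01T10:00:01Z C:\Windows\System32\svchost.exe udp 10.0.0.5:51000 -> 8.8.4.4:53",
    r"2016-12-01T10:00:02Z C:\Users\user\AppData\Local\Temp\update.exe udp 10.0.0.5:51001 -> 8.8.4.4:53",
    r"2016-12-01T10:00:03Z C:\Progs\browser.exe tcp 10.0.0.5:51002 -> 93.184.216.34:443",
]

if __name__ == "__main__":
    for h in find_direct_dns(SAMPLE_LOG):
        print(f"ALERT direct DNS to {h['dst']} from {h['image']} at {h['time']}")
```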

New persistence mechanisms

In this section we discuss two modules that appeared this year. We believe they are designed to withstand takedowns such as the current operation, and to that end provide a secondary communication channel for the botmaster. This behavior was described in the article under link 4 in the "Sources" section.

The first module is a USB spreader (a component for spreading malware to removable drives). The second performs a fileless attack using a loader that is stored in the registry and launched by a PowerShell script at startup.

USB spreader - Win32/Bundpil.CS

The module hooks DNS API functions, attempts to spread via removable media and uses a DGA (Domain Generation Algorithm) to download additional payloads.

One process scans for connected removable media and, upon finding a suitable device, installs a copy of the malware on it.

The second function of the module is to hook the DNS API and redirect certain hard-coded domains to another one. For example, one studied sample redirected all requests for these old Wauchos domains:

- designfuture.ru
- disorderstatus.ru
- atomictrivia.ru
- differentia.ru

to gvaq70s7he.ru.

The module also has a DGA component that tries to connect to automatically generated domains to download additional data onto the compromised system. Pseudocode for the DGA can be found on our GitHub page. The URLs it tries to reach follow these patterns:

- <dga_domain>.ru/mod
- ww1.<dga_domain>.ru/1
- ww2.<dga_domain>.ru/2

We were able to download a binary blob through the DGA scheme. What we got was an encrypted blob that started with "MZ". The module strips these two bytes and saves the blob in the Windows registry.

The main Wauchos bot decrypts the RC4-encrypted payload, unpacks it with aPLib and loads it like a normal module. Note that the same RC4 keys are used for this process as for encrypting modules. The binary obtained this way is an updated version of the USB spreader. We assume that through DNS hooking the botmaster can regain control of the bots by downloading the latest version of the module from a domain under their control, and then redirecting the hard-coded domains used by the main Wauchos bot.

Loader

The second module is a small downloader that uses a DGA to access the following URLs, depending on the version:

- <dga_domain>.ru/ld.so
- <dga_domain>.ru/last.so
- <dga_domain>.ru/nonc.so

The module is used to download a binary blob that it stores in the registry. The blobs can be decrypted using the RC4 key contained in the main Wauchos payload.

One of the malware variants downloaded by this module is another downloader, detected as TrojanDownloader.Small.AHI. This program is of interest because its only task is to download an updated version of the loader module and save it in the registry in encrypted form, but with one twist.

It also adds a startup key with a PowerShell script that, after each boot, decrypts the encrypted binary from the registry key and executes it. At present the binary is merely being updated. However, its DGA can be used as a secondary communication channel to install a new payload and regain control over the bots if someone tries to take over the botnet. The process is shown in Figure 7.


Figure 7. Loader module operation diagram
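The persistence described above leaves a visible trace in the Run keys: an autorun value that launches PowerShell to read a blob from the registry, decode it and execute it in memory. The following audit heuristic, an added example that is not part of the original article, scores constructed Run-key values against that pattern; the indicator list, the threshold and the placeholder key and value names in the sample are assumptions.

```python
# Added example (not from the ESET article): score Run-key values for the
# pattern described for the Wauchos loader, a PowerShell autorun that reads an
# encrypted blob from the registry, decodes it and runs it in memory. Input is a
# constructed {value_name: command_line} dict such as an export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run would give.
import re
from typing import Dict, List, Tuple

# Each indicator: (description, regex). Patterns and threshold are assumptions.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("launches PowerShell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("hidden window / no profile", re.compile(r"-(w(indowstyle)?\s+hidden|nop(rofile)?)\b", re.I)),
    ("encoded command", re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("reads registry value", re.compile(r"\b(Get-ItemProperty|gp)\b.*\bHK(CU|LM):", re.I)),
    ("base64 decode", re.compile(r"FromBase64String", re.I)),
    ("in-memory execution", re.compile(r"\b(iex|Invoke-Expression|Reflection\.Assembly)\b", re.I)),
]
ALERT_THRESHOLD = 3  # assumption: three or more indicators on one value is suspect

def score_value(cmdline: str) -> List[str]:
    """Return the descriptions of all indicators matched by one Run-key value."""
    return [desc for desc, rx in INDICATORS if rx.search(cmdline)]

def audit_run_keys(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {value_name: matched indicators} for values at or above threshold."""
    findings = {}
    for name, cmd in values.items():
        hits = score_value(cmd)
        if len(hits) >= ALERT_THRESHOLD:
            findings[name] = hits
    return findings

# Constructed sample Run-key values; the registry key and value names in the
# suspicious entry are placeholders, not real indicators from the article.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'powershell.exe -NoP -W Hidden -c "iex ([Text.Encoding]::Unicode.GetString('
               r'[Convert]::FromBase64String((gp HKCU:\Software\<PLACEHOLDER_KEY>).<PLACEHOLDER_VALUE>)))"',
}

if __name__ == "__main__":
    for name, hits in audit_run_keys(SAMPLE_RUN).items():
        print(f"SUSPECT Run value {name!r}: {', '.join(hits)}")
```

The heuristic deliberately scores on combinations, since a lone PowerShell autorun or a lone registry read is common in legitimate software.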

It is interesting to note that we observed Necurs.B being downloaded through the DGA and this module. However, in most downloads, Win32/TrojanDownloader.Small.AHI was installed on the system. In fact, this program was detected many times according to our cloud statistics. The module's activity peaked, as seen by our crawler, in August 2016, after which it dropped to zero. It is not known whether we were blacklisted or the malware operators simply tested the feature for a short period.

Conclusion


Wauchos (Gamarue/Andromeda) is an old botnet that has been continually updated over several years. ESET specialists have been monitoring its infrastructure, along with other threats, for years. Monitoring is important for tracking any changes in the malware's behavior, as well as for the eventual takedown.

Wauchos uses old methods to compromise new systems. Users should take care when opening files on removable media, as well as files received via email, social networks or instant messengers. If you think your system is infected with Wauchos, use the free tool to scan for and remove the malware.

Information about the botnet was collected using the ESET Threat Intelligence telemetry service. ESET products detect thousands of variants of Wauchos modules and other malware families distributed by the botnet.

We thank Juraj Jánošík, Viktor Lucza, Filip Mazán, Zoltán Rusnák and Richard Vida for their help with this research.

Hashes




Sources


1. blog.fortinet.com/2014/04/16/a-good-look-at-the-Andromeda-botnet
2. blog.avast.com/Andromeda-under-the-microscope
3. eternal-todo.com/blog/Andromeda-gamarue-loves-json
4. blog.trendmicro.com/trendlabs-security-intelligence/usb-malware-implicated-fileless-attacks

Source: https://habr.com/ru/post/344262/

