
Big box LatAm hack (1st part - Betabot)

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted January 16, 01:42  GMT
Tags: Botnets, Spammer techniques, Malware Technologies, Passwords

Introduction
Last week a good friend (@Dkavalanche) mentioned on his Twitter account his findings about a Betabot sample that was spammed via fake emails sent in the name of the Carabineros of Chile. It piqued my attention, so I dug a little and this is what I found:
The original .biz domain used in the malicious campaign was bought by someone allegedly from Panama. It is a purely malicious domain used exclusively for cybercriminal activity; however, the server itself is hosted in Russia! The same server holds several folders and files, which we will discuss a little later. First, let's look at the initial malicious binary spoofed via email, and then at the rest. I will focus only on the most interesting details.

Denuncia_penal.exe
This is the name of the original binary; in English it translates as "Criminal complaint".
The file is compiled with fake version information and claims to be a legitimate tool built by NoVirusThanks, called NPE File Analyzer.

So, what is interesting about this malware? It is spyware that interacts with its C2 using IRC-style commands such as "JOIN", "PRIVMSG" and others. It steals data from the clipboard, logs keystrokes and also takes screenshots. Additionally, it steals cookies from the browsers and sends them, in SQLite format, to a remote database.

It also has backdoor functionality and actively fights locally installed AV by manipulating the \Image File Execution Options registry key, denying execution to 15 different AV solutions. This technique is very harmful because even if the malware is removed but the "debugger" entries are not cleaned up, the victim will not be able to successfully install an AV solution: Windows keeps redirecting any executable with one of those file names to the registered debugger, which simply blocks it.
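The hijack described above leaves a persistent artifact: a `Debugger` value under the Image File Execution Options key for each blocked file name. The following is an added example, not code from the original post or from Kaspersky, showing how a responder can audit an exported registry file (`.reg`) for such entries offline. The sample export, the image names (`exampleav.exe`, `otherav_setup.exe`) and the allowlist of legitimate debugger names are all constructed for this example; the post names none of the 15 AV products.

```python
import re
from typing import Dict, List

# Constructed sample of a "reg export" of the IFEO key. Every entry here is
# invented for the example; the post does not list the real AV file names.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exampleav.exe]
"Debugger"="C:\\Windows\\System32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\otherav_setup.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\vsjitdebugger.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"UseFilter"=dword:00000001
'''

# Assumed allowlist: debugger binaries an administrator might legitimately
# register under IFEO. Anything else is reported as suspicious.
LEGITIMATE_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "devenv.exe"}

# Matches an IFEO subkey (optionally under WOW6432Node) and captures the image name.
IFEO_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\'
    r'CurrentVersion\\Image File Execution Options\\([^\]\\]+)\]$',
    re.IGNORECASE,
)
DEBUGGER_VALUE_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def unescape_reg_string(raw: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ (order matters)."""
    return raw.replace('\\"', '"').replace('\\\\', '\\')


def debugger_basename(command: str) -> str:
    """Return the lowercase file name of the executable in a Debugger command line."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]      # quoted path may contain spaces
    else:
        exe = command.split(' ', 1)[0]
    return exe.rsplit('\\', 1)[-1].lower()


def find_ifeo_debuggers(reg_text: str) -> List[Dict[str, object]]:
    """Walk a .reg export and collect every IFEO subkey that sets a Debugger value."""
    entries: List[Dict[str, object]] = []
    current_image = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = IFEO_KEY_RE.match(line)
            current_image = m.group(1) if m else None  # leave IFEO -> stop tracking
            continue
        m = DEBUGGER_VALUE_RE.match(line)
        if m and current_image is not None:
            debugger = unescape_reg_string(m.group(1))
            base = debugger_basename(debugger)
            entries.append({
                "image": current_image,
                "debugger": debugger,
                "debugger_basename": base,
                "suspicious": base not in LEGITIMATE_DEBUGGERS,
            })
    return entries


def suspicious_images(reg_text: str) -> List[str]:
    """Image names whose launch is hijacked by a debugger outside the allowlist."""
    return [e["image"] for e in find_ifeo_debuggers(reg_text) if e["suspicious"]]


if __name__ == "__main__":
    for entry in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f'{flag:10} {entry["image"]:20} -> {entry["debugger"]}')
```

On a live host the export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; remediation is deleting the `Debugger` value (not the whole subkey, which may carry other legitimate settings) for each flagged image before reinstalling the AV product.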

The malware tries to detect whether it is being executed in a sandbox by looking for the SBIEDLL.DLL library, which belongs to the Sandboxie software, and it also tries to detect a virtual environment by looking for resources such as HGFS and VBoxGuest.
While the sample is running, its memory contains a string identifying it as Betabot.

In September 2013, the FBI posted a Public Service Announcement about this threat. The difference now is that this botnet is no longer used only by Russian-speaking criminals, but by cybercriminals from LatAm as well.

Victims
Who exactly are the victims of this particular campaign? I was able to recover the database of the email addresses used for the spam run. If we analyze only the top-level domains and look at the geo-specific ones, Chile and the Dominican Republic are the main targets:

The complete list is quite long. Looking only at geo-specific domains, the top 10 countries with the most victims are:
1. Chile
2. Dominican Republic
3. Spain
4. Argentina
5. Mexico
6. Ecuador
7. Germany
8. France
9. Colombia
10. Italy

It is also important to note that the list of victims contains thousands of email addresses in .edu and .gov domains. In the next post we will discuss the victims and the operation behind the attack in more detail.

Kaspersky detects this sample as Trojan.Win32.Neurevt.zp.

You may follow me on Twitter: @dimitriest


4 comments


Pen24

2014 Feb 06, 00:54
0

Geolocations

The .biz domain: I'm curious whether you checked the WHOIS, since the service provider used to conceal WHOIS information is located in Panama and will show up in the WHOIS.

Dmitry Bestuzhev

2014 Feb 06, 06:04
0

Re: Geolocations

The location was determined by its IP address and not the domain name. The server was physically located in Panama; right now it's taken down.

frankielad

2014 Feb 06, 06:33
-1

Re: Geolocations

I have the answer for all of you: there is a company by the name of Strike Force Technologies. They have the software to eliminate any keylogger attacks; this works for internet, iPhone, iPad. This is 100% bulletproof protection from anyone stealing your identity. They have given www.cyberwealth7.com/frankielad the sole rights to sell this software.

Dmitry Bestuzhev

2014 Feb 06, 16:30
0

Re: Re: Geolocations

The site is trying to covertly get access to the canvas image to see what the visitor's environment is... not good.