Tags: corebot, Darknet, encrypt
We’ve recently discussed Corebot malware and its possible ties to btcshop[.]cc, a site selling stolen data.
Today, we have discovered more pieces of the puzzle: two more Corebot samples and an online crypt service.
We’ve been monitoring the btcshop[.]cc infrastructure and its IP address in Poland – 46.29.18[.]240.
| IP address | Domain | First seen | Last seen | Email registrant |
| --- | --- | --- | --- | --- |
The last 4 domains caught our attention and will shed light on the criminal activities.
Online crypter service
A crypter is software used by cybercriminals to encrypt their malware so that it evades detection. Depending on the product, it can also add features to the malware such as sandbox and virtual-machine checks, autorun creation and more. In the case we're observing, the actors created an online shop that brings together customers who want their malware crypted with people who can make it happen. It's yet another example of Cybercrime-as-a-Service.
The domain names associated to this service are:
The cybercriminals have also created a Darknet version to ensure they can still operate if the web version is taken down:
Image 1. cFUD crypto service login page
Clients with an account can create a task and upload their malware where it will be encrypted for them. Crypters wait for an incoming task, accept the job and return their work. We looked into the service, saw a pending task and downloaded the file. It turned out to be a Corebot sample.
This sample generated 50 domains using its DGA (Appendix A). It appears similar to the one we discussed in our previous blog post on Corebot.
Corebot delivery mechanism
At first we thought the domain vincenzo-bardelli[.]com was a possible Corebot CnC because of its resemblance to a known Corebot CnC, vincenzo-sorelli[.]com.
When you visit vincenzo-bardelli[.]com with Firefox, you are redirected to vincenzo-bardelli[.]com/ffxpi/index.php and asked to install a Firefox extension, supposedly a plugin needed to load the webcam. We downloaded the extension, called ff.xpi (2d2ff08dfeec68115e8fd8968abc6072).
Image 2. Accessing vincenzo-bardelli[.]com using Firefox
We decompressed the file ff.xpi and found that it includes a binary called poc.exe.
The file 3d6a32b20c66f268b03ec6e8521d6bf3 is another Corebot sample. It beacons to arijoputane[.]com/ldr/client.php?family=bank.
Image 3. Index.php source code page on Firefox
When visiting this domain with Chrome, the behavior is different. We were not redirected to /ffxpi/index.php this time but to /javadriveby/index.php. That page checks the Java version running on the machine and, depending on the version it finds, either redirects you to google.com or downloads the file 126.96.36.199/456/activex.exe.
Image 4. Index.php source code page on Chrome
Image 5. Index.php source code page on Chrome
Internet Explorer 11
On IE you are redirected to vincenzo-bardelli[.]com/activex/index.php, which asks you to install a plugin in order to view the page. The file activex.exe is hosted at vincenzo-bardelli[.]com/activex/activex.exe.
Image 6. Index.php source code page on Internet Explorer
The file activex.exe is a copy of 3d6a32b20c66f268b03ec6e8521d6bf3.
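The three browser-specific landing pages, the two payload files and the post-infection beacon described above make a compact set of indicators for a web-proxy log sweep. The following Python script is an added example, not code from the Damballa write-up: the hosts, paths and MD5s come from the text, while the log format, the client IPs and the sample log lines are constructed for this example (the path of ff.xpi on the server is not stated in the write-up, so the script matches payloads by file name).

```python
"""Sweep a proxy log for the vincenzo-bardelli[.]com drive-by chain (added example).

Indicators (hosts, paths, hashes) are taken from the write-up. The log format,
the client addresses and SAMPLE_LOG below are constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Browser-specific landing pages described in the write-up.
LANDING_PATHS = {
    "/ffxpi/index.php": "Firefox",
    "/javadriveby/index.php": "Chrome",
    "/activex/index.php": "Internet Explorer",
}

# Payload file names and the MD5s the write-up associates with them.
# A file name alone is a weak indicator; the hash is what confirms a sample.
PAYLOAD_HASHES = {
    "ff.xpi": "2d2ff08dfeec68115e8fd8968abc6072",
    "activex.exe": "3d6a32b20c66f268b03ec6e8521d6bf3",
}

DELIVERY_HOST = "vincenzo-bardelli.com"
BEACON_HOST = "arijoputane.com"
BEACON_PATH = "/ldr/client.php"  # beacon carries family=bank in the query string

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one full Firefox chain, one Chrome visitor that was
# sent on to google.com, one IE visitor that fetched activex.exe, one unrelated hit.
SAMPLE_LOG = """\
2015-09-21T10:02:11Z 10.0.0.5 GET http://vincenzo-bardelli.com/ 200
2015-09-21T10:02:12Z 10.0.0.5 GET http://vincenzo-bardelli.com/ffxpi/index.php 200
2015-09-21T10:02:20Z 10.0.0.5 GET http://vincenzo-bardelli.com/ffxpi/ff.xpi 200
2015-09-21T10:03:05Z 10.0.0.5 GET http://arijoputane.com/ldr/client.php?family=bank 200
2015-09-21T10:10:40Z 10.0.0.9 GET http://vincenzo-bardelli.com/javadriveby/index.php 200
2015-09-21T10:10:41Z 10.0.0.9 GET http://www.google.com/ 200
2015-09-21T10:15:00Z 10.0.0.7 GET http://vincenzo-bardelli.com/activex/index.php 200
2015-09-21T10:15:03Z 10.0.0.7 GET http://vincenzo-bardelli.com/activex/activex.exe 200
2015-09-21T10:20:00Z 10.0.0.8 GET http://example.org/index.php 200
"""


def classify(url):
    """Return (stage, detail) for a URL that belongs to the chain, else None."""
    parts = urlsplit(url)
    host, path, query = (parts.hostname or "").lower(), parts.path, parts.query
    if host == DELIVERY_HOST and path in LANDING_PATHS:
        return ("landing", LANDING_PATHS[path])
    name = path.rsplit("/", 1)[-1]
    if name in PAYLOAD_HASHES:  # payload may also be served from another host
        return ("payload", name)
    if host == BEACON_HOST and path == BEACON_PATH and "family=bank" in query:
        return ("beacon", "Corebot C2 check-in")
    return None


def scan_proxy_log(lines):
    """Parse log lines and return one finding per request that matches the chain."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        hit = classify(m["url"])
        if hit:
            findings.append({"ts": m["ts"], "client": m["client"],
                             "stage": hit[0], "detail": hit[1], "url": m["url"]})
    return findings


def stage_counts(findings):
    """How many requests were seen per stage (landing / payload / beacon)."""
    return Counter(f["stage"] for f in findings)


def full_chain_clients(findings):
    """Clients that hit a landing page, fetched a payload and then beaconed."""
    stages = {}
    for f in findings:
        stages.setdefault(f["client"], set()).add(f["stage"])
    return sorted(c for c, s in stages.items() if {"landing", "payload", "beacon"} <= s)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ts"], f["client"], f["stage"], f["detail"], f["url"])
    print("per stage:", dict(stage_counts(found)))
    print("likely infected:", full_chain_clients(found))
```

A client that only reached a landing page (the Chrome visitor in the sample, who was bounced to google.com) is worth a look but not proof of infection; a client that shows all three stages is the one to isolate first, and the MD5s in PAYLOAD_HASHES are what to compare against any file recovered from that host.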
Stats from drive-by infection
For each browser, an additional piece of code was added at the bottom of the webpage to keep track of who visited the malicious page and to collect statistics.
Image 7. Index.php source code for statistics
Image 8. Maltego graph showing links between domains, IPs and email addresses
Is it coincidental that all of the following are on the same IP?
- A domain delivering Corebot via drive-by download
- An online shop selling PII and SOCKS proxies
- An online crypter service where a Corebot sample was found
It is difficult to know exactly how all of this is interconnected, but it is clear that the criminals providing the infrastructure, running the online shop btcshop[.]cc and running the crypter service either know each other or are the same group.
As part of our mission to protect online users and with the help of our friends from CERT Poland, we were able to have the online shop btcshop[.]cc suspended.
Damballa detects this threat as ThreePaperConvicts.
Domain generated with 3d6a32b20c66f268b03ec6e8521d6bf3 on Sept 21st 2015
— Loucif Kharouni
Senior Threat Researcher, Damballa