Tags: advanced malware, asprox, C&C, dropper, infection chain, rerdom
We’ve talked often about the ineffectiveness of prevention controls when it comes to stopping advanced malware attacks. Criminals continually hone their tradecraft to evade prevention and find new ways to monetize their malware. Their tangled web is nearly impossible to see unless you are properly instrumented for advanced detection.
A case in point is detailed in our new report, “Behind the Rerdom Malware Lifecycle and Infection Chain.” We detail the complex nature of how different malware families serve as partners in crime to evade prevention and monetize malware. In this report, we detail the connection between Asprox, Zemot, Rovnix and Rerdom. The use of multi-stage “downloaders” and “droppers” obfuscates the original malware and starts a chain reaction of infections.
Phased Delivery of Malware
If you’ve seen email spam asking you to click on links to track imaginary shipments, you’ve probably seen Asprox malware at work. Once downloaded, Asprox-infected devices get updates from Asprox command-and-control (C&C) servers.
These Asprox-controlled servers also pass Zemot payloads with statically programmed Zemot domains. The Zemot domains serve the Rovnix bootkit and then Rerdom (usually in that order).
As the diagram depicts, this infection chain occurs in four phases. Preventative controls, like anti-virus or network-based dynamic analysis, would only have a chance to catch the infection at the start of the life cycle (between Phase One and Phase Two). But as we’ve seen in various detection evasion demos, bypassing these types of controls is easy for today’s threats. In Phases Two and Three, communications to C&C servers and the subsequently downloaded binaries are usually encrypted, making it virtually impossible for any prevention tool, including sandboxing, to examine them.
We’ve also seen the Rovnix malware downloaded in Phase Two sometimes use domain generation algorithms (DGAs) for its C&C communications. DGAs were created to evade blacklisting.
By the time Phases Three and Four are executed, the compromised device would have at least three different but related malware binaries, all stemming from an initial infection by Asprox.
Although our report follows the trail to Rerdom ad-fraud malware, any variety of malware can be dropped and executed in this same manner.
We’ll look at the different monetization methods in the next blog.
— Isaac Palmer, Malware Reverse Engineer
— Kevin Stevens, Senior Threat Researcher