lundi 30 janvier 2017

БОМБИЛА - БОТНЕТ

Spambot safari #1 - Bombila

Hey!

Let's go for a Spambot safari.
There is a lot of malware analysis on the Internet but a very small number about malware used for Spamming (Necurs is a rare exception). But behind every big spam campaign, there is a spambot. And this part of the campaign is often technically weak.

It's easy to find a spambot. Most of the time, botmatsers's do the error of spreading the spambot's binary via the spam botnet itself. Due to the malware's communication, this mistake expose the spambot architecture and allow us to analyze the CNC part.
Looking for malware with SMTP communication on public sandboxes is a another good way to find spambot samples.

Here, I'll try to describe "Bombila" Spambot (БОМБИЛА).
This malware was used for spreading Teslacrypt in 2016 (if you want to understand how weak are spamming campaigns, take a look at: https://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/)

I'll try to give an overview of this malware.
Sample: 6aa5fd384fbfe271a5000397e2e0c9d9e06dd5d041488e4f2de7ae3a4eb1589d

Silent_SMTP_Bruter.exe

The malware itself (Silent_SMTP_Bruter) is not really interresting and seems in developpment;
A lot of bugs, poor strings obfuscation, OutputDebugStrings, a log file created in C:\log.txt...
Persistance is done via CurrentVersionRun, there is no self replication or hidden feature (the malware stay where you launch it), after some connection checks, the malware contact the CNC (HTTP). If you kill the process with the task manager, the malware stop working.


Wow! So much obfuscation...


"Silent_SMTP_Bruter" string is present in the PACKAGEINFO


As usual the malware is composed of a SMTP bruteforce module and a SMTP spam module.
The main module try to contacts a gate "cmd.php" in 2 different ways:
  • A POST request $_POST['status'] every 5 minutes for sending bot status
  • a GET request whitout parameter for retrieving new order.

Not so boring malware

But, the best part is not in the malware itself; it's the icon of the malware \o/. You can observe a funny behaviour; when you rename the binary, the binary's icon changes. It take icons already present in system icon cache. The hash is still the same (works on Windows 10 up to date :]).
It can be used to fool victims because the malware takes icon like directory or Word, txt etc


If we extract the icon from resources binary, I reproduce the bug with the .ico icon:


It's a very small icon file (78bytes)


In red, it's the Ico header composed of 2 structures: ICONDIR and ICONDIRENTRY
In green, it's the bitmap header, in the structure BITMAPINFOHEADER
In blue it's the color data RGB

It seems that, after a MapViewOfFile, user32 misparse bitmap data and choose a "random" icon in the icon Cache (C:\Users\login\AppData\Local\Microsoft\Windows\Explorer).
I'm still working on that; I'll try to write a post about how reverse these kinds of UI tricks without getting suicidal tendencies \o/.
Thanks a lot to @Antelox for his precious help :]

Crack the bot

During Teslacrypt analysis I was abble to dump the web panel. So, why not try to patch the bot with my CNC for playing with all the features ?
For that, we have to understand were is stored the CNC in the binary and patch it.
There is a good resource about that on Xylibox But in this case I'll use a easier way :]. In the binary we can see that the CNC is "obfuscated" (loc_4480D3)


It's now easy to make a dirty python script for encoding our CNC and patch the binary (Offset 0x58488)
Due to a stupid parsing error, the CNC must look like "http://domain.com/folder" without the last slash.



You can now control the bot and explore all the features \o/.


Panel Overview



The source code is a real mess. It looks like the panel is a compilation of 2 panels
For example there is 3 footers in index.php:

Some comments refer to other projects:


It's time for a quick overview (I've try to do a quick and dirty english version (thanks @KodaES :D), put your cursor on the image for the translated version):
The home page:

From this page, you can:
  • Upload emails lists
  • Upload subject, messages, "from", header etc
  • retrives statistics about the spam campaign
  • retrives some statistics about infected bots
  • configure the campaing


I cannot found any bot lists or campaigns details directly form the webpanel.
Some page are only accessible by reading the source code.
In fact, index.php is a big switch case:



For example: the bots list (index.php?act=work):


Search engine:

there is no dropping or backdoor feature. This malware is only about spam purpose.

After Teslacrypt ?


I've try to found other sample of this malware after the end of Teslacrypt.
I've found a another panel but nothing else.


I think it can be easy to retrives new sample via VTi.

Some numbers to conclude (based on webstat files found on the CNC):
From December 2015 to February 2016, Bombila :
  • was composed of ~10 000 bots
  • has sent at least 10 millions emails


Thanks for reading :]

Aucun commentaire:

Enregistrer un commentaire