Original sampleThe first sample that I've grab come from email, dropped by JSDropper. A quick dynamic analysis allow us to understand that it's a spambot (a lot of SMTP connections from the malicious process). Before reversing it, let's look a the CNC communication. Malware communicates over HTTP. An interesting thing is that the process doesn't contacts directly the CNC, it try to contact some proxy web page (PHP script uploaded on compromised websites).
Proxy - Good idea - Bad realizationUsing proxy websites is a good idea only if you don't use poor pwned CMS. With poor pwned CMS it take around 3 minutes to anybody to retrieves your real CNC. Example: I can make some supposition:
- It's pretty sure that the bot master uses a script for updating all the proxies scripts
- All the compromised websites are old: most probable infection vectors are FTP Bruteforce or CMS exploits
- They have leave a php backdoor somewhere on the compromised website
Panel - Good idea - Bad realization
Come back to the malware communication. As you can see here, the malware download some dll (ssl and 7zip) from the CNC. I'm not a good pentester but when you saw a full dll name ssleay32.dll in a GET parameter, it's smell something bad \o/.
Panel V2 - Good idea - Bad realizationAfter releasing the first blogpost about onliner, the botmaster change some stuff. They start to use IP White listing for accessing the panel, they update some code, they don't patch the LFI, they add some others vulns x]. Now, due to IP White listing, when you try to access the web panel, you are kicked by the PHP script:
BonusTo finish, I just want to show you without comment 2 security features used in the Onliner panel. Anti-SQLi: Anti-... I don't know what:
Malware binaryThe malware himself is in fact a dropper. When you run it, it copy itself in C:\windows\ and re-run as services. The dropper try to drop 2 dlls:
- http://cnc.com/MailerSMTP/dll.dll : the Spam module
- http://cnc.com/CheckerSMTP/dll.dll : the SMTP credentials checker module
- The CNC send the "control account", this account (mail+password+smtpserver) is used to be sure that the spamming process works. Valid SMTP credentials can be sends to this control account to
- The CNC send a file a list of SMTP server + a list of compromised account in 2 zip files. mask.zip and 3746000.zip
- The CNC wait until the bot finish his job and send another list of SMTP+Credentials
ConclusionAs reminded, this spam bot is used to spread Ursnif in Italy and Canada. Onliner has around 1000 infected bots, they don't spread to much sample of the spambot. I look forward the next update of the panel.
AnnexeOnliner known IPs: