Back to Home

ESET participates in the elimination of the Gamarue botnet / ESET NOD32 Blog

malware · botnet · wauchos

ESET takes part in the elimination of the Gamarue botnet

    A large-scale operation to eliminate the botnet network Gamarue (Andromeda), which has been operating for several years, has completed. The operation involving ESET, Microsoft and law enforcement agencies lasted more than a year.



    Introduction


    Gamarue (Win32 / TrojanDownloader.Wauchos according to ESET classification) has been known since the end of 2011 and was sold on a dark web called Andromeda bot. The bot was in demand, which caused the existence of 464 independent botnets at the time of elimination. In the past, Wauchos led the way in the number of attacks repelled by ESET.

    As part of the operation, ESET provided technological expertise - we monitored the botnets within the Wauchos network, identified their C&C servers for subsequent neutralization, and monitored other malicious programs that were installed on infected systems. Together with Microsoft, we provided law enforcement agencies with the following information:

    - 1214 domains and IP addresses of botnet C&C server managers
    - 464 individual botnets
    - 80 related malware families

    In Figure 1, you can see the Wauchos distribution map based on our telemetry. Obviously, Wauchos is a global problem, and the operation to eliminate it was worth the effort. We present the data of last year - at the peak of Wauchos activity.


    Figure 1. Distribution of Wauchos (December 2016)

    If you suspect that your Windows computer was compromised and are not an ESET user, download and use the free ESET Online Scanner tool . It will remove all threats, including Wauchos, by detecting them in the system.

    What is Wauchos?


    This common malware has existed since 2011. We previously wrote about him on the blog (see "Sources"). In this section, we will look at the core of Wauchos: what it is and how it spreads, and then describe the technical details of the malware.

    Wauchos is primarily used to steal credentials, and to download and execute other malicious programs on the system. Thus, if the system is compromised by Wauchos, it is very likely that another malware is installed in it.

    Wauchos has a modular architecture. Its functionality can be expanded by adding appropriate modules. Among the well-known modules are a keylogger, spyware to intercept entered logins and passwords (form grabber), rootkit, SOCKS proxies and TeamViewer bot.

    There are five major versions of Wauchos based on their own version control scheme: 2.06, 2.07, 2.08, 2.09, and 2.10. In the first three, the build number is included in the first POST request sent by the bot to the C&C server, so identifying the version is quite simple. In later versions of Wauchos, the parameter bvin the POST request is removed. However, determining the bot version is relatively easy if you look at the identifier string sent to the server (3):


    (* Pay attention to switching to JSON format)

    A typical POST request is shown in Figure 2. The identifier string is encrypted using the RC4 algorithm and then encoded with base64.


    Figure 2. Typical POST request

    Since the linker for version 2.06 was publicly available several years ago, we saw quite a few versions of this botnet in telemetry data. Nevertheless, according to our information, the most common version is 2.10.

    The global nature of the threat is also noted in the variety of C&C servers used by Wauchos operators. Throughout the study, we opened new management servers every month. Figure 3 shows the top-level domains used by C&C servers; Figure 4 shows the geography of the IP addresses of these servers at the time of connection with our search bot (crawler) in November and December 2016.


    Figure 3. Top-level domains of C & C-servers in November and December 2016


    Figure 4. Geography of IP addresses of C & C

    It is interesting that a number of samples studied checks the keyboard settings and stops the attack if the system uses Russian, Belarusian, Ukrainian or Kazakh languages.

    Infection vector


    Because Wauchos are bought and distributed by different operators, different vectors are used to infect. Historically, Wauchos samples were distributed through social networks, instant messengers, removable media, spam, and exploit kits. Figure 5 shows a typical letter with a sample of Wauchos in an attachment.


    Figure 5. Typical spam with Wauchos in an application.

    Installing according to the pay-per-install scheme.

    As mentioned earlier, Wauchos is mainly used to distribute other malicious programs. Using our automated systems, we have compiled statistics on the malvari loaded by the Wauchos bots that we tracked. Figure 6 shows the various modules that were loaded by our search bot on the first connection to C&C.


    Figure 6. Download statistics - December 2016

    The first boot is usually the bootloader module, which we will describe in the next section. Further, other malicious programs are installed - in December 2016, spam bots were loaded mainly, in particular, Win32 / Kasidet, Win32 / Kelihos and Win32 / Lethic. Of course, when it comes to the pay-per-install scheme, statistics change from time to time. Wauchos also downloaded other malware, but, according to our telemetry data, most often these programs were listed above.

    Technical analysis


    In this section, we will present some technical details that have not been publicly discussed before, but which create context against the backdrop of the elimination of the botnet. In particular, we will describe two modules that provide communication via third-party channels for the botmaster, increasing the botnet's resistance to dismantling operations.

    Versions of Wauchos

    First of all, we would like to help colleagues who are interested in this malware family and briefly describe using the ESET classification the main versions and their capabilities.

    Win32 / Wauchos.B is the most common component detection of Wauchos version 2.06. Version 2.10 is usually detected as Win32 / Wauchos.AW. In addition, the Win32 / Wauchos family contains other modules, packaged versions of the listed versions, and other Wauchos assemblies, including 2.07, 2.08, or 2.09; according to our telemetry, they are less common, and therefore less relevant in the discussion.

    In the latest version of Wauchos (2.10), the bot supports the following commands:


    Modules

    Wauchos is an extensible bot that allows the operator to create and use custom modules. However, there are several widely available modules that are found in different botnets. In this section, we will look at the modules that were able to be loaded using our tracking mechanism.



    When the bot loads the module, it must first decrypt its header with the RC4 key. The header contains a unique key needed to decrypt the payload. After decryption, the last operation is to unpack the module using aPLib. Further, the malware uses a custom loader to load a binary blob into memory. Binary blobs can be loaded directly into memory and executed.

    The number of different RC4 keys collected by our tracking systems in different botnets turned out to be small - about 40. This allows you to easily decrypt any downloaded components, even those that are not needed for sample analysis.

    As for C&C communications, all the samples we analyzed for resolving C&C domains directly used the Google DNS infrastructure. Version 2.06 attempts to resolve the IP address of the C & C server using UDP sockets up to 8.8.4.4:53. If this fails, it returns first to the DnsQueryA () API, and then to the gethostbyname () API. Version 2.10 intercepts GetAddrInfoW () and resolves all calls to it using UDP packets up to 8.8.4.4:53, if this fails, it returns to the original GetAddrInfoW () API.

    New persistence mechanisms

    In this section, we will talk about two modules that appeared this year. We believe that they are designed to prevent dismantling, like the current operation, and for this purpose provide a third-party communication channel for the botmaster. This behavior was described in an article at link 4 in the Sources section.

    The first module is a USB spreader (a utility for distributing malware across flash drives). The second one performs a fileless attack using the bootloader, which is stored in the registry and is launched by the PowerShell script at startup.

    USB spreader - Win32 / Bundpil.CS

    The module allows you to intercept the DNS API functions, tries to spread via removable media and uses DGA (domain generation algorithm) to load additional data.

    One process scans for connected removable media and, having found the desired one, installs a copy of the malicious program on it.

    The second function of the module is to intercept the DNS API and replace certain domains with encoded ones. For example, one sample studied redirected all requests to these old Wauchos domains:

    - designfuture.ru
    - disorderstatus.ru
    - atomictrivia.ru
    - differentia.ru

    to gvaq70s7he.ru.

    The module also has a DGA component that tries to connect to automatically generated domains to load additional data into a compromised system. DGA pseudo-code can be found on our github page. The URLs he is trying to reach match the following patterns:

    -.ru / mod
    - ww1..ru / 1
    - ww2..ru / 2

    We were able to load a binary blob from a circuit with DGA. What we received was an encrypted blob and started with "MZ". The module will delete these two bytes and save the blob in the Windows registry.

    The main Wauchos bot decrypts the payload encrypted with RC4, unpacks it from aPLib and loads it like a regular module. Please note that the same RC4 keys are used for this process as for module encryption. The binary file thus obtained is an updated version of the USB spreader. We assume that through DNS interception, the botmaster can restore bot management by downloading the latest version of the module from a controlled domain, and then redirect hard-coded domains mainly to Wauchos.

    Loader

    The last module is a small bootloader that uses DGA to access the following URLs, depending on version:

    -.ru / ld.so
    -.ru / last.so
    -.ru / nonc.so

    The module is used to download the binary blob that it stores in the registry. The blob can be decrypted using the RC4 key contained in the Wauchos main payload.
    One of the malware variants downloaded by this module is another bootloader detected as TrojanDownloader.Small.AHI. The malicious program is of interest, since its only task is to download the updated version of the bootloader module and save it in the registry in encrypted form, but with one nuance.

    It also adds a startup key with a PowerShell script that decrypts and executes the encrypted binary from the registry key after each computer startup. The binary is just being updated right now. However, its DGA can be used as a secondary communication channel to establish a new payload and restore control over bots if anyone tries to intercept it. The process is shown in Figure 7.


    Figure 7. Scheme of the loader module

    It is interesting to note that we observed the loading of Necurs.B through the DGA and this module. However, in most downloads, Win32 / TrojanDownloader.Small.AHI was installed on the system. In fact, this program was detected multiple times, according to our cloud statistics. The highest activity of the module was noted using our search bot in August 2016, after which it was reduced to zero. It is not known whether we were blacklisted or if the malvari operators simply tested the function for a short period of time.

    Conclusion


    Wauchos (Gamarue / Andromeda) is an old botnet updated for several years. ESET experts have been monitoring its infrastructure for years, as well as other threats. Monitoring is important to track any changes in the behavior of the malware, as well as for subsequent elimination.

    Wauchos uses old methods to compromise new systems. Users should be careful when opening files on removable media, as well as files received by e-mail, in social networks or instant messengers. If you think your system is infected with Wauchos, use the free tool to check and remove malware.

    Botnet information was collected using ESET Threat Intelligence telemetry service. ESET products detect thousands of variants of Wauchos modules and other malware families distributed by the botnet.

    Thanks for your help with the study Juraj Jánošík, Viktor Lucza, Filip Mazán, Zoltán Rusnák and Richard Vida.

    Hashes




    Sources


    1. blog.fortinet.com/2014/04/16/a-good-look-at-the-Andromeda-botnet
    2. blog.avast.com/Andromeda-under-the-microscope
    3. eternal-todo.com/ blog / Andromeda-gamarue-loves-json
    4. blog.trendmicro.com/trendlabs-security-intelligence/usb-malware-implicated-fileless-attacks

    Read Next