Kaspersky Lab security researchers have found a malicious campaign targeting educational and governmental organizations. The Betabot malware was spammed via fake emails sent in the name of the Carabineros of Chile.
The original .biz domain used in the malicious campaign was bought by someone allegedly from Panama. It’s a purely malicious domain used exclusively for cybercriminal activity.
However, the server itself is hosted in Russia! The same server has several folders and files inside, which we will discuss a little bit later.
Denuncia_penal.exe is the name of the original binary; it translates to English as “Criminal complaint”. The file is compiled with fake information and claims to be a legitimate tool built by NoVirusThanks, called NPE File Analyzer.
It is spyware that interacts with its C2 using commands such as “JOIN”, “PRIVMSG” and others. It steals clipboard data and keystrokes and also takes screenshots. It steals cookies from the browsers and sends them, in SQLite format, to a remote database.
It also has backdoor functionality and actively fights locally installed AV by manipulating the Image File Execution Options registry key, denying execution of 15 different AV solutions.
This technique is very harmful because even if the malware is removed but the debugger entries are not fixed, the victim won’t be able to successfully install an AV solution.
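The persistence of the block described above comes from `Debugger` values left under the Image File Execution Options key, one per targeted executable name. The following PowerShell script is an added example (not code from the original post or from Kaspersky) that audits that key on a Windows host and, with the hypothetical `-Remove` switch, deletes the flagged values so the affected programs can start again; it assumes an elevated session for removal.

```powershell
# Added example (not from the original post): audit the Image File Execution Options
# key for 'Debugger' values, the mechanism the described malware uses to block AV binaries.
# Assumes a local Windows host and an elevated PowerShell session when -Remove is used.
param(
    [switch]$Remove   # hypothetical switch: when set, delete the flagged Debugger values
)

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Each subkey is named after an executable; a 'Debugger' value inside it makes Windows
# launch that path instead of the real program every time the image is started.
$findings = Get-ChildItem -Path $ifeoPath | ForEach-Object {
    $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        [PSCustomObject]@{
            Image    = $_.PSChildName
            Debugger = $debugger
            KeyPath  = $_.PSPath
        }
    }
}

if (-not $findings) {
    Write-Output "No Debugger values found under IFEO."
    return
}

# Review the list before removing: developer tooling legitimately sets Debugger values,
# but an entry for a security product pointing at a bogus path is the pattern described above.
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Removing only the Debugger value restores normal execution of the image
        # while leaving other IFEO settings for that subkey untouched.
        Remove-ItemProperty -Path $f.KeyPath -Name Debugger
        Write-Output "Removed Debugger value for $($f.Image)"
    }
}
```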
In September 2013, the FBI posted a Public Service Announcement about this threat. The difference now is that this botnet is no longer used only by Russian-speaking criminals but by cybercriminals from LatAm as well.
If we analyze only top-level domains and look for geo-specific ones, Chile and the Dominican Republic are the main targets, although the complete list is quite long. Checking only geo-specific domains, the top 10 countries with the most victims are: Chile, Dominican Republic, Spain, Argentina, Mexico, Ecuador, Germany, France, Colombia and Italy.
It’s important to note that the list of victims includes thousands of emails in .edu and .gov domains. In the next post we will discuss the victims and the operation behind the attack in more detail. Kaspersky detects this sample as Trojan.Win32.Neurevt.zp.