A big amount of the malware out there are RAT (Remote administration tool) samples. This is software created by people specialized on it, people that develop, improve and sell their tools. It has capabilities that let the attacker spy on the victims with actions like screen capturing, keylogging, password stealing, command execution and remote access and controlling.
Their clients usually pay to gain access to the tools and additional services like support, zero or low antivirus detection, ...
We are going to see a service we have been studying recently. Clients pay for the service and then they gain access to a web portal where they can generate personalized Trojans, manage the infected victims via the web browser and host the malware on their “cloud”.
Creators promote itself as a service to remote control computers and “recover passwords”.
It means that clients don’t have to mess with almost any technical issues, and they don’t need special skills or knowledge. The providers supply the tools, the hosting, and the Command and Control server.
When you login in your personal account you can see the main menu, tutorials and shortcuts.
The control panel uses HTTPS with a valid certificate.
Then you can create a new personalized malware (Trojan Horse) that will be generated in real time.
They take care of the antivirus detections for you. Created samples have a very low antivirus detection ratio (2/42).
Then the time to host the malware comes. Clients can choose between some fake domains that seem legitimate. The administrator of the service have bought two domains to create the fake subdomains.
cf.pro.br
as.bio.br
The domain whois data from the main website is hidden but the previous domains we mentioned are not. This way we can discover some information about the authors:
http://whois.domaintools.com/cf.pro.br
domain: cf.pro.br
owner: Pedro Henrique
ownerid: 401.407.278-92
country: BR
created: 20090510
changed: 20100713
Finally, once infected, you can easily manage your victims. You can perform remote control on the machine, password stealing, and command execution.
If you need to infect more targets, you will have to pay for them.
Malware communication with the C&C is done using HTTP. For command execution they use other protocol from port 9000.
The C&C IP is from Brazil and always the same, which is included in our IP reputation database -> 174.142.93.226.
You can use the following rules to detect the communication traffic and command execution requests:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:“MALWARE Capfire4 register machine”; flow:to_server,established; content:“GET”; depth:3; uricontent:”/registraMaquina”; content:“Host|3A| api|2E|capfire4|2E|com”; http_header; classtype:trojan-activity; sid:5000080; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:“MALWARE Capfire4 update machine status”; flow:to_server,established; content:“POST”; depth:4; uricontent:”/updMaqStatus”; content:“Host|3A| api|2E|capfire4|2E|com”; http_header; classtype:trojan-activity; sid:5000081; rev:1;)
alert tcp $EXTERNAL_NET 9000 -> $HOME_NET any (msg:“MALWARE Capfire4 remote command execution”; flow:to_server,established; content:”|10|”; depth:1; content:”|14|”; distance:1; within:1; content:”.exe”; classtype:trojan-activity; sid:5000082; rev:1;)
alert tcp $EXTERNAL_NET 9000 -> $HOME_NET any (msg:“MALWARE Capfire4 remote kill process”; flow:to_server,established; content:”|10|”; depth:1; content:”|14|taskkill”; distance:1; within:9; classtype:trojan-activity; sid:5000083; rev:1;)
alert tcp $EXTERNAL_NET 9000 -> $HOME_NET any (msg:“MALWARE Capfire4 remote download and exec”; flow:to_server,established; content:”|10|”; depth:1; content:”|14|wget -c”; distance:1; within:8; classtype:trojan-activity; sid:5000084; rev:1;)
As a conclusion, we can mention that the ease to use frameworks to monetize malware is getting more and more popular on the Internet as they let people without technical skills to easily manage their victims.
