Quantcast
Channel: Malware don't need Coffee
Viewing all articles
Browse latest Browse all 185

Inside Jahoo (Otlard.A ?) - A spam Botnet

$
0
0
Trash and Mailbox by Bethesda Softworks



Otlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response )  is a Spam Botnet

I saw it loaded as a plugin in an instance of Andromeda

That Andromeda is being spread via :


  • Bedep build id 6005 and here 6007 from an Angler EK fed by Malvertising :


VirtualDonna group redirecting traffic to an Angler instance loading Bedep buildid 6007 in memory
Bedep 6007 loading Andromeda 55ead0e4010c7c1a601511286f879e33 before update task.
2015-09-28


Note : Bedep 6007 was sometimes loading it with other payload
-2015-09-16 for : ec5d314fc392765d065ff16f21722008 with Trapwot (FakeAV) e600985d6797dec2f7388e86ae3e82ba and Ponya4f08c845cc8e2beae0d157a3624b686
-2015-09-29 for : 37898c10a350651add962831daa4fffa with Kovter ( 24143f110e7492c3d040b2ec0cdfa3d0 )

That Andromeda beaconing to dnswow .com enslaved >10k bots in a week :
Andromeda dnswow 2015-11-22

Andromeda dnswow 2015-11-27
Here the Otlard.A task in that Andromeda instance :
Task installing Otlard.A as a plugin to Andromeda

  • a Task in a Smokebot dropped by Nuclear Pack fed by Malvertising :
Malvertising > Nuclear Pack > Smokebot > Stealer, Ramnit, Htbot and Andromeda > Otlard.A
2015-11-28
Smokebot : cde587187622d5f23e50b1f5b6c86969
Andromeda : b75f4834770fe64da63e42b8c90c6fcd
(out of topic Ramnit : 28ceafaef592986e4914bfa3f4c7f5c0 - It's being massively spread those days in many infection path. (Edit 2015-12-29 :  Htbot.B :  d0a14abe51a61c727420765f72de843a named ProxyBack by PaloAlto)

Now here is what the control panel of that plugin looks like :

Otlard.A panel :


Otlard.A - JahooManager - Main - 2015-09-27
Otlard.A - JahooManager - Servers - 2015-09-27
Otlard.A - JahooManager - Settings - 2015-09-27
Otlard.A - JahooManager - Campaigns - 2015-09-27
Otlard.A - JahooManager - Bot - 2015-09-27
that exe is : 2387fb927e6d9d6c027b4ba23d8c3073 and appears to be Andromeda





Otlard.A - JahooSender - Tasks - 2015-09-27

Otlard.A - JahooSender - Tasks - 2015-11-28



Otlard.A - JahooSender - Tasks - Done Task - 2015-09-27
Otlard.A - JahooSender - Domains - 2015-09-27
Otlard.A - JahooSender - Domains - 2015-11-28

Otlard.A - JahooSender - Messages - 2015-09-27
Otlard.A - JahooSender - Messages - 2015-11-28
Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28
Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28
Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28
Otlard.A - JahooSender - Headers - 2015-11-28
Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28
Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28
Otlard.A - JahooSender - Macross - 2015-11-28

Otlard.A - JahooSender - Macross - 2015-11-28


Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28
Otlard.A - JahooSender  - Macross - Editing macross - 2015-11-28
Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28
Otlard.A - JahooSender - Attach - 2015-11-28
Otlard.A - JahooSender - Attach - Attached image - 2015-11-28
Otlard.A - JahooSender - Rules - 2015-11-28
Otlard.A - JahooSender - Rules > Spam - 2015-11-28
Olard.A - JahooSender - Rules > User - 2015-11-28
Olard.A - Bases - Emails - 2015-11-28
Olard.A - Bases - Blacklist - 2015-11-28
Olard.A - Bases - Blacklist - Edit - 2015-11-28
Olard.A - Botnet - Main - 2015-09-27
Olard.A - Botnet - Main - 2015-11-28
Otlard.A - Botnet - Modules - 2015-11-28
Otlard.A - Botnet - Modules - Edit - 2015-11-28
Otlard.A - Incubator - Accounts - 2015-11-28
Otlard.A - Incubator - Settings - 2015-11-28
Note : registrator menu has disappeared in last version. 


--
Andromeda C&C 2015-11-28 :
5.8.35.241
202023 | 5.8.35.0/24 | LLHOST | EU | llhost-inc.com | LLHost Inc

Spam Module C&C 2015-11-28 :

5.8.32.10 
5.8.32.8
5.8.32.52
5.8.34.20
5.8.32.53
5.8.32.56
202023 | 5.8.32.0/24 | LLHOST | EU | zanufact.com | LLHost Inc

Thanks : Brett StoneGross for helping me with decoding/understanding the network communications

Files :
All samples which hashes have been discussed here are in that zip.
Jahoo - socker.dll : 7d14c9edfd71d2b76dd18e3681fec798
( If you want to look into this, i can provide associated network traffic)

Read More :

Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel 2012-07-02
Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27
Inside Smoke Bot - Botnet Control Panel - 2012-04-28

Post publication Reading :
ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - JeffWhite - PaloAlto

Viewing all articles
Browse latest Browse all 185

Trending Articles