Trash and Mailbox by Bethesda Softworks
Otlard.A (or, let's say, at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response) is a spam botnet.
I saw it loaded as a plugin in an instance of Andromeda
That Andromeda is being spread via:
- Bedep build id 6005, and here 6007, from an Angler EK fed by malvertising:
VirtualDonna group redirecting traffic to an Angler instance loading Bedep buildid 6007 in memory - Bedep 6007 loading Andromeda 55ead0e4010c7c1a601511286f879e33 before update task - 2015-09-28
Note: Bedep 6007 was sometimes loading it alongside other payloads:
- 2015-09-16 for: ec5d314fc392765d065ff16f21722008 with Trapwot (FakeAV) e600985d6797dec2f7388e86ae3e82ba and Pony a4f08c845cc8e2beae0d157a3624b686
- 2015-09-29 for: 37898c10a350651add962831daa4fffa with Kovter (24143f110e7492c3d040b2ec0cdfa3d0)
That Andromeda, beaconing to dnswow .com, enslaved >10k bots in a week:
Andromeda dnswow 2015-11-22
Andromeda dnswow 2015-11-27
Task installing Otlard.A as a plugin to Andromeda
- a task in a Smokebot dropped by Nuclear Pack fed by malvertising:
Malvertising > Nuclear Pack > Smokebot > Stealer, Ramnit, Htbot and Andromeda > Otlard.A - 2015-11-28
Andromeda: b75f4834770fe64da63e42b8c90c6fcd
(Out of topic, Ramnit: 28ceafaef592986e4914bfa3f4c7f5c0 - it is being massively spread these days through many infection paths. Edit 2015-12-29: Htbot.B: d0a14abe51a61c727420765f72de843a, named ProxyBack by PaloAlto.)
Now here is what the control panel of that plugin looks like:
Otlard.A panel:
Otlard.A - JahooManager - Main - 2015-09-27
Otlard.A - JahooManager - Servers - 2015-09-27
Otlard.A - JahooManager - Settings - 2015-09-27
Otlard.A - JahooManager - Campaigns - 2015-09-27
Otlard.A - JahooManager - Bot - 2015-09-27 (that exe is 2387fb927e6d9d6c027b4ba23d8c3073 and appears to be Andromeda)
Otlard.A - JahooSender - Tasks - 2015-09-27
Otlard.A - JahooSender - Tasks - 2015-11-28
Otlard.A - JahooSender - Tasks - Done Task - 2015-09-27
Otlard.A - JahooSender - Domains - 2015-09-27
Otlard.A - JahooSender - Domains - 2015-11-28
Otlard.A - JahooSender - Messages - 2015-09-27
Otlard.A - JahooSender - Messages - 2015-11-28
Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28
Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28
Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28
Otlard.A - JahooSender - Headers - 2015-11-28
Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28
Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28
Otlard.A - JahooSender - Attach - 2015-11-28
Otlard.A - JahooSender - Attach - Attached image - 2015-11-28
Otlard.A - JahooSender - Rules - 2015-11-28
Otlard.A - JahooSender - Rules > Spam - 2015-11-28
Otlard.A - JahooSender - Rules > User - 2015-11-28
Otlard.A - Bases - Emails - 2015-11-28
Otlard.A - Bases - Blacklist - 2015-11-28
Otlard.A - Bases - Blacklist - Edit - 2015-11-28
Otlard.A - Botnet - Main - 2015-09-27
Otlard.A - Botnet - Main - 2015-11-28
Otlard.A - Botnet - Modules - 2015-11-28
Otlard.A - Botnet - Modules - Edit - 2015-11-28
Otlard.A - Incubator - Accounts - 2015-11-28
Otlard.A - Incubator - Settings - 2015-11-28
--
Andromeda C&C 2015-11-28:
5.8.35.241
202023 | 5.8.35.0/24 | LLHOST | EU | llhost-inc.com | LLHost Inc
Spam module C&C 2015-11-28:
202023 | 5.8.32.0/24 | LLHOST | EU | zanufact.com | LLHost Inc
Thanks: Brett Stone-Gross, for helping me with decoding/understanding the network communications.
Files:
All samples whose hashes have been discussed here are in that zip.
Jahoo - socker.dll: 7d14c9edfd71d2b76dd18e3681fec798
(If you want to look into this, I can provide the associated network traffic.)
Read more:
Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel 2012-07-02
Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27
Inside Smoke Bot - Botnet Control Panel - 2012-04-28
Post-publication reading:
ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - JeffWhite - PaloAlto