Quantcast
Channel: Malware don't need Coffee
Viewing all articles
Browse latest Browse all 185

CBeplay.P : Now target Australia and moved to server side localization

$
0
0


The VMaware CBeplay.P is moving (to learn about the past look here ).

 CBeplay is stealing/borrowing design from Urausy (AU - ES - NL)
- It's not talking anymore to UK Citizen
- The design is not embedded anymore in the binary but downloaded from the C&C.
(to be honest I was expecting that move to occur earlier, this choice was complicating their life for sure. This required one exploit kit landing by binary (on Cool EK) and traff work in front of the exploit kit + more compilation/crypting)

This move allow the team to enjoy font drop with one fixed payload  and to easily target more countries.
Expect far more to come.....

All Design :
 (a small  watermark has been included, up left, on some -  sorry about that, too lazy to remake affected screenshots)

Australia (newly targeted by this threat - it's also the Default design) :
CBeplay.P AU in it's Windows Form - 2013-02

CBeplay.P AU (scroll inside the form) 2013-02

Austria (updated design):
CBeplay.P AT 2013-02 in its Windows form
CBeplay AT 2013-02 Scrolled



Belgium (no change) :
CBeplay.P BE 2013-02


France (no change but new capture for me) :
CBeplay.P FR
Germany (no change):
CBeplay.P DE 2013-02
Italy (no change):
CBeplay.P IT 2013-02
Luxembourg (no change):
CBeplay.P LU (2013-02)


Netherlands (no change):
CBeplay NL 2013-02


Spain (updated design) :
CBeplay.P ES in its windows Form (2013-02)
CBeplay.P ES Scrolled 2013-02
Sweden (no change) :
CBeplay.P SE 2013-02


United Kingdom (no more voice):
CBeplay.P UK 2013-02
United States (recent but not change) :
CBeplay.P US 2013-02


C&C :

Design : 87.117.253.11

French Design download by CBeplay.P
Payment/Check : 93.115.240.226
"Mama's gonna make all your nightmares come true."
Infection:
 (Got some help on that one. Waiting approval for proper credits) 

Cool EK  CVE-2013-0431 successfull path leading to infection by CBeplay.P
Files :  883cfd95ccc89de70c20015e8479e936 (vt link)

883cfd95ccc89de70c20015e8479e936_CBeplay.P_210213.zip (Mega via Goo.g shortener)

883cfd95ccc89de70c20015e8479e936_CBeplay.P_210213.zip (OwnCloud via Goo.gl shortener)

Read:

Botnets.fr CBeplay.P page (i will update soon...)

Viewing all articles
Browse latest Browse all 185

Trending Articles