Kraken/Laziok HTTP Bot Controls Victims With Remote Admin Tool

Lately, McAfee Labs has observed a lot of active samples detected as Trojan Laziok by many security vendors. According to online reports, the Trojan Laziok is dropped via an exploit of the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), which arrives via a spam email. In contrast, we have identified the dropped Trojan as part of the Kraken HTTP botnet. These samples have similar functionality to that described by online reports about Laziok (such as dropping itself under an Oracle directory with well-known names, collecting system information like CPU, RAM, antimalware installed, and network communication with multiple GET requests). Also the builder and panel for the Kraken HTTP bot have been leaked recently on the Internet, confirming similarities between Laziok and Kraken.

We have seen very active samples (detected as Laziok by multiple security vendors) with its malicious server running. We will classify these samples as a botnet, rather than a Trojan, throughout this post and will focus on its control server communications.

Let’s start with the basics: The bot has lots of hardcoded strings, some of which are in encrypted/encoded formats. The bot has some antianalysis checks that search for virtual environments such as VirtualBox, VMware, etc. It also checks for packet-capturing tools like Wireshark and Fiddler, by looking into desktop windows opened as shown below:

wireshark_wnd_kraken

Once all checks are bypassed, the bot creates a mutex with the name “yourhavebecracked”:

mutex_kraken

The bot then drops itself with the process name smss.exe under the directory %APPDATA%SystemOracle. The following image shows some registry and system activities carried out by this bot:

registry_kraken

The bot also scan for installed antimalware applications by scanning several program directories. Here are the different hardcoded string names used for scanning:

av_names_kraken

Once a system is infected, the malware sends a number of GET requests to its control server to check infected system details:

get_req_kraken

It then collects system information: installations of steam, Java, or .net, CPU, computer name, IP, country, RAM information, etc. The bot sends the information through two more GET requests:

idcontact_kraken

get_php_kraken

The bot uses “crackim” as a hardcoded user-agent string. The control server checks for the entry and replies with “Statistics Ok!” if the victim’s details are not found in the database. Once it creates a new infection, the bot makes another GET request asking for commands to execute:

post_php_kraken_2

The server’s response is to download and execute files from another compromised server. The bot informs its control server by yet another GET request:

run_php_kraken

The bot pings its control server with more GET requests:

mult_get_kraken

The bot can also steal FTP passwords; a few hardcoded strings show us how it succeeds:

ftp_kraken

Post Infection

After the primary infection, the bot continues, as we have shown in the preceding images. The main bot downloads additional binaries from other servers, namely cryp.exe and cc.exe. At the time of this analysis only cc.exe (MD5: BED4C44F4A2BDDDE3A419173583EE297) was available on the compromised server. The bot installs this binary to further attack the compromised system. Here is an interesting string found in the downloaded cc.exe binary:

darkeye_kraken

This string in cc.exe suggests that this downloaded malicious binary use the DarkEye Version 3 cryptor, which is not cheap. The description in the cryptor blog says “THIS IS A SECURITY SOFTWARE AND ITS USE IS TO PROTECT YOUR FILES AGAINST REVERSE ENGINEERING.” The file cc.exe appears to be a remote administrator tool (RAT) written in .NET that collects more information from the victim. The RAT runs under the name svchost.exe using process replacement. The RAT has hardcoded strings, too, including host and port. Here is a screenshot of the .NET disassembly:

hard_rat_kraken

The RAT first sends information about system–computer name, logged-in user, OS–along with active window names opened on Port 9003. It sends some information in plain text and some in Base64 (mainly the open active windows):

base64_kraken

The RAT keeps on sending data on Port 9003 whenever a new window opens. Thus the attacker not only collects system information but can also learn if the RAT is being analyzed by examining the window names. The RAT supports more capabilities, such as downloading and executing binaries, updating itself, capturing screens, and uninstalling, as shown below in disassembly:

cmd_rat_kraken

In this way the attacker can later spy on the infected system to gain further information. Even though the bot is not complex, it is effective in carrying out these attacks. Due to the leaked builder and panel for the Kraken HTTP bot, we may see lots of new infections from this botnet in the future.

Intel Security customers with McAfee products are already protected from this threat.

 

The post Kraken/Laziok HTTP Bot Controls Victims With Remote Admin Tool appeared first on McAfee.