2014-07-07 - Affiliate
From Alureon/Wowliks to Poweliks botnet (distribution in Affiliate mode)
At begining of February 2014 a sample pushed via Sweet Orange caught my attention :
 |
| Alureon(MS)/wowliks(Eset) pushed in Sweet Orange 2014-02-03 |
The same Sweet Orange thread operator (mean same account/actor on the Sweet Orange ) was also pushing Qadars ( e.g. d7c1414939dc0956445835cc67187868) and an Andromeda (e.g. f757d0ce1bfcca3111e9060a6823b936 - exolocity.info [**] /andro/image.php -> 5.10.69.232:80)
[/OT]
The sample ( 61bdea52b821c04cb65237c345d2b7dc ) later tagged Trojan:Win32/Alureon.GQ by Microsoft was showing affiliate ID : 427 (connection with advert on underground has not been made for now)
Call were like :
http://cc9966 .com/log?install|aid=427|version=1.5|id=e87ff15a-a56a-42f5-b69b-503c6d3bf908|os=5.1.2600_3.0_32
http://cc9966 .com/cmd?version=1.5&aid=427&id=e87ff15a-a56a-42f5-b69b-503c6d3bf908&os=5.1.2600_3.0_32
http://cc9966 .com/log?exist_2_c0000035|aid=427|version=1.5|id=e87ff15a-a56a-42f5-b69b-503c6d3bf908|os=5.1.2600_3.0_32
You can find its analysis by Malwr.com here.
Unpacked by Horgh here and another one here
Another example in may, other exploit kit, other domain, other affiliate id but same botnet instance :
 |
| 2014-05-22 - Angler EK via BlackOS (formerly Tales of the North Iframer aka Cookie Bomb) compromission |
Payload : 21b2767f6da96c7e32c00b864ec5f03c
 |
| wow.ini dropped in the VM |
05/22/2014-16:13:35.041044 f5f5dc.com [**] /log?start|aid=103|version=1.5|id=f66896c4-a2e2-4bba-a564-6242c3f778a6|os=5.1.2600_2.0_32 [**] <useragent unknown> [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 0 bytes [**] 192.168.1.31:1066 -> 31.184.192.196:80
But lately the affiliate seems to spread something different.
(2014-06-30) in Magnitude :
 |
| Poweliks.A pushed in Magnitude |
Payload : c42ff115afabb81a979b51b15621f088
Unpacked by Horgh here and dll uncompressed
First set of post infection calls have changed and are are like :
06/30/2014-05:22:20.148052 cd5c5c.com [**] /q [**] <useragent unknown> [**] <no referer> [**] POST [**] HTTP/1.0 [**] 200 [**] 0 bytes [**] 192.168.1.31:1066 -> 31.184.192.202:80
06/30/2014-05:22:23.244452 download.microsoft.com [**] /download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe [**] Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 318224 bytes [**] 192.168.1.31:1069 -> 96.7.41.136:80
Note it's getting : Microsoft .Net Framework 2.0 SP1 (x86) and later KB968930 (incl. PowerShell 2.0 and require sp3 on windows XP btw)
Firing ET pro rules in Suricata :
06/30/2014-05:22:20.148052 [**] [1:2808248:2] ETPRO TROJAN Win32/Poweliks.A Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1066 -> 31.184.192.202:80
06/30/2014-05:22:20.840616 [**] [1:2000419:22] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 96.7.41.136:80 -> 192.168.1.31:1069
06/30/2014-05:22:21.124879 [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 96.7.41.136:80 -> 192.168.1.31:1069
Poweliks.A is a name given by Eset.
Wowliks and Poweliks are sharing a lot of piece of codes
 |
| Some code snippet comparison (courtesy of Horgh) |
Wowliks :
http://%s/log?%s|aid=%s|version=1.5|id=%s|os=%s_%s
Poweliks :
type=%s&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s
As we might expect Poweliks integrates some PowerShell scripts.
 |
| b64 chain in powershell scripts in Poweliks (leading to mpress compressed dll) http://pastebin.com/REdC5nB6 http://pastebin.com/SP1nHsT5 |
Now here is a look at the C&C side (February/March 2014) :
 |
| Botnet Size (around 30k active nodes) and daily new bots for a week in February |
.png) |
| Income for a Week in February (all Affiliates) Not far from 60k |
 |
| showing some AID |
 |
| Showing version available in February |
How much money did they make since that time ? At least 721k (it's not a speculation - only 14k 2 month ago and 12k previous month vs 244k in february with one feed provider).
Note :
They may have change account within the same Feed Provider or may have change Feed Provider and hence have made far more.
Where is (was?) the feed/money coming from ?
IntecPPC.
 |
| Feed provider for this AdFraud botnet |
 |
| Feed information |
Beneficiary: Loyal Bank Limited
Beneficiary Account: RO81FNNB009502959442US01 USD
Beneficiary Bank: Credit Europe Bank (Romania) SA
Beneficiary Bank SWIFT: FNNBROBU
Bank Address: Bucharest, Romania
Beneficiary Address: Cedar Hill Crest, Villa, St. Vincent and the Grenadines
Payment details: In f/o Beneficiary Acc.no. 104011281407840 to the Beneficiary Name IntecPPC Ltd. and address Suite 101, 1885 Driftwood bay, Belize city, Belize. Payment for clicks on advertisements(traffic)
- our company name IntecPPC Ltd. (with "." in the end)
- our company address: Suite 101, 1885 Driftwood bay, Belize city, Belize
In june 2013 account for intecppc was :
All further payments should be sent to the following wire details:
Beneficiary: IntecPPC Ltd.
Beneficiary Account: 104011281407840 USD
Beneficiary Bank: Loyal Bank Limited
Beneficiary Bank SWIFT: LOYAVCVX
Bank Address:
Cedar Hill Crest, Villa, St. Vincent and the Grenadines
Beneficiary Address:
Suite 305, Marina Towers, Newtown Barracks,
Belize city, Belize
 | ||||
Streeview for
|
Note : Maybe IntecPPC is abused, and end customers of their advertisers here are victims...or maybe let's think darker, this is a complex money laundering scheme.
There is a "bot activity" detection implemented but less than 0.1% of the botnet traffic was flagged that way.
Credits: Thanks a lot Horgh for the time spent dissecting those samples.
Files : Fiddler/Pcap and some samples.
Post Publication Reading :
Win32/Poweliks on Kernel Mode - 2014-07-15 - EP_X0FF