2014-07-07 - Affiliate

From Alureon/Wowliks to Poweliks botnet (distribution in Affiliate mode)

At begining of February 2014 a sample pushed via Sweet Orange caught my attention :

Alureon(MS)/wowliks(Eset) pushed in Sweet Orange
The same Sweet Orange thread operator (mean same account/actor on the Sweet Orange ) was also pushing Qadars ( e.g. d7c1414939dc0956445835cc67187868) and an Andromeda (e.g. f757d0ce1bfcca3111e9060a6823b936 -  exolocity.info [**] /andro/image.php -> 

The sample ( 61bdea52b821c04cb65237c345d2b7dc )  later tagged Trojan:Win32/Alureon.GQ by Microsoft was showing affiliate ID : 427 (connection with advert on underground has not been made for now)

Call were like :
http://cc9966 .com/log?install|aid=427|version=1.5|id=e87ff15a-a56a-42f5-b69b-503c6d3bf908|os=5.1.2600_3.0_32
http://cc9966 .com/cmd?version=1.5&aid=427&id=e87ff15a-a56a-42f5-b69b-503c6d3bf908&os=5.1.2600_3.0_32
http://cc9966 .com/log?exist_2_c0000035|aid=427|version=1.5|id=e87ff15a-a56a-42f5-b69b-503c6d3bf908|os=5.1.2600_3.0_32

You can find its analysis by Malwr.com here.
Unpacked by Horgh here and another one here

Another example in may, other exploit kit, other domain, other affiliate id but same botnet instance :

2014-05-22 - Angler EK via BlackOS (formerly Tales of the North Iframer aka Cookie Bomb) compromission

Payload : 21b2767f6da96c7e32c00b864ec5f03c

wow.ini dropped in the VM

05/22/2014-16:13:35.041044 f5f5dc.com [**] /log?start|aid=103|version=1.5|id=f66896c4-a2e2-4bba-a564-6242c3f778a6|os=5.1.2600_2.0_32 [**] <useragent unknown> [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 0 bytes [**] ->

But lately the affiliate seems to spread something different.

 (2014-06-30) in Magnitude :

Poweliks.A pushed in Magnitude

Payload : c42ff115afabb81a979b51b15621f088 
Unpacked by Horgh here and dll uncompressed

First set of post infection calls have changed and are are like :

06/30/2014-05:22:20.148052 cd5c5c.com [**] /q [**] <useragent unknown> [**] <no referer> [**] POST [**] HTTP/1.0 [**] 200 [**] 0 bytes [**] ->

06/30/2014-05:22:23.244452 download.microsoft.com [**] /download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe [**] Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 318224 bytes [**] ->

Note it's getting : Microsoft .Net Framework 2.0 SP1 (x86) and later KB968930 (incl. PowerShell 2.0 and require sp3 on windows XP  btw)

Firing ET pro rules in Suricata :

06/30/2014-05:22:20.148052 [**] [1:2808248:2] ETPRO TROJAN Win32/Poweliks.A Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} ->
06/30/2014-05:22:20.840616 [**] [1:2000419:22] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} ->
06/30/2014-05:22:21.124879 [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} ->

Poweliks.A is a name given by Eset.

Wowliks and Poweliks are sharing a lot of piece of codes
Some code snippet comparison (courtesy of Horgh)
and have very similar call back to C&C :

Wowliks :
Poweliks :

As we might expect Poweliks integrates some PowerShell scripts.

b64 chain in powershell scripts in Poweliks (leading to mpress compressed dll)
Despite slightly more complete network calls for poweliks it does not look like an evolution but more a downgraded fork... It's less resilient, does not have x64 components. Hard to understand such a move.

Now here is a look at the C&C side (February/March 2014) :

Botnet Size (around 30k active nodes) and daily new bots for a week in February
Income for a Week in February (all Affiliates)
Not far from 60k
showing some AID
Showing  version available in February
The operation on that Botnet seems to have start at beginning of November.
How much money did they make since that time ? At least 721k (it's not a speculation - only 14k 2 month ago and 12k previous month vs 244k in february with one feed provider).
Note :
They may have change account within the same Feed Provider or may have change Feed Provider and hence have made far more.

Where is (was?) the feed/money coming from ?


Feed provider for this AdFraud botnet

Feed information
so money should come from this bank account (in February - data you get when you register there):

Beneficiary: Loyal Bank Limited
Beneficiary Account: RO81FNNB009502959442US01 USD
Beneficiary Bank: Credit Europe Bank (Romania) SA
Beneficiary Bank SWIFT: FNNBROBU
Bank Address: Bucharest, Romania
Beneficiary Address: Cedar Hill Crest, Villa, St. Vincent and the Grenadines
Payment details: In f/o Beneficiary Acc.no. 104011281407840 to the Beneficiary Name IntecPPC Ltd. and address Suite 101, 1885 Driftwood bay, Belize city, Belize. Payment for clicks on advertisements(traffic)

- our company name IntecPPC Ltd. (with "." in the end)
- our company address: Suite 101, 1885 Driftwood bay, Belize city, Belize

In june 2013 account for intecppc was  :

All further payments should be sent to the following wire details:
Beneficiary: IntecPPC Ltd.
Beneficiary Account: 104011281407840 USD
Beneficiary Bank: Loyal Bank Limited
Beneficiary Bank SWIFT: LOYAVCVX
Bank Address:
Cedar Hill Crest, Villa, St. Vincent and the Grenadines
Beneficiary Address:
Suite 305, Marina Towers, Newtown Barracks,
Belize city, Belize

Streeview for
Marina Towers, Newtown Barracks,Belize city, Belize

Note : Maybe IntecPPC is abused, and end customers of  their advertisers here are victims...or maybe let's think darker, this is a complex money laundering scheme.
There is a "bot activity" detection implemented but less than 0.1% of the botnet traffic was flagged that way.

Credits: Thanks a lot Horgh  for the time spent dissecting those samples.
Files : Fiddler/Pcap and some samples.

Post Publication Reading :
Win32/Poweliks on Kernel Mode - 2014-07-15 - EP_X0FF