{"id":16231,"date":"2014-03-20T14:37:55","date_gmt":"2014-03-20T20:37:55","guid":{"rendered":"https://www.webroot.com/blog/?p=16231"},"modified":"2023-12-08T08:14:10","modified_gmt":"2023-12-08T15:14:10","slug":"peek-inside-modular-tor-cc-enabled-bitcoin-mining-malware-bot","status":"publish","type":"post","link":"https://www.webroot.com/blog/2014\/03\/20\/peek-inside-modular-tor-cc-enabled-bitcoin-mining-malware-bot\/","title":{"rendered":"A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot"},"content":{"rendered":"

Cybercriminals continue to maliciously ‘innovate’, further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends – 2013<\/strong><\/a> assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth.\u00a0Standardizing the very basics of fraudulent and malicious operations, throughout the years, cybercriminals have successfully achieved a state of ‘malicious economies of scale, type of economically efficient model<\/strong><\/a>, successfully contributing to international widespread financial and intellectual property theft. Thanks to basic cybercrime disruption concepts, such as modular DIY (do-it-yourself)\u00a0commercial and publicly obtainable malware\/botnet generating tools. In 2014, both sophisticated and novice cybercriminals have everything they need to reach an efficient state of fraudulent\/malicious operation.<\/p>\n

We’ve recently spotted a commercially obtainable modular, Tor C&C enabled<\/strong><\/a>, Bitcoin mining malware\/botnet generating tool. Let’s discuss its features, key differentiation factors and take a peek inside it’s Web-based command and control interface.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshots of the modular, Tor C&C enabled, Bitcoin mining malware\/botnet generating tool’s Web based interface:<\/strong><\/p>\n

\"Web_Tor_Malware_Botnet_Cybercrime_Modular\"<\/a><\/p>\n

\"Web_Tor_Malware_Botnet_Cybercrime_Modular_01\"<\/a><\/p>\n

\"Web_Tor_Malware_Botnet_Cybercrime_Modular_03\"<\/a><\/p>\n

\"Web_Tor_Malware_Botnet_Cybercrime_Modular_06\"<\/a><\/p>\n

\"Web_Tor_Malware_Botnet_Cybercrime_Modular_07\"<\/a><\/p>\n

Priced at $250, and coded in C, the malware\/botnet generating tool supports all Windows versions (XP up to 8.1 on x86\/x64 hosts), and possesses the cybercrime ecosystem’s standard anti-debugging features. It also encrypts the plugins (modules), with AES-128-CBC. As a related key differentiation feature, it also applies a decent degree of OPSEC (Operational Security) to the bot’s Web-based command and control interface. A few examples are brute-force protection for the admin’s panel and SQL injection protection for the Web based interface. The OPSEC features introduced by the vendor are\u00a0an indication<\/strong><\/a>\u00a0for decent situational awareness<\/a>\u00a0<\/strong>on behalf of the vendor in terms of the industry’s response to large scale botnet infrastructures<\/strong><\/a> over the years.<\/p>\n

Not surprisingly, the vendor is also Tor-aware in the context of what we believe is a perceived value-added feature in terms of OPSEC. Compared to alternative competing malware\/botnet generating tools\/platforms within the cybercrime ecosystem, this bot’s\u00a0command and control domain structure is generated using\u00a0a\u00a0Domain Generation Algorithm (DGA)<\/strong><\/a> within the Tor network. While Tor can provide additional protection for domain hosting, it also has flaws. Case in point, the Sefnit botnet<\/strong><\/a>, which despite its reliance on Tor for C&C communications which gave it a boost in terms of OPSEC\/growing infected population, ironically, also introduced a potentially exploitable third-party software, a vulnerable Tor client in this case.<\/p>\n

Featured modules\/plugins:<\/strong>
\n– DDoS bot functionality
\n– Form grabbing features — tested against major Web properties
\n– Socks5 module
\n– Passwords stealing module
\n– (Experimental) task-capable Bitcoin\/Litecoin mining feature<\/p>\n

\"Web_Tor_Malware_Botnet_Cybercrime_Modular_05\"<\/a><\/p>\n

Despite its experimental state, the bot’s vendor is also emphasizing on the fact that the prospective cybercriminal can also take advantage of any of the commercially\/publicly obtainable stealth Bitcoin mining tools<\/strong><\/a>, like the ones we’ve been extensively profiling in a series of blog posts.<\/p>\n

We’ll continue monitoring this bot’s development and will post updates as soon as new developments take place.<\/p>\n","protected":false},"excerpt":{"rendered":"

Cybercriminals continue to maliciously ‘innovate’, further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends – 2013 assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth.\u00a0Standardizing the very basics of fraudulent and malicious operations, throughout the years, cybercriminals have successfully achieved a state […]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[17673,17663,4863,9833,17669,17661,17657,16381,17675,17671,10155],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16231"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=16231"}],"version-history":[{"count":21,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16231\/revisions"}],"predecessor-version":[{"id":32499,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16231\/revisions\/32499"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=16231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=16231"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=16231"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=16231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}