Introduction

Fortinet has discovered a new botnet capable of stealing large amounts of user information, as well as remotely manipulating compromised machines. The malware appears to be based on an older botnet known as Grabbot, which was first discovered back in November of 2014. This new variant improves on that existing functionality while adding several dangerous new features. This blog aims to offer a quick insight into how Grabbot functions.

Replication

The bot can be found hosted on a number of compromised websites with a random filename. We currently suspect that Grabbot may arrive on these hosts through Exploit Kits or other malicious campaigns.

The bot may drop several files in the following paths:

●"%AppData%\{GUID}\{generated filename}.exe"

●"%AppData%\{GUID}\{generated filename}.bat"

●"%AppData%\{GUID}\{generated filename}"

Note that each generated filename is different, with the host machine’s System Volume Information. Several mutexes are created in the same way. Each drop file also has its file time information set to be the same as “cmd.exe” in Windows.

The malware creates the following registry entry to survive system reboots:

●HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run

○{GUID} = "%AppData%\{GUID}\{generated filename}.exe"

During execution, the bot may inject the main payload into explorer.exe and delete the original file.

Browser Targeting

The bot enters a sleep loop and will not perform the rest of its functionality unless one of the following internet browsers is found in the active process list:

●Internet Explorer (iexplore.exe)

●Firefox (firefox.exe)

●Google Chrome (chrome.exe)

●Opera (opera.exe)

Anti-analysis measures

The bot also scans active processes for the presence of certain system analysis tools, such as Wireshark or Process Explorer. If any is found, the bot may branch into a fake set of behaviours instead of the actual payload.

Fig.1: Searching for hashes of specific process names

Fig. 2: Part of the fake behaviour - Random domain name generation and contact

C&C Connection

Before the bot attempts to contact the command and control (C&C) server, it first makes a connection to www.microsoft.com to verify internet connectivity. If a connection can be established, the bot will iterate through a list of possible C&C servers and contact each until a response is received. The list of C&Cs observed in this sample are:

●http://de{REMOVED}is.site

●http://ge{REMOVED}et.site

●http://bi{REMOVED}ys.info

●http://on{REMOVED}nc.site

●http://de{REMOVED}is.info

●http://ss{REMOVED}rs.info

When a connection is established, the bot may attempt to download the following data files:

●/wordpress/ajax/d.dat

●/wordpress/ajax/e.dat

●/wordpress/ajax/f.dat

●/wordpress/ajax/out.dat

●/wordpress/ajax/g.dat

●/wordpress/ajax/h.dat

The files are saved on the disk with a generated filename. Notably, the file “out.dat” is renamed to the executable file in the autorun registry. All communication between the bot and the C&C are encrypted and done through HTTP. In any contact with a C&C, the bot will try twice to establish connection before trying a different C&C.

Fig.3: C&C communication

C&C Commands

The botnet is capable of responding to the following commands:

Command	Function
user_execute	Executes a file on the host machine
bot_update	Updates the bot itself
conf_update	Updates the bot configuration
bot_uninstall	Removes the bot from the host machine
conf_update2	Updates the bot configuration
send_debug	Send system information and log data to C2
socks_bc	Establish SOCKS proxy
run_vnc	Creates VNC connection
install_bd1	Install Teamviewer backdoor
url_block_add	Blocks specific URLs from being accessed
url_block_rem	Removes URL blocking
grab_ftp	Retrieves FTP information from host
grab_cookies	Retrieves browser cookies from host
grab_sol	Retrieves local shared objects/flash cookies
grab_certs	Retrieves client certificates
grab_all	Retrieves data from all grab functions
del_cookies	Deletes browser cookies
grab_pop	Retrieves Outlook POP accounts
run_plugin_exe	Downloads and injects an executable into svchost.exe and runs it
run_plugin_dll	Downloads and injects a library into svchost.exe and runs it

Compared to the previous known version of Grabbot, there are several new commands labeled “conf_update2”, “install_bd1”, “grab_pop”, “run_plugin_exe” and “run_plugin_dll”.

Sending Back Debug Information

The bot is able to extract current system information, including a list of active processes, detected AV products, and a list of installed applications. The bot may send this information to the C&C on command.

Fig.4: System debug information

Banking Backdoor

The bot is also capable of tracking if specific sites, namely financial institutions and services, are accessed, and may launch a proxy or remote access backdoor to steal information. Some targeted sites from the list are as follows (in the format of *[URL]*;[backdoor cmd][arguments]):

●*paypal.com*;socks_bc 5.{REMOVED}.250:7777

●*hxxps://www1.royalbank.com/cgi-bin/rbaccess/*;run_vnc

●*hxxps://easyweb.td.com/*;run_vnc

●*hxxps://www1.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain?product=5*;run_vnc

Crypto-Currency Wallet Stealing

The bot recursively scans the %AppData% directory looking for files with the name “wallet.dat”, “electrum.dat” or “wallet”. If any match is found, the contents of the file are read and encrypted, then stored into a temporary file for retrieval.

Fig.5: Wallet data to be retrieved

Conclusion

Grabbot was a relatively unknown bot in the past, but from our brief analysis of this new variant it is apparent that Grabbot now has the potential to be very dangerous. Although we are still investigating its current distribution method, Fortinet is able to detect this new variant and we will keep you updated on any further changes.

Sample MD5: d439c468d59f117c584bda463b03aea9

Sample SHA256: 6d8ce2d1b33ff42ba04ded09fe79cff158e6dfffa82f6ceada12f4fda6d0c221

Fortinet Detection Name: W32/Kryptik.VVV!tr