Danchev recently observed a new modular malware platform specifically designed to provide a series of powerful features through a user-friendly interface. The application is equipped with modules for its principal functionalities, including Loaders, Injects, DNS Changer and Ransomware. The malware that can be composed with it may be used to steal sensitive information from victims or to completely block their Internet access, and attackers can count on a feature that would allow them to hijack any sort of encrypted session taking place on the affected host.
The new modular malware platform also allows remote control of victims, with the possibility of including in the malicious code several upcoming modules such as stealth VNC and Remote IE.
The following image shows the command and control interface. The console appears very intuitive and demonstrates the effort spent by the authors to provide a ready-to-use modular malware platform for cybercriminals who intend to conduct malware-based attacks, integrating the produced malicious code with existing crimeware.
With the price of the standard package for the Modular Malware Platform at $1,500, the authors offer the general availability of 24/7/365 managed malware crypting services, “applying the necessary degree of QA (Quality Assurance) to a potential campaign before launching it”. The modularity of the platform and the scalability it offers give the authors the possibility of proposing continuous updates to the product with the aim of improving its efficiency. Danchev highlighted that the platform is still a work in progress and that new improvements could be available on the black market soon.
“Furthermore, with or without the full scale modularity in place — some of the modules are currently in the works, as well as the lack of built-in renting/reselling/traffic acquisition/affiliate network type of monetization elements, typical for what can be best described as platform type of underground market release compared to a standalone modular malware bot, the bot’s worth keeping an eye on,” wrote Danchev.
The post ends with a mention of a real case that proves the diffusion of malicious code controlled by the latest version of the modular malware platform.
“The DNS Changer IP seen in the screenshot 22.214.171.124 (62-76-176-214.clodo.ru), can also be connected to related malicious activity. For instance, MD5: cef012fb4fa7cd55f04558ecee04cd4e is known to have previously phoned back to 126.96.36.199. And most interestingly, according to this assessment, next to phoning back to 188.8.131.52, the following malicious domains are also known to have been used as C&Cs by the same sample:
6r3u8874dfd9.com – known to have responded to 184.108.40.206
r55u87799hd39.com – known to have responded to 220.127.116.11
The following malicious MD5s are also known to have phoned back to the same C&C IP (18.104.22.168) since the beginning of the month:
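The indicators quoted above (a DNS Changer IP, two C&C domains, further C&C IPs and one MD5) are the kind of data a defender would load into a log-matching check. The following Python script is an added example written for this page, not code from the post or from Danchev's analysis: it copies the indicators exactly as they are printed here, scans a handful of constructed resolver, proxy and endpoint log lines for them, and separately flags a host whose configured resolvers differ from an approved list, which is the visible effect of a DNS Changer module. All log lines, host names, internal addresses and the approved-resolver list are constructed sample values.

```python
import re
from ipaddress import ip_address

# Indicators copied from the post as printed there (they are not claimed to be current or complete).
IOC_IPS = {
    "22.214.171.124", "126.96.36.199", "188.8.131.52",
    "184.108.40.206", "220.127.116.11", "18.104.22.168",
}
IOC_DOMAINS = {"62-76-176-214.clodo.ru", "6r3u8874dfd9.com", "r55u87799hd39.com"}
IOC_MD5S = {"cef012fb4fa7cd55f04558ecee04cd4e"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def domain_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def indicators_in_line(line):
    """Return (kind, value) pairs for every indicator found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        try:
            ip_address(ip)          # drop regex matches that are not valid addresses
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        if domain_matches(host, IOC_DOMAINS):
            hits.append(("domain", host.lower()))
    for digest in MD5_RE.findall(line):
        if digest.lower() in IOC_MD5S:
            hits.append(("md5", digest.lower()))
    return hits


def scan_logs(lines):
    """Scan log lines; return [(line_number, kind, value), ...] with 1-based line numbers."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, value in indicators_in_line(line):
            findings.append((n, kind, value))
    return findings


def unexpected_resolvers(configured, approved):
    """DNS Changer check: resolver addresses configured on a host that are not approved."""
    return sorted(set(configured) - set(approved))


# Constructed sample input (not from the page): resolver log, proxy log, endpoint hash
# record, and the resolver configuration read from one workstation.
SAMPLE_LOGS = [
    "2013-05-02T10:01:12 resolver query client=10.0.0.15 qname=www.example.com type=A",
    "2013-05-02T10:01:40 resolver query client=10.0.0.15 qname=cdn.6r3u8874dfd9.com type=A",
    "2013-05-02T10:02:05 proxy client=10.0.0.22 dst=184.108.40.206:443 method=CONNECT",
    "2013-05-02T10:03:30 edr host=ws-07 file=C:\\Users\\a\\x.exe md5=CEF012FB4FA7CD55F04558ECEE04CD4E",
    "2013-05-02T10:04:00 resolver query client=10.0.0.31 qname=mail.example.org type=MX",
]
HOST_RESOLVERS = ["10.0.0.2", "22.214.171.124"]   # constructed; second entry is the post's DNS Changer IP
APPROVED_RESOLVERS = ["10.0.0.2", "10.0.0.3"]      # constructed approved list

if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {value}")
    for r in unexpected_resolvers(HOST_RESOLVERS, APPROVED_RESOLVERS):
        print(f"resolver {r} is not approved; possible DNS Changer activity")
```

Domain matching deliberately accepts subdomains, since a C&C name usually appears in resolver logs under whatever label the sample prepends; the MD5 comparison is case-insensitive because endpoint tools differ in how they print digests.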
The cybercrime industry never stops, and its capability to tailor its offer to the mutating needs of the cybercriminal community is no longer a surprise. Thanks to the wide range of DIY tools and hacking services available on the black market, even criminals without particular skills can create serious problems.
(Security Affairs – Modular Malware Platform, cybercrime)