Exclusive – CSE ZLab experts spotted a new Wonder botnet in the wild

Pierluigi Paganini October 23, 2017

The CSE CybSec Z-Lab Malware Lab spotted a new botnet, dubbed Wonder botnet, while it was investigating malicious code in the dark web.

While investigating the malicious code in the dark web, ZLab experts discovered a “NetflixAccountGenerator.exe” that promises to generate a premium account for Netflix services for free. Unfortunately, the software downloaded does not work as expected because it installs a BOT rather than create a desiderated account!

The malware researchers analyzed this “exe” file and discovered that the malware is not indexed yet: only one site on the Clearnet identified it as a threat after it was uploaded for the first time around September 20th, probably by the author in order to test its ability to remain stealth.

The analysis of the malware revealed it is a bot that belongs to an alive botnet dubbed by the experts Wonder botnet. The Command and Control is hidden behind a site that is the mirror of another one:

Wonder Botnet

Figure 1 – On the left the fake site; on the right the original site

Experts verified that the fake page “support.com” at the link “wiknet.wikaba.com” on the left side, point to the front-end of the botnet’s C2C.  The interesting thing is that every link on it refers to the original page, clicking on one links the researchers were redirected to the corresponding page on “support.com”.

The experts also discovered some hidden paths that contain the information and the commands used by the bots.

The malware is composed of two parts:

  • A Downloader: it is a .NET executable with the only purpose of downloading and executing the real bot code, uploaded on “pastebin.com/raw/E8ye2hvM”.
  • The real Bot: when it is downloaded and executed, it infects the host setting its persistence mechanisms and starts its malicious behavior schematized in the following figure:

wonder botnet

Figure 2 – Wonder Botnet’s behavior scheme

Further technical details, including IoCs and Yara rules are included in the report published by CSE Cybsec ZLab.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/Wonder_botnet_ZLab_report.pdf

About the author: Antonio Pirozzi

Principal Malware Scientist and Senior Threat Researcher for CSE CybSec Enterprise spa

Actually, he holds more than 10 Infosec International Certification, from SANS, EC-Council and Department of Homeland Security.
His experience goes beyond the classical Computer Security landscape, he worked on numerous projects on GSM Security, Critical Infrastructure Security,  Blockchain Malware, composition malware, malware evasion.

 

Luigi Martire is graduated in Computer Engineering at the University of Sannio. He’s part of University of Sannio Software Security Lab (ISWAT lab) and participated in some cyber security projects, among them “DoApp – Denial Of App”. Nowadays, he’s also Malware Analyst and Threat Researcher for Z-Lab, the malware lab of CSE CybSec Enterprise spa.

 

Antonio Farina is graduated in Computer Engineering at the University of Sannio. He’s part of University of Sannio Software Security Lab (ISWAT lab) and participated in some cyber security projects, among them “DoApp – Denial Of App”. Nowadays, he’s also Malware Analyst and Threat Researcher for Z-Lab, the malware lab of CSE CybSec Enterprise spa.

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Wonder botnet, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment