In our recent Cybercrime Intelligence report, we described the business side of the Golden Cash botnet.
In this blog post, we will provide you with more technical information about the botnet C&C server and the attack lifecycle.
Here is how it works:
A user visits a legitimate compromised website which contains malicious Iframe. This Iframe causes the victim’s browser to pull the exploit code from a server armed with the exploit toolkit.
Upon successful exploitation, a special build of a Trojan, created for the attacker, is being pulled from Golden Cash server. Once installed, the Trojan reports back to the Golden Cash server and the attacker’s account at Golden Cash is credited with currency.
The first instruction sent by Golden Cash to the victim’s machine, is to install an FTP-grabber (to steal FTP-credentials). Our research found about 100,000 stolen FTP-credentials on the Golden Cash server.
The victim’s machine is now in a pool of infected machines controlled by Golden Cash and being auctioned to other criminals, using a different website for buyers. From time to time, the victim’s machine gets instructions to install malware on behalf of the criminal-customer. The Trojan on the victim machine reports back to Golden Cash on each successful installation of the customer’s malware and the criminal-customer account is charged with currency. The victim machine is back in the ‘available for more infections’ pool.
One interesting discovery that was found indicated that the botnet’s command and control server uses another website as a proxy that tunnels the bots communication to and from the C&C server. By applying this technique the C&C server remained ‘protected’ and undetected by security vendors for a longer time. In fact, we found Zeus Trojan logs on the C&C server from June 2008. Normally, we find logs that are about 3-4 month old.
As noted above, the botnet spreads using distributors. For each distributor, a special bot build is created. The special build assists the cybercriminal to track the installations of each distributor.
Following is a screenshot of Virus Total scan results (26/40) for one of those builds:
For managing and building the bots, the cybercriminals utilized the notorious “Zalupko” Trojan. Below is a screenshot taken from the admin panel:
The system is set up in such a way, that only bots communicating with the C&C server in the previous 15 days are counted; bots that didn’t communicate in this period of time were removed from the database.
Zalupko has “built-in” FTP-grabbing capabilities that were utilized by the cybercriminal to steal around 100k FTP-credentials:
Some of the stolen FTP-credentials were used to inject malicious Iframe to the webpages that were stored on the FTP server. The reason for this was to infect more machines and generate organic growth.
The C&C server is hosted in Texas, US; the registrant country is China.
The “proxy’ website that tunnels traffic to the C&C server is hosted in Krasnodar, Russia.
Posted by Golan Yosef