Grabbot is Back to Nab Your Data

Credit to Author: David Wang and He Xu | Date: Fri, 17 Mar 2017 10:59:31 -0700

Introduction

Fortinet has discovered a new botnet capable of stealing large amounts of user information, as well as remotely manipulating compromised machines. The malware appears to be based on an older botnet known as Grabbot, which was first discovered back in November of 2014. This new variant improves on that existing functionality while adding several dangerous new features. This blog aims to offer a quick insight into how Grabbot functions.

Replication

The bot can be found hosted on a number of compromised websites with a random filename. We currently suspect that Grabbot may arrive on these hosts through Exploit Kits or other malicious campaigns.

The bot may drop several files in the following paths:

● "%AppData%\{GUID}\{generated filename}.exe"

● "%AppData%\{GUID}\{generated filename}.bat"

● "%AppData%\{GUID}\{generated filename}"

Note that each generated filename is different, as it is generated using the host machine's System Volume Information. Several mutexes are created in the same way. Each dropped file also has its file time information set to match that of "cmd.exe" on the infected Windows system.

The malware creates the following registry entry to survive system reboots:

● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

○ {GUID} = "%AppData%\{GUID}\{generated filename}.exe"

During execution, the bot may inject the main payload into explorer.exe and delete the original file.
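The persistence artefacts above are narrow enough to hunt for: a Run value whose name is a GUID and whose data points to %AppData%\{same GUID}\<name>.exe, plus a dropped file whose modification time has been cloned from cmd.exe. The following Python is an added example for defenders, not code from Fortinet or from the malware; the registry entries, the GUID and the file names in it are constructed, and the winreg reader is only exercised on Windows.

```python
import os
import re
from typing import Iterable, List, Tuple

# GUID in registry-style braces, e.g. {7F0A2B3C-1D4E-4F5A-9B6C-7D8E9F0A1B2C}
GUID_RE = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"

# Value name must itself be a GUID ...
RUN_VALUE_NAME_RE = re.compile(rf"^{GUID_RE}$")
# ... and the data must be %AppData%\{GUID}\<file>.exe, either with the
# environment variable unexpanded or already expanded to the Roaming folder.
RUN_VALUE_DATA_RE = re.compile(
    rf'^"?(?:%APPDATA%|[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming)\\({GUID_RE})\\[^\\"]+\.exe"?$',
    re.IGNORECASE,
)


def suspicious_run_entries(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (name, data) Run values matching the Grabbot persistence pattern.

    The GUID used as the value name must be the same GUID used as the
    directory name, which is what the analysis describes.
    """
    hits = []
    for name, data in entries:
        if not RUN_VALUE_NAME_RE.match(name):
            continue
        m = RUN_VALUE_DATA_RE.match(data)
        if m and m.group(1).lower() == name.lower():
            hits.append((name, data))
    return hits


def read_run_key() -> List[Tuple[str, str]]:
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Windows only)."""
    import winreg  # only importable on Windows

    entries = []
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            entries.append((name, str(data)))
            index += 1
    return entries


def mtime_cloned_from(path: str, reference: str) -> bool:
    """True when the file's modification time equals the reference's, to the second.

    The analysis says dropped files copy cmd.exe's file times; on Windows you
    would compare creation time as well, which os.stat exposes as st_ctime there.
    """
    return int(os.stat(path).st_mtime) == int(os.stat(reference).st_mtime)


# Constructed sample Run values: one benign, two matching, one with a GUID mismatch.
SAMPLE_GUID = "{7F0A2B3C-1D4E-4F5A-9B6C-7D8E9F0A1B2C}"
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (SAMPLE_GUID, rf'"%AppData%\{SAMPLE_GUID}\xkqzv.exe"'),
    (SAMPLE_GUID, rf'"C:\Users\alice\AppData\Roaming\{SAMPLE_GUID}\xkqzv.exe"'),
    ("{11111111-2222-3333-4444-555555555555}",
     r'"%AppData%\{99999999-8888-7777-6666-555555555555}\abc.exe"'),
]

if __name__ == "__main__":
    for name, data in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print("suspicious Run value:", name, "->", data)
```

On a live host, feed `read_run_key()` into `suspicious_run_entries()` and then run `mtime_cloned_from()` against `C:\Windows\System32\cmd.exe` for each flagged executable; a benign autorun entry will rarely satisfy both checks.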

Browser Targeting

The bot enters a sleep loop and will not perform the rest of its functionality unless one of the following internet browsers is found in the active process list:

●Internet Explorer (iexplore.exe)

●Firefox (firefox.exe)

●Google Chrome (chrome.exe)

●Opera (opera.exe)

Anti-analysis measures

The bot also scans active processes for the presence of certain system analysis tools, such as Wireshark or Process Explorer. If any is found, the bot may branch into a fake set of behaviours instead of the actual payload.

Fig. 1: Searching for hashes of specific process names

Fig. 2: Part of the fake behaviour – Random domain name generation and contact

C&C Connection

Before the bot attempts to contact the command and control (C&C) server, it first makes a connection to www.microsoft.com to verify internet connectivity. If a connection can be established, the bot iterates through a list of possible C&C servers and contacts each until a response is received. The list of C&Cs observed in this sample is:

●http://de{REMOVED}is.site

●http://ge{REMOVED}et.site

●http://bi{REMOVED}ys.info

●http://on{REMOVED}nc.site

●http://de{REMOVED}is.info

●http://ss{REMOVED}rs.info

When a connection is established, the bot may attempt to download the following data files:

●/wordpress/ajax/d.dat

●/wordpress/ajax/e.dat

●/wordpress/ajax/f.dat

●/wordpress/ajax/out.dat

●/wordpress/ajax/g.dat

●/wordpress/ajax/h.dat

The files are saved on disk with a generated filename. Notably, the file "out.dat" is renamed to the executable file referenced in the autorun registry entry. All communication between the bot and the C&C is encrypted and carried over HTTP. For each C&C, the bot tries twice to establish a connection before moving on to the next one.
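The retrieval paths and the "try each C&C in turn" behaviour give a network defender two signals in web-proxy logs: any request for one of the /wordpress/ajax/*.dat paths, and one client fetching that path from several different hosts in quick succession. The Python below is an added example, not Fortinet's tooling; the log format (timestamp, client, method, URL, status) and the .invalid domains are constructed for the example, since the real C&C domains are redacted above.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed proxy-log format: "<ISO timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Data-file paths the analysis lists; a request for any of them is worth an alert.
BEACON_PATH_RE = re.compile(r"^/wordpress/ajax/(?:d|e|f|g|h|out)\.dat$", re.IGNORECASE)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("url"))
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "host": (url.hostname or "").lower(),
        "path": url.path or "/",
        "status": int(m.group("status")),
    }


def find_beacon_requests(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, host, path) for every request that fetches one of the known .dat paths."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and BEACON_PATH_RE.match(rec["path"]):
            hits.append((rec["client"], rec["host"], rec["path"]))
    return hits


def find_rotating_clients(lines: Iterable[str], min_hosts: int = 2) -> Dict[str, List[str]]:
    """Clients that fetched a beacon path from several distinct hosts.

    That pattern is what the C&C list walk looks like from the proxy: the same
    client asking for the same path on one host after another until one answers.
    """
    hosts = defaultdict(set)
    for client, host, _path in find_beacon_requests(lines):
        hosts[client].add(host)
    return {c: sorted(h) for c, h in hosts.items() if len(h) >= min_hosts}


# Constructed sample log: client 10.0.0.5 probes microsoft.com, fails twice
# against one C&C, then succeeds against a second; 10.0.0.9 is benign traffic.
SAMPLE_LOG = """
2017-03-15T10:01:02Z 10.0.0.5 GET http://www.microsoft.com/ 200
2017-03-15T10:01:03Z 10.0.0.5 GET http://cnc1.invalid/wordpress/ajax/d.dat 503
2017-03-15T10:01:04Z 10.0.0.5 GET http://cnc1.invalid/wordpress/ajax/d.dat 503
2017-03-15T10:01:05Z 10.0.0.5 GET http://cnc2.invalid/wordpress/ajax/d.dat 200
2017-03-15T10:01:06Z 10.0.0.5 GET http://cnc2.invalid/wordpress/ajax/out.dat 200
2017-03-15T10:02:00Z 10.0.0.9 GET http://intranet.example/wordpress/wp-admin/index.php 200
""".strip().splitlines()

if __name__ == "__main__":
    for hit in find_beacon_requests(SAMPLE_LOG):
        print("beacon request:", hit)
    print("clients walking a C&C list:", find_rotating_clients(SAMPLE_LOG))
```

The path match alone will fire on a legitimate WordPress site only if it serves those exact file names under /wordpress/ajax/, which is rare; the host-rotation check adds confidence and also surfaces C&C domains that are not yet on a blocklist.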

Fig. 3: C&C communication

C&C Commands

The botnet is capable of responding to the following commands:

Compared to the previous known version of Grabbot, there are several new commands labeled “conf_update2”, “install_bd1”, “grab_pop”, “run_plugin_exe” and “run_plugin_dll”.

Sending Back Debug Information

The bot is able to extract current system information, including a list of active processes, detected AV products, and a list of installed applications. The bot may send this information to the C&C on command.

Fig. 4: System debug information

Banking Backdoor

The bot is also capable of tracking whether specific sites, namely those of financial institutions and services, are accessed, and may launch a proxy or remote access backdoor to steal information. Some targeted sites from the list are as follows (in the format *[URL]*;[backdoor cmd] [arguments]):

●*paypal.com*;socks_bc 5.{REMOVED}.250:7777

●*https://www1.royalbank.com/cgi-bin/rbaccess/*;run_vnc

●*https://easyweb.td.com/*;run_vnc

●*https://www1.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain?product=5*;run_vnc
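The target list uses a simple line format: a URL glob in which only "*" is a wildcard, a semicolon, then the backdoor command and its arguments. A parser for it is useful when extracting this configuration from a sample for blocklisting or for alerting on the targeted URLs. The Python below is an added example, not code from Fortinet or from the bot; it treats "?" and "." in the URL as literal characters (the bmo.com entry contains a "?" that a naive fnmatch-style glob would turn into a single-character wildcard), and the sample config repeats the four entries above with the redacted address left as printed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TargetRule:
    pattern: str   # URL glob as written in the config, e.g. *paypal.com*
    command: str   # backdoor command, e.g. socks_bc or run_vnc
    args: str      # remaining arguments, possibly empty


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile the config's glob: '*' matches anything, every other character is literal."""
    pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def parse_rule(line: str) -> TargetRule:
    """Parse one '*[URL]*;[cmd] [arguments]' line."""
    pattern, sep, rest = line.strip().partition(";")
    if not sep or not pattern:
        raise ValueError(f"not a target rule: {line!r}")
    command, _, args = rest.strip().partition(" ")
    if not command:
        raise ValueError(f"rule has no command: {line!r}")
    return TargetRule(pattern.strip(), command, args.strip())


def parse_config(text: str) -> List[TargetRule]:
    """Parse a whole target list, skipping blank lines."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def match_url(rules: List[TargetRule], url: str) -> Optional[TargetRule]:
    """Return the first rule whose glob matches the URL, as the bot would select it."""
    for rule in rules:
        if glob_to_regex(rule.pattern).match(url):
            return rule
    return None


# Constructed sample config: the four entries quoted in the analysis, address redacted as printed.
SAMPLE_CONFIG = """
*paypal.com*;socks_bc 5.{REMOVED}.250:7777
*https://www1.royalbank.com/cgi-bin/rbaccess/*;run_vnc
*https://easyweb.td.com/*;run_vnc
*https://www1.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain?product=5*;run_vnc
"""
RULES = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for url in ("https://www.paypal.com/signin", "https://easyweb.td.com/", "https://example.com/"):
        rule = match_url(RULES, url)
        print(url, "->", f"{rule.command} {rule.args}".strip() if rule else "no rule")
```

Feeding the parsed patterns into a proxy or EDR rule as "watch these URLs on hosts showing the persistence artefacts" is more useful than blocking them outright, since the URLs themselves are legitimate banking sites.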

Crypto-Currency Wallet Stealing

The bot recursively scans the %AppData% directory looking for files with the name “wallet.dat”, “electrum.dat” or “wallet”. If any match is found, the contents of the file are read and encrypted, then stored into a temporary file for retrieval.

Fig. 5: Wallet data to be retrieved

Conclusion

Grabbot was a relatively unknown bot in the past, but from our brief analysis of this new variant it is apparent that Grabbot now has the potential to be very dangerous. Although we are still investigating its current distribution method, Fortinet is able to detect this new variant and we will keep you updated on any further changes.

Sample MD5: d439c468d59f117c584bda463b03aea9

Sample SHA256: 6d8ce2d1b33ff42ba04ded09fe79cff158e6dfffa82f6ceada12f4fda6d0c221

Fortinet Detection Name: W32/Kryptik.VVV!tr
