Spambot safari #1 - Bombila

Hey! Let's go on a spambot safari. There is a lot of malware analysis on the Internet but very little about malware used for spamming (Necurs is a rare exception). Yet behind every big spam campaign there is a spambot, and this part of the campaign is often technically weak. It's easy to find a spambot. Most of the time, botmasters make the mistake of spreading the spambot's binary via the spam botnet itself. Because of the malware's communication, this mistake exposes the spambot architecture and allows us to analyze the CNC side. Looking for malware with SMTP communication on public sandboxes is another good way to find spambot samples. Here, I'll try to describe the "Bombila" spambot (БОМБИЛА). This malware was used for spreading Teslacrypt in 2016 (if you want to understand how weak spamming campaigns are, take a look at: https://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/). I'll try to give an overview of this malware. Sample: 6aa5fd384fbfe271a5000397e2e0c9d9e06dd5d041488e4f2de7ae3a4eb1589d
Silent_SMTP_Bruter.exe

The malware itself (Silent_SMTP_Bruter) is not really interesting and seems to be in development: a lot of bugs, poor string obfuscation, OutputDebugString calls, a log file created in C:\log.txt... Persistence is done via CurrentVersion\Run; there is no self-replication or hiding feature (the malware stays where you launch it). After some connection checks, the malware contacts the CNC over HTTP. If you kill the process with the task manager, the malware stops working. The CNC traffic is simple:
- A POST request $_POST['status'] every 5 minutes for sending bot status
- a GET request without parameters for retrieving new orders.
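The two-request beacon pattern described above (a status POST roughly every 5 minutes plus parameterless GETs to the same host) is something a defender can hunt for in proxy logs. The script below is an added example, not code from the original post or from the malware: it parses constructed proxy log lines (the log format, client addresses, hostnames and timestamps are all assumptions made for the example) and flags client/host pairs whose status POSTs recur with a tight ~300-second period, reporting alongside how many parameterless GETs the same pair made.

```python
"""Added example (not from the original post): hunt for the Bombila-style
beacon pattern over constructed proxy log lines.

Pattern described in the post:
  - a POST carrying a 'status' form field every ~5 minutes
  - GETs to the same host with no query string (order polling)
The log format, hosts and timestamps below are constructed for the example;
adapt parse_line() to your proxy's real format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log lines: timestamp, client, method, url, form field names ('-' if none)
SAMPLE_LOG = """\
2016-01-10T10:00:02 10.0.0.5 POST http://cnc.example/panel/gate.php status
2016-01-10T10:01:10 10.0.0.5 GET http://cnc.example/panel/gate.php -
2016-01-10T10:05:03 10.0.0.5 POST http://cnc.example/panel/gate.php status
2016-01-10T10:10:01 10.0.0.5 POST http://cnc.example/panel/gate.php status
2016-01-10T10:15:04 10.0.0.5 POST http://cnc.example/panel/gate.php status
2016-01-10T10:03:00 10.0.0.7 POST http://shop.example/cart status
2016-01-10T10:09:30 10.0.0.7 POST http://shop.example/cart status
2016-01-10T11:40:00 10.0.0.7 POST http://shop.example/cart status
"""

BEACON_PERIOD_S = 300   # 5 minutes, as the post describes
TOLERANCE_S = 30        # jitter tolerated around the period
MIN_BEACONS = 3         # at least 3 POSTs, i.e. 2 intervals to compare


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, method, url, fields = line.split()
    host = url.split("/")[2]
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "client": client,
        "method": method,
        "host": host,
        "url": url,
        "fields": set() if fields == "-" else set(fields.split(",")),
    }


def find_beacons(log_text, period=BEACON_PERIOD_S, tol=TOLERANCE_S):
    """Return {(client, host): (median_gap_seconds, parameterless_get_count)}
    for pairs whose 'status' POSTs recur at roughly `period` seconds."""
    posts = defaultdict(list)
    plain_gets = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = (rec["client"], rec["host"])
        if rec["method"] == "POST" and "status" in rec["fields"]:
            posts[key].append(rec["ts"])
        elif rec["method"] == "GET" and "?" not in rec["url"]:
            plain_gets[key] += 1

    hits = {}
    for key, stamps in posts.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Periodic only if the median sits on the expected period AND every
        # gap clusters tightly around it (a human shopping cart will not).
        if abs(med - period) <= tol and all(abs(g - med) <= tol for g in gaps):
            hits[key] = (med, plain_gets[key])
    return hits


if __name__ == "__main__":
    for (client, host), (gap, gets) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: status POST every ~{gap:.0f}s, {gets} plain GET(s)")
```

The shop.example client in the sample data also sends POSTs with a `status` field, but its gaps are irregular, so it is not reported; the cnc.example pair is. In a real deployment the threshold values and the `status` field name are the tuning knobs, and the GET count is a supporting signal rather than a requirement, since the post only says the order poll is parameterless.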
Not so boring malware

But the best part is not in the malware itself; it's the icon of the malware \o/. You can observe a funny behaviour: when you rename the binary, the binary's icon changes. It takes icons already present in the system icon cache. The hash is still the same (works on an up-to-date Windows 10 :]). It can be used to fool victims, because the malware takes on icons like a directory, a Word document, a txt file, etc. If we extract the icon from the binary's resources, I can reproduce the bug with the .ico file:
Crack the bot

During the Teslacrypt analysis I was able to dump the web panel. So, why not try to patch the bot to point at my own CNC and play with all the features? For that, we have to understand where the CNC is stored in the binary and patch it. There is a good resource about that on Xylibox, but in this case I'll use an easier way :]. In the binary we can see that the CNC is "obfuscated" (loc_4480D3). It's now easy to write a dirty Python script for encoding our CNC and patching the binary (offset 0x58488). Due to a stupid parsing error, the CNC must look like "http://domain.com/folder", without the trailing slash. With the panel, the botmaster can:
- upload email lists
- upload the subject, message, "from", headers, etc.
- retrieve statistics about the spam campaign
- retrieve some statistics about infected bots
- configure the campaign
After Teslacrypt?

I've tried to find other samples of this malware after the end of Teslacrypt. I've found another panel but nothing else. I think it would be easy to retrieve new samples via VTi. Some numbers to conclude (based on the webstat files found on the CNC): from December 2015 to February 2016, Bombila:
- was composed of ~10 000 bots
- had sent at least 10 million emails