CSIS researchers have observed the introduction of a new commercial crimekit being sold on several underground web forums. The kit is dubbed »Atrax«. It is cheap (the main platform costs less than $250), and it uses the TOR protocol for stealthy communication with the C&Cs from which it is intended to receive instructions, updates and new modules.
TOR-based bots are not new, but Atrax combines the power of crimeware and data-stealing capabilities with a lot of additional functions such as form grabbing, a DDoS module, a Bitcoin / Litecoin miner and data extraction for several popular browsers. Atrax is advertised as »the first public bot to support Windows 8«, which is perhaps not entirely correct, but let's play along.
- Download (over Tor), Execute (Commandline-Parameter allowed)
- Download (over Tor), Execute (Commandline-Parameter allowed) in memory
- Install Plugin
- Installation List (A list with all installed applications)
Apparently the author admits that the fairly big size of the main component (~1,2 MB) is due to TOR integration and x64/x86 code. However, a first-stage free assembler web downloader of ~2KB is also available, making the infection process slightly more lightweight.
The advertisement includes the following details:
The bot consists of a core and various plugins/addons. Each plugin/addon costs some money. Every plugin also communicates over tor.
Some basic features:
- Autostart, Persistence
- x86/x64 Code, x86/x64 Injection with Heavens Gate technique
- Anti-Analyzer (Protection against e.g. anubis.iseclab.org, malwr.com)
- If you need: Anti-VM (Please request it explicitly)
- Anti-Debug/Anti-Hook Engine
- Doesn't use suspicious Windows APIs like GetProcAddress/GetModuleHandle
- Plugins are saved to disk with AES-128-CBC encryption (random key)
- Communication over tor is already encrypted, so no extra communication encryption
- Every Plugin and the core are watermarked. Leak -> No updates/support. (All updates are free)
- Everything UNICODE
Addon - DDOS:
- Full IPv6 + IPv4 support.
- UDP Flood
- TCP Flood
- TCP Connect Flood (Some idiots call this »SYN-Flood«)
- HTTP Slowloris (based on http://ckers.org/slowloris/)
- HTTP RUDY (R-U-Dead-Yet, based on https://code.google.com/p/r-u-dead-yet/)
- HTTP File Download (Good if your target hosts a file >1MB)
- If you need some more methods, contact me.
Addon - Form Grabber:
- Firefox, Internet Explorer x86/x64, Chrome SSL HTTP POST Grabber
- Anti-Hook Engine (Removes hooks from other bots)
- Own Hook Engine (No copy/paste crap)
- Tested with Browser: Internet Explorer v7/v9/v10, Firefox v11/v21/v22/v24, Chrome v27/v30
- Tested with Website: PayPal, Amazon, Bitcoin.de, Mt. Gox, eBay, Googlemail, vBulletin Boards
- SPDY v3 support
- IE 7/8/9/10 (Enhanced) Protected Mode Support
- Grabs only important POST Form Requests.
- Searches automatically for Username/Password/Email and CC (Possible CC will be displayed in panel)
Addon - Socks 5 Reverse Socks:
- You need a 2nd VPS/dedicated Server to keep your main C&C server secure!
- Server is a Java application to achieve complete platform independence -> All OS supported!
- Socks 5 with and without authentication
- Controlled via tasks
- You can run different instances of the proxy server for different purposes
- Works on all clients because it is a reverse socks (No SSH crap!)
Plugin - Stealer:
- Steals all current browser versions.
- Steals: CHROME, FIREFOX, SAFARI, INTERNET EXPLORER, OPERA, FILEZILLA, PIDGIN, JDOWNLOADER v1 + v2, GIGATRIBE, THUNDERBIRD, WINDOWSKEY, FLASHFXP, ICQ, MSN, WINDOWS LIVE, OUTLOOK, PALTALK, STEAM Username Only, TRILLIAN, MINECRAFT, DYNDNS, SMARTFTP, WSFTP, Bitcoin Wallet (Armory, Bitcoin-Qt, Electrum, Multibit)
- If you need something more -> ask me.
- Special: JDownloader v1/v2, Bitcoin Wallet Stealer (whole wallet.dat will be uploaded), IE10 + IE11 support!
- Bitcoin / Litecoin Miner
- Hash Rate displayed in panel
- Based on Ufasoft Miner v0.68 (updated regularly)
- Mining with tasks:
Core: $250 (Launch price! Read information below)
Addon DDOS: $90
Addon Form Grabber: $300
Addon Reverse Socks: $400
Plugin Stealer: $110
Plugin Coin Mining: $140 (Experimental)
We are looking for active samples of this kit to fully understand its capabilities. Obviously, however, we are looking at a new crimeware kit with a lot of different functions and plugins.
The kit is designed both to be stealthy, using TOR to communicate with its C&Cs, and to be used to conduct DDoS attacks and systematically steal data from infected hosts.
Like many of these commercialized kits, Atrax comes with free updates, support and bug fixes. Interestingly, payments can only be made in Bitcoin.