Two months ago, the authorities in the Netherlands announced a massive takedown of the Bredolab botnet. Despite these efforts, the Bredolab Trojan is still spreading malware to users’ machines.
Unlike the Zeus or SpyEye Trojans, the Bredolab Trojan is pretty simple and has limited capabilities, similar to the Ofikla Trojan. Its functionality was reviewed in a very interesting and detailed blog post by Kaspersky Lab expert Alexei Kadiev, “End of the Line for the Bredolab Botnet?” Our post sheds light on additional aspects of Bredolab communication, its evasive techniques and its C&C functionality.
Let’s take a step by step look at how the Trojan operates.
Once the malware is executed, it copies itself to a temp folder and injects code into the “svchost.exe” process. It then generates a key and sends basic information.
The bot wraps up the data and sends it to the command and control server.
The following is a screenshot of Virus Total scan results (16/41) for the latest generated malware:
As mentioned, Bredolab, unlike the Zeus Trojan, doesn’t have local configuration files pre-generated by the malware operator. The Trojan operates like a Trojan dropper: it receives the malware, saves it to the hard disk or in memory as instructed by the Trojan operator, and then loads it.
Along with the Trojan itself, the operator manages the Trojan using a control panel called “BManager”, which contains the following functionality:
- Statistics of the controlled bots
- Download and execution of malware sent by the operator
- Management of the administration panel’s users
- Creation of bot commands
The BManager control panel provides real time information on the infected machines:
Besides statistics, the tool lets the administrator manage user accounts, with specific permissions for each section of the control panel.
As mentioned previously, the main objective of the tool is to download and execute malware onto the victim’s machine.
The control panel supplies the cybercriminal with a variety of capabilities, such as:
- Location to save the malware (Hard disk / Memory)
- Define specific regions that will or will not receive certain malware
- Time limit in which to execute the malware
Once the malware is successfully installed on the victim’s machine, it becomes much more complicated for AV companies to detect any activity committed by the Bredolab Trojan. Looking closely at the traffic sent from the server to the victim shows that the downloaded executable is encrypted in a unique way for each machine, rendering AV pattern detection on the traffic useless.
The screenshot above describes the information sent by the Command & Control server. The image shows that the server adds two additional parameters:
- “Rnd”: A number generated by the client, re-generated by the server, and sent back to the bot.
- “Magic-Number”: A new key generated by the server that is sent to the client to decrypt the malware.
The server uses the “Rnd” value sent by the bot to generate a new key. Meanwhile, it loads the malware relevant to that specific bot.
The new malware package is encrypted using the encryption key and sent to the bot along with the “Rnd” and the “Magic-Number” as described earlier.
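To make the exchange concrete, here is a small Python model of it, added as an illustration; it is not code from the original post, from M86, or from the malware itself. The post does not disclose the key derivation or the cipher, so the SHA-256 counter-mode keystream, the `derive_key` construction from “Rnd” and “Magic-Number”, and the `SAMPLE_PAYLOAD` and `SIGNATURE` byte strings are all assumptions or constructed values. The model shows two points a defender cares about: the same payload produces different bytes on the wire for every bot, so a byte signature matched against the traffic never fires; and, in this model where the key depends only on the two values the server sends in the same response, a full capture of the exchange is enough to recover the plaintext and scan it with the same signature.

```python
"""Model of the Bredolab download exchange described in the post.

Added example, not code from the original post or from the malware.
The real key derivation and cipher are not described in the post; the
SHA-256 keystream and derive_key() below are illustrative assumptions.
"""
import hashlib
import secrets
import struct

# Constructed stand-in for the downloaded executable; not a real sample.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 14 + b"CONSTRUCTED STAND-IN PAYLOAD, NOT A REAL BINARY" * 4
# A byte pattern a signature engine would look for in the plaintext payload.
SIGNATURE = b"STAND-IN PAYLOAD"


def keystream(key: bytes, length: int) -> bytes:
    """Expand `key` into `length` keystream bytes (SHA-256 in counter mode).
    Assumption: the post does not describe Bredolab's real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    """Combine data with a keystream of at least the same length."""
    return bytes(a ^ b for a, b in zip(data, ks))


def derive_key(rnd: int, magic_number: int) -> bytes:
    """Assumption: the per-bot key is built from the two values the server sends."""
    return struct.pack(">II", rnd, magic_number)


def bot_request(bot_id: str) -> dict:
    """Client side: the bot generates Rnd and sends it with basic machine info."""
    return {"bot_id": bot_id, "rnd": secrets.randbits(32)}


def server_response(request: dict, payload: bytes) -> dict:
    """Server side: generate Magic-Number, encrypt the payload for this bot only,
    and return Rnd, Magic-Number and the ciphertext in one response."""
    rnd = request["rnd"]
    magic_number = secrets.randbits(32)
    key = derive_key(rnd, magic_number)
    return {"rnd": rnd, "magic_number": magic_number,
            "body": xor_bytes(payload, keystream(key, len(payload)))}


def wire_signature_hits(responses: list, signature: bytes) -> int:
    """Detection attempt 1: match the signature against the bytes on the wire."""
    return sum(signature in r["body"] for r in responses)


def recover_payload(response: dict) -> bytes:
    """Detection attempt 2: rebuild the key from the captured response and decrypt."""
    key = derive_key(response["rnd"], response["magic_number"])
    return xor_bytes(response["body"], keystream(key, len(response["body"])))


def demo(n_bots: int = 3) -> dict:
    """Serve the same payload to n_bots bots and compare both detection approaches."""
    responses = [server_response(bot_request(f"bot-{i}"), SAMPLE_PAYLOAD)
                 for i in range(n_bots)]
    return {
        "distinct_wire_bodies": len({r["body"] for r in responses}),
        "wire_signature_hits": wire_signature_hits(responses, SIGNATURE),
        "recovered_signature_hits": sum(SIGNATURE in recover_payload(r) for r in responses),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports one distinct wire body per bot, zero signature hits on the wire, and one hit per bot once the bodies are decrypted from the captured responses. The practical lesson is the one the post draws: pattern matching has to happen on the decrypted payload, whether that is recovered from a capture as here or observed once the bot has loaded it on the victim, not on the bytes in transit.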
While instances of the Bredolab Trojan can still be found in the wild and are still used by cybercriminals, its prevalence is expected to decrease gradually over time.
– Daniel Chechik on M86 Security Labs Blog