New Malware Uses Tor

Wednesday, December 18, 2013 @ 01:12 PM gHale

The Tor anonymity network is truly getting a malicious workout these days as another new piece of malware is using it to host its infrastructure.

Tor use is being integrated into more pieces of malware, including ZeuS and the Atrax crimeware kit, said researchers at Kaspersky Lab.

The threat, called “ChewBacca” by the Kaspersky folks, is currently not available on public underground forums. Researchers said the malware is either still in development, or the developers are selling it privately.

The Trojan is built with Free Pascal 2.7.1 and is distributed as a 5 Mb PE32 executable file that also includes Tor.

When executed, ChewBacca (Trojan.Win32.Fsysna.fej) drops an executable in the operating system’s “Startup” folder and obtains the victim’s IP address via the service. Next, tor.exe drops into the “Temp” folder and executes.

Once it settles in on a device, the malware starts logging keystrokes into a file called “system.log.” The file later uploads to a remote server.
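As an added example (not from the original article or from Kaspersky), the sketch below correlates the three host behaviours described above: an executable created in a Startup folder, tor.exe started from a Temp folder, and writes to a file named system.log. The event tuple format, host names, paths and the two-behaviour threshold are assumptions made for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events (host, action, path); not from a real incident.
SAMPLE_EVENTS = [
    ("pc-01", "file_create",
     r"C:\Users\amy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"),
    ("pc-01", "process_start", r"C:\Users\amy\AppData\Local\Temp\tor.exe"),
    ("pc-01", "file_write", r"C:\Users\amy\AppData\Local\Temp\system.log"),
    # Legitimate Tor Browser install: tor.exe, but not run from Temp.
    ("pc-02", "process_start",
     r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe"),
    # Unrelated software that happens to write a file named system.log.
    ("pc-03", "file_write", r"C:\ProgramData\vendor\system.log"),
]

def classify(action, path):
    """Return the behaviour name an event matches, or None."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    name = parts[-1] if parts else ""
    dirs = parts[:-1]
    if action == "file_create" and name.endswith(".exe") and "startup" in dirs:
        return "exe_in_startup"
    if action == "process_start" and name == "tor.exe" and "temp" in dirs:
        return "tor_from_temp"
    # The file name alone is a weak signal, so it only counts in combination.
    if action == "file_write" and name == "system.log":
        return "system_log_write"
    return None

def suspicious_hosts(events, threshold=2):
    """Map each host with >= threshold distinct behaviours to those behaviours."""
    seen = defaultdict(set)
    for host, action, path in events:
        hit = classify(action, path)
        if hit:
            seen[host].add(hit)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

if __name__ == "__main__":
    for host, hits in suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, hits)
```

Requiring more than one behaviour per host keeps a legitimate Tor Browser install or an unrelated system.log file from raising an alert on its own.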

Another important function integrated into ChewBacca is the one that enables cybercriminals to uninstall the threat.

As far as the command and control (C&C) infrastructure goes, the server is a LAMP installation running Linux CentOS, Apache 2.2.15, PHP 5.3.3 and MySQL. When the user interface opens via Tor, the user gets a login prompt.

The background image of the login screen shows ChewBacca of the “A Game of Clones” series.

The server hosts a couple of PHP scripts. One of them, sendlog.php, facilitates the uploading of the file in which the stolen information ends up stored. The second file, recvdata.php, is for exfiltrating data obtained after enumerating all running processes and reading their process memory.

While Tor offers a lot of advantages for cybercriminals, it also has some drawbacks. The most glaring is that it is slower. Furthermore, more botnet activity could have an impact on the entire network, and similar to the case of the Mevade malware, it could attract the attention of security researchers.
