The end of Dreambot? Obituary for a loved piece of Gozi.

Dreambot seems to finally be out of service after +6 years of activity. The back-end servers of the botnet have been down for a few weeks now, the onion C&Cs are down too, and it seems that no new samples have been found in the wild since March 2020. The lack of new features? The multiplication of new Gozi variants? The huge rise of Zloader? COVID-19? We can’t be sure exactly what the cause of death was, but more and more indicators point at the end of Dreambot. Now, more than ever, the history of botnets is essential to a deep understanding of the evolving cyber-crime industry. It’s time to tell some stories we learned while researching this very interesting malware operation.

Mentioned publicly for the first time by IBM and detailed by Proofpoint and FoxIT, Dreambot was a botnet primarily used to commit bank fraud.

Based on the leaked source code of ISFB, Dreambot was simply another Gozi fork, but with a singular feature making it easy to identify: the support of Tor C&Cs.

Dreambot was a common banking trojan, having all the usual features:

Very popular in Japan, associated with URLZone, Dreambot was used in other parts of the world as well: USA, Canada, Europe, Asia, Australia.

- IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution
- Detection Content: Finding Ursnif Trojan Activity
- Banking Trojan Targets Czech and Slovenian Speakers
- Attack Vectors Behind Online Banking Malware “DreamBot” Targets Japan
- New Ursnif Campaign: A Shift from PowerShell to Mshta
- New Ursnif trojan variant targets ‘tens of thousands of users’ across Japan
- Dreambot Banking Trojan Delivered via Resume-Themed Email
- Polish malspam with XLS attachment pushes Ursnif
- Sophisticated Dropper Masqueraded as Fake DHL Invoice to Distribute Ursnif Malware
- Malvertising Chain Leads to the HookAds Campaign. RIG Drops Dreambot.

Since the Dreambot customer base was very volatile (some customers only stayed for a couple of months), it’s very likely that we also missed a lot of different campaigns. Customer volatility also makes it hard to measure the real number of victims, even though we counted more than a million infections worldwide just for 2019.

And if Dreambot was not hard enough to track, we also observed different clients of Dreambot reselling access to their C&C in order to share the fraud.

The best way to track a Dreambot customer (or another banking trojan, for that matter) is probably by following the webinject configurations. When you try to identify a Dreambot client by the SERPENT key used, time is a really important factor. Since the keys are always reused, a SERPENT key value from 2017 can (and probably is) still be in use in 2019, but not by the same Dreambot customer.

Examples of SERPENT keys observed in the wild:

Examples of onion domains observed in the wild:

Dreambot panels

Over time we observed 3 different versions of the Dreambot panel, always hosted on port 3000 of the C&C. Each customer seemed to be able to choose which version of the panel they wanted.

We managed to observe that Jer was defrauding different banks around the world, and it seems this was not even his main business.

One of the very important features of Dreambot is the capability to drop a 2nd stage implant on any infected bot. That feature opened all kinds of opportunities for the operators. After digging into Jer’s targets in 2018, we observed various victims (government organizations, large institutions, big companies) being infected at the same time by unknown 2nd stage implants. That behaviour led us to think that Jer was also probably reselling access to some of his valuable victims to other 3rd parties, which is something very common and profitable in the world of carders.

At the end of 2018, Jer left his old C&C for a new fresh server, with the latest version of the panel. His old server was then used by a new, very interesting carder.
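As an added example (not code from the original post), the tracking logic the SERPENT-key passage argues for, plus the "old server used by a new carder" observation: sightings are grouped by SERPENT key, but a key that goes quiet for longer than a chosen gap starts a new cluster, since the post says the same key turns up years later under a different customer; a second function then flags C&Cs that appear in more than one cluster. All keys, dates and .onion names below are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Sighting:
    seen: date         # day the webinject config was collected
    serpent_key: str   # key the config was encrypted with
    c2: str            # C&C observed alongside it (an .onion here)

# Constructed sightings for illustration; keys, dates and domains are made up.
SIGHTINGS = [
    Sighting(date(2017, 3, 2), "EXAMPLEKEY000001", "exampleaaaaaaaaa.onion"),
    Sighting(date(2017, 4, 15), "EXAMPLEKEY000001", "exampleaaaaaaaaa.onion"),
    Sighting(date(2019, 1, 20), "EXAMPLEKEY000001", "examplebbbbbbbbb.onion"),
    Sighting(date(2019, 2, 3), "EXAMPLEKEY000001", "examplebbbbbbbbb.onion"),
    Sighting(date(2019, 2, 10), "EXAMPLEKEY000002", "exampleaaaaaaaaa.onion"),
]

def cluster_customers(sightings, max_gap_days=90):
    """Group sightings by SERPENT key, then split each key's timeline wherever it
    goes quiet for longer than max_gap_days: the same key seen again after a long
    silence counts as a new customer. Clusters are returned sorted by first sighting."""
    by_key = defaultdict(list)
    for s in sightings:
        by_key[s.serpent_key].append(s)
    clusters = []
    for key, seen in by_key.items():
        current = None
        for s in sorted(seen, key=lambda x: x.seen):
            if current is None or (s.seen - current["last"]).days > max_gap_days:
                current = {"key": key, "first": s.seen, "last": s.seen, "c2s": set()}
                clusters.append(current)
            current["last"] = s.seen
            current["c2s"].add(s.c2)
    clusters.sort(key=lambda c: (c["first"], c["key"]))
    return clusters

def shared_c2s(clusters):
    """Map each C&C seen in more than one cluster to those clusters' indexes:
    infrastructure that changed hands between customers."""
    users = defaultdict(list)
    for i, c in enumerate(clusters):
        for c2 in c["c2s"]:
            users[c2].append(i)
    return {c2: idx for c2, idx in users.items() if len(idx) > 1}
```

With the constructed data the first key yields two clusters (2017 and 2019) and the first .onion is reported as shared between the 2017 cluster and the second key's cluster.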