Kaspersky researchers say the Trojan is not sold publicly

Dec 18, 2013 09:23 GMT  ·  By

Researchers from Kaspersky have come across a new piece of malware that hides its command and control infrastructure behind the Tor anonymity network. Hosting C&C servers inside Tor is becoming more common in malware; ZeuS and the Atrax crimeware kit have adopted it as well.

The threat, dubbed “ChewBacca,” is currently not available on public underground forums. Experts believe that the malware is either still in development, or sold only privately.

The Trojan has been written in Free Pascal 2.7.1 and is distributed as a 5 MB PE32 executable that also bundles Tor 0.2.3.25.

When it’s executed, ChewBacca (detected as Trojan.Win32.Fsysna.fej) drops an executable into the operating system’s “Startup” folder for persistence and looks up the victim’s public IP address via the ekiga.net/ip service. Only then is tor.exe dropped into the “Temp” folder and executed, so that IP lookup is the one part of the process that still travels outside Tor.

Once installed, the malware starts logging keystrokes to a file called “system.log,” which is later uploaded to the remote server over Tor.
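The infection chain described above leaves a defender with a handful of host and network artefacts to hunt for: an executable in the Startup folder, tor.exe running from Temp, a file named system.log, and one plain-HTTP request to ekiga.net/ip. The following is an added example, not code from the article or from Kaspersky’s report, that scores those indicators over a constructed host snapshot and proxy log. The file name dropped.exe, the user profile paths and the proxy log format are assumptions; the article does not say which directory system.log is written to, so only the file name is matched.

```python
# Added example (not code from the article or from Kaspersky's report): a host
# triage routine that scores the infection-chain indicators the article lists.
# All paths, process entries and log lines below are constructed samples.
import re
from dataclasses import dataclass, field

# Indicators taken from the article's description of the infection chain:
#  - an executable dropped into the user's Startup folder (persistence),
#  - tor.exe dropped into the Temp folder and executed,
#  - keystrokes written to a file named system.log (its directory is not
#    stated in the article, so only the file name is matched),
#  - the public IP lookup against ekiga.net/ip, which happens before Tor is
#    started and therefore is visible to an ordinary web proxy.
STARTUP_EXE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
TEMP_TOR_RE = re.compile(r"\\Temp\\tor\.exe$", re.IGNORECASE)
SYSTEM_LOG_RE = re.compile(r"\\system\.log$", re.IGNORECASE)
EKIGA_IP_RE = re.compile(r"ekiga\.net/ip", re.IGNORECASE)


@dataclass
class TriageResult:
    """Indicator name -> first piece of evidence that matched it."""
    hits: dict = field(default_factory=dict)

    @property
    def score(self) -> int:
        return len(self.hits)

    @property
    def suspicious(self) -> bool:
        # A Startup entry or a system.log alone is weak evidence; require at
        # least two independent indicators before flagging the host.
        return self.score >= 2


def triage_host(file_paths, process_images, proxy_log_lines) -> TriageResult:
    """Score one host's file listing, process image list and outbound proxy log."""
    result = TriageResult()

    def hit(name, evidence):
        result.hits.setdefault(name, evidence)

    for path in file_paths:
        if STARTUP_EXE_RE.search(path):
            hit("startup_exe", path)
        if TEMP_TOR_RE.search(path):
            hit("tor_in_temp", path)
        if SYSTEM_LOG_RE.search(path):
            hit("system_log", path)

    for image in process_images:
        if TEMP_TOR_RE.search(image):
            hit("tor_running_from_temp", image)

    for line in proxy_log_lines:
        if EKIGA_IP_RE.search(line):
            hit("ekiga_ip_lookup", line.strip())

    return result


# Constructed snapshot of an infected host. "dropped.exe" is a placeholder:
# the article does not name the executable placed in the Startup folder.
INFECTED_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropped.exe",
    r"C:\Users\alice\AppData\Local\Temp\tor.exe",
    r"C:\Users\alice\AppData\Local\Temp\system.log",
    r"C:\Windows\System32\notepad.exe",
]
INFECTED_PROCESSES = [
    r"C:\Windows\explorer.exe",
    r"C:\Users\alice\AppData\Local\Temp\tor.exe",
]
INFECTED_PROXY_LOG = [
    "2013-12-18 09:23:01 10.0.0.5 GET http://ekiga.net/ip 200",
    "2013-12-18 09:23:07 10.0.0.5 GET http://www.example.com/ 200",
]

# Constructed clean host: a Startup shortcut, a legitimately installed Tor
# Browser (tor.exe outside Temp) and ordinary browsing only.
CLEAN_FILES = [
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk",
    r"C:\Users\bob\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
]
CLEAN_PROCESSES = [r"C:\Windows\explorer.exe"]
CLEAN_PROXY_LOG = ["2013-12-18 09:25:00 10.0.0.6 GET http://www.example.com/ 200"]


def triage_infected() -> TriageResult:
    return triage_host(INFECTED_FILES, INFECTED_PROCESSES, INFECTED_PROXY_LOG)


def triage_clean() -> TriageResult:
    return triage_host(CLEAN_FILES, CLEAN_PROCESSES, CLEAN_PROXY_LOG)


if __name__ == "__main__":
    for label, result in (("infected", triage_infected()), ("clean", triage_clean())):
        print(f"{label}: score={result.score} suspicious={result.suspicious}")
        for name, evidence in result.hits.items():
            print(f"  {name}: {evidence}")
```

The proxy log is worth including because of the ordering the article gives: the ekiga.net/ip request is made before tor.exe is dropped and started, so it is the only part of the infection’s outbound traffic a web proxy will ever record; everything that follows, including the log upload, is wrapped in Tor.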

ChewBacca also contains an uninstall routine, so its operators can remove the Trojan from an infected machine on demand.

As for the command and control (C&C) infrastructure, the server is a LAMP installation running CentOS Linux, Apache 2.2.15, PHP 5.3.3 and MySQL. When the control panel is opened through Tor, the operator is presented with a login page.

The background image of the login screen shows ChewBacca of the “A Game of Clones” series.

The server exposes two PHP scripts. The first, sendlog.php, receives the uploaded keystroke log file. The second, recvdata.php, receives the data the Trojan collects on the infected machine by enumerating all running processes and reading their memory.

While Tor offers cybercriminals real advantages, chiefly hiding the location of the C&C server, it also has drawbacks. Connections through Tor are slower, and a large botnet’s traffic can degrade the entire network. As the Mevade case showed, such a surge in Tor clients is also conspicuous and quickly attracts the attention of security researchers.