Cybercriminals often rely on legitimate services for communications between their command and control (C&C) servers and the malware they develop. One such example is Win32/Jabberbot.A, malware that uses the Extensible Messaging and Presence Protocol (XMPP), better known as the Jabber protocol.
ESET researchers explain that Jabberbot has been mainly targeting users from Ukraine, but they’re uncertain how it’s spread.
For communications, Jabberbot uses one shared account on all the infected hosts, firstname.lastname@example.org. Each instance generates one pseudorandom resource identifier, which the botmaster uses to address each individual bot.
From a master Jabber account, the cybercriminal sends instructions to delete files, execute system commands, open files, download remote files, or upload files from the infected hosts.
No encryption and no authentication are used, despite the fact that the XMPP protocol and the jabber.ru service support Transport Layer Security (TLS).
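The two design traits described above, one bare Jabber account logged in from many hosts with a distinct resource per bot and sessions that never negotiate TLS, are both visible to a network monitor. The following is an added example, not code from the original article or from ESET, that applies those two checks to a handful of constructed XMPP session records; the record field names (`src`, `jid`, `starttls`), the account names and the `jabber.example` domain are assumptions made for the example.

```python
from collections import defaultdict


def split_jid(full_jid):
    """Split 'user@domain/resource' into (bare JID, resource).

    A JID without a '/' has an empty resource (RFC 6120 addressing)."""
    bare, _sep, resource = full_jid.partition("/")
    return bare, resource


# Constructed sensor records (not real traffic): one per XMPP client session
# observed by a network monitor. Field names are assumptions for this example.
SESSIONS = [
    {"src": "10.0.0.11", "jid": "botacct@jabber.example/a8f3k2", "starttls": False},
    {"src": "10.0.0.12", "jid": "botacct@jabber.example/zq91pd", "starttls": False},
    {"src": "10.0.0.13", "jid": "botacct@jabber.example/m44t0x", "starttls": False},
    {"src": "10.0.0.14", "jid": "botacct@jabber.example/7hhc2e", "starttls": False},
    {"src": "10.0.0.20", "jid": "alice@jabber.example/laptop", "starttls": True},
    {"src": "10.0.0.21", "jid": "alice@jabber.example/phone", "starttls": True},
    {"src": "10.0.0.30", "jid": "bob@jabber.example", "starttls": True},
]


def sessions_by_account(sessions):
    """Group sessions under their bare JID, recording the source hosts, the
    resource identifiers seen, and how many sessions skipped STARTTLS."""
    accounts = defaultdict(
        lambda: {"hosts": set(), "resources": set(), "plaintext": 0, "total": 0}
    )
    for s in sessions:
        bare, resource = split_jid(s["jid"])
        entry = accounts[bare]
        entry["hosts"].add(s["src"])
        entry["resources"].add(resource)
        entry["total"] += 1
        if not s["starttls"]:
            entry["plaintext"] += 1
    return accounts


def find_c2_candidates(sessions, min_hosts=3):
    """Return [(bare_jid, [reasons])] for accounts that look like a shared bot
    account: the same bare JID used from at least min_hosts distinct hosts.

    A legitimate user occasionally logs in from two or three devices, so the
    threshold is a tunable assumption. Missing STARTTLS on every session is
    recorded as an aggravating reason rather than a finding on its own."""
    findings = []
    for bare, e in sorted(sessions_by_account(sessions).items()):
        if len(e["hosts"]) < min_hosts:
            continue
        reasons = [
            f"shared account: {len(e['hosts'])} hosts, {len(e['resources'])} resources"
        ]
        if e["plaintext"] == e["total"]:
            reasons.append(f"no STARTTLS on {e['total']} of {e['total']} sessions")
        findings.append((bare, reasons))
    return findings


if __name__ == "__main__":
    for jid, reasons in find_c2_candidates(SESSIONS):
        print(jid)
        for r in reasons:
            print("  -", r)
```

On the constructed records only `botacct@jabber.example` is reported: four hosts share it, each with its own resource, and none of its sessions negotiated TLS, while the two legitimate accounts stay below the host threshold and use STARTTLS.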
This particular threat is not sophisticated and the botnet can be easily taken down. However, experts highlight that Jabberbot demonstrates that XMPP can serve as a reliable C&C infrastructure if a proper design is implemented.
Here is the detailed analysis made by ESET.