CapFire4: Criminal Malware-as-a-Service Platform

Tuesday, June 26, 2012

Plagiarist Paganini


(Translated from the original Italian)

It’s not the first time we have discussed cyber crime, and in particular its organizational models.

Creative criminal services now offer almost any kind of support to organizations and individuals that want to conduct an attack against a specific target.

In the past, cyber criminals have used cloud architectures to rent out computational resources for powerful cyber attacks. Now these platforms are being used to run social networks for “customer care”, to develop file-sharing services, and to host hacking platforms that conduct automated pentests against targets.

An unusual discovery was made by a group of researchers at AlienVault, led by Alberto Ortega: a new service that offers cyber-attack tools and hosting as malware-as-a-service.

Once again, cyber crime is operating as an enterprise, offering products for the coordination of cyber attacks: malware spamming, malware hosting, and the building of a complete command and control (C&C) infrastructure for running botnets.

The service is called CapFire4, and it’s a good example of C2C (Cybercrime to Cybercrime). It provides technological support to criminals who lack the knowledge needed to conduct a cyber attack or arrange a cyber scam.


How is the service provided?

In the simplest terms, users get access to a web portal that lets them create customized versions of malware, plus a management console to control bots on infected networks. The portal’s owner markets it as a service to remotely control computers and recover passwords.

The service is cloud-based and gives users a payment platform for the generation and control of malware, and everything is documented with detailed tutorials.

The most popular malware on the portal are RATs (remote administration tools), software created to let the attacker spy on victims through keylogging, password harvesting, command execution, remote access and screen capture. These tools are continually updated and improved to meet customers’ requirements.

The platform also offers a hosting service for malware. Once logged in, the client can choose a destination for the agent from a list of fake domains that look like legitimate ones.


Of course, supplying such services requires highly skilled professionals, since the malware must evade antivirus and other defenses to be attractive to criminals. For this reason, the service also provides a rating of the detectability of the malware sold.


The platform also offers a management console for the malicious agents that uses HTTPS with a valid certificate, and the client can use it to gain complete control of an infected system.

Researchers have discovered that the address of the C&C machine is in Brazil and is always the same; communication between the agents and the C&C is done using HTTP and other protocols on port 9000 for command execution.

The researchers at AlienVault have provided useful information about the platform and the detection of the malware sold, posting details on the C&C used and on the registration of the fake domains used for hosting, and providing rules to detect the communication traffic and command execution requests.
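As an added example (not AlienVault’s rules, which this post does not reproduce), the script below turns the two facts above, plain HTTP on port 9000 and a fixed C&C address contacted repeatedly, into a simple beacon check over constructed Zeek-style connection records; the log format, the hosts and the placeholder address 203.0.113.7 are all assumptions.

```python
"""Flag HTTP-over-port-9000 C&C beacons in constructed Zeek-style conn records.
Added example, not AlienVault's detection rules; every host below is made up and
203.0.113.7 is a documentation placeholder for the fixed C&C address."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: ts  src  dst  dport  service
SAMPLE_CONN_LOG = """\
1340700000.0\t10.0.0.12\t203.0.113.7\t9000\thttp
1340700060.0\t10.0.0.12\t203.0.113.7\t9000\thttp
1340700120.0\t10.0.0.12\t203.0.113.7\t9000\thttp
1340700180.0\t10.0.0.12\t203.0.113.7\t9000\thttp
1340700005.0\t10.0.0.31\t93.184.216.34\t443\tssl
1340700010.0\t10.0.0.31\t10.0.0.5\t9000\t-
1340700020.0\t10.0.0.40\t198.51.100.9\t9000\thttp
"""

C2_PORT = 9000      # port reported for agent <-> C&C command traffic
MIN_HITS = 3        # fewer connections than this is not a beacon pattern
MAX_JITTER = 0.2    # allowed pstdev/mean of the gaps between connections

def parse_conn_log(text):
    """Yield (ts, src, dst, dport, service) tuples from tab-separated lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, service = line.split("\t")
        yield float(ts), src, dst, int(dport), service

def find_c2_beacons(text, port=C2_PORT):
    """Return {(src, dst): hits} for hosts talking HTTP to `port` on a
    regular cadence; both signals come from the article's description."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, service in parse_conn_log(text):
        # HTTP on the C&C port; Zeek marks unrecognised payloads with "-"
        if dport == port and service == "http":
            by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < MIN_HITS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:  # regular cadence
            findings[pair] = len(stamps)
    return findings
```

A single hit to port 9000 or traffic Zeek cannot classify as HTTP is deliberately left out, so the check is a triage aid to pair with the published C&C indicators rather than a replacement for them.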

Discoveries like these are of great concern for the following reasons:

  • The malware-as-a-service model is extremely dangerous because it links cyber crime to traditional crime, which until now has been excluded for lack of adequate technological knowledge. It completely changes the morphology of the crime scenarios, and these joint ventures attract capital and strengthen relations between criminal organizations.
  • Another concern arising from these services is their impact on the spread of malware, which is high. Many environments today are too vulnerable, and the scenarios that lie ahead are indeed worrying. Putting a check on these pathways of contamination is mission critical.
  • Criminal models such as the one introduced by CapFire4 make the production of malware affordable and also contribute to the diversification of the agents, making their detection more complex because of their subsequent reworking and improvement. These groups are led by professionals who are familiar with the detection mechanisms of the antivirus manufacturers. Malware spread in this way could be used by terrorists or other groups wishing to conduct cyber attacks, providing new and powerful weapons at low cost and without any special risk associated with their acquisition and use.


Cross-posted from Security Affairs

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.