Tuesday, June 7, 2016

MMD-0054-2016 - ATMOS botnet and facts you should know



from Malware Must Die!

The background

This post is about recent intelligence and information on the newly emerged botnet named "Atmos".

For reference, the first publicity and thorough technical analysis of the threat was posted by Xylit0l [link] on the Xylibox blog [link]. That post contains good details and screenshots of the botnet. I strongly recommend that you take a look at his post before reading this one, or before you google the Atmos botnet, so that you have a good and correct background on this threat beforehand; this goes especially for sysadmins and incident response teams.

To add a few words: as a known expert in the field of this particular threat, Xylit0l has strong dedication in following the growth of the stealer tools used by cyber criminals, from Zeus, SpyEye and Carberp to Citadel with its variants, then KINS and ZeusVM, to now Atmos. He knows exactly which versions exist and what is needed to decode the encrypted configuration of each version. You can follow his research on SpyEye, Citadel, KINS, Carberp, ZeusVM and now the Atmos botnet on our beloved whitehat gathering site kernelmode, or on Xylibox.

Personally I feel this man deserves acknowledgement and respect for what he contributes, openly and freely, to help all folks in the security community secure our cyber space from real criminal acts. He doesn't know I am writing this, since if he knew he would yell at me not to.

Okay, so why am I posting this?

Our team bumped into this threat as it has emerged very rapidly in some aggressive campaigns, and some recent facts about Atmos found in our real investigations need to be brought to the surface to support several IR cases on the issue, since this threat is literally bypassing some security measures. You will see snippets of PoC of the campaign and of the infections we handled in the following sections.

What is it, and where did the Atmos name come from?

I'll keep this explanation short: Atmos is an evolution of the credential-stealer toolkit, built with complete facilities for a crimeboss herder. Period.

Atmos can be used as a hacktool or as a RAT, but it is built in the form of a credential grabber, with an added screenshot/video-capture surveillance center, and can also serve as a deployment center for further distribution of malware payloads. Atmos has a web panel, a server that handles the remote requests for its infection functionality, and a binary builder facility. Originating from multiple code leaks from Zeus/Carberp/Citadel/KINS, the author managed to wrap all the bad functions of the previous "brands" into one package, with a few additional handy crime-specific tools as "added value", such as a crypter interface, a scan4you interface, a jabber interface, and even an interface for balance management within a group, and so on.

Like the Zeus or Citadel banking credential-stealer botnets, Atmos is basically sold on a license basis to its trusted distributors, yet apparently the distributors also recruit re-sellers for their campaign; we will come to the selling scheme of this threat at the end of the post.
The name Atmos comes from the author of this package. It is visually recognizable if you face this threat, as shown clearly in each of the screenshots below:

In the server console:

In the builder:

In the WebUI interface:

Or, in the infection intercept module original names:

This name wasn't known in the antivirus ("AV" in short) industry for around 1 or 2 months after it was initially spotted by Xylit0l, so many AV products labelled the detected malware as Trojan.Agent.something, or even as Citadel or Zeus, etc. I recall well that Xylit0l made an effort to contact the AV vendors and advise them of the correct name during late 2015, when it first appeared. He did the same when KINS was first spotted.

The campaign & new version released in June 2016

Atmos distributors have recently been on steroids pushing their campaign in several monitored blackhat forums since early 2016. Some of the latest details concern the new version released this month, June 2016. To cut the crap, I am sharing some securely taken screenshots of the campaign below:


Several facts of Atmos that we all need to know

This is the boring part unless you love cracking the encryption of credential-grabber families. Some of the facts posted here might help you in figuring out its encrypted data.

Russian language comments:

"Online" encryption functions:

Where the goodies are:

The "config" download traffic is something like this:

About this configuration data: it was spotted in the campaign aiming at the USA, and we reported all data accordingly. We found that the majority of the compromised desktop and server accounts on US network nodes were hacked by actors in Turkey, and the name of this config is one piece of evidence of the targeted effort.

Atmos interception modules

During an infection, the Atmos CNC serves modules that intercept and spy on traffic from the victims, which are then installed in the compromised Windows system. For example, these three modules:

PoC of the traffic during download; note the module and the file type used:


No AV can detect these modules yet, even though some AV vendors have published research about the Atmos botnet. The hashes are:


74e7744a8660940da4707c89810429780d23f9ea6650be3d270264743835f39a video module
40160debd0a3b6a835e003ecf49c712c1ecd356d1037bcd46c8930ca206f6867 RAT/VNC module
58b44c86e77461c4df3fc44c98890e30675d6ece3df07a69c30590bd7953e7d9 Firefox cookie module

Zero detection PoC:

Note 1: The VT result is now showing actual detection by Windows antivirus, okay.
Note 2: The botnet CNC screenshot below shows clients infected with these modules even though their PCs have the following antivirus products installed:
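For incident responders who want to hunt for these three modules on a host or file share, here is an added example of a hash-based IoC sweep. It is not code from the original post or from the MMD team; the three SHA-256 values are the ones listed above, while the directory layout, file names and file contents in the demo are constructed for illustration.

```python
"""Sweep a directory tree for files whose SHA-256 matches a known Atmos module hash.

Added example, not code from the original post. The three hashes are the ones
listed in the post; the sample directory and files below are constructed.
"""
import hashlib
import os
import tempfile

# SHA-256 hashes of the Atmos interception modules listed in the post.
ATMOS_MODULE_HASHES = {
    "74e7744a8660940da4707c89810429780d23f9ea6650be3d270264743835f39a": "video module",
    "40160debd0a3b6a835e003ecf49c712c1ecd356d1037bcd46c8930ca206f6867": "RAT/VNC module",
    "58b44c86e77461c4df3fc44c98890e30675d6ece3df07a69c30590bd7953e7d9": "Firefox cookie module",
}


def sha256_file(path, chunk_size=1 << 20):
    """Return the lowercase hex SHA-256 of a file, hashing in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ioc_matches(root, ioc_hashes=ATMOS_MODULE_HASHES):
    """Walk `root` and return a list of (path, sha256, label) for every file whose hash is in `ioc_hashes`.

    Files that cannot be read (permissions, vanished mid-walk) are skipped so one
    bad file does not abort the whole sweep.
    """
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip broken symlinks, devices, etc.
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            label = ioc_hashes.get(digest)
            if label is not None:
                matches.append((path, digest, label))
    return matches


def demo():
    """Constructed demo: one benign file plus one file whose hash is added to the IoC table to show a hit.

    Returns a list of (relative path, label) for every match found.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "wb") as fh:
            fh.write(b"nothing to see here\n")  # constructed benign content
        suspect = os.path.join(tmp, "sub", "module.dll")
        os.makedirs(os.path.dirname(suspect))
        with open(suspect, "wb") as fh:
            fh.write(b"constructed sample content\n")  # constructed, not a real module
        # Extend the IoC table with the constructed sample's hash so the sweep has something to find.
        iocs = dict(ATMOS_MODULE_HASHES)
        iocs[sha256_file(suspect)] = "constructed test sample"
        hits = find_ioc_matches(tmp, iocs)
        return [(os.path.relpath(path, tmp), label) for path, _digest, label in hits]


if __name__ == "__main__":
    for rel_path, label in demo():
        print(f"IOC hit: {rel_path} -> {label}")
```

In a real sweep you would point `find_ioc_matches` at the suspect profile or system directories and leave the IoC table as the three module hashes; a hash match is only a first triage signal, since a rebuilt module will carry a different hash, so a miss does not clear the host.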

PoC of the Atmos botnet as a cybercrime tool with RAT function

Following on from the last line of the previous section, this video shows many Windows PCs and servers with recorded video sessions from the CNC server. The detailed information in this video has been handed to law enforcement accordingly. This video shows us how the evolution of crime tools is becoming more sophisticated: not only infecting the victims, but spying on them too. None of this is detected by the antivirus protection currently installed on these victims.

Note: Some sensitive information was cropped.

More corrected facts about Atmos botnet sales, for law enforcement

I read somewhere a misleading statement about Atmos distribution which says: "..there is at least one group of cyber criminals who is using Atmos in its attacks". I hate pointing the finger at anyone here, yet as we checked ourselves in the "darkweb" world, the statement seems "outdated"; the valid/correct one is as below:

"Atmos botnets are rented on VPS by its few trusted distributor(s), and mostly the player-crooks are just buying access to that VPS, so it's not limited to one group: anyone who has enough money and "trust" can start using it".
This statement is backed up by what we have collected: more than ten blackhats are now deploying (or have started to deploy) the Atmos botnet as a result of the campaign shown in the screenshots above.

Epilogue

We hope the information shared here will help to battle the threat better.

To the people in the security industry (the folks concerned with threat publicity): I would ask you to please credit the kernelmode.info [link] forum if you ever base research on information written there. Many good whitehats exchange information there, for communication and responsible sharing, out of their passion and care for security and a secure internet. Mention them and don't rip off their credit. Thank you.

I may update or add information, as usual.

#MalwareMustDie!
