Attackers are thorough when it comes to infecting systems, because they want to extract as much as possible from every victim. That is why the downloader Trojan Trojan.Badlib is an instructive piece of malware: rather than doing the damage itself, it acts as a malware distribution network for other Trojans.
When Badlib gets onto a system, its first task is to confirm that it has an Internet connection. It then tries to reach a command-and-control (C&C) server to receive instructions, first on a number of hard-coded domains and, if none of those answers, on a default list of IP addresses.
Once contact is made, the C&C server tells the Trojan where to download additional malware. The response includes the number of files to fetch and a digital signature for them, so the downloader can check that it received the intended payloads (a check that protects the operators' distribution chain, not the victim).
At the time of writing, Badlib was distributing three distinct Trojans: Trojan.Badfaker, Trojan.Badminer and Infostealer.Badface, Symantec researchers said.
Trojan.Badfaker's goal is to disable the anti-virus (AV) product on the infected computer and to hide that fact from the user. Once it identifies the running AV software, it configures Windows to start in Safe Mode on the next reboot, where most third-party AV services are not loaded and cannot defend their own files.
It then deletes every file and folder belonging to that AV it can find, but not before extracting the icon from the product's main executable, which it keeps displaying in the system tray to preserve the illusion that the legitimate AV is still running.
Next, it disables the Windows Firewall and the warnings from Windows Security Center, and from then on occasionally displays fake infection warnings, in English or Russian, that mimic the (now removed) legitimate AV.
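A defender-side check for the Safe Mode trick described above, added here as an example (it is not Symantec's code and has nothing to do with the Trojan itself): parse the output of `bcdedit /enum {current}` and report whether a persistent `safeboot` element is set on the current boot entry. The `bcdedit` command and the `safeboot` element name are real; the sample output below is constructed to resemble bcdedit's English two-column layout, and the parser assumes that layout.

```python
"""Flag a persistent Safe Mode boot setting, one indicator Trojan.Badfaker
leaves behind before it removes the installed AV on the next reboot.

Added example, not code from the original report. Parses the output of
`bcdedit /enum {current}`; the sample text below is constructed and the
parser assumes bcdedit's English two-column layout.
"""
import os
import subprocess

# Constructed sample, shaped like `bcdedit /enum {current}` on a machine where
# someone ran `bcdedit /set {current} safeboot minimal`.
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\WINDOWS\\system32\\winload.exe
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
safeboot                Minimal
nx                      OptIn
"""


def parse_bcdedit(text: str) -> dict:
    """Turn bcdedit's 'name   value' lines into a dict keyed by element name.

    Element names are lowercase; section titles ("Windows Boot Loader") and
    the dashed underline are not, so anything not starting with a lowercase
    letter is skipped.
    """
    elements = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or not line[0].islower():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # element with no value; nothing to record
        name, value = parts
        elements[name] = value.strip()
    return elements


def safe_boot_setting(text: str):
    """Return the safeboot value (e.g. 'Minimal') if configured, else None.

    A normal boot entry has no safeboot element at all; its presence means
    the next restart lands in Safe Mode, where most third-party AV services
    do not start.
    """
    return parse_bcdedit(text).get("safeboot")


def live_boot_entry() -> str:
    """Read the current boot entry (Windows only, needs an elevated prompt)."""
    if os.name != "nt":
        raise RuntimeError("bcdedit is only available on Windows")
    out = subprocess.run(["bcdedit", "/enum", "{current}"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # On Windows inspect the real boot entry; elsewhere demonstrate on the sample.
    text = live_boot_entry() if os.name == "nt" else SAMPLE_BCDEDIT_OUTPUT
    mode = safe_boot_setting(text)
    if mode:
        print(f"safeboot is set to {mode}: next restart will be Safe Mode")
    else:
        print("no safeboot element present on the current boot entry")
```

A hit is not proof of compromise on its own, since administrators set `safeboot` deliberately for troubleshooting, but on a fleet of end-user machines it is rare enough to be worth an alert, and it should be paired with a check that the AV's own files and services are still present.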
Trojan.Badminer uses the infected computer's GPU to mine bitcoins for the operators.
Finally, Infostealer.Badface harvests login credentials for a number of popular social networks. It does this by running a local Web server and redirecting traffic meant for those sites to it, so the victim is served a look-alike login page from their own machine.
Once the credentials are recorded, the user is forwarded to the legitimate login page and is unlikely to notice anything wrong. The collected credentials are then sold on underground markets to other criminals, who hijack the social networking accounts for a wide variety of revenue-generating schemes.
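The redirection described above only works if the victim's browser reaches the Trojan's local server instead of the real site, which means the site's name must resolve to the local machine (or a local proxy must sit in the path). Below is an added example, not part of the original report, of the simplest check for that condition: resolve the social-network hostnames with the system resolver and flag any answer that is a loopback, link-local or private address. The domain list is illustrative and my own choice; the report does not name the targeted networks. `resolve_all` does live DNS; the rest runs offline on a constructed sample.

```python
"""Spot site names that resolve to the local machine instead of the Internet,
the precondition for the local-web-server credential trap described above.

Added example. The domain list is illustrative (the report does not list the
targeted networks); `resolve_all` does live lookups, everything else is pure.
"""
import ipaddress
import socket

# Illustrative targets chosen for this example; adjust to the sites you care about.
WATCHED_HOSTS = ["www.facebook.com", "twitter.com", "vk.com", "odnoklassniki.ru"]


def is_local_address(addr: str) -> bool:
    """True for loopback, link-local, private (RFC 1918/ULA) or unspecified addresses.

    A public site should never resolve to any of these on a client; if it
    does, something on the host (hosts file, local DNS, proxy) is redirecting it.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_unspecified


def find_locally_redirected(resolved: dict) -> dict:
    """Given {hostname: [addresses]}, return only hosts with at least one local answer.

    A single local answer is enough to flag: a browser may try it first.
    """
    hits = {}
    for host, addrs in resolved.items():
        local = [a for a in addrs if is_local_address(a)]
        if local:
            hits[host] = local
    return hits


def resolve_all(hosts) -> dict:
    """Resolve each host through the system resolver, which honours the hosts file."""
    resolved = {}
    for host in hosts:
        try:
            infos = socket.getaddrinfo(host, None)
            resolved[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            resolved[host] = []  # unresolvable is not a redirect, just unreachable
    return resolved


# Constructed sample, not real lookup results: two names pointing at the
# machine itself, one with a LAN address mixed in, one normal public answer.
SAMPLE_RESOLVED = {
    "www.facebook.com": ["127.0.0.1"],
    "twitter.com": ["::1"],
    "vk.com": ["192.168.1.20", "87.240.132.72"],
    "odnoklassniki.ru": ["93.184.216.34"],
}

if __name__ == "__main__":
    hits = find_locally_redirected(resolve_all(WATCHED_HOSTS))
    for host, addrs in hits.items():
        print(f"{host} resolves to local address(es): {', '.join(addrs)}")
    if not hits:
        print("no watched host resolves to a local address")
```

Run it from the victim machine, not from a clean analysis box: the whole point is that the redirection is local, so the lookup must go through the compromised host's own resolver and hosts file. Corporate split-horizon DNS that deliberately maps internal names to private addresses will also trigger, so restrict the list to external sites.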
“Given the domains used, the bilingual nature of the Trojan, the targets of its information theft activity and the locations of the computers specified in command-and-control traffic, it would appear to suggest that this malware is of Russian or Eastern European origin,” the researchers said.