The author of a newly discovered malware downloader allows interested parties to set up a botshop and build a malware distribution network, Netscout Arbor reveals.
Dubbed Kardon Loader, the downloader started being advertised on underground forums as a paid beta product on April 21, 2018. The actor behind it, using the online handle Yattaze, asks $50 for the malicious program and offers it as a standalone build, with charges for each additional rebuild. The actor also allows customers to set up a botshop and sell access to their own operation.
Downloader malware and botshops are typically used by malware authors and distributors to build networks and create botnets that are then leveraged for the distribution of information stealers, ransomware, banking Trojans, and other threats. These networks are often offered as a service on underground markets.
The newly observed Kardon Loader appears to be a rebrand of the ZeroCool botnet, which was developed by the same actor (who had an account on the forum since April 2017 and received multiple vouches for this product).
The actor, Netscout Arbor reveals, is using a professional-looking advertisement for the loader, with its own logo, and provides a disclaimer claiming that the software should not be used maliciously. The developer also published a YouTube video detailing the downloader's admin panel functionality.
Kardon Loader, the actor claims, has bot functionality, can run download/execute/update/uninstall tasks, has debug and analysis protection, supports Tor and a domain generation algorithm (DGA), includes user-mode rootkit functionality, and offers RC4 encryption (listed as not yet implemented).
“ASERT found many of these features absent in the samples reviewed. All samples analyzed used hard-coded command and control (C&C) URLs instead of DGA. There was also no evidence of TOR or user mode rootkit functionality in the binaries,” the security firm reveals.
For anti-analysis, the downloader attempts to get the module handle for a variety of DLLs associated with antivirus, analysis, and virtualization tools, and exits its own process if any of the targeted handles are returned (meaning that one of those DLLs is loaded in the process).
Kardon Loader also queries the CPUID vendor ID string and compares it against values associated with virtual machines (such as Microsoft Hv, VMware, and VBox, the vendor signatures hypervisors expose through CPUID). Should any of them match, the malware likewise exits.
The threat uses an HTTP-based C&C infrastructure with base64-encoded URL parameters. When executed, the malware sends HTTP POSTs to the C&C server carrying information such as an identification number, operating system, user privilege, initial payload, computer name, user name, and processor architecture.
Depending on the server response, the malware can download and execute additional payloads, visit a website, upgrade current payloads, or uninstall itself.
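The check-in and tasking exchange described above, as an added example that is not code from the report or from Kardon Loader itself: the bot side builds the POST body with every value base64-encoded, the analyst side decodes a captured body back into a host profile (and tolerates values that are not base64), and a small dispatcher maps a server response to one of the four task types the report lists. The parameter names (`id`, `os`, `priv`, `payload`, `host`, `user`, `arch`), the JSON response shape and the numeric task codes are assumptions for this example; the report does not give the names or codes the real sample uses.

```python
import base64
import binascii
import json
from urllib.parse import parse_qs, urlencode

# Field set for the check-in. Constructed for this example: the report lists the
# information sent (ID, OS, privilege, initial payload, computer name, user name,
# architecture) but not the parameter names the sample actually uses.
PROFILE_FIELDS = ("id", "os", "priv", "payload", "host", "user", "arch")

# Task types from the report. The numeric codes and the JSON response shape
# ({"task": <code>, "arg": <value>}) are assumptions for this example.
TASK_CODES = {1: "download_execute", 2: "visit_url", 3: "update", 4: "uninstall"}


def _b64_text(raw):
    """Return the decoded text of a base64 string, or None if it is not valid
    base64 or does not decode to UTF-8 text."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def encode_checkin(profile):
    """Bot side: build the URL-encoded POST body, base64-encoding each value."""
    encoded = {
        key: base64.b64encode(str(profile[key]).encode("utf-8")).decode("ascii")
        for key in PROFILE_FIELDS
    }
    return urlencode(encoded)


def decode_checkin(body):
    """Analyst side: decode base64 URL parameters from a captured POST body.

    Values that are not base64 text are kept as-is, so an unrelated or
    malformed request does not break the decoder."""
    decoded = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        text = _b64_text(values[0])
        decoded[key] = values[0] if text is None else text
    return decoded


def looks_like_checkin(body):
    """Log-review heuristic: every expected field is present and base64-decodable."""
    params = parse_qs(body, keep_blank_values=True)
    return all(
        key in params and _b64_text(params[key][0]) is not None
        for key in PROFILE_FIELDS
    )


def dispatch(response_text):
    """Parse a server response into (task_name, argument).

    Unknown task codes, non-object responses and non-JSON bodies yield None
    so that a bad or tampered response is ignored rather than acted on."""
    try:
        msg = json.loads(response_text)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict):
        return None
    task = TASK_CODES.get(msg.get("task"))
    if task is None:
        return None
    return task, msg.get("arg")


def triage(bodies):
    """Return decoded profiles for every captured body that matches the check-in shape."""
    return [decode_checkin(body) for body in bodies if looks_like_checkin(body)]


if __name__ == "__main__":
    # Constructed host profile and request bodies; no real infection data.
    sample = {"id": "1001", "os": "Windows 10", "priv": "user", "payload": "initial.exe",
              "host": "DESKTOP-AB12", "user": "alice", "arch": "x64"}
    bodies = [encode_checkin(sample), "q=hello&page=2"]
    for profile in triage(bodies):
        print("check-in from", profile["host"], "as", profile["user"])
    print(dispatch('{"task": 2, "arg": "http://example.test/"}'))
```

The decoder keeps unparseable values rather than discarding the request, which matters when reviewing proxy logs: a request that is only partly base64 is still worth a look, while `looks_like_checkin` stays strict so it can be used as a filter.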
The administration panel has a simple design, with a dashboard where bot distribution and install statistics are displayed. A “bot store” feature allows the bot admin to generate access keys for customers, providing them with the ability to execute tasks based on the predefined parameters.
“Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking Trojans/credential theft etc. […] Although only in public beta stage this malware features bot store functionality allowing purchasers to open up their own botshop with this platform,” Netscout Arbor concludes.