News on MultiBanker: the new version features Jabber p2p functionality

In March we blogged about the MultiBanker gang and their operation. It turns out that earlier this year they were updating their software, which is why we saw no active command & control server on the old infrastructure for some time.

New MultiBanker (2013) version

This is a very quick comparison between the old and the new MultiBanker versions:

                            MultiBanker 1           MultiBanker 2
Highest known version       835                     43
Directory                   %AppData%               C:\Windows\System32
Main File                   appconf32.exe           jabcon32.exe
Main Mutex                  UpdateAppConf32         UpdateJbr32
Main activity inside        Browser process         explorer.exe

For the new version they have reset the version numbering, and the samples carry the internal version tags “a” and “f”. The domain generation algorithm remains the same (the first 4 chars of the domain change on every iteration).

One new feature is what appears to be Jabber p2p network functionality.

Spot MultiBanker domains

Finding MultiBanker domains is easy. They always register their domains under one of these 3 whois identities:

   Andreas Rueping andreasrueping@yahoo.com
   +49.1708073753 fax: +49.1708073753
   Uhlenflucht 1A
   Barth Mecklenburg-Vorpommern 18356
   de

   Julien Michel Dumke julienmicheldumke@yahoo.com
   +49.1772525187 fax: +49.1772525187
   Koppelweg 28A
   Gifhorn Niedersachsen 38518
   de

   Stefan Kuehlein stefankuehlein@yahoo.com
   +49.17675588328 fax: +49.17675588328
   Willy Brandt Strasse 82
   Bergisch Gladbach Nordrhein-Westfalen 51469
   de

In the past weeks all of their domains pointed to the IP 41.77.136.140 as their main server. Some example domains:

displeasuredehydratorysagp.com
antisemitismgavenuteq.com
cantorcajanunal.com
andersensinaix.com
formidablyhoosieraw.com
gbpsenhancedysb.com
genialitydevonianizuwb.com
gerhardenslavetusul.com
kennanerraticallyqozaw.com
rozellaabettingk.com
doniellefrictionlessv.com
anshanarianaqh.com
buckbyplaywobb.com
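To turn the two indicators above (the three registrant identities and the shared server IP) into a repeatable check, here is an added example in Python. It is not code from the original post or from the MultiBanker malware; it assumes whois records in the common "Key: value" text form and a caller that supplies the IPs a domain resolved to. The whois records embedded below are constructed for the example (only the registrant details are taken from the post), and phone numbers are compared on digits only so that formatting differences between registrars do not hide a match.

```python
import re

# Registrant identities quoted in the post. Phone numbers are kept as digits only.
KNOWN_REGISTRANT_EMAILS = {
    "andreasrueping@yahoo.com",
    "julienmicheldumke@yahoo.com",
    "stefankuehlein@yahoo.com",
}
KNOWN_REGISTRANT_PHONES = {"491708073753", "491772525187", "4917675588328"}
# Server IP named in the post
KNOWN_C2_IPS = {"41.77.136.140"}

# Constructed whois record for one of the listed domains; layout is assumed, registrant data is from the post
WHOIS_SUSPECT = """Domain Name: CANTORCAJANUNAL.COM
Registrar: Example Registrar (constructed record)
Updated Date: 2013-05-10T09:12:00Z
Registrant Name: Stefan Kuehlein
Registrant Street: Willy Brandt Strasse 82
Registrant City: Bergisch Gladbach
Registrant State/Province: Nordrhein-Westfalen
Registrant Postal Code: 51469
Registrant Country: DE
Registrant Phone: +49 176 75588328
Registrant Fax: +49.17675588328
Registrant Email: StefanKuehlein@yahoo.com
"""

# Constructed benign record used as a negative control
WHOIS_BENIGN = """Domain Name: EXAMPLE.COM
Registrant Name: Constructed Example Holder
Registrant Phone: +1.5550100
Registrant Email: hostmaster@example.com
"""

# "Key: value" lines; keys may contain spaces, slashes and dashes (e.g. "Registrant State/Province")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Parse a 'Key: value' whois record into a dict keyed by lower-cased field name.
    A repeated key keeps its first value, which is normally the registrant block."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields


def normalize_phone(phone):
    """Reduce '+49.1708073753', '+49 170 8073753' etc. to their digits."""
    return re.sub(r"\D", "", phone)


def classify_domain(domain, whois_text, resolved_ips=()):
    """Return the list of reasons (empty if none) to treat a domain as MultiBanker infrastructure."""
    reasons = []
    fields = parse_whois(whois_text)
    email = fields.get("registrant email", "").lower()
    if email in KNOWN_REGISTRANT_EMAILS:
        reasons.append(f"registrant email {email}")
    phone = normalize_phone(fields.get("registrant phone", ""))
    if phone and phone in KNOWN_REGISTRANT_PHONES:
        reasons.append(f"registrant phone +{phone}")
    for ip in sorted(set(resolved_ips) & KNOWN_C2_IPS):
        reasons.append(f"{domain} resolves to known C2 {ip}")
    return reasons


if __name__ == "__main__":
    # Resolution results are constructed here; in practice they come from DNS logs or passive DNS
    for domain, record, ips in (
        ("cantorcajanunal.com", WHOIS_SUSPECT, ["41.77.136.140"]),
        ("example.com", WHOIS_BENIGN, ["198.51.100.7"]),
    ):
        hits = classify_domain(domain, record, ips)
        print(domain, "->", "; ".join(hits) if hits else "no indicator matched")
```

The registrant email and phone are the most useful fields because they are the ones the group reuses across domains, while the IP check catches a domain registered under a fresh identity that still points at the shared server.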

Each of these domains was active for only a few hours. The criminals are still testing their new software, so the infection count is low (only a handful of infections per test botnet). On our servers we see, for example, these infections:

[Figure: MultiBanker 2 infections]

Jabber P2P botnet functionality?

Interestingly, the bot software contains what appears to be Jabber (XMPP) p2p botnet functionality. When hooked into the Jabber chat, messages like the following appear:

(20:27:22) gd000826@bestjabber.com:
-----BEGIN PGP MESSAGE-----

JnwqBA63a7pyb0OLM7/inZGSHhxr5bzlWQ==
-----END PGP MESSAGE-----

We found the following login information via VirusTotal.

KEY: 0x000000b8\Pass01
TYPE: REG_SZ
VALUE: 515E5DC1 (successful)

KEY: 0x000000b8\jid01
TYPE: REG_SZ
VALUE: marriageabilitybobbye8429@zlug.asia/vki4yzcznzg3my0znzkwyzg4y18001 (successful)
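When triaging chat traffic and sandbox output like the excerpts above, two small checks help: does the PGP armor actually wrap an OpenPGP message, and which Jabber account and server does the bot log in to? The following Python is an added example, not code from the post or from the malware. It parses the "(HH:MM:SS) sender:" log style and the KEY/TYPE/VALUE records exactly as quoted (both embedded below as constructed samples), decodes the armored payload, and applies the RFC 4880 rule that the first octet of any OpenPGP packet has bit 7 set. On the quoted sample the first decoded byte is 0x26, which fails that rule, so, if the excerpt is complete, the armor is cosmetic rather than real PGP; the function names and the log format are assumptions of this example.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample: the chat excerpt quoted above, in "(HH:MM:SS) sender:" log style
CHAT_SAMPLE = """(20:27:22) gd000826@bestjabber.com:
-----BEGIN PGP MESSAGE-----

JnwqBA63a7pyb0OLM7/inZGSHhxr5bzlWQ==
-----END PGP MESSAGE-----
"""

# Constructed sample: the KEY/TYPE/VALUE records quoted above
CREDENTIAL_DUMP = """KEY: 0x000000b8\\Pass01
TYPE: REG_SZ
VALUE: 515E5DC1 (successful)

KEY: 0x000000b8\\jid01
TYPE: REG_SZ
VALUE: marriageabilitybobbye8429@zlug.asia/vki4yzcznzg3my0znzkwyzg4y18001 (successful)
"""

HEADER_RE = re.compile(r"^\((\d\d:\d\d:\d\d)\)\s+(\S+?):\s*$")
ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"


@dataclass
class ArmoredMessage:
    timestamp: str
    sender: str
    payload: bytes


def extract_armored_messages(log_text):
    """Walk a chat log and base64-decode every PGP-armored block, keeping sender and time."""
    messages, timestamp, sender = [], None, None
    lines = iter(log_text.splitlines())
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            timestamp, sender = m.groups()
            continue
        if line.strip() != ARMOR_BEGIN:
            continue
        body = []
        for inner in lines:  # consume the same iterator until the armor ends
            inner = inner.strip()
            if inner == ARMOR_END:
                break
            # skip armor headers ("Version: ..."), the blank separator and an optional "=XXXX" CRC line
            if not inner or ":" in inner or inner.startswith("="):
                continue
            body.append(inner)
        try:
            payload = base64.b64decode("".join(body), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue  # armor that does not even decode is noise, not a payload
        messages.append(ArmoredMessage(timestamp, sender, payload))
    return messages


def looks_like_openpgp_packet(data):
    """RFC 4880 section 4.2: the packet tag octet always has bit 7 set.
    Armor around data that fails this test is cosmetic, not OpenPGP."""
    return len(data) > 0 and (data[0] & 0x80) != 0


def parse_credential_dump(text):
    """Turn KEY/TYPE/VALUE records into {key: value}, dropping the trailing status word."""
    records, current = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        field, _, value = line.partition(": ")
        current[field] = value
        if field == "VALUE":
            records[current["KEY"]] = re.sub(r"\s*\(\w+\)\s*$", "", value)
            current = {}
    return records


def parse_jid(jid):
    """Split a full JID into (localpart, domain, resource); resource is '' if absent."""
    bare, _, resource = jid.partition("/")
    local, _, domain = bare.rpartition("@")
    return local, domain, resource


if __name__ == "__main__":
    for msg in extract_armored_messages(CHAT_SAMPLE):
        print(f"{msg.timestamp} {msg.sender}: {len(msg.payload)} bytes, first byte 0x{msg.payload[0]:02x}, "
              f"valid OpenPGP packet header: {looks_like_openpgp_packet(msg.payload)}")
    creds = parse_credential_dump(CREDENTIAL_DUMP)
    for key, value in creds.items():
        print(key, "=", value)
    print("JID parts:", parse_jid(creds["0x000000b8\\jid01"]))
```

The JID domain (here zlug.asia) is the part worth alerting on in XMPP logs, since it identifies the server the bots rendezvous at regardless of the per-bot account name.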

Logged in with the ‘marriageabilitybobbye8429@zlug.asia’ account, these are the other contacts:

[Figure: MultiBanker Jabber contacts]

Where is this going?

The MultiBanker people are actively updating their software. A comparison of the new versions shows that they are still changing it, e.g. by renaming registry keys.

We will continue to monitor their operation and keep the public updated on any movements that we observe.