BitSight

Bolek – An evolving botnet targets Poland and Ukraine

Sofia Luis | October 6, 2016

Bolek is a recent malware from the Kbot/Carberp family. We first heard about this malware from the cert.pl blog post in May 2016, and since then, a few others have published additional information about it (links below).

 

This is a very interesting piece of malware because it is being subject to frequent updates and has malicious capabilities which include self-spreading through USB and network shares, TOR network access, screen captures and web injects, and uses asymmetric cryptography to secure network communications.

Anubisnetworks has recently sinkholed two botnets of this family, one that is targeting Ukraine and another one that is targeting Poland. The following images show the clearly targeted geographic dispersion of the infections. 

Bolek botnet targeting Ukraine:

4anubisblog1.png

Bolek botnet targeting Poland:

4anubisblog2.png

Looking at malware samples for each of the botnets, we found two different versions in use (1.0.2.0 and 1.0.3.1), both have more recent version numbers than the ones analysed by cert.pl back in May (1.0.1.0), showing that this malware is being actively updated. On a quick look, a relevant difference we noticed is that the config is no longer stored in clear text on the binary and is now obfuscated. 

Through the use of a Debugger it is still possible to obtain the configurations without having to look at the actual obfuscation mechanism. The following are the configs for each of these botnets:

4anubisblog3.png4anubisblog4.png

As these configs, show, the botnets come preconfigured with a large number of domains that can be used for C2, on the event that some of them get taken down.

For further reading on Bolek and its features, please see the following links:

We will keep monitoring this threat as it evolves, keep posted for new updates.

Samples analysed:
ed1a6200d871122600bd0f2f73c79d072c1a2c0eb9fd122ea2f40f45cf21b191
0f37e74d790cceafe09a53b33bb28ac262594d469dcd23e8bbe60bede71c67c3

 

 

Suggested Posts

What Companies Using Cloud Services Need To Know About Their Risk Responsibilities

Cloud computing is not new to the cyber world; it’s here to stay. Web services are common in our everyday lives and workplaces, with things like Facebook, Salesforce, JIRA, Adobe, and GSuite all falling into the cloud-based category. But...

READ MORE »

Joint Effort with Microsoft to Disrupt Massive Criminal Botnet Necurs

Since 2017 BitSight has been working together with Microsoft’s Digital Crimes Unit (DCU) to understand the inner workings of the Necurs malware, its botnets and command and control infrastructure in order to take disruptive action against...

READ MORE »

Forecasting and Advanced Analytics: Building a Solid Security Strategy For 2020

2020 is not only the beginning of a new year, but the start of a new decade, and with it comes the dawn of a new era for the digital world. We’re now in the midst of the once far-off, “futuristic” time periods old books and movies used to...

READ MORE »

Subscribe to get security news and updates in your inbox.