Anubis BitSight Labs

Bolek – An evolving botnet targets Poland and Ukraine

Sofia Luis | October 6, 2016

Bolek is a recent malware from the Kbot/Carberp family. We first heard about this malware from the cert.pl blog post in May 2016, and since then, a few others have published additional information about it (links below).

 

This is a very interesting piece of malware because it is being subject to frequent updates and has malicious capabilities which include self-spreading through USB and network shares, TOR network access, screen captures and web injects, and uses asymmetric cryptography to secure network communications.

Anubisnetworks has recently sinkholed two botnets of this family, one that is targeting Ukraine and another one that is targeting Poland. The following images show the clearly targeted geographic dispersion of the infections. 

Bolek botnet targeting Ukraine:

4anubisblog1.png

Bolek botnet targeting Poland:

4anubisblog2.png

Looking at malware samples for each of the botnets, we found two different versions in use (1.0.2.0 and 1.0.3.1), both have more recent version numbers than the ones analysed by cert.pl back in May (1.0.1.0), showing that this malware is being actively updated. On a quick look, a relevant difference we noticed is that the config is no longer stored in clear text on the binary and is now obfuscated. 

Through the use of a Debugger it is still possible to obtain the configurations without having to look at the actual obfuscation mechanism. The following are the configs for each of these botnets:

4anubisblog3.png4anubisblog4.png

As these configs, show, the botnets come preconfigured with a large number of domains that can be used for C2, on the event that some of them get taken down.

For further reading on Bolek and its features, please see the following links:

We will keep monitoring this threat as it evolves, keep posted for new updates.

Samples analysed:
ed1a6200d871122600bd0f2f73c79d072c1a2c0eb9fd122ea2f40f45cf21b191
0f37e74d790cceafe09a53b33bb28ac262594d469dcd23e8bbe60bede71c67c3

 

 

Suggested Posts

Third-Party Insight into Triada & Related Families

A few weeks ago Google confirmed that there was malware pre-installed on a number of Android devices due to a supply-chain attack. The latest installment was discovered by security researchers from Dr.Web who have been investigating this...

READ MORE »

Data Insights on the BlueKeep Vulnerability

On May 14th, Microsoft issued a warning about the BlueKeep vulnerability (CVE-2019-0708) affecting Remote Desktop Services Protocol (RDP), a component common in most versions of Microsoft Windows that allows remote access to its graphical...

READ MORE »

Fraudulent Android Advertising SDK Installed In Over 15 Million Devices

Every day, BitSight monitors the global threat landscape in a constant effort to identify software that may be placing users and organizations at risk. The presence of malware — or simply potentially unwanted applications — in an...

READ MORE »

Subscribe to get security news and updates in your inbox.