Tuesday, June 7, 2016

MMD-0054-2016 - ATMOS botnet facts you should know

The background

This post is about recent intelligence and sharing information of the currently emerged credential stealer and spying botnet named "Atmos", for the purpose of threat recognizing, incident response and may help reverse engineering. This report is the third coverage of online crime toolkit analysis series that we disclose in MalwareMustDie blog, on previous posts we disclosed about PowerZeus/KINS [link] and ZeusVM/KINS2 [link]

About Atmos botnet, for the the historical reference, first publicity and thorough technical analysis of the threat was posted by Xylit0l [link] in Xylibox blog [link]. His post contains good technical details with screenshots of the botnet functions. I strongly recommend you to take a look at his post first before reading this, or before you "google" other posts about Atmos botnet, to have you a good correct basic background & know-how on this threat beforehand, specially to the sysadmins and incident response team.

To add a few words, as a known threat expert in this field, Xylit0l is having strong dedication to follow the growth of the cyber criminal used stealer tools from Zeus, SpyEye, Carberp to Citadel with its variants, then KINS and ZeusVM to now.."Atmos". He knows exactly which version and what is needed to decode each encrypted configuration per version. You can follow his research on those mentioned threats in Xylibox blog post.

Personally I feel his man deserves acknowledgement and respect of what he contributes, openly and freely, to help all folks in security community securing our cyber space from real crime acts. He doesn't know I am writing this, since if he knows he will yell to me not to.

Okay, so why I posted this for?

Our team bumped into this threat in the field, as along with investigation taken we found it's emerged too rapidly by now on some aggressive campaigns. Some recent facts of Atmos botnet was found in real incidents may need to bring up to the surface some additional facts to support IR handle on the issues. The importance raised since this threat is successfully bypassing some client security perimeters, literally. You will see snips of PoC campaign and infection details we handled in the following sections.

What is this? And where Atmos name came from?

If I may to make a short definition: Atmos is an evolution of credential stealer toolkit, build with the complete facility meant for a crimeboss herder to operate. Period.

By function or origin

Atmos is having a web panel with a strong nuance of Citadel colors, a server to handle the remote requests for its infection functionality, and a binary builder facility.

Atmos can be used as hacktool, or as RAT, but it is built based from form credential grabber leaked codes, as added with screenshot/video capture surveillance center, or, Atmos can be used as deployment center for further distribution of malware payloads too.

PoC of Atmos herder executed in infected clients to download other malware:

Proof that the remote command was executed in a "report":

In the above two screenshots a Pony malware was being pushed to Atmos bot client.

Originated from multiple leak codes (dragged from Zeus/Carberp/Citadel/KINS etc), the author managed to combine and wrap all of the bad functions from previous "brands" into a new package and new name, with a bit additional handy crime tools as "add-values" such as: crypter interface, scan4you interface, jabber interface, and even an interface for balance management in some group management, and so on (again, read Xylibox post for the details of these functions).

As per Zeus or Citadel banking credential stealer botnet, Atmos is sold basically on license basis scheme to its trusted distributors, yet apparently the distributors also fetch re-sellers on their campaign. We will go to the scheme of selling this threat in the end of the post.

The name of Atmos, how to ID the threat

The name of "Atmos" came from the author of this package. It is visually recognizable if you meet this threat based on identification as per shown in each screenshots below:

In the the server console:

In the builder:

In the WebUI interface:

Or, in the infection intercept module original names:

This name wasn't known in the AntiVirus ("AV" in short) industry when it was around 1 or 2 months after initially spotted..by Xylit0l. Many AV marked the detected Atmos client malware as Trojan.Agent.something or even as Citadel or Zeus variants, etc. I recalled it well that Xylit0l was making some contact effort to advise the correct names to the AV vendors during late 2015, that was the first time appears. He also did the same on pushing the correct names to the industry during firstly spotted KINS in the wild.

How Atmos bot client malware binary looks like in PEStudio (winitor.com)


The campaign & new version release plan in June 2016

Atmos distributors are recently on steroid pushing their campaign in several monitored blackhat forums since the early 2016. Some of the latest detail is about the new version that is released in this month, June 2016. Surprisingly, there is no "fix price" on these offers by the distributors/sellers, as per seen in the various prices offered. Okay, to cut the crap, I am sharing some taken screenshots of the campaign below:

This is complete list of feature of Atmos in a page:

Other campaigns mushroomed too, recent ones:

The "spoiler" of new features for Atmos-new-release version in June 2016

Several facts of Atmos that we all need to know

This is the boring part unless you love to crack encryption of credential grabber series. Some facts posted here might help you in figuring its crypted data.

Russian language comments:

"Online" encryption functions:

Where the goodies are:

The "config" download traffic is something like this:

About this configuration data, this is spotted in the campaign aiming USA, we reported all data accordingly, we found that majority Desktop and Servers accounts of US network nodes was hacked by actors in Turkey, and the name of this config is one evidence of the targeted effort.

Atmos interception modules

In an infection process, Atmos CNC serves the module to intercept spying traffics from the victims to then being installed in the compromised Windows system. Like these three modules:

PoC of the traffic during downloading, noted the module and file type used:

And no AV can detect these modules yet, even-though some AV made research publicity about Atmos botnet, the hashes are:

74e7744a8660940da4707c89810429780d23f9ea6650be3d270264743835f39a video module
40160debd0a3b6a835e003ecf49c712c1ecd356d1037bcd46c8930ca206f6867 RAT/VNC module
58b44c86e77461c4df3fc44c98890e30675d6ece3df07a69c30590bd7953e7d9 Firefox cookie module
Zero detection PoC:

Noted1: VT result is not showing actual detection of Windows Antivirus, okay.
Noted2: The below botnet CNC screenshot shows infected clients are infected with these modules even their PCs are installed with the below AntiViruses:

To be more precised, the evidence of the almost 80 installment sessions of the Atmost malware client that successfully bypassed above listed AntiVirus in grapgical mode is shown well too in the CNC:

And additionally one known third party (non-OS base) firewall was bypassed too:

In other case too:

And in a fresh NEW panel found a live "competition" on bypassing antivirus by Atmos bot client..

Explanation on low detection for the Atmos modules:

The modules are in the Atmos encrypted form (please read Xylit0l's blog for encryption detail). The coder made it this way to make it difficult to be detected by AV's signature. Decryption will be done in the Atmos client's workspace, so theoretically it is up to the Windows OS security setting (depends on Windows OS version I guess) for allowing these modules to be installed or not. In these mentioned cases, the modules were successfully installed on Windows7.

If you take a look to the Atmos post initially published in Xylibox blog by Xylit0l, it was mentioned a good tool released by friends in JP-CERT/CC, that can be used to decode these modules before they reached the Atmos client decryption space, that may raise some chance to be detected, or blocked.

PoC of Atmos botnet as a cybercrime tool with RAT function

Following the last line of the previous section, this PoC is showing so many windows PC and servers with the recorded video session from the CNC server. The detail of information in this PoC video is in law enforcement accordingly.

The movie is showing to you how evolution of crime tool is becoming more sophisticated today, not to only infect the victims, but spying them too by logging victims activity in a video recording sessions. Again, almost all of victims are installed with AntiVirus products, yet bypassed well by Atmos botnet to make this capture module installation.

Note: Some sensitive information was cropped.

After released the above video, some says the correlation between the video and the screenshots of the AV bypassed looks unclear, true, I took them from different browsers since I had no plan to expose that far before. But well, in order to assure you there is nothing fake stuff on facts of Atmos bot client & video intercept module is fully undetected by AntiViruses, I just recorded the PoC #2 that will show you EXACTLY one panel with the bot client infecting victims, connected to panels, saving captured movie of victim's PC and you can see yourself with WHICH antiviruses the victims are installed with. See below & get some popcorn, friends :)

More accurate facts of Atmos botnet sales for law enforcer

I read somewhere a bit incorrect statement about Atmos distribution which says: "..there is at least one group of cyber criminals who is using Atmos in its attacks" ..yet after we checked ourself in "darkweb", the statement seems to be "outdated", the valid/correct one is as below:

"Atmos botnets are rented on VPS by its few trusted distributor(s) and mostly player-crooks are just buying access to that VPS, so it's not limited to one group but to anyone who have enough money and "trust" can start using it" - I made confirmation about this too to Xylit0l.
The statement is backed up by at least we collect more than ten blackhats are now on deploying (or started to deploy) Atmos botnet as the effect of the campaign shown in the above screenshots.
There is also recent incident shows that a hacked site was used to serve Atmos botnet panel.

Several countries targeted by Atmos

There is no "specific country" to be targeted by Atmos. It practically all depends on the actors objectivity. Since most of actors are crooks or thiefs, they are mainly aiming our pocket for online money/card info we do in our PC in anywhere. Atmos provides many scheme for getting those, and to push more scheme of infection to the infected botnet further too, therefore for crime crooks who are familiar in using previous era of crime toolkits like Zeus, Citadel or KINS before, can use Atmos in a snap. In the field,we saw varied scheme of infection, few are spam campaigns and some are web driven infecion methods. On several Atmos CNC panels, which their information are "safe" to be shared (several panels were taken down though), they are showing country basis victims in graphical modes as per data below:

Speaking of countries, there are many character encoding used for handling the PC data saved to be grabbed by Atmos bad actors. This botnet is handling the encoding character very well, i.e. double bytes encoding Chinese(Simplify/not) or Japanese, were perfectly grabbed and stored in its user's interface:

So this botnet toolkit is designed to compromise anyone, anywhere, to perform any desirable method in online data stealing. A pure evil toolkit.
There is a minority usage for a specific target/purpose too, but this info is classified :)

How incident response team recognizing the country victims?

In the Atmos panel, just like Citadel, there is no sorting function for gathering data of bot ID per listed countries, they have only the summary, so the crooks should click ID per bot one by one too I guess for checking details. But it is important to warn victims who got infected by this botnet, and we are doing that too. So, in order to get list of evidence on Atmos infection during "securing" their panel, don't waste your time, and go to the botlist and grab the textual data listed in that panel. Just grab it all page per page and safe into a select-able text file. To then you can aim any desired country victims as per real cases we handled below. This way you won't spend too much time in that evil environment.

You can later on divide each IP's network by ISP for them to contact their users for the alert to their customers, or pass the list to your coordinated CERT/CSIRT.

One more thing that IR team should be aware is, the GeoIP indicator used by Atmos just sucks. Atmos used own outdated database to locate infected IP to be showned in the botlist like this one (see the marked one):

It is said the location is in Japan, but actually is in India. So you must re-check the list of IP first before you make any action.

Atmos setup tutorial & full package overview

This video is the latest version, it was said, which is planned to be pushed in the market this month (June 2016), yet apparently it is the version 1.01 (for sure: it is the current ITW version actually), and an idiotic distributor was sharing its video tutorial :)

So, would it be the best of interest for security community to see how the setup process of this botnet goes, as per crooks do it? I share this for everyone involved (and specially law enforcement too) to take a notification on many facts can be taken from recent Atmos botnet. See how it is installed, builder's usage, and panel configuration, etc. This video should be "genuine" artifact made by crime actor himself, it would be better in presenting than either me or Xylit0l made it. PLEASE use the information exposed for taking down this actor and the further Atmos botnet. DO NOT use this information for the bad purpose! (the most important part of this setup video was cropped for security purpose)

In the below video is snagged from another cyber crook who was trying to promote Atmos (also version 1.01) in late May 2016, he demonstrated the full Atmos package list in his PC that I think will give all of us better idea about how this threat distribute. These two videos are coming from two distributors of Atmos botnet:

Atmos "Tango Down"

The main reason of whitehat hackers, IR professionals and malware researchers gather together in MalwareMustDie is to takedown the malware services. This goes the same to the Atmos botnet, with the solid coordination of good folks and friends in incident response chains, WE ALL took chain of efforts in taking them down. Below are some examples:

Many thanks to friends who involved to this action. Special thank you to Xylit0l.


We hope the information shared here will help to battle the threat better.

A small announcement from me:

I may update or add or delete information, as usual. You know where to reach us.
Bravo Xylit0l for the good work & thanks for the previous share to all of us!

Don't be that serious :-)

Firstly it was a joke from me to tease this Atmosseller..

Well, he took it very seriously..so I played it along :)
Obviously there's no such new version bragged by some sellers, but there are some cracked versions with the builders that some of them are not working. Well, don't ever trust of what these crooks say.

#MalwareMustDie! Analyzed by @unixfreaxjp, all reference: @Xylit0l
This report along with overall blog posts are bound to our legal disclaimer-->[link]