Based on an older botnet dubbed Grabbot, a new iteration adds several new features.

Fortinet researchers have detected a new botnet that is able to siphon out user data and commandeer user machines.

Seemingly based on an older botnet dubbed Grabbot, first uncovered in November 2014, the new iteration builds on existing functions and adds several new features, according to a report from Fortinet.

The researchers found the bot hosted on several infected sites under a random filename. They suspect the malware injects its payload into explorer.exe and then deletes the original file, and that it likely arrived on these hosts via an exploit kit.

The files are saved on disk under a generated filename, and all communication between the bot and the C&C server is encrypted and carried over HTTP, the report stated. What is distinctive is that the latest version of Grabbot implements several new commands not previously seen.

The danger lies in the bot's ability to extract information, particularly from the sites of financial institutions. Once such a site has been accessed, the malware can launch a proxy or remote-access backdoor to steal information. A number of prominent sites, including PayPal and the Royal Bank, appear to have been targeted.

The bot also searches for crypto-currency wallets and, if detected, reads the files, encrypts them and stores them in a temporary file for later retrieval.

"Grabbot now has the potential to be very dangerous," the Fortinet researchers wrote. 

When queried on how the attackers continue to alter their code, He Xu, a security researcher at Fortinet and co-author of the report (along with David Wang, also a security researcher at Fortinet), told SC Media on Tuesday that there is not much detailed information available and it is not easy to collect similar samples for this family. "Similarity is as low as 55 percent," Xu said, and "that indicates huge changes over years."

He offered up two samples as examples:

  1. The old sample just uses plaintext for its targeted processes (explorer.exe, wireshark.exe, etc.), but the new variant has turned to using hashes.
  2. The old sample doesn't check for anti-virus programs, but the new variant does.
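The first of Xu's two points, moving from plaintext process names to hashes, is a common way for malware to keep its target list out of a simple string dump. The example below is added here to show the analyst's side of that change; it is not code from Fortinet or from the Grabbot sample. The article does not say which hashing scheme the new variant uses, so the CRC32-over-lowercase-name routine, the process wordlist and the two byte blobs standing in for an "old" and a "new" sample are all constructed assumptions. The point it demonstrates is that a substring scan finds the old-style targets directly, while the hashed targets are recovered only by precomputing hashes over a wordlist of likely process names and matching the constants seen in the sample against that table.

```python
import struct
import zlib

# Constructed wordlist of process names an analyst would try when resolving a
# sample's hashed process checks; the names are illustrative, not from the article.
CANDIDATE_PROCESSES = [
    "explorer.exe", "wireshark.exe", "procmon.exe", "procexp.exe", "ollydbg.exe",
    "x64dbg.exe", "taskmgr.exe", "chrome.exe", "firefox.exe", "svchost.exe",
]


def hash_name(name: str) -> int:
    """Hypothetical hashing scheme: CRC32 over the lower-cased name.
    The algorithm used by the real Grabbot variant is not given in the article."""
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF


def find_plaintext_targets(blob: bytes, candidates) -> list:
    """Old-style check: target names are stored as plain strings, so a simple
    substring scan (what a `strings` dump would show) reveals them."""
    return sorted(n for n in candidates if n.encode("ascii") in blob)


def extract_u32_values(blob: bytes) -> list:
    """Pull every aligned little-endian 32-bit value out of a blob. Against a
    real sample an analyst would take the constants fed to the compare routine
    instead of scanning blindly; this is the constructed stand-in for that step."""
    count = len(blob) // 4
    return list(struct.unpack("<%dI" % count, blob[:count * 4]))


def build_lookup(candidates) -> dict:
    """Precompute hash -> name for the wordlist so constants can be resolved."""
    return {hash_name(n): n for n in candidates}


def resolve_hashes(values, lookup: dict) -> dict:
    """Map each 32-bit value to a process name when it matches the wordlist,
    or None when it does not (an unknown target, or not a name hash at all)."""
    return {v: lookup.get(v) for v in values}


# Constructed stand-ins for the two styles the researcher contrasts: plaintext
# names embedded in the binary versus packed 32-bit hashes of those names.
OLD_STYLE_BLOB = b"\x00\x01explorer.exe\x00wireshark.exe\x00\xff"
NEW_STYLE_BLOB = struct.pack(
    "<III", hash_name("explorer.exe"), hash_name("wireshark.exe"), 0x12345678
)

if __name__ == "__main__":
    print("plaintext targets in old-style blob:",
          find_plaintext_targets(OLD_STYLE_BLOB, CANDIDATE_PROCESSES))
    print("plaintext targets in hashed blob:",
          find_plaintext_targets(NEW_STYLE_BLOB, CANDIDATE_PROCESSES))
    lookup = build_lookup(CANDIDATE_PROCESSES)
    for value, name in resolve_hashes(extract_u32_values(NEW_STYLE_BLOB), lookup).items():
        print("0x%08x -> %s" % (value, name or "unresolved"))
```

The unresolved third constant shows the limitation of the approach: a hash only resolves if the corresponding name is in the wordlist, which is why analysts keep long lists of analysis-tool, browser and security-product process names for exactly this purpose.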

The Fortinet researchers captured this variant from a website, Xu explained. "Other botnet or malware families could use this website as a standalone download server to spread any malicious component, including the Grabbot family."

What is making attribution difficult is that there was no personalized information from the adversary inside this Grabbot variant, nor at the hacked website.

However, Xu told SC that the compromised host where his team initially discovered the sample most likely contains a known vulnerability which allowed various automated bots to drop malicious shells, scripts and malware.

"At the time of writing, the host website has been labeled as a 'deceptive site' and users are prompted before accessing the website," Xu said. "Currently, the location where we identified the sample contains several PHP webshells, several mailers and phishing pages."

The malware, Xu added, began being downloaded by users around the world on February 23, with many of the requests coming from Italy and Germany. Several days later, however, the sample disappeared from the host, but queries to the file path continue to this day.