Have you heard of Win32/Bradop? We recently investigated this interesting data theft family in more detail and exposed some of its inner secrets. The following is a description of what we found out. Spoiler alert: spam emails, protectors, the download mechanism, database credentials, stolen data, and the source code all figure in prominently.

Win32/Bradop arrives in a computer after the recipient of a spam email falls victim to social engineering. A recent spam message looks like this:

Figure 1: Sample Bradop spam email

In the example above, the infection occurs when the recipient clicks on the picture at the top. The picture, which mimics an attachment, is a hyperlink to the Bradop downloader component, detected as TrojanDownloader:Win32/Bradop.A (SHA1: 6dcc3fde29018dbe7d5cd7072cd385fbca58235e). This is the component of the Win32/Bradop family in charge of downloading and installing the TrojanSpy component, which is the one that does all the dirty work.

What we found of interest is that the links to both the fake attachment picture and the TrojanSpy use the Bitly URL shortening service. Using Bitly’s telemetry we found that the fake attachment banner had been accessed 48,805 times and the payload 30,117 times between May 15 and May 23, 2012. This means that the spam was viewed 48,805 times and in 61% of the cases the payload was downloaded, mainly in Brazil. The data provided by Bitly is shown below:

Figure 2: Bitly figures for one Bradop spam email campaign (click to enlarge)

In an earlier Win32/Bradop spam campaign, which started March 21st, we discovered that the picture views were in excess of 197,000, with a recorded number of payload downloads in excess of 80,000. That’s a staggering 40% social engineering success rate. For more examples of Win32/Bradop spam emails, go to TrojanDownloader:Win32/Bradop.A.

Most of the time, TrojanDownloader:Win32/Bradop.A arrives inside a base64-based dropper (the protector) that encodes its payload with a custom dictionary instead of the standard base64 alphabet. This is just another protection layer; it also tries to disable User Account Control (UAC) on the infected computer, if UAC is supported by the OS. If the protector is not used, then the downloader will disable UAC itself.
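A custom-dictionary base64 layer like the one described above is undone by mapping the dropper's alphabet back onto the standard one and then using an ordinary decoder. The following is an added example of that analyst step, not code from the post or from the malware: the 64-symbol alphabet below is constructed for the demonstration (Bradop's real dictionary is not given in the post), and `encode_custom_base64` exists only to build a sample blob to decode.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed stand-in for a dropper's custom dictionary: the standard
# alphabet reversed. Any permutation of 64 distinct symbols works the same way.
DEMO_ALPHABET = "".join(reversed(STD_ALPHABET))


def decode_custom_base64(data: str, alphabet: str, pad: str = "=") -> bytes:
    """Decode base64 text produced with a non-standard 64-symbol dictionary.

    Each custom symbol is translated to the standard symbol at the same index,
    after which the regular decoder applies. Whitespace is dropped and missing
    '=' padding is restored, since protectors frequently omit it.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct symbols")
    table = str.maketrans(alphabet + pad, STD_ALPHABET + "=")
    translated = "".join(data.split()).translate(table)
    translated += "=" * (-len(translated) % 4)
    # validate=True rejects any character that did not map into the standard set,
    # which flags a wrong alphabet guess instead of silently producing garbage.
    return base64.b64decode(translated, validate=True)


def encode_custom_base64(raw: bytes, alphabet: str, pad: str = "=") -> str:
    """Helper used only to construct sample input: standard base64, re-mapped."""
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET + "=", alphabet + pad))


if __name__ == "__main__":
    blob = encode_custom_base64(b"Bradop", DEMO_ALPHABET)   # constructed sample
    print(blob, decode_custom_base64(blob, DEMO_ALPHABET))
```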

Each build of the downloader has the address of the TrojanSpy component, which is remotely hosted, hardcoded inside. The TrojanSpy component stored at that location is Zlib compressed. Once the downloader has downloaded and decompressed the TrojanSpy, it registers it as a Browser Helper Object (BHO) and runs it by opening an instance of the Internet Explorer browser.

Aside from the hardcoded download link, the downloader component also contains an encrypted configuration data file. This data is saved to the disk but there is no code inside the downloader to interpret it. Clearly it is intended for the TrojanSpy.

Configuration files are saved with names of clean system files in random Windows subdirectories. A decrypted configuration file looks like this:

Figure 3: Decrypted configuration file dropped by TrojanDownloader:Win32/Bradop.A for its TrojanSpy component

The configuration file contains an alternate/update download location. If you navigate to that location you’ll just see an error page, but taking a closer look at the HTML source code reveals the following text rendered with white font color on a white background:

...<font color='white'>§wucps.js;Modulo;1257122;1196342|ESdo4DLUdmx6.js;Config;0;366§</font>...

This piece of code pinpoints the two components available at this location:

  1. “Modulo”, a.k.a. the TrojanSpy component (SHA1: 6e86c5c25a0b00ef41e0b2ee26fecaa3ada81867), Zlib compressed. This file is “wucps.js”, found in the same virtual directory as index.html.
  2. “Config”, an updated configuration file (SHA1: b890724bdc646091ea2186887f957a8f610fc877), encrypted. This file is “ESdo4DLUdmx6.js”, found in the same virtual directory as index.html.
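The hidden manifest above has a simple shape: a block bracketed by “§” signs inside a white-on-white font element, entries separated by “|”, and four “;”-separated fields per entry. The parser below is an added example (not the post's or the malware's code) that pulls that block out of an error page and returns the component records; the HTML fragment is constructed around the exact text shown above, and the meaning of the two numeric fields is not stated in the post, so they are kept as plain integers.

```python
import re
from dataclasses import dataclass

# Constructed error page carrying the manifest text quoted in the post.
SAMPLE_HTML = """<html><body><h1>404 Not Found</h1>
<font color='white'>§wucps.js;Modulo;1257122;1196342|ESdo4DLUdmx6.js;Config;0;366§</font>
</body></html>"""

# A '§'-bracketed block inside a <font color='white'> element. Matching the
# white font as well as the delimiters keeps ordinary page text from matching.
HIDDEN_BLOCK = re.compile(
    r"<font\s+color=['\"]white['\"]\s*>\s*§(?P<body>[^§]*)§\s*</font>", re.I
)


@dataclass
class Component:
    filename: str   # file in the same virtual directory as index.html
    label: str      # "Modulo" (TrojanSpy) or "Config" (configuration update)
    n1: int         # numeric field; meaning not given in the post
    n2: int         # numeric field; meaning not given in the post


def parse_manifest(html: str) -> list[Component]:
    """Return the components advertised by a hidden Bradop-style manifest.

    An empty list means no manifest was found; a malformed entry raises so that
    a changed format is noticed rather than silently skipped.
    """
    match = HIDDEN_BLOCK.search(html)
    if not match:
        return []
    components = []
    for entry in match.group("body").split("|"):
        fields = entry.split(";")
        if len(fields) != 4:
            raise ValueError(f"unexpected manifest entry: {entry!r}")
        filename, label, n1, n2 = fields
        components.append(Component(filename, label, int(n1), int(n2)))
    return components


if __name__ == "__main__":
    for comp in parse_manifest(SAMPLE_HTML):
        print(comp)
```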

Another important part of the configuration file is the location and credentials of an attacker-controlled MySQL server where the data stolen by the BHO is to be saved.

Some configurations, like the one you see above, also provide access to the database server through an HTTP tunnel.

Figure 4: HTTP tunnel used to access the database in which stolen data is stored

An extract from the instructions included in the tool: “Devart HttpTunnel ... allows you to manage database server even if the corresponding port is blocked or remote access to database server is not allowed.”

The following is a diagram of the infection scenario of Win32/Bradop:

Figure 5: Win32/Bradop infection scenario (click to enlarge)

Regarding the TrojanSpy component, our analysis revealed that it has the ability to harvest the following information:

  • Account and login credentials for the following online service providers:
    • brturbo.com.br
    • globo.com
    • globomail.com
    • Gmail
    • Hotmail
    • ibest.com.br
    • ig.com.br
    • locaweb.com.br
    • r7.com
    • serasa.com.br
    • terra.com.br
    • Twitter
    • uol.com.br
  • Website/Domain administration accounts from the following:
    • Hostnet
    • kinghost.net
    • locaweb.com.br
    • redehost.com.br
    • uol.com.br
    • pachost.com.br
  • Login information and user activity snapshots for the online Brazilian banking portals of the following banks:
    • BancoBrasil
    • Bradesco
    • Caixa
    • Grvsolutions
    • Santander
    • Sicredi
  • Credit card information for payments on:
    • americanas.com

We discovered that more than 150,000 sets of account, username, and password were stolen from affected computers by Win32/Bradop, along with bank account information for 1,642 accounts.

Another interesting find was the source code for the protector and the downloader components, stored in the MySQL database. Here’s a snapshot of the entry-point code of the downloader component:

Figure 6: Entry-point code for the Bradop downloader component

At the time of this writing we’ve discovered eight live MySQL databases, on three IP addresses, where stolen information is being uploaded. An additional four older MySQL server IPs are no longer active. All eight live accounts are controlled by four distinct usernames that share the same password. This implies that we’re not dealing with a malware pack sold as a service, but with one single gang that is in charge of all operations of Win32/Bradop.

Here is a snapshot of the activity on one of the servers we took during our investigation:

Figure 7: Server activity writing stolen information into the attacker-controlled database (click to enlarge)

Users of Microsoft Security Essentials are protected from this threat. If you’re not using an antivirus we strongly encourage you to install one and scan your computer, especially if you believe you might have been infected with this threat.

MMPC

PS: All data presented in this blog post is valid as of May 23rd, 2012.