While investigating several domains registered using the email address drake.lampado777@gmail[.]com, IBM Security X-Force spotted the information-stealing malware named Corebot.
Corebot's author included the ability to add plugins to the malware in order to incorporate more features. Each feature is usually a specific function the malware will perform or a role the bot is turned into, such as acting as a socks proxy, spreading via USB drives, grabbing certificates, or even performing DDoS.
The sample analyzed by IBM Security X-Force communicates with two domains registered to drake.lampado777@gmail[.]com that are down at this time:
You can find similar strings in the 64-bit code as in the 32-bit code:
We recently released a blog discussing TVSPY in greater detail. TVSPY is a remote access tool (RAT) leveraging TeamViewer software to gain access to remote computers. With this tool, the attackers could gather private information from their victims as well as take control and install further malware at will.
What else has drake.lampado777@gmail[.]com registered:
Out of the 30+ domains registered using that email address, one domain stood out, btcshop[.]cc. This is a fairly new domain created July 30th 2015. The domain may mislead people as this is not an online shop to buy bitcoin, but an online shop to buy lists of Socket Secure (socks) proxies and personally identifiable information. The lists of proxies are usually infected machines turned into a socks proxy to be used for further malicious activity. Several malware families have the capability to turn an infected machine into a socks proxy. However, this shop has a few peculiarities that are interesting.
The registration process is very simple. You just have to click on the Register button and you are redirected to a new screen notifying you that the registration has been successful. It gives you a hash as a way to log in. The hash is 41 alphanumeric characters long, similar to a SHA-1 hash.
Once you are logged in, there are two tabs available, Accounts and Socks. The Accounts tab lists several countries you can choose from and check if there are any accounts available. There is no specification of what type of accounts, but we can assume they contain personally identifiable information (PII). It also shows a bitcoin wallet assigned to you automatically. To purchase, you'll have to add bitcoin to that specific wallet. Every hash has a new Bitcoin wallet address assigned.
Once the information about the malicious domains linked to the email drake.lampado777@gmail[.]com was collected, we looked into what we could find about btcshop on forums. We found someone using the handle btcshop who wrote a few posts on forums. In one post, btcshop asks for advice on how much he could sell socks proxy bots for. The Jabber account used is the same account advertised on btcshop[.]cc, btcshop@exploit[.]im.
The email address is linked to a Google+ account:
The link between Corebot, the TVSPY C&C and the online shop is the email address used to register all the domains. We were able to link the online shop to a person on a forum using the handle btcshop and the Jabber account btcshop@exploit[.]im. This person may or may not be running Corebot and TVSPY as a way to collect personally identifiable information for sale in his online shop. However, it would be convenient for the same person or a small group of people to be running malicious domains registered under the email drake.lampado777@gmail[.]com and also running btcshop to sell their collected wares. More evidence is needed to definitively say that drake.lampado777@gmail[.]com and firstname.lastname@example.org are the same person.
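The chain of pivots summarised above can be written out as a small graph to see how much of the attribution rests on single observations. This is an added example, not part of the original analysis; the two C&C domain names are not listed on this page, so they appear as labelled placeholders, and the relation labels are our wording.

```python
from collections import defaultdict, deque

# Observations from the write-up. The C&C domain names are not listed on the
# page, so these two nodes are labelled placeholders, not real indicators.
COREBOT_C2 = "domain:<corebot-c2-placeholder>"
TVSPY_C2 = "domain:<tvspy-c2-placeholder>"
EMAIL = "email:drake.lampado777@gmail[.]com"
SHOP = "domain:btcshop[.]cc"
JABBER = "jabber:btcshop@exploit[.]im"
EDGES = [
    ("malware:Corebot", COREBOT_C2, "communicates with"),
    ("malware:TVSPY", TVSPY_C2, "C&C domain"),
    (COREBOT_C2, EMAIL, "WHOIS registrant"),
    (TVSPY_C2, EMAIL, "WHOIS registrant"),
    (SHOP, EMAIL, "WHOIS registrant"),
    (SHOP, JABBER, "advertised on site"),
    ("handle:btcshop", JABBER, "used in forum post"),
]

def build_graph(edges):
    """Undirected adjacency map: a shared attribute links both entities."""
    graph = defaultdict(set)
    for a, b, _relation in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def shortest_path(graph, src, dst, excluded=frozenset()):
    """Breadth-first search; returns the node list src..dst, or None."""
    paths, queue = {src: [src]}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph[node]):
            if nxt not in paths and nxt not in excluded:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths.get(dst)

def single_points_of_linkage(graph, src, dst):
    """Intermediate nodes whose removal leaves src and dst unconnected."""
    path = shortest_path(graph, src, dst) or []
    return [n for n in path[1:-1]
            if shortest_path(graph, src, dst, frozenset({n})) is None]

if __name__ == "__main__":
    g = build_graph(EDGES)
    print(" -> ".join(shortest_path(g, "malware:Corebot", "handle:btcshop")))
    print(single_points_of_linkage(g, "malware:Corebot", "handle:btcshop"))
```

Every intermediate node is reported as a single point of linkage: the path from Corebot to the forum handle is one unbranched chain, so corroborating any hop with an independent observation is what would strengthen the attribution.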