New Atrax Crimeware Kit Taps Tor for Stealth

Atrax is an example of the growing trend of using Tor to encrypt botnet traffic and evade network monitors

Atrax systematically sets up a bot to steal data from infected hosts, but it can also be used for additional attacks, such as distributed denial of service (DDoS). “TOR-based bots combine the power of crimeware and data stealing capabilities with a lot of additional functions such as form grabbing, DDoS module, Bitcoin / Litecoin miner and data extraction for several popular browsers,” CSIS said. “Atrax is advertised as ‘the first public bot to support Windows 8’ which is perhaps not entirely correct but let’s play along.”

The bot consists of a core and various plugins and add-ons, all of which communicate using Tor. In addition to the core platform, DDoS costs $90, a form grabber is $300, reverse SOCKS is $400, a stealer is $110, and the experimental coin mining feature is $140. It comes with free updates, support and bug fixes, and can only be bought using Bitcoins.

“We’re looking for active samples for this kit to fully get an understanding about its capabilities, [but clearly] we are looking at a new crimeware kit with a lot of different functions and plugins,” said CSIS.

Atrax is an example of the growing trend of using Tor to encrypt botnet traffic and evade network monitors. Tor routes traffic through participating nodes, or relays, and encrypts all traffic. It obscures the origin, location and nature of command-and-control operations, and there is no way to take over or sinkhole the associated .onion domain.

As Infosecurity previously reported, over the past year, a handful of sizeable botnets have used Tor, the Onion Router, to hide their command-and-control operations. This niche activity might be set to explode, as dark market sellers have increasingly started offering services to add such functionality.

“It seems that there’s an increasing tendency of Torifing existing botnets,” security researcher Tom Brewster said. “This isn’t new but it looks like it’s getting somewhat trendy. Fraudsters can now purchase a service that will turn their Zeus, Citadel or SpyEye regular botnets into Torified botnets, running on the Tor network, which makes it bulletproof.”
