Napolar & Solarbot Trojans Share DNA

While looking into Napolar, Peter Kálnai of the Avast security firm noted in a blog post: “Independently, we observed an advertising campaign of a new Trojan dubbed Solarbot that started around May 2013. This campaign did not run through shady hacking forums as we are used to, but instead it ran through a website indexed in the main search engines. The website is called http://solarbot.net and presents its offer with a professional looking design.”

In comparing the sample with the Napolar Trojan, the use of certain character strings has left “almost no doubts that the Trojan and Solarbot coincide,” according to Kálnai’s forensic analysis.

The malware can perform a range of functions. Among other things, both can download the Bitcoin wallet stealing plugin called WalletSteal.bin. Bitcoin wallets are the equivalent of a physical wallet on the Bitcoin network; they contain the private keys that allow a user to spend the Bitcoins allocated to them in the public record of Bitcoin transactions. The malware has also been seen to download a Bitcoin miner that was afterwards injected into a copy of the standard Windows notepad binary placed in the system’s Temp directory and executed from there.

“We have seen implemented functionalities like FTP and POP3 Grabber, Reverse Socks 5 or basis of functional modularity,” Kálnai said. “There were relevant strings indicating the possibility of man-in-the-browser attacks. Indeed, we observed that the content of forms of internet banking sites were sent to C&C in an unencrypted form, but only in the case when the site requested a reputation or certificate verification. This could have connection with internal list of URLs, updated remotely.”

In terms of the distribution of the infection, Avast analyzed a subset of the related detections. The incidence reaches at least several hundred unique computers a day, and that number could be higher once all Solarbot samples are counted. The places most affected by the infection are the South and Central American countries of Colombia, Venezuela, Peru, Mexico and Argentina; the Asian countries of the Philippines and Vietnam; and Poland in Europe.

“A few gate URLs (C&C servers) have been identified so far: xyz25.com, cmeef.info, paloshke.org,” Kálnai said. “The latter is registered by the infamous Bizcn.com.” The advertising site solarbot.net is registered with NetEarth One, a domain registrar tied to the same fraudulent Chinese registrar, and the registrant’s contact data are hidden behind PrivacyProtect.org, a service favored by various groups involved in malicious activities.
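The two observable traces described above, a system binary such as notepad.exe being launched from a Temp directory and DNS lookups for the named gate domains, are both cheap to hunt for in endpoint telemetry. The script below is an added example written for this article, not code from Avast or from the Solarbot analysis. The three gate domains come from the article; the event format, field names, the list of system binaries and the sample events are assumptions constructed for the example, and the process check is generalised to any listed system-binary name running outside a Windows system directory.

```python
"""
Added example (not Avast's or the article's code): two defender-side checks
for the behaviour the article describes, run over constructed log events.

  1. A Windows system binary (e.g. notepad.exe) launched from a Temp
     directory instead of one of the Windows system directories.
  2. A DNS lookup for one of the gate (C&C) domains the article names.

Event format, field names and sample values are assumptions for this example.
"""
import ntpath

# Gate domains quoted from the article; the matching logic is ours.
KNOWN_GATE_DOMAINS = {"xyz25.com", "cmeef.info", "paloshke.org"}

# Binaries that should only run from a Windows system directory.
# notepad.exe is the one the article mentions; the others generalise the check.
SYSTEM_BINARIES = {"notepad.exe", "svchost.exe", "explorer.exe"}

# Exact directories a legitimate copy of these binaries lives in (assumed).
# Note that C:\Windows\Temp is deliberately NOT in this list.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def is_masquerading_system_binary(image_path):
    """True if the image has a system-binary name but runs outside SYSTEM_DIRS."""
    name = ntpath.basename(image_path).lower()
    if name not in SYSTEM_BINARIES:
        return False
    directory = ntpath.dirname(image_path).lower().rstrip("\\")
    return directory not in SYSTEM_DIRS


def matches_gate_domain(query_name):
    """True if a DNS query targets a listed gate domain or one of its subdomains."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in KNOWN_GATE_DOMAINS)


def scan(events):
    """Return (event_id, reason) findings for a list of event dicts."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create" and is_masquerading_system_binary(ev["image"]):
            findings.append((ev["id"], "system binary name outside system dir: " + ev["image"]))
        elif ev["type"] == "dns_query" and matches_gate_domain(ev["query"]):
            findings.append((ev["id"], "query for known gate domain: " + ev["query"]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\Temp\notepad.exe"},
    {"id": 3, "type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\notepad.exe"},
    {"id": 4, "type": "dns_query", "query": "www.example.com"},
    {"id": 5, "type": "dns_query", "query": "gate.paloshke.org"},
    {"id": 6, "type": "dns_query", "query": "xyz25.com."},
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

The path check compares the exact parent directory rather than a prefix, so a notepad.exe dropped under C:\Windows\Temp is still flagged even though it sits below C:\Windows; the domain check matches subdomains as well, because a gate is rarely contacted by its bare apex name. Both lists would normally be fed from a threat-intelligence source rather than hard-coded.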

“In the end, we have to say that this bot displays solid malicious performance,” Kálnai said. “Together with the reasonable price of $200, it could be on the rise in the near future. Fortunately, the antivirus industry will react to make the life of these cyber-criminals harder.”
