A new strain of malware has been dubbed “ChewBacca” after the Star Wars character; the name comes from one of the bot's own functions. The malware drops the function ‘P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL’ as ‘spoolsv.exe’ into the user’s Startup folder and looks up the victim’s public IP address through a public service.
The Tor component is then dropped as ‘tor.exe’ into the user’s Temp folder and started with the default local SOCKS port, localhost:9050.
Researchers at Kaspersky Lab identified the malware. “Lately Tor has become more attractive as a service to ensure users’ anonymity,” explained Kaspersky Lab expert Marco Preuss. “Also criminals use it for their activities, but they are only slowly adopting this to host their malicious infrastructure.”
Tor was also utilized in a recent Zeus variant captured in the wild which also included functionality aimed at 64-bit systems. Additional malware like the CrimewareKit Atrax and the botnet built using the Mevade malware have already been spotted using Tor.
Using Tor offers a level of protection that masks the location of the command-and-control server the malware uses to receive and send commands. There are, however, disadvantages for attackers. Because of how the network is structured, Tor is inherently slower. On top of that, as seen with Mevade, a massive rise in botnet traffic can degrade the network, making such activity easy for researchers to spot.
“Tor is just one of many tricks in a good malware author’s – or gang’s – toolbox,” noted Richard Henderson, security specialist at Fortinet. “Tracking down command and control can be difficult; other methods like…bouncing through C&C proxies, using domain generation algorithms and multiple C&C proxies, or using a P2P C&C model…can make it difficult for researchers to track down the head of the beast in order to lop it off.”
While running, ChewBacca records all keystrokes to a log file named ‘system.log’, which the dropped malware creates in the local Temp folder. The Trojan also enumerates all running processes, scans their memory, and uses two different regular expression patterns to extract data.
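The host artifacts named in this article (spoolsv.exe in the Startup folder, tor.exe and system.log in Temp, a local listener on port 9050) are enough for a simple triage check. The script below is an added example written for this page, not Kaspersky's tooling or anything from the malware itself. The snapshot format, the directory names and the sample host data are assumptions made for the example; a real deployment would feed it a file listing and a netstat-style socket list collected from the endpoint.

```python
"""Triage check for the ChewBacca host artifacts described in the article.

Added example for this page (not Kaspersky's or the malware's code).
Assumptions: a HostSnapshot holds the full paths of files on the host plus
(address, port) pairs of listening sockets; Windows-style paths are used.
"""
import os
from dataclasses import dataclass, field

# Indicators taken from the article: file names and the default Tor port.
STARTUP_DIR = r"\Microsoft\Windows\Start Menu\Programs\Startup"
TEMP_DIR = r"\AppData\Local\Temp"
TOR_LOCAL_PORT = 9050


@dataclass
class HostSnapshot:
    files: list = field(default_factory=list)      # full paths on the host
    listeners: list = field(default_factory=list)  # (address, port) tuples


def _norm(path):
    """Normalise separators and case so substring checks are reliable."""
    return path.replace("/", "\\").lower()


def check_host(snap):
    """Return a list of (indicator, evidence) pairs found in the snapshot."""
    findings = []
    for f in snap.files:
        p = _norm(f)
        name = p.rsplit("\\", 1)[-1]
        # spoolsv.exe is a legitimate Windows binary under System32; the same
        # name inside a user's Startup folder is the dropper from the article.
        if name == "spoolsv.exe" and _norm(STARTUP_DIR) in p:
            findings.append(("dropper_in_startup", f))
        elif name == "tor.exe" and _norm(TEMP_DIR) in p:
            findings.append(("tor_in_temp", f))
        elif name == "system.log" and _norm(TEMP_DIR) in p:
            findings.append(("keylog_in_temp", f))
    for addr, port in snap.listeners:
        if port == TOR_LOCAL_PORT and addr in ("127.0.0.1", "localhost", "::1"):
            findings.append(("tor_socks_listener", f"{addr}:{port}"))
    return findings


def verdict(findings):
    """Collapse findings into a triage verdict.

    A Tor listener alone is not proof (users legitimately run Tor), so the
    strong verdict requires the Startup dropper plus a runtime artifact.
    """
    kinds = {k for k, _ in findings}
    runtime = {"tor_in_temp", "keylog_in_temp", "tor_socks_listener"}
    if "dropper_in_startup" in kinds and kinds & runtime:
        return "likely_chewbacca"
    if kinds:
        return "suspicious"
    return "clean"


def snapshot_from_disk(root):
    """Build a snapshot by walking a directory tree (sockets must be added
    separately, e.g. from netstat output). Handy for running the check on a
    mounted disk image."""
    files = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    return HostSnapshot(files=files)


# Constructed sample data standing in for an infected and a clean host.
INFECTED = HostSnapshot(
    files=[
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe",
        r"C:\Users\alice\AppData\Local\Temp\tor.exe",
        r"C:\Users\alice\AppData\Local\Temp\system.log",
        r"C:\Windows\System32\spoolsv.exe",
    ],
    listeners=[("127.0.0.1", 9050), ("0.0.0.0", 445)],
)
CLEAN = HostSnapshot(
    files=[r"C:\Windows\System32\spoolsv.exe"],
    listeners=[("0.0.0.0", 445)],
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        found = check_host(snap)
        print(label, verdict(found))
        for kind, evidence in found:
            print("   ", kind, "->", evidence)
```

The legitimate `C:\Windows\System32\spoolsv.exe` in the sample is deliberately not flagged: the indicator is the file name combined with the Startup location, not the name alone.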