Earlier this year researchers at ESET, the leader in proactive protection against cyber-threats, discovered
a botnet that has some very interesting communication features. Amongst other activities, it tries to steal documents and certificates, is capable of creating audio and video recordings and browses the local network for information. Interestingly, it uses a Georgian governmental website to update its command and control information and ESET researchers therefore believe that Win32/Georbot is targeting computer users in Georgia. Yet another unusual characteristic of this malicious program is that it looks for “Remote Desktop Configuration Files” and thereby enables attackers stealing these files to upload them to remote machines without exploiting any vulnerability. What is more worrying is that the development of this malware is ongoing; ESET has found fresh variants in the wild as recently as March 20th. Win32/Georbot features an update mechanism to enable it to morph into new versions of the bot, in an attempt to remain undetected by anti-malware scanners. The bot also has a fall-back mechanism in case it can’t reach the C&C (Command-and-Control) server: in that event it will then connect to a special webpage that was placed on a system hosted by the Georgian government.
“This does not automatically mean that the Georgian government is involved. Quite often people are not aware their systems are compromised,” says Pierre-Marc Bureau, ESET Security Intelligence Program Manager. “It should be also noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, in parallel to their own – still ongoing – monitoring, have worked together with ESET on this matter,” he added. Of all the infected hosts, 70% were located in Georgia followed by far lower volumes in the United States, Germany and Russia.
ESET’s researchers were also able to get access to the bot’s control panel, yielding clear details about the number of affected machines, their location, and commands that might be sent to them. The most interesting information found on the control panel was a list with all the keywords that were targeted in documents on infected systems. Among the English-language words were “ministry, service, secret, agent, USA, Russia, FBI, CIA, weapon, FSB, KGB, phone, number” among several others.
“The functionality allowing the recording of video via the webcam, the taking of screenshots, and the launch of DDoS attacks was seen to be used a couple of times,” says Bureau. The fact that the botnet uses a Georgian website to update its C&C information, and that it probably used the same website to spread, suggests that people in Georgia might be a primary target. On the other hand, the level of sophistication for this threat is low. ESET researchers think that if this operation were state-sponsored, it would be more professional and stealthy. The most likely hypothesis is that Win32/Georbot was created by a group of cyber criminals trying to find sensitive information in order to sell it to other organizations.
“Cybercrime is getting more professional and more targeted with larger players entering the field as well. Win32/Stuxnet and Win32/Duqu are examples of high tech cybercrime and served a specific purpose, but even Win32/Georbot, while less sophisticated, still has unique (new) features and methods to get to the core of what its creators are after. In the case of Win32/Georbot the aim is to gather access to systems and lots of specific information: hence the search for Remote Desktop configuration files,” concludes Senior Research Fellow at ESET Righard Zwienenberg.