£38 Kardon beta malware allows customers to build own botnets

News by Robert Abel

A new commercial malware dropper was discovered on sale at the low price of US$ 50 (£38) in its beta form but promising the ability to allow customers to open their own botshop allowing the purchaser to rebuild the bot.

A new commercial malware dropper was discovered on sale at the low price of US$ 50 (£38) in its beta form but promising the ability to allow customers to open their own botshop allowing the purchaser to rebuild the bot to sell access to others, creating their own clientele.

NetScout Arbor ASERT researchers spotted the malware named Kardon Loader on underground forums as its authors were still looking for testers to infect victims, gain persistence on a user's computer and report back to a command and control (C&C) server, according to a recent blog post.

The malware was also promoted for its use of anti-analysis techniques to discourage white hats from examining its inner workings.

Kardon appears to be a rebrand of the ZeroCool botnet, which was previously developed by the same actor. The malware's creators aren't widely distributing the malware with only 124 infections spotted, but researchers found the threat actors initially conducted tests by leveraging the Pink Panther's automated loads shop.

Despite an extensive list of features advertised with the malware, some of them appear to have been exaggerated as its authors claim the bot has Tor integration and user mode rootkit functionality, however, researchers found no evidence of these capabilities in the binaries they analysed.

Researchers first spotted the malware on 21 April, 2018, after a threat actor using the name Yattaze began advertising the malware on a forum. The botnets creators have communicated that future development will be done on the malware and in the meantime, researchers recommend organisations leverage indicators to block malicious activity associated with the malware loader.

Sean Newman, Director of Product Development at Corero Network Security said news of the botnet doesn't represent any advances in the way the cyber-criminal community functions. 

“We are way past the time when hackers operated solely in isolation and had to craft every component of their attacks themselves,” Newman said in a 25 June blog post. “Pretty much every element of cyber-crime is now part of a broader ecosystem, with hackers specialising in certain areas and then selling those skills or capabilities on the dark web to others who can then use that for a broader cyber-crime campaign.”

He went on to say that malware like this emphasises the need for organisations to have dedicated protection against these types of threats.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events