
Up-And-Coming Botnet Uses Same Malware Kit As Defunct Mariposa

'Butterfly bot' kit steals financial information, but its licensing model could ultimately lead authorities to its newest botmasters

Jun 29, 2011 | 03:44 PM

By Kelly Jackson Higgins
Dark Reading

A financial-fraud botnet built with the same malware kit used in the now-defunct Mariposa botnet remains active after arrests this month of two Eastern European men who allegedly ran it.

Researchers at Unveillance, Panda Labs, and Damballa have been studying the botnet, which has been dubbed "EvilFistSquad" by Damballa and "Metulji" by Unveillance and Panda, for some time now. Unveillance and Panda Labs today announced that the botnet has hit businesses and individuals across 172 or more countries, including the U.S., Russia, Brazil, China, Great Britain, India, and Iran. The botnet uses the Butterfly Bot Kit, a.k.a. Palevo, Pilleuz, and Rimecud, the malware that was used by the Mariposa botnet.

According to translated news reports out of Eastern Europe earlier this month, the FBI worked with Interpol in the arrest of two suspected hackers, Aljosa Borkovic and Darko Malinic, in the so-called Operation Hive case. The two men allegedly used the EvilFistSquad botnet to steal several hundred thousand dollars from victims' bank accounts around the world. Borkovic reportedly had been arrested a few years ago for cybercrime; he had since been living in a luxury apartment in Banja Luka in Bosnia and Herzegovina and driving expensive cars.

Damballa, which has been tracking Butterfly-based command-and-control traffic since 2007, ranks EvilFistSquad at No. 28 in the most prevalent botnets in the U.S. as of the first quarter of this year.

"Across our customer base -- ISPs and large enterprises -- the number of unique machines in the U.S. that are currently live and communicating with the [EvilFistSquad] command-and-communications infrastructure is just under 60,000 machines," says Gunter Ollmann, vice president for research at Damballa. Ollmann says there are three other Butterfly-based botnets his firm is tracking as well, but they are relatively small.

Karim Hijazi, CEO and president at Unveillance, says his firm estimates that the Metulji botnet is bigger than Mariposa in its heyday -- possibly twice the size, he says -- but is still confirming actual bot counts. He doesn't believe there's a direct connection between the operators of this botnet and those of the former Mariposa. "At first glance, I don't think these guys were tied to the guys in Spain other than using a similar kit -- just far more successfully, from the looks of it," he says. "Metulji" is Slovenian for "butterfly."

Before Mariposa was taken down in early 2010, it was a massive global botnet with close to 13 million infected machines in more than 190 countries -- including those of half of all Fortune 1000 firms. The botnet harvested banking credentials, credit card information, account information from social networking sites and online email services, and other usernames and passwords. A team made up of law enforcement officials in Spain, the FBI, Panda Security, Defence Intelligence, and Georgia Tech cut off the Mariposa botnet's command-and-control (C&C) infrastructure in one day in December, ultimately leading to the arrest of the alleged head botmaster and two of his partners by Spanish authorities.

Mariposa infected machines via email and Web exploits, as well as via instant messaging and USB drives, which were the most successful modes of infection for Mariposa. Several months after the takedown, a hacker known as "Iserdo," who allegedly wrote the Mariposa virus, was arrested in Slovenia.

Meanwhile, researchers say the new Metulji/EvilFistSquad botnet uses Butterfly Bot malware to infect its victims, and then steals bank account credentials and other personal information. The worm spreads via removable drives, namely USB sticks. The researchers say that while some of the botnet's domains were taken down, several other domains are still up, running, and harvesting stolen information from victim machines.

"All we can say at the moment is that we are analyzing the few thousand binaries involved to determine the exact connection with the Slovenian Butterfly Framework creator and the different botmasters identified from the Mariposa case," says Pedro Bustamante, senior research adviser for Panda Security. "It is obvious that any Butterfly-based botnet out there is related to the Mariposa case in some way or another, as the creator of the botnet framework was arrested by the Slovenian police last year and is now most likely pending extradition to the U.S., thanks to the involvement of the FBI."

The good news is that when Mariposa was taken down, researchers discovered the licensing model built into the malware framework, which yields the nicknames of the botmasters who license the Butterfly bot malware.

"There are other Butterfly-botnets out there. The key here is that during the Mariposa case, we discovered the licensing mechanism inside the Butterfly framework, and we were able to get the framework creator arrested. This gave law enforcement the list of all Butterfly botnet operators around the world," Bustamante says. "... It is safe to assume that law enforcement has a very good insight into who is running any Butterfly-based botnet out there."

So why would botmasters use the same kit that ran the former Mariposa? "Obviously, those botmasters are either not concerned about going to jail or just plain stupid," he says.

Another clue that the perpetrators either weren't worried about, or aware of, getting caught: Unveillance researchers say one of the arrested men used the same email address to register multiple domains for the botnet, and even used his real name and address at times.
