Up-And-Coming Botnet Uses Same Malware Kit As Defunct Mariposa

'Butterfly bot' kit steals financial information, but its licensing model could ultimately lead authorities to its newest botmasters

A financial-fraud botnet built with the same malware kit used in the now-defunct Mariposa botnet remains active after arrests this month of two Eastern European men who allegedly ran it.

Researchers at Unveillance, Panda Labs, and Damballa have been studying the botnet, which has been dubbed "EvilFistSquad" by Damballa and "Metulji" by Unveillance and Panda, for some time now. Unveillance and Panda Labs today announced that the botnet has hit businesses and individuals across 172 or more countries, including the U.S., Russia, Brazil, China, Great Britain, India, and Iran. The botnet uses the Butterfly Bot Kit, a.k.a. Palevo, Pilleuz, and Rimecud, the malware that was used by the Mariposa botnet.

According to translated news reports out of Eastern Europe earlier this month, the FBI worked with Interpol in the arrest of two suspected hackers, Aljosa Borkovic and Darko Malinic, in the so-called Operation Hive case. The two men allegedly used the so-called EvilFistSquad botnet to steal several hundred thousand dollars from victims' bank accounts around the world. Borkovic reportedly had been arrested a few years ago for cybercrime; he had since lived in a luxury apartment in Banja Luka in Bosnia and Herzegovina, and drove expensive cars.

Damballa, which has been tracking Butterfly-based command-and-control traffic since 2007, ranks EvilFistSquad at No. 28 in the most prevalent botnets in the U.S. as of the first quarter of this year.

"Across our customer base -- ISPs and large enterprises -- the number of unique machines in the U.S. that are currently live and communicating with the [EvilFistSquad] command-and-communications infrastructure is just under 60,000 machines," says Gunter Ollmann, vice president for research at Damballa. Ollmann says there are three other Butterfly-based botnets his firm is tracking as well, but they are relatively small.

Karim Hijazi, CEO and president at Unveillance, says his firm estimates that the Metulji botnet is bigger than Mariposa in its heyday -- possibly twice the size, he says -- but is still confirming actual bot counts. He doesn't believe there's a direct connection between the operators of this botnet and those of the former Mariposa. "At first glance, I don't think these guys were tied to the guys in Spain other than using a similar kit -- just far more successfully, from the looks of it," he says. "Metulji" is Slovenian for "butterfly."

Before Mariposa was taken down in early 2010, it was a massive global botnet with close to 13 million infected machines in more than 190 countries -- including those of half of all Fortune 1000 firms. The botnet harvested banking credentials, credit card information, account information from social networking sites and online email services, and other usernames and passwords. A team made up of law enforcement officials in Spain, the FBI, Panda Security, Defence Intelligence, and Georgia Tech cut off the Mariposa botnet's command-and-control (C&C) infrastructure in one day in December, ultimately leading to the arrest of the alleged head botmaster and two of his partners by Spanish authorities.

Mariposa infected machines via email and Web exploits, as well as via instant messaging and USB drives, which were the most successful modes of infection for Mariposa. Several months after the takedown, a hacker known as "Iserdo," who allegedly wrote the Mariposa virus, was arrested in Slovenia.

Meanwhile, researchers say the new Metulji/EvilFistSquad botnet uses Butterfly Bot malware to infect its victims, and then steals bank account credentials and other personal information. The worm spreads via removable drives, namely USB sticks. The researchers say that while some of the botnet's domains were taken down, several other domains are still up, running, and harvesting stolen information from victim machines.

"All we can say at the moment is that we are analyzing the few thousand binaries involved to determine the exact connection with the Slovenian Butterfly Framework creator and the different botmasters identified from the Mariposa case," says Pedro Bustamante, senior research adviser for Panda Security. "It is obvious that any Butterfly-based botnet out there is related to the Mariposa case in some way or another, as the creator of the botnet framework was arrested by the Slovenian police last year and is now most likely pending extradition to the U.S., thanks to the involvement of the FBI."

The good news is that when Mariposa was taken down, researchers discovered the licensing model inside the malware framework, which provides the nicknames of the botmasters who license the Butterfly bot malware.

"There are other Butterfly-botnets out there. The key here is that during the Mariposa case, we discovered the licensing mechanism inside the Butterfly framework, and we were able to get the framework creator arrested. This gave law enforcement the list of all Butterfly botnet operators around the world," Bustamante says. "... It is safe to assume that law enforcement has a very good insight into who is running any Butterfly-based botnet out there."

So why would botmasters use the same kit that ran the former Mariposa? "Obviously, those botmasters are either not concerned about going to jail or just plain stupid," he says.

Another clue that the perpetrators either weren't worried about getting caught or weren't aware they could be: Unveillance researchers say one of the arrested men used the same email address to register multiple domains for the botnet, and even used his real name and address at times.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...