Ponmocup – A giant hiding in the shadows

Ponmocup, first discovered in 2006 as Vundo or Virtumonde, is one of the most successful botnets of the past decade in terms of spread and persistence. This botnet is considered highly interesting because it is sophisticated, underestimated, currently the largest in size and aimed at financial gain.

This underestimated botnet is still in active use and under continuous development. Having established that Ponmocup’s primary goal is likely financial gain, it is interesting to look at its size. Fox-IT has determined that it has infected a cumulative total of more than 15 million unique victims since 2009. At its peak, in July 2011, the botnet consisted of 2.4 million infected systems, which as far as botnets go, is huge. Since then, the botnet has shrunk in size and is currently stable at around 500,000 active infections, as shown below:

Ponmocup botnet global infections

Compared to other botnets, Ponmocup is one of the largest currently active and, with 9 consecutive years, also one of the longest running. Ponmocup is rarely noticed though, as the operators take care to keep it operating under the radar.

Ponmocup’s operators are technically sophisticated; their techniques suggest a deeper than usual knowledge of the Windows operating system. On top of that, the operators have close to 10 years of experience with malware development. Their framework was developed over time, quality tested and then improved in order to increase robustness and reduce the likelihood of discovery.

The operators are most likely Russian speaking and possibly of Russian origin. This is based on the fact that instructions to business partners and affiliates are written in Russian, and that historically, Ponmocup would not infect systems in some post-Soviet States.

Ponmocup is believed to be aimed at financial gain. Although it is difficult to quantify the exact amount of money earned with the Ponmocup botnet, it is likely that it has already been a multi-million dollar business for years now. There are multiple reasons to assume this is the case. Firstly, their infrastructure is complex, distributed and extensive, with servers for dedicated tasks. Secondly, they operate, maintain and monitor their comprehensive infrastructure with a group of operators and are quickly able to mitigate potential risks that are discovered. Thirdly, the malware itself is sophisticated and aimed at avoiding detection and analysis. Based on these reasons, Fox-IT believes that they are protecting a very well-run organization and infrastructure for their main goal: financial gain.

Download the threat report ‘Ponmocup – a giant hiding in the shadows’

Liveblog: Malvertising from Google advertisements via possibly compromised reseller

We are currently observing a large scale malvertising campaign originating from all the Google advertisement services resold by engagelab.com. It appears as if all of engagelab.com’s advertisement and zone IDs are currently redirecting to a domain, which in turn redirects to the Nuclear Exploit Kit, indicating a possible compromise at this reseller of Google advertisement services. This Nuclear Exploit Kit targets vulnerabilities in Adobe Flash, Oracle Java and Microsoft Silverlight software.

Fox-IT observed the first redirect to the malicious domain on April 7th 2015 at 15:41:42 (CEST/GMT +02:00). The Fox-IT SOC has detected a relatively large number of infections and infection attempts from this exploit kit among our customers. We suspect that this malvertising campaign will be of a very large scale.

The domains for the exploit kit itself aren’t directly used for redirection; a secondary site is used as an intermediate. The domains and IPs used for the exploit kit are constantly changing, so to mitigate the threat for now we suggest blocking the website that sits between the legitimate websites and the exploit kit. We have observed the following being in constant use (we will update if anything changes):

  • foley.go2lightuniversity.com / 85.143.217.196

Domains observed for the Nuclear Exploit Kit:

  • banking.techpool.org / 62.76.44.174
  • soaring.betsystemreviews.com / 62.76.44.174
  • supervision.sactown.us (currently offline)

Though we have yet to identify the exact malware variant victims are currently being infected with via the exploit kit, we have identified the command and control server used:

  • alfiantoys.com/wp-news.php / 174.36.217.82

To limit damage we recommend the following steps:

  • Block access to 85.143.217.196
  • Use an adblocker
  • Update Java, Silverlight and Flash to the latest versions
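The redirection chain described above (legitimate site, resold ad zone, intermediate redirector, Nuclear Exploit Kit) can be recovered from proxy logs by walking Referer headers backwards from any request that touched one of the indicators in this post. The following is an added example, not Fox-IT code; it assumes a constructed "ts client method url referer=<url> dst_ip" log layout, and every hostname other than the post's own indicators is a placeholder.

```python
import re
from collections import defaultdict

# Indicators quoted in the post above: the intermediate redirector and the Nuclear EK hosts.
REDIRECTOR_HOSTS = {"foley.go2lightuniversity.com"}
EK_HOSTS = {"banking.techpool.org", "soaring.betsystemreviews.com", "supervision.sactown.us"}
BLOCKED_IPS = {"85.143.217.196"}

# Constructed proxy log (assumed layout); example-news.test, example-shop.test and
# ad.engagelab.com are placeholders built for this example, not hosts from the post.
SAMPLE_LOG = """\
1428414102 10.0.0.5 GET http://www.example-news.test/article referer=- 203.0.113.10
1428414103 10.0.0.5 GET http://ad.engagelab.com/zone?id=1234 referer=http://www.example-news.test/article 203.0.113.20
1428414104 10.0.0.5 GET http://foley.go2lightuniversity.com/r referer=http://ad.engagelab.com/zone?id=1234 85.143.217.196
1428414105 10.0.0.5 GET http://banking.techpool.org/landing referer=http://foley.go2lightuniversity.com/r 62.76.44.174
1428414110 10.0.0.7 GET http://www.example-shop.test/ referer=- 203.0.113.30
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) referer=(\S+) (\S+)$")

def host_of(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else None

def walk_chain(referers, url):
    """Follow Referer headers backwards from url and return the hosts in click order."""
    chain, seen = [], set()
    while url and url != "-" and url not in seen:
        seen.add(url)
        chain.append(host_of(url))
        url = referers.get(url)
    return chain[::-1]

def flag_clients(log_text):
    """Map client -> {"stage", "chain"} for clients that reached the redirector (or its
    blocked IP) or an EK host; an EK hit overrides an earlier redirector-only hit."""
    referers = defaultdict(dict)  # client -> {request url: referer url}
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url, referer, dst_ip = m.groups()
        referers[client][url] = referer
        host = host_of(url)
        if host in EK_HOSTS:
            stage = "exploit_kit"
        elif host in REDIRECTOR_HOSTS or dst_ip in BLOCKED_IPS:
            stage = "redirector"
        else:
            continue
        if client not in hits or stage == "exploit_kit":
            hits[client] = {"stage": stage, "chain": walk_chain(referers[client], url)}
    return hits
```

A client whose chain stops at the redirector stage was blocked before reaching the exploit kit, which is the effect the IP block above is meant to have.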

Google has been notified of the issue.

Update #1: Added image (see below) to illustrate the malvertising redirection chain (21:49 CEST/GMT +02:00)

Update #2: Though we have not received any official confirmation, we are currently no longer observing malicious redirects from the advertisement reseller (22:54 CEST/GMT +02:00)

Update #3: After analysis the payload has been identified as Pony Loader, malware able to steal credentials and install other types of malware. VirusTotal link with basic information: https://www.virustotal.com/en-gb/file/33ea978af4508cf411fa04a7e25e060e8e6932a07cdc2608a83886d3f551f2ec/analysis/ (18:27 CEST/GMT +02:00)

Keep an eye on this blog for updates on the situation.

The following image illustrates the malvertising chain from a website using Doubleclick to the Nuclear Exploit Kit (for a more thorough explanation of what malvertising is, please see: Malvertising: not all Java from Java.com is legitimate):
Malvertising via Doubleclick