Plasma HTTP Botnet Steals Passwords From Chrome, FileZilla

February 5, 2014

Last year we reported on the Athena HTTP botnet, which targets Windows XP systems, mostly for distributed denial-of-service attacks. Now we have examined the botnet Plasma HTTP, whose infections seem to be widespread and target all Windows systems. Attacker use this HTTP-based botnet primarily as a CPU and GPU cryptocurrency miner. Once a machine is infected, the bot can easily steal sensitive information such as usernames and passwords stored locally for the Google Chrome browser and FileZilla FTP client. We have seen a number of malicious websites hosting this botnet, most with a high infection rate. The following screenshot shows a panel with more than a thousand unique infections:

plasma_online_list

The bot sends system information such as operating system, CPU/GPU data, and security software installed to its control. The bot can stop or disable several security software apps. Here is an example of the information logged:

plasma_hwid_info

This information helps attackers run their malicious miners based on the GPU and CPU. Attackers can send a number of commands:

plasma_active_commands

The bot can also passwords from infected machines. It then logs all the entries on its control server. A sample statistics page:

plasma_stats

The bot has stolen more than 4,000 URLs and passwords stored in Chrome or FileZilla as we write this post. The password log page:

plasma_password_logs

The Plasma HTTP bot supports five categories of malicious commands:

DDoS

  • Slowloris
  • UDP
  • Arme
  • HTTP Post
  • HTTP Get
  • Condis
  • BwFlood
  • Stop DDos

Miner

  • CPU
  • GPU

Bot

  • Download
  • Update
  • Uninstall
  • Update Gate

Botkiller

  • Run Bot Killer Module
  • Run Hard Bot Killer Module
  • Enable Proactive Bot Killer
  • Disable Proactive Bot Killer

Misc

  • Hosts
  • Shell
  • Visit Hidden
  • Visit Visible
  • Torrent Seeder

 A look at network communication between bot and control server:

plasma_wireshark_capture

The request and response is simply a reversed Base64 string of the data sent and received. The decoded data:

plasma_decoded_base64

Once the bot sends information, its control server sends multiple commands separated by “*” to its bot, which then downloads CPU and GPU miner files and runs them silently. The bot next steals stored passwords from Google Chrome and sends all the password logs to its controller. The bot sends information to its server:

plasma_crypt2

The PHP files found in the bot panel are encoded using the ionCube loader–to prevent researchers quickly understanding the code. Here is a look at the encoded gate.php (which logs stolen data):

plasma_php_encoded

Once decoded, we can see the actual code:

plasma_decoded_php

Even though not sophisticated, the Plasma HTTP botnet offers several features. We have seen that attackers are using this bot especially for CPU and GPU mining, due to its ability to remain silent and undetected. The bot can kill other malicious programs such as remote-access tools or miners. The bot can also edit the hosts file, run shell commands, and display web pages. Plasma HTTP has infected the latest versions of Windows (using special social engineering techniques to gain the required privileges). The password logs we have seen show how dangerous this botnet can be and that your sensitive information is at risk.

The post Plasma HTTP Botnet Steals Passwords From Chrome, FileZilla appeared first on McAfee.