New crimekit Atrax exploits Tor, mines Bitcoin and much more

Atrax, yet another commercial crimekit on the black market, a malware able to exploit Tor and that implements numerous features including Bitcoin mining.

Atrax is the name of the last crimekit that is sold in the underground market, its particularity is the capability to exploit Tor networks to communicate with Command & Control infrastructure. Jonas Mønsted of the Danish security firm CSIS, published  a blog post that describes in depth the crimekit. The malware isn’t the first agent that adopted as communication channel the Tor network, we found in the past other botnets exploiting the same trick to high malicious traffic, recently Mevade was responsible for the spike in the Tor traffic, while going further back in time we can mention Skynet The Atrax crime kit is cheap, it is available for runs about $250, and appears very attractive due a series of features like Bitcoin mining, Litecoin mining, browser data extraction and a component to launch DDoS attacks. The DDoS module offer complete support for both Full IPv6 and IPv4 and implements principal attack techniques including UDP Flood,TCP Flood,TCP Connect Flood, HTTP Slowloris and many other methods. The recent explosion in Bitcoin value is attracting cybercrime, for this reason authors of Atrax included in the crimekit dedicated features including the capability to steal information from users’ Bitcoin wallets (such as Armory, Bitcoin-Qt, Electrum and Multibit).

As many other crimekit, Atrax was designed with a modular structure, a series of add-ons implements the above functionalities and follow an efficient model of sale, a plugin stealer is sold for $110, the form grabber for $300 and an experimental add-on for coin mining at $140, surprising the fact that Atrax comes with free updates, bug fixes and support. Below a list of standard features present in the Atrax crimekit:

• Kill
• Update
• Download (over Tor), Execute (Commandline-Parameter allowed)
• Download (over Tor), Execute (Commandline-Parameter allowed) in memory
• Install Plugin
• Installation List (A list with all installed applications

“Apparently the author admits that the main component, which has a fairly big size of ~1,2 MB is due to TOR integration and x64/x86 code. However a first stage free assembler web downloader ~2KB is also available making the infection process slighly lightweight.” has written Mønsted.

The plug-in stealer according the author is very efficient and implements a wealth of functionality:

• Steals all current browser versions.
• Steals: CHROME, FIREFOX, SAFARI, INTERNET EXPLORER, OPERA, FILEZILLA, PIDGIN, JDOWNLOADER v1 + v2, GIGATRIBE, THUNDERBIRD, WINDOWSKEY, FLASHFXP, ICQ, MSN, WINDOWS LIVE, OUTLOOK, PALTALK, STEAM Username Only, TRILLIAN, MINECRAFT, DYNDNS, SMARTFTP, WSFTP, Bitcoin Wallet (Armory, Bitcoin-Qt, Electrum, Multibit)
• If you need something more -> ask me.
• Special: JDownloader v1/v2, Bitcoin Wallet Stealer (whole wallet.dat will be uploaded), IE10 + IE11 support!
• Bitcoin / Litecoin Miner

It it so able to operate with principal browsers available on the market. No doubt, Atrax crimekit has all the characteristics to succeed in the underground criminal.

Pierluigi Paganini

(Security Affairs –  Atrax crimekit, Tor, malware)