Written by: Danielle Anne Veluz

Background

One of the major threat stories in 2013 was the sudden increase in Tor users in August that year. The MEVADE/SEFNIT botnet was the culprit—with the adoption of the Tor module in its operation, the number of Tor users increased from 1 million to more than 5 million within just weeks. The MEVADE/SEFNIT malware has long been associated click fraud since at least 2011. Research by Trend Micro security researchers further shows that the malware is likely sponsored by an Israeli with contractors based in Ukraine.

Enter the infection vectors, which include InstallBrain, a malware whose code is similar to MEVADE/SEFNIT in its way of contacting command-and-control (C&C) servers. Interestingly enough, there is strong evidence that Rotbrow, a Microsoft detection for adware Bprotect, was also seen installing MEVADE/SEFNIT malware in 2013. Both InstallBrain and Bprotect appear to have originated from an adware company named iBario, Ltd. located in Israel.

More details on the findings of the iBario-adware-MEVADE/SEFNIT connection are published in the Trend Micro Research Paper On the Actors Behind MEVADE/SEFNIT.

Attack Summary

The attack involves the adware InstallBrain that was found downloading the click fraud malware MEVADE/SEFNIT to millions of users. The malware MEVADE/SEFNIT was later on traced to threat actors operating from Kharkov, Ukraine and Israel, which have been active since at least 2010.

MEVADE/SEFNIT bots previously caused a dramatic increase in Tor users in August 2013. The Trend Micro™ Smart Protection Network™ infrastructure found infections in more than 68 countries—showing that the MEVADE/SEFNIT variants with Tor components were widespread. However, virtually none were found in Israel.

Figure 1. MEVADE/SEFNIT was seen in 68 countries but not in Israel.

It appears that the bad actors want to avoid Israel and chose not to infect users there. It is also possible that the actors did not want to have problems with Israeli law enforcement agencies. As it turns out, the MEVADE/SEFNIT can be traced to iBario Ltd., one of the world’s biggest Internet marketing companies. The whole empire happens to be funded by ads driven by their own ad networks, which reportedly serves more than 40 percent of the company’s revenues.

Based on our investigation, MEVADE/SEFNIT variants may be installed by adware such as Installbrain, one of iBario’s biggest revenue generators.

InstallBrain

InstallBrain serves as one of the infections vector for the installation of MEVADE/SEFNIT malware on victims’ computers. Other adware such as Bprotect and File Scout can also install MEVADE/SEFNIT malware.

Data from the Smart Protection Network shows that InstallBrain has been installed on millions of computers worldwide. There are currently more than 5 million different InstallBrain adware variants in the wild with detections in around 150 countries, which shows how widespread the adware are.

Figure 2. InstallBrain was detected in around 150 countries worldwide.

Microsoft has been explicit in saying it has seen InstallBrain install MEVADE/SEFNIT malware.

InstallBrain’s Creator, iBario

Installbrain is owned and created by an Internet company based in Israel named iBario. iBario engages in diversified activities all relating to its downloading platform. Its biggest revenue generator is the free software installation engine InstallBrain.

However, InstallBrain’s motto "Monetize On Non-buyers” speaks aptly of the business that it is—to make money at all costs. A big difference between iBario and other companies that simply push nonmalicious adware is that they went one step further by spreading MEVADE/SEFNIT malware across its vast network of InstallBrain-infected computers.

Since 2011, the corporate network of iBario appears to have been maintaining MEVADE/SEFNIT malware in a code repository system hosted on master.codeconst.com. This host name pointed to the IP address, 37.58.66.234, which belongs to an IP block owned by iBario in Israel. Further investigation shows that Ukrainian individuals working for iBario have been constantly tweaking InstallBrain to specifically evade anti-malware detection.

InstallBrain has subsequently been removed the the iBario website, but we believe that it continues to operate under the guise of a different software name, "UnknownFile."

Figure 3.InstallBrain website (http://www.installbrain.com) screenshot taken on June 27, 2014.

MEVADE/SEFNIT system impact

MEVADE/SEFNIT refer to malware that primarily commit click fraud and some Bitcoin mining.

It is known to communicate with its command and control (C&C) server using HTTP protocol. The commands it receives and executes include updating a copy of itself and connecting to specific location via SSH. These commands ensure that its communications remain secure.

A previous attack we wrote about show that users encounter the malware via a fake Adobe Flash Player update, or TROJ_DLOADE.FBV, which also downloads ADW_BPROTECT. MEVADE/SEFNIT’s final payload of downloading ADW_BPROTECT (or Bprotect) proves that the malicious actors behind this threat use the MEVADE/SEFNIT botnet to earn profit by peddling suspicious online ads.

Subsequent adware impact on users

Adware is often perceived as grayware or low-risk because they typically display unwanted popups and advertisements. Most adware programs are often downloaded with the user’s consent; however, they can pose serious security risks when used by adware companies to load malware into affected systems, without the user’s permission. Though ordinary users may feel that adware like InstallBrain don’t have any real impact apart from annoyance, adware can easily carry more destructive malware, such as in the case of MEVADE/SEFNIT.

Even though adware is nonmalicious in nature, when downloaded, these programs are typically packaged as free software, which area also able to gather and send out the affected system’s browsing information. This gathered data may be used by ad companies for marketing purposes.

In the case of Installbrain downloading MEVADE/SEFNIT variants, such routines include click fraud, leading to actual monetary fraud; and Bitcoin mining, which can consume a lot of processing power for cybercriminals’ financial benefit.

FROM THE FIELD: EXPERT INSIGHTS

"The history of MEVADE/SEFNIT demonstrates that adware can pose great risks to end users. Internet users are often misled to install stuff they do not want to. At any point in time, an adware company can decide to install more dangerous malware in users’ computers. iBario appears to be one such example."