Kardon Loader advertised in underground markets as an open beta product for sale the standalone built cost $50 and with separate charges for every additional rebuild or to build the Malware Distribution Network.
The malware strained dubbed Kardon Loader allowing it customer’s to create their own malware distribution networks and these networks are used by cybercriminals to create their own botnet for distributing various payloads, Ransomware and Trojans.
The advertisement first spotted On April 21, 2018, under the same user account Yattaze as ZeroCool botnet which was under development.
Now it has been rebranded to Kardon Loader and the author placed a professional looking advertisement with its own logo and the malware author also provided a disclaimer stating that “this software should not be used for malicious purposes“.
Functionality and Analysis – Kardon Loader
According to ASERT the malware author “initially conducted tests by leveraging a well-known botshop named Pink Panther’s automated loads shop (Pink)” and it was not yet widely distributed.
Kardon Loader Functionalities Advertised by Author
Bot Functionality Download and Execute Task Update Task Uninstall Task User-mode Rootkit RC4 Encryption (Not Yet Implemented) Debug and Analysis Protection TOR Support Domain Generation Algorithm (DGA)
For Command and Control Kardon Loader uses HTTP based C2 infrastructure with URL parameters that are base64 encoded and it will send the HTTP POSTs to C&C server using following fields.
ID = Identification Number OS = Operating System PV = User Privilege IP = Initial Payload (Full Path) CN = Computer Name UN = User Name CA = Processor Architecture
The Kardon Loader contain’s a simple control panel with a dashboard that shows botnet distribution and installs statistics as a notable feature in admin panel is “the bot store functionality allowing the bot admin to generate access keys to customers that would give them the ability to execute tasks based on the predefined parameters.
Researchers also leveraged Yara Rule, IOCs and Command and Control URLs to block the malicious activity.
The cybercrime continues to be a big business, last March DDoS Attack Services are advertised in Dark Web Markets for $10 per Hour and the codesigning certificates which proves the integrity of applications also sold in in dark web markets.