Yet another commercial crimekit that uses the Tor anonymity network to stealthily communicate with its command and control servers has been spotted making the rounds on underground malware forums.
While it isn’t the first of its kind to use Tor, the kit, nicknamed Atrax, is cheap and comes with a slew of capabilities, including browser data extraction, Bitcoin mining and the ability to launch DDoS attacks.
Named after an Australian subfamily of spiders, Atrax runs for about $250 – Bitcoin only – making it one of the more affordable kits available. Atrax comes with a few add-ons, including a plugin stealer ($110), an experimental add-on for coin mining ($140) and a form grabber ($300), according to Jonas Mønsted of the Danish security firm CSIS, who described the kit in depth in a blog entry earlier today.
While some of the add-ons, notably the form grabber, cost more than the actual kit, Atrax comes with free updates, support and bug fixes, perks that could catch an attacker’s eye.
In the Atrax rundown, Mønsted writes that “communication over TOR is already encrypted, so no extra communication encryption” is needed and that the kit doesn’t use “suspicious Windows APIs.”
The kit’s author claims Atrax’s size (1.2 MB) is due to “TOR integration and x64/x86 code.”
The plug-in stealer looks to have a wealth of functionality, boasting the ability to steal information from Chrome, Firefox, Safari, Internet Explorer and Opera browsers.
Atrax has also embraced the burgeoning world of Bitcoin: the kit’s author claims it can steal information from users’ Bitcoin wallets (such as Armory, Bitcoin-Qt, Electrum and MultiBit) and also mine Bitcoin and a lesser-known alternative, Litecoin.
While CSIS has yet to track down an active sample of the Atrax kit, it sounds like it should fit alongside other recently discovered botnets and malware tools that also rely on the Tor network to propagate.
Mevade, one of the more popular Tor-based botnets, gained unwanted publicity when it shifted to the covert communication protocol at the end of this past summer. Tor saw a gigantic uptick in users, up to 2.5 million from 500,000 in August, thanks to the botnet, something that got it detected but didn’t prove to be its complete undoing.
In September, Microsoft spotted activity stemming from Mevade lending a hand to Sefnit, a long-thought-dead strain of malware that was revived after it found a new component to carry out click fraud.