I recently obtained a copy of Megalodon HTTP’s web panel and builder(cracked). However, the builder turned out to be malicious, so I decided to look at the modules in the panel instead. Since Megalodon relies on downloading plug-ins, and almost nothing is placed inside the stub, this should be enough to show the details of Megalodon HTTP.
Megalodon HTTP’s panel had no obfuscation and no protection at all. The legendary miner turned out to be BFGMiner, which is in a folder called ‘out’. None of the files are renamed, and therefore I can work with it more easily. An interesting thing is that Megalodon kept all of the .txt files in the miner, including README, News,… which shows how this malware was made without care. Megalodon, instead of downloading all of the files directly, instead relies on a downloader to obtain the files from the server.
Conveniently, inside the bin folder, the output files are also not renamed. When I attempted to change the file extension from .bin to .exe for analysis, I got a few pop ups from Kaspersky Antivirus, of which one was very interesting:
Megalodon used NetPass for password recovery! Seriously, there are much better password recovery modules that are publicly available, but I guess since NetPass is popular, the developers chose it. The only advantage of using NetPass instead of other modules that I could think of is that it is very lightweight.
Using JetBrains dotPeek to reverse engineer the bins, I found them completely unobfuscated. For example, the Slowloris module uses the user agent “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36” and simply have no other header, which might causes WAF to check the browser/show a CAPTCHA.
Megalodon also feature an XML-RPC attack that uses the pingback function in XML-RPC to reflect the attack on other sites. This amplification method is a public one and is commonly used. The user-agent is not different from the above. While there is not much amplification in this attack, it does help masking the bot’s IP.
The Botkiller uses the worst technique I have ever seen. It checks under the Run registry key that points to an executable file that contains “conhost.exe”, if any is found, it will attempt to kill the process and remove the registry key. If you refer to my previous post about common malware process name, there are many other names such as Windows Update, Security Service,… However, it is better than nothing I guess.
The uninstaller simply deletes all of the registry keys under Run, and then exit. This is not really a smart idea, since the malware process will not be eliminated until the next reboot. Not good at all if you found out you are being analyzed.
Flood.bin file is the only find I found that was obfuscated. However, it is done with Confuser 220.127.116.11, which could easily be deobfuscated through public tools. Like seriously, if you are developing malware, you should do something along the line of manual obfuscation, then obfuscation using a private obfuscator. Confuser is old and obsolete, and unless you mod it, it is useless. However, the obfuscation gives me suspicions that this module is coded by someone else.
The Syn attack tool is also weak, as it uses only 5 threads. While this does not consume much resources and therefore less noticeable, it also does not oppose much power on the target.
There are a few other attack methods, however, they are obfuscated, and therefore I will attempt to deobfuscate them later on.
Another interesting module is the Homepage Changer. It is capable of changing the homepage of only Mozilla Firefox and Google Chrome. Well it is good enough for HF anyway, since these are the 2 most popular browsers. And seriously, if you are still using Internet Explorer and browsing my website, you should seriously consider an upgrade to Chrome/Firefox, or better yet, Tor browser and Epic browser.
So this is it for my analysis of Megalodon HTTP. I will be analyzing more malware in the future soon, and remember to share, like and tweet about this blog post!
And also since you read to the end of the post, I will give you a very interesting thing I found while browsing through the panel files: This error log shows us in plain text the username of the hosting account Bin4ry used for his site (bin4ry.com): http://www.zunzutech.com/blog/wp-content/uploads/2016/03/errors.txt