The bread behind butter

The attackers behind Butter are pros. They have managed to collect machines, stay active for several years and monetize their operations – and all this without being caught. By ‘laying low’ and avoiding attribution mistakes, they have stayed stealthy with a relatively simple infrastructure.

At first, the Butter attackers deployed well-known payloads developed by other malicious actors. To grow their profit, they recently branched out and wrote their own RAT with a cryptocurrency miner and DDoS capability.

Like many modern miners, the Butter attackers mine Monero, a cryptocurrency focused on privacy and anonymity. So while we have our attackers’ preferred mining address, 45WHGeVZUKB4R9cWEQdSpofqz7VYR596vJ2vfRSgQWVNiywAUWFbaVWJGbYtkLiHF4Q4BJ5Y6DbRD2QRhBBZu4fk7K6Y5ez, we cannot track how much money our attackers earn.

Besides cryptocurrency mining, the Trojan puts its DDoS capability up for hire. The malware supports two attack methods, one over HTTP and one over DNS. The HTTP method targets a domain on a specific port with GET requests, setting the User-Agent to one of a few well-known browsers, such as Safari on Mac OS or Chrome running on Ubuntu. The DNS method looks like a DNS amplification attack modelled on the Mirai botnet’s flow.

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS), in which attackers use publicly accessible open DNS servers to flood a target system with DNS response traffic. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address. When the DNS server sends the DNS record response, it is sent instead to the target. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect.

US CERT
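Seen from the open resolver being abused, the pattern US-CERT describes is a burst of queries that return large answers, all apparently coming from the spoofed victim. The following Python is an added example of how a defender might flag that in a resolver’s query log; it is not code from the post or from Guardicore. The log layout, the sample lines, the 64-byte request size and the thresholds are all constructed for the example, so the parser would need adapting to a real resolver’s log format.

```python
# Added illustration (not from the post): flagging DNS-amplification abuse in a
# resolver's query log. The reflector sees the attack as many queries that
# return large answers, all "from" the spoofed victim, so aggregate per client.
# The log layout below is a constructed simplification; real resolver logs
# differ and parse_log would need adapting.
from collections import defaultdict

# Constructed sample: epoch_seconds client_ip qtype qname response_bytes
SAMPLE_LOG = """\
1700000000 198.51.100.7 ANY example.org 3140
1700000000 198.51.100.7 ANY example.org 3140
1700000001 198.51.100.7 ANY example.org 3140
1700000001 198.51.100.7 ANY example.org 3140
1700000002 203.0.113.9 A www.example.org 76
1700000002 203.0.113.9 AAAA www.example.org 88
1700000003 198.51.100.7 ANY example.org 3140
"""

QUERY_BYTES = 64  # assumed average size of an inbound request, used for the ratio


def parse_log(text: str):
    """Parse the constructed log format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, size = line.split()
        rows.append({"ts": int(ts), "client": client, "qtype": qtype,
                     "qname": qname, "bytes": int(size)})
    return rows


def find_amplification_sources(rows, min_queries=3, min_ratio=10.0):
    """Return {client: stats} for clients whose traffic looks like reflection abuse.

    A client is flagged when it sent at least min_queries and the bytes we
    returned were at least min_ratio times the bytes it (apparently) sent us.
    The flagged "client" is usually the spoofed victim, not the attacker.
    """
    per_client = defaultdict(lambda: {"queries": 0, "response_bytes": 0, "any_queries": 0})
    for r in rows:
        s = per_client[r["client"]]
        s["queries"] += 1
        s["response_bytes"] += r["bytes"]
        if r["qtype"] == "ANY":  # ANY answers are a favourite because they are large
            s["any_queries"] += 1
    flagged = {}
    for client, s in per_client.items():
        ratio = s["response_bytes"] / (s["queries"] * QUERY_BYTES)
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged[client] = {**s, "amplification": round(ratio, 1)}
    return flagged


if __name__ == "__main__":
    for client, s in find_amplification_sources(parse_log(SAMPLE_LOG)).items():
        print(client, "is probably the spoofed victim:", s)
```

The amplification column is what makes a resolver attractive as a reflector, so the standard mitigations follow from it: do not expose a recursive resolver to the internet, enable response rate limiting on authoritative servers, and push for BCP 38 ingress filtering so spoofed source addresses are dropped before they reach you.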

As part of Butter’s attention to detail, all the important strings, such as C&C IPs, file names and directory locations, are kept encoded. This defeats simple string extraction by automated malware-analysis tools and typically requires human intervention to decode.

Samba’s encoding scheme is simple but effective at hiding the strings. In each string, every character is shifted 3 positions “up” in the ASCII table and XORed with a value from a small cyclic buffer.
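As an added illustration of the scheme just described (this is example code written for this page, not the decoder from the post or the malware’s own routine), the following Python implements the forward transform, its inverse, and the known-plaintext trick an analyst uses to pull the key buffer out of the binary when it is not obvious. The 4-byte key, the shift-then-XOR order, and the sample strings are assumptions made for the example; the strings are placeholders, not indicators from the sample.

```python
# Added illustration (not the decoder from the post): the string-encoding
# scheme as described, shift each byte 3 positions up in ASCII, then XOR it
# with a byte from a small cyclic key buffer. The key bytes, the shift-then-
# XOR order and the sample strings are assumptions made for this example.

SHIFT = 3
KEY = bytes([0x17, 0x2A, 0x5C, 0x09])  # assumed 4-byte cyclic buffer


def encode_string(plain: str, key: bytes = KEY, shift: int = SHIFT) -> bytes:
    """Forward transform: (byte + shift) mod 256, then XOR with key[i % len(key)]."""
    out = bytearray()
    for i, ch in enumerate(plain.encode("ascii")):
        out.append(((ch + shift) & 0xFF) ^ key[i % len(key)])
    return bytes(out)


def decode_string(blob: bytes, key: bytes = KEY, shift: int = SHIFT) -> str:
    """Inverse transform: undo the XOR first, then shift back down."""
    out = bytearray()
    for i, b in enumerate(blob):
        out.append(((b ^ key[i % len(key)]) - shift) & 0xFF)
    return out.decode("ascii", errors="replace")


def recover_key(blob: bytes, known_plain: str, key_len: int, shift: int = SHIFT) -> bytes:
    """Recover the cyclic key from one string whose plaintext is already known.

    Because XOR is its own inverse, key[i] = blob[i] ^ (plain[i] + shift). The
    first key_len positions give the buffer; every later position must agree
    with it, which doubles as a check that key_len was guessed correctly.
    """
    plain = known_plain.encode("ascii")
    if len(plain) < key_len or len(plain) != len(blob):
        raise ValueError("need a known plaintext of the blob's length, at least key_len bytes")
    key = bytes(blob[i] ^ ((plain[i] + shift) & 0xFF) for i in range(key_len))
    for i, ch in enumerate(plain):
        if ((ch + shift) & 0xFF) ^ key[i % key_len] != blob[i]:
            raise ValueError("plaintext does not fit a cyclic key of length %d" % key_len)
    return key


def decode_all(blobs, key: bytes = KEY, shift: int = SHIFT):
    """Decode a whole string table, e.g. every blob carved from the data section."""
    return [decode_string(b, key, shift) for b in blobs]


# Constructed sample table; the values are placeholders, not indicators from the sample.
SAMPLE_STRINGS = ["203.0.113.5:8080", "/tmp/.cache", "butter.conf"]
ENCODED_TABLE = [encode_string(s) for s in SAMPLE_STRINGS]

if __name__ == "__main__":
    for blob, plain in zip(ENCODED_TABLE, decode_all(ENCODED_TABLE)):
        print(blob.hex(), "->", plain)
    print("key recovered from known plaintext:",
          recover_key(ENCODED_TABLE[0], SAMPLE_STRINGS[0], len(KEY)).hex())
```

In practice the key buffer is read straight out of the decoding routine in the disassembly; recover_key is for the case where you have a string whose plaintext is predictable (a path that must start with "/", a well-known User-Agent) but have not yet located that routine. Because the scheme is a fixed shift plus a short repeating XOR, a wrong key length shows up immediately as the consistency check failing rather than as plausible-looking garbage.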

The code to decode all the strings is as follows: