MEVADE Serves Adware, Hides Using SSH and Tor

Written by: Oscar Celestino Angelo Abendan ll

Security researchers have noted a sudden increase in Tor traffic during the latter part of August 2013. According to reports, the reason for this notable spike is the botnet known as MEVADE, which adopted the Tor module in its operation. Because of the anonymity of Tor traffic, security researchers and law enforcement agencies may find it difficult to track down the perpetrators and halt the botnet's operations.

Based on feedback from the Trend Micro™ Smart Protection Network™, two different sets of MEVADE variants were spotted between the latter part of August to early September 2013. The first batch uses SSH communications and serves adware, while the second set of samples contains the Tor module.

Trend Micro senior researcher Feike Hacquebord believes that the people behind this threat are also associated with adware installation and hijacking search results. They may have used MEVADE botnet as a way to generate revenue by way of installing adware and toolbars in affected systems.

The malicious actors behind MEVADE operate from Kharkov, Ukraine, and Israel and have been active since at least 2010. One of the main actors is known as “Scorpion”, while another actor goes by the handle “Dekadent”.

How do users encounter MEVADE malware?

Users encounter the MEVADE malware via a fake Adobe Flash Player update (FlashPlayerUpdateService.exe), or TROJ_DLOADE.FBV. This is in fact a malicious .EXE file that downloads a MEVADE variant, BKDR_MEVADE.A. The fake update also downloads ADW_BPROTECT.

The MEVADE malware variants with the Tor component are BKDR_MEVADE.B and BKDR_MEVADE.C, though the initial infection vector is still undetermined. Other malware variants may also download MEVADE as a final payload.

Based on our investigation, MEVADE variants may also be installed by adware such as “Installbrain.”

What does MEVADE do to an infected system?

BKDR_MEVADE.A communicates to its command and control (C&C) server using HTTP protocol. The commands it receives and executes include updating a copy of itself and connecting to specific location via SSH. These commands ensure that its communications remain secure.

The URLs that TROJ_DLOADE.FBV connects follows a certain pattern listed below. Its IP addresses are located in Russia:

http://{malicious domain}/updater/{32 random hexadecimal characters}/{1 digit number}

Throughout the course of our investigation, we also noted that TROJ_DLOADE.FBV downloads ADW_BPROTECT, which proves that the malicious actors behind this threat use the MEVADE botnet to earn profit by peddling suspicious online ads.

The latter versions of MEVADE (BKDR_MEVADE.B and BKDR_MEVADE.C) use the Tor client to connect to its C&C server. Aside from this different method to mask their activities, the propagation and behavior of the MEVADE samples we gathered are identical.

Which countries are affected by this threat?

Based on the Smart Protection Network™ feedback, some of countries affected by MEVADE variants include the United States, Japan, France, India, and Brazil among others. This also proves that MEVADE is being distributed by other malware. Japan and the United States were the countries most affected by the malware TROJ_DLOADE.FBV.

It is also worth noting that there was no infection found in Israel as seen in the fact that there was no surge of Tor usage in that country. This is probably due to malicious actors operating an adware company in Israel and to prevent problems with the local law enforcement agencies.

Why should users be concerned with this threat?

MEVADE’s backdoor component communicates via SSH to remote hosts, which makes data theft highly possible.

The Tor component also provides a good cover up for the bad guys’ operations, as they can hide their C&C servers using this and taking down hidden Tor service is virtually impossible.

What can users do to prevent this threat?

Users can prevent this threat by observing the following computing practices:
  • Download the software updates from the vendor’s official website/page to avoid installing malware disguised as updates
  • Refrain from visiting unverified websites, pages to prevent downloading malware
  • Be wary of clicking links contained in email messages, instant messages, and private messages even if these may come from seemingly known sources

Are Trend Micro users protected from this threat?

Trend Micro protects users from this threat via File Reputation Services, which detects and deletes the related malware once found in the system. With web reputation services, it blocks access to the related malicious URLs and C&C servers.


“The Mevade malware family downloaded a Tor component, possibly as a backup mechanism for its C&C communications.Trend Micro thinks the actors operate an adware company in Israel and that they also work from the Ukraine."

- Feike Hacquebord, Senior threat researcher

“This downloading of adware is consistent with our findings that the MEVADE botnet is possibly monetized via installing adware and toolbars.”

- Roddell Santos, threat analyst