From Georgia With Love: Win32/Georbot information stealing trojan and botnet

Malicious software that gets updates from a domain belonging to the Eurasian state of Georgia? This unusual behavior caught the attention of an analyst in ESET's virus laboratory earlier this year, leading to further analysis which revealed an information stealing trojan being used to target Georgian nationals in particular. After further investigation, ESET researchers were able to gain access to the control panel of the botnet created with this malware, revealing the extent and the intent of this operation.

Finding a new botnet is not unusual these days and most are not particularly interesting from a nerdy, techie point of view, but it turns out that this one (dubbed Win32/Georbot) is both unusual and interesting. Amongst other activities, it will try to steal documents and certificates, can create audio and video recordings, and browses the local network for information. One unusual aspect is that it also looks for “Remote Desktop Configuration Files” (the .rdp files saved by the Windows Remote Desktop client), which let whoever receives them connect to the remote machines without using any exploit, since the file already records the target host and the account used. That approach even bypasses the need for RDP exploits such as the one that was revealed last week (MS12-020).
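
The point above is that a stolen .rdp file is valuable even without an exploit: it names the host, the port and the username, and may carry a saved password blob. The script below is an added example written for this page (it is not ESET's code and not anything recovered from Georbot); it parses the standard mstsc .rdp text format (one "key:type:value" line per setting, types s/i/b) and reports which files would hand a thief host, account and stored secret together. The sample files, the host names and the hex blob are constructed for the demonstration; the "password 51" value is a DPAPI blob that only the original user on the original machine can decrypt, which is the caveat worth remembering when assessing the impact of such a theft.

```python
"""Inventory of Remote Desktop (.rdp) files and what they give away.

Added example for this article, not ESET's or Georbot's code. Assumes the
mstsc .rdp format: one "key:type:value" entry per line, where type is
s (string), i (integer) or b (binary, hex-encoded).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample files standing in for what a scan of a user profile might find.
# The DPAPI blob below is a made-up value with the usual 0x01000000 header, not a real secret.
SAMPLE_RDP_FILES: Dict[str, str] = {
    "finance-server.rdp": (
        "screen mode id:i:2\r\n"
        "full address:s:fin-srv01.corp.example:3389\r\n"
        "username:s:CORP\\jdoe\r\n"
        "password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB\r\n"
        "prompt for credentials:i:0\r\n"
    ),
    "jump-host.rdp": (
        "full address:s:10.20.30.40\r\n"
        "gatewayhostname:s:rdgw.corp.example\r\n"
        "prompt for credentials:i:1\r\n"
    ),
    "notes.txt": "not an rdp file\r\n",
}

# key:type:value, where the value may itself contain colons (host:port).
ENTRY_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


@dataclass
class RdpProfile:
    path: str
    host: Optional[str] = None
    port: int = 3389                     # mstsc default when no port is given
    username: Optional[str] = None
    gateway: Optional[str] = None
    has_saved_password: bool = False     # a non-empty "password 51:b:" entry
    prompts_for_credentials: bool = True # "prompt for credentials:i:0" disables the prompt
    raw: Dict[str, str] = field(default_factory=dict)

    @property
    def reusable_without_prompt(self) -> bool:
        """True when the file alone pre-fills host, account and a stored secret."""
        return self.host is not None and self.username is not None and self.has_saved_password


def parse_rdp(path: str, text: str) -> RdpProfile:
    """Parse one .rdp file body into a profile; unknown keys are kept in `raw`."""
    profile = RdpProfile(path=path)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        key, typ, value = m.group("key"), m.group("type"), m.group("value")
        profile.raw[key] = value
        if key == "full address" and typ == "s":
            # "host", "host:port" or "[v6addr]:port"; only split on a trailing numeric port
            if ":" in value and value.rsplit(":", 1)[1].isdigit():
                host, port = value.rsplit(":", 1)
                profile.host, profile.port = host, int(port)
            else:
                profile.host = value
        elif key == "username" and typ == "s":
            profile.username = value or None
        elif key == "gatewayhostname" and typ == "s":
            profile.gateway = value or None
        elif key == "password 51" and typ == "b":
            profile.has_saved_password = bool(value.strip())
        elif key == "prompt for credentials" and typ == "i":
            profile.prompts_for_credentials = value.strip() != "0"
    return profile


def inventory(files: Dict[str, str]) -> List[RdpProfile]:
    """Parse every *.rdp entry of a {path: content} mapping, skipping other files."""
    return [parse_rdp(name, text) for name, text in files.items()
            if name.lower().endswith(".rdp")]


def high_value(profiles: List[RdpProfile]) -> List[str]:
    """Paths of files that hand over host, username and a stored credential together."""
    return [p.path for p in profiles if p.reusable_without_prompt]


if __name__ == "__main__":
    found = inventory(SAMPLE_RDP_FILES)
    for p in found:
        print(f"{p.path}: host={p.host}:{p.port} user={p.username} "
              f"gateway={p.gateway} saved_password={p.has_saved_password}")
    print("files usable without a credential prompt:", high_value(found))
```

On a real endpoint the mapping would be filled from a walk of user profile directories (for example Documents and the Remote Desktop Connection cache under AppData); the parser itself is the same. Note that a saved password only reuses cleanly on the machine and account that wrote it, so the host and username fields are usually the more portable loot.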

Win32/Georbot features an update mechanism to fetch new versions of the bot, an attempt to stay ahead of anti-malware scanners. The bot also has a fall-back mechanism in case it can’t reach its C&C (Command and Control) server: it then connects to a special webpage that was placed on a system hosted by the Georgian government. This does not automatically mean that the Georgian government is involved; quite often people are not aware their systems are compromised. It should also be noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, parallel to their own – still ongoing – monitoring, have cooperated with ESET on this matter.

ESET’s researchers were also able to get access to the bot’s control panel, which displayed clear details about the number of affected machines, where they are, the available commands, and so on. The most interesting information found on the control panel was the list of all the keywords that were searched for in documents on infected systems (including a lot of three-letter agencies such as KGB, FSB and CIA).

Win32/Georbot uses various obfuscation techniques to make static analysis more difficult, but for experienced malware analysts that is not much of a problem to overcome, and Win32/Georbot was well worth the time it took to undertake a detailed analysis. The full white paper containing the detailed analysis can be found here.

Author Righard Zwienenberg, ESET

  • emobuxuti

    It is interesting. Can you tell us how you gained access to the bot's web panel?

  • SPEC

    You must notice that the Georgian governmental site was not the Command and Control server; it was one of the defaced (someone hacked it) websites, with injected scripts. Russian news websites are spreading disinformation that this botnet was under the control of the Georgian government. That's not true (every IT guy knows that defacing and placing a script or iframe is done by hackers) ;)

    • David Harley

      In fact, Righard did say “This does not automatically mean that the Georgian government is involved. Quite often people are not aware their systems are compromised.” However, it’s misleading to equate infectious web sites with defacement: there are all too many clearly malicious web sites that are put up specifically in order to infect visitors with some form of malicious code. Naturally, we’re not saying that’s the case in this instance.

  • Patric

    After Georgian forces had been defeated in August 2008, Mikheil Saakashvili launched active cyber warfare against Russia. As a result, the Georgian security services regularly reported that they "unmasked" Russian spies who were not arrested in exchange for the anti-Russian publications. In 2010, one of the Georgian TV channels even staged "Russian invasion" in Georgia, provoking panic and heart attacks among people.
    Georgia found a successful strategy of cyber warfare involving Georgian students abroad. Their internet forums are under thorough supervision of security services. According to a Georgian youngster studying abroad, during his vacations in Tbilisi one of the security bodies invited him to install the software under the guise of creating a unified social network of Georgian compatriots abroad. It is obvious that an alliance of thousands of remote users in this network can be used to commit hacking attacks.
    As a result, Georgian students abroad became an effective instrument of the Georgian leadership to implement hidden cyber attacks on their opponents. This also explains the creation of the Department of Cybersecurity within the Georgian Ministry of Internal Affairs.

  • George

    Patric, are you **** kidding?
    What cyber warfare, what forum? Georgia has no such resources and nothing like this has been done; there is no evidence of that. Please show us at least one report or piece of evidence.
    Regarding Imedi TV – there was a TV show about that; people who did not watch it from the start could, of course, think that. It's like 9/11 – some people thought at the start that it was a joke or a movie.

  • Robert Martin

    George, you are probably a supporter of the Georgian government, and it can be seen from the bullshitting you are trying to spread over here. From my Georgian friends, I know that this government is using worse methods of control than the USSR did in its last years of existence. There is no freedom at all, and the OSCE Chief called them "Leninists" recently. I am quite sure that even though the virus seems to be spread by hackers, don't be surprised if these hackers are working for the government of Georgia. That has nothing to do with Russia; this is a clear example of "Brain Police".

  • Zurab Akhvlediani

    A more detailed report about the information stealing trojan.
    Zurab Akhvlediani.

  • Paul joyal

    I am not following your comment. Please explain.

  • Zurab Akhvlediani

    Hi Mr. Paul
    Here we go :)

  • Zurab Akhvlediani

    David, Thank you ! :) 

    • David Harley

      Actually it was Righard who drew my attention to it. :)

  • Ilia

    Patric, you are just trying to make people see things the way you want. Can you write any confirmed fact about it? Do you know the population of Georgia, or the number of Georgians abroad and how many of them could be involved in any cyber actions? Can you compare it with the similar numbers for Russia? And by the way, the staged "Russian invasion" had nothing in common with cyber crime.
    Actually you did not say a word about the massive DDoS and defacement throughout the 2008 war, which took down most Georgian government and news websites. As I cannot post links, please search for the term "russia georgia cyber attack", so you will get a lot of information about it, or search for and read articles in international journals and websites with the following names:
    1. Russian Cyber Attack on Georgia, Government Websites Down or Replaced With Fakes
    2. Expert: Cyber-attacks on Georgia websites tied to mob, Russian government
    3. Russian nationalists waged a cyber war against Georgia. Fighting back is virtually impossible.
    4. Georgian websites forced offline in 'cyber war'
    5. Georgian Websites Under Attack – Shadowserver Foundation


Copyright © 2017 ESET, All Rights Reserved.