Since September 2014 I’ve been seeing a FakeAV family pop up from time to time. This family is known under two names, Braviax and FakeRean. The family has been active for quite some years; it was first spotted by S!Ri back in April 2009. In this blog post I will perform an analysis of the current version of this family making its rounds online and give a history of it going back to 2009. A big thank you goes out to S!Ri for sharing some historical data on this group.
The reason I’m releasing this article now, on a group that was active back in January of this year, is that, if you follow the timeline I show below, they should have reappeared around this time of year (although I haven’t seen them yet).
The Braviax/Fakerean family has quite some similarities with the Tritax (dubbed Namechanger FakeAV) family I analyzed and hunted down back in February 2014 (post: Analysis of the Tritax FakeAV family, their active campaign and the FakeAV social engineering kit).
Braviax/Fakerean is also one that constantly changes its name, as you can see from a combination of screenshots made from samples starting in September 2014 until the start of January 2015:
As said, back in September 2014 this new variant became active. After seeing it pass by multiple times I decided to look into it a bit. At some point I started noticing the name changes, because the website, the website banner and the actual ‘antivirus’ names didn’t match up at all; I tweeted about this on the 27th of September:
— Yonathan Klijnsma (@ydklijnsma)
From this point on I started looking into this FakeAV threat some more, as it started to hit quite often. Quite quickly I could pin it down as part of the Fakerean/Braviax family and started to analyze it.
Analysis: Spreading mechanism
We’ll start the analysis of this family with the way it was spread: simply by mail. Around the 18th of December 2014 fake FedEx emails began to appear, one of which carried this FakeAV as one of its infection methods. The email looked like this:
In the email’s attachment we find a JS file:
Inside of this script we find a large piece of obfuscated script:
If we clean it up we can see it’s just a simple downloader which tries to infect the user with 3 pieces of malware (shotgun approach much..):
Of the three payloads only one is interesting for this article: the Braviax/FakeRean sample. Should you want to perform a more detailed analysis (rather than the very short one below), the sample coming from this email and used further on is: 1d01611a1f88c7015c54efedacfcbc8fec55ad6de9a438087abff3be78c19901
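As an added example (not code from the original post, and not the attachment itself), the following Python triage script does the kind of static check a mail gateway or analyst would run on such a .js attachment: it undoes the two cheapest string obfuscation tricks and then looks for the three Windows Script Host capabilities a downloader needs (fetch, write to disk, launch) plus any URLs. The embedded sample attachment, the `.invalid` URLs and the function names are constructed for this example.

```python
"""Static triage of a .js e-mail attachment for downloader behaviour.

Added example, not code from the original post. A JS downloader of the kind
described above needs three things from Windows Script Host: an HTTP client,
a way to write the download to disk and a way to launch it. We undo the two
cheapest obfuscation tricks ("a"+"b" concatenation and String.fromCharCode
arrays), then look for those capabilities and for URLs. The sample attachment
at the bottom is constructed for this example; it is not the FedEx script.
"""
import re
from typing import Dict, List

# COM/WSH objects grouped by the stage of a downloader they serve.
CAPABILITIES: Dict[str, List[str]] = {
    "http_client": [r"MSXML2\.XMLHTTP", r"Microsoft\.XMLHTTP", r"WinHttp\.WinHttpRequest"],
    "file_writer": [r"ADODB\.Stream", r"Scripting\.FileSystemObject"],
    "launcher": [r"WScript\.Shell", r"Shell\.Application"],
}
# Constructs that are normal in web JS but rarely in a small mail attachment.
OBFUSCATION_TELLS = [r"\beval\s*\(", r"String\.fromCharCode", r"\bunescape\s*\("]

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
# "abc" + "def" (same quote type on both sides) -> "abcdef"
CONCAT_RE = re.compile(r"""(["'])((?:(?!\1).)*)\1\s*\+\s*\1((?:(?!\1).)*)\1""")
# String.fromCharCode(77,83,88,...) with a purely numeric argument list
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def normalize(script: str) -> str:
    """Return the script with simple string obfuscation undone."""
    def decode(m: "re.Match[str]") -> str:
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'

    out = FROMCHARCODE_RE.sub(decode, script)
    prev = None
    while prev != out:  # repeat: "a"+"b"+"c" needs two rounds
        prev = out
        out = CONCAT_RE.sub(lambda m: m.group(1) + m.group(2) + m.group(3) + m.group(1), out)
    return out


def triage(script: str) -> dict:
    """Score one attachment; verdict is 'downloader', 'suspicious' or 'clean'."""
    tells = sum(len(re.findall(p, script)) for p in OBFUSCATION_TELLS)  # counted on raw text
    clean = normalize(script)
    stages = {
        stage: sorted({m.group(0) for p in pats for m in re.finditer(p, clean, re.I)})
        for stage, pats in CAPABILITIES.items()
    }
    urls = sorted(set(URL_RE.findall(clean)))
    hit = [s for s, objs in stages.items() if objs]
    if len(hit) == len(CAPABILITIES):
        verdict = "downloader"  # fetch + write + run: the whole chain is present
    elif hit or tells:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "stages": stages, "urls": urls, "obfuscation_tells": tells}


# Constructed sample: the skeleton of an obfuscated three-payload downloader.
# It only instantiates the objects and performs no requests; the URLs use
# the reserved .invalid TLD and resolve nowhere.
SAMPLE_ATTACHMENT = """
var h = new ActiveXObject("MSX" + "ML2.XML" + "HTTP");
var s = new ActiveXObject(String.fromCharCode(65,68,79,68,66,46,83,116,114,101,97,109));
var w = new ActiveXObject("WScr" + "ipt.Sh" + "ell");
var u = ["http://payload-1.invalid/a.exe", "http://payload-2.invalid/b.exe", "http://payload-3.invalid/c.exe"];
eval("");
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ATTACHMENT), indent=2))
```

The obfuscation tells are counted on the raw text and the capabilities on the normalized text, since a decoded `String.fromCharCode` no longer looks like one. The verdict only becomes “downloader” when all three stages are present; a script that merely creates `WScript.Shell` is marked suspicious for a human to look at.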
Quick analysis: a Braviax/FakeRean sample
Because this article is more about the history of this family than about the specifics of the FakeAV, this part will be a very(!) short analysis of the sample.
When run, the FakeAV shows the usual pop-up with information on your system being infected:
Additionally, when you close the window (or try to close the FakeAV program in any way) a fake Windows Security Center window will pop up:
In the process of scaring the user the FakeAV copies itself to a new location and installs a registry startup key, the usual persistence method. The FakeAV also monitors the running processes and kills the ones it doesn’t like, which includes system utilities like taskmgr but also tools like Wireshark and the like. All of this is to convince the user to buy the ‘product’ to clean up the ‘infection’ that stops them from starting these processes.
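As an added example (not code from the original post), here is a small Python correlation rule for the two behaviours just described, written against a constructed, simplified Sysmon-style event stream: a Run-key value pointing into a user-writable directory, and taskmgr/Wireshark dying within seconds of starting, repeatedly. The file paths, registry value name, SID and the `WATCHED_TOOLS` set are assumptions made for the example.

```python
"""Host-based detection of the behaviour described above.

Added example, not code from the original post. Two signals are correlated:
(1) a Run/RunOnce value whose target lives in a user-writable directory (the
copied binary registering itself at startup) and (2) monitoring tools such as
taskmgr.exe and wireshark.exe that die within seconds of starting, more than
once. Sysmon does not record which process terminated another, so the second
signal is inferred from process-create/terminate pairs. The events below are
a constructed, simplified Sysmon-style stream (EventID 13 = registry value
set, 1 = process create, 5 = process terminate) with Sysmon field names; it
is not telemetry from the campaign.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Tools the post says get killed; extend for your own environment (assumption).
WATCHED_TOOLS = {"taskmgr.exe", "wireshark.exe"}


def suspicious_run_entries(events: List[dict]) -> List[dict]:
    """Run/RunOnce values whose target binary lives in a user-writable directory."""
    hits = []
    for e in events:
        if e["EventID"] != 13:
            continue
        key = e["TargetObject"].lower()
        if not any(m in key for m in RUN_KEY_MARKERS):
            continue
        if any(m in e["Details"].lower() for m in USER_WRITABLE):
            hits.append({"value": e["TargetObject"], "target": e["Details"], "writer": e["Image"]})
    return hits


def short_lived_tools(events: List[dict], max_lifetime: timedelta = timedelta(seconds=5),
                      min_occurrences: int = 2) -> Dict[str, int]:
    """Watched tools terminated within max_lifetime of starting, at least min_occurrences times."""
    started: Dict[str, datetime] = {}
    quick_deaths: Dict[str, int] = defaultdict(int)
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        if image not in WATCHED_TOOLS:
            continue
        if e["EventID"] == 1:
            started[e["ProcessGuid"]] = e["UtcTime"]
        elif e["EventID"] == 5 and e["ProcessGuid"] in started:
            if e["UtcTime"] - started.pop(e["ProcessGuid"]) <= max_lifetime:
                quick_deaths[image] += 1
    return {img: n for img, n in quick_deaths.items() if n >= min_occurrences}


def assess(events: List[dict]) -> dict:
    """Alert only when both signals are present: persistence plus tool suppression."""
    run = suspicious_run_entries(events)
    killed = short_lived_tools(events)
    return {"run_entries": run, "killed_tools": killed, "alert": bool(run and killed)}


# ---- constructed sample stream (not real telemetry) ----
T0 = datetime(2014, 12, 18, 10, 0, 0)
FAKEAV = r"C:\Users\bob\AppData\Local\Temp\wxyz.exe"  # constructed path


def _ev(sec: int, eid: int, image: str, **fields) -> dict:
    return {"UtcTime": T0 + timedelta(seconds=sec), "EventID": eid, "Image": image, **fields}


SAMPLE_EVENTS = [
    # benign autostart written by an installer under Program Files: not flagged
    _ev(0, 13, r"C:\Program Files\Example\setup.exe",
        TargetObject=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Example",
        Details=r"C:\Program Files\Example\example.exe"),
    # the copied FakeAV registering itself under Run
    _ev(5, 13, FAKEAV,
        TargetObject=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\wxyz",
        Details=FAKEAV),
    # the user tries Task Manager twice; it dies within a second each time
    _ev(10, 1, r"C:\Windows\System32\taskmgr.exe", ProcessGuid="A"),
    _ev(11, 5, r"C:\Windows\System32\taskmgr.exe", ProcessGuid="A"),
    _ev(20, 1, r"C:\Windows\System32\taskmgr.exe", ProcessGuid="B"),
    _ev(21, 5, r"C:\Windows\System32\taskmgr.exe", ProcessGuid="B"),
    # Wireshark: one quick death, then a normal long session (below threshold)
    _ev(30, 1, r"C:\Program Files\Wireshark\wireshark.exe", ProcessGuid="C"),
    _ev(31, 5, r"C:\Program Files\Wireshark\wireshark.exe", ProcessGuid="C"),
    _ev(40, 1, r"C:\Program Files\Wireshark\wireshark.exe", ProcessGuid="D"),
    _ev(900, 5, r"C:\Program Files\Wireshark\wireshark.exe", ProcessGuid="D"),
]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

Requiring both signals keeps the rule quiet on a user who simply opens and closes Task Manager, and on installers that legitimately write Run values under Program Files; either signal on its own is worth a lower-severity hunt query rather than an alert.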
The FakeAV also performs some C2 communication, which includes information on the payment C2 service:
The client performs a request to the C2 server located at gelun-posak[.]com; the path is an encoded and base64’d unique system ID. The response contains a small config; the partially readable text string ‘eo-moquales[.]Nom’ is in fact the payment wall, which (after decoding) is golen-mortales[.]com.
Overall this FakeAV is just like any other I’ve written about in the past. The payment service runs on a separate C2 server while the main C2 server is just for infection registration / statistics. Enough on the malware, let’s move on to have a look at this family’s history.
The Braviax/Fakerean FakeAV family has been around for quite some time; @S!Ri first spotted them 6 years ago.
Around April 2009 samples started to appear for a FakeAV naming itself “Home Antivirus 2009”, the first of more to come:
Around the start of July it was followed by a 2nd version called “PC Security 2009”:
A 3rd version appeared at the end of July already, this time called “Home Antivirus 2010” (even though it was still 2009… they were ahead of their time it seems):
Near the end of August the 4th installment of the family appeared, this time called “PC Antispyware 2010”. This one actually loaded an AV database, stolen from ClamAV (in fact an old one from 2007):
Then in September the 5th version appeared, “Antivirus Pro 2010”:
In 2009 5 versions of the Braviax/Fakerean family hit; from September until the end of January 2010 it was quiet and nothing new appeared. At the end of January a completely changed version appeared, one that changed its appearance depending on whether it ran on Windows XP, Vista or 7. Even on these platforms it had multiple names.
Under Windows XP it called itself one of the following names:
- Antivirus XP 2010
- XP Internet Security
Under Windows Vista it called itself one of the following names:
- Vista Antivirus Pro 2010
- Vista Internet Security 2010
Finally, under Windows 7 it called itself one of the following names:
- Win 7 Antispyware 2010
- Win 7 Internet Security 2010
An interesting move to have some name mangling dependent on the platform. After they pushed these it stayed quiet until November, when they released a new version with similar names; only the year was bumped from 2010 to 2011. The Windows XP variants for example:
- XP Security 2011
- XP Antispyware 2011
In February 2011 a new version appeared with slightly updated names and GUI layout:
- XP Anti-Virus 2011
- XP Home Security 2011
At the end of June 2011 another updated version was released, again with some changes to the OS-based name mangling and an updated GUI:
- XP Internet Security 2012
- Win7 Internet Security 2012
Another slightly updated version appeared at the end of November 2011, still based on the OS-based name mangling:
In January 2012 another updated version, mostly GUI changes, got pushed:
At the start of October 2012 another slightly updated version appeared, mostly GUI changes and again still based on the OS version name mangling:
Then, almost a year later, at the start of September 2014 the version from my analysis appeared. An entirely updated GUI and new names showed a big change. It appeared under the following names (with OS version names displayed, although not all use it):
- Sirius (Win 7|Win 8|Vista) Protection 2014
- Zorton (Win 7|Win 8|Vista) Protection 2014
- Rango (Win 7|Win 8|Vista) Protection 2014
- A-Secure 2015
- AVbytes (Win 7|Win 8|Vista) Antivirus 2015
- AVC Plus
GUI-wise it looks like this (name stripped as it’s templated into the GUI at runtime):
However, at the end of September 2011 a sort of offspring appeared as well, named Advanced PC Shield 2012; another one appeared in August 2012 called Win 8 Security System:
Even though this version is also ranked in the Braviax/Fakerean family it looks somewhat different in setup.
The Braviax/Fakerean family has been around for a long time, appearing as early as April 2009, and seems to be a success as new reincarnations appear every year.
While they aren’t as big a threat as banking malware or ransomware, it does pay well for these criminals. Because of their ‘low’ volume and simply being scareware not a lot of attention is given to them. I’ll be keeping an eye on them for future campaigns for sure though 🙂
IOCs & Samples
The following is a list of samples for the last version, spreading from September 2014 to December 2014. No new ones have appeared as of writing this blog article.
The following domains and IP addresses were seen for those samples: