Inside Braviax/FakeRean: An analysis and history of a FakeAV family

Since September 2014 I’ve been seeing a FakeAV family pop up from time to time. This family is known under two names, Braviax and FakeRean. The family has been active for quite some years; it was first spotted by S!Ri back in April 2009. In this blog post I will perform an analysis of the current version of this family making its rounds online and give a history of it starting back in 2009. A big thank you goes out to S!Ri for sharing some historical data on this group.
The reason I’m releasing this article now, on a group that was active back in January of this year, is that, if you follow the timeline I show below, they should have reappeared around this time of year (although I haven’t seen them yet).

The Braviax/Fakerean family has quite some similarities with the Tritax (dubbed Namechanger FakeAV) family I analyzed and hunted down back in February 2014 (Post: Analysis of the Tritax FakeAV family, their active campaign and the FakeAV social engineering kit).
Braviax/Fakerean also constantly changes its name, as you can see from this combination of screenshots taken from samples between September 2014 and the start of January 2015:
image

As said, back in September 2014 this new variant became active. After seeing it pass by multiple times I decided to look into it a bit. At some point I started noticing the name changes, because the website, the website banner and the actual ‘antivirus’ names didn’t match up at all; I tweeted about this on the 27th of September:

From this point on I started looking into this FakeAV threat some more, as it started to hit quite often. Quite quickly I could pin it down as part of the Fakerean/Braviax family and started to analyze it.

Analysis: Spreading mechanism

We’ll start the analysis of this family with the method by which it was spread: simply by mail. Around the 18th of December 2014 fake FedEx emails began to appear, one of them carrying a method of infecting victims with this FakeAV. The email looked like this:
image
In the email’s attachment we find a JS file:
image
Inside of this script we find a large piece of obfuscated script:
image
If we clean it up we can see it’s just a simple downloader which tries to infect the user with 3 pieces of malware (shotgun approach much..):
image
Of the three payloads only one is interesting for this article: the Braviax/FakeRean sample. Should you want to perform a more detailed analysis (rather than the very short one below), the sample coming from this email and used further on is: 1d01611a1f88c7015c54efedacfcbc8fec55ad6de9a438087abff3be78c19901

Quick analysis: a Braviax/FakeRean sample

Because this article is more about the history of this family than about the specifics of the FakeAV, this part will be a very(!) short analysis of the sample.
When run, the FakeAV shows the usual pop-up with information on your system being infected:
image
Additionally, when you close the window (or try to close the FakeAV program in any way) a fake Windows Security Center window will pop up:
image
While scaring the user the FakeAV copies itself to a new location and installs a registry startup key, the usual persistence method. The FakeAV also monitors running processes and kills the ones it doesn’t like, which includes system utilities like taskmgr but also tools like Wireshark and the like. All of this is to convince the user to buy the ‘product’ to clean up the ‘infection’ that stops them from starting these processes.
The FakeAV also performs some C2 communication, which includes information on the payment C2 service:
image
The client performs a request to the C2 server located at gelun-posak[.]com; the path is an encoded and base64’d unique system ID. The response contains a small config; the partially readable text string ‘eo-moquales[.]Nom’ is in fact the payment wall, which (after decoding) is golen-mortales[.]com.
Overall this FakeAV is just like any other I’ve written about in the past. The payment service runs on a separate C2 server while the main C2 server is just for infection registration / statistics. Enough on the malware, let’s move on and have a look at this family’s history.

The Family

The Braviax/Fakerean FakeAV family has been around for quite some time; @S!Ri first spotted them 6 years ago.
Back around April 2009 samples started to appear of a FakeAV naming itself “Home Antivirus 2009”, the first of more to come:

image

Around the start of July it was followed by a 2nd version called “PC Security 2009”:

image

A 3rd version appeared at the end of July already, this time called “Home Antivirus 2010” (even though it was still 2009… they were ahead of their time it seems):
image

Near the end of August the 4th installment of the family appeared, this time called “PC Antispyware 2010”. This one actually loaded an AV database, stolen from ClamAV (in fact an old one from 2007):
image

Then in September the 5th version appeared, “Antivirus Pro 2010”:
image

In 2009 five versions of the Braviax/Fakerean family hit; from September until the end of January 2010 it was quiet and nothing new appeared. At the end of January a completely changed version appeared, one that changed its appearance depending on whether it ran on Windows XP, Vista or 7. Even within each platform it had multiple names.
Under Windows XP it called itself one of the following names:

Antivirus XP 2010
image

XP Guardian
image

XP Internet Security
image

Under Windows Vista it called itself one of the following names:

Vista Antivirus Pro 2010
image

Vista Internet Security 2010
image

Finally, under Windows 7 it called itself one of the following names:

Win 7 Antispyware 2010
image

Win 7 Internet Security 2010
image

An interesting move, to have some name mangling dependent on the platform. After they pushed these it stayed quiet until November. In November they released a new version with similar names, only the year was bumped from 2010 to 2011. The Windows XP variants, for example:

XP Security 2011
image

XP Antispyware 2011
image

In February 2011 a new version appeared with slightly updated names and GUI layout:

XP Anti-Virus 2011
image

XP Home Security 2011
image

XP Anti-Spyware
image

At the end of June 2011 another updated version was released, again with some changes to the OS-based name mangling and an updated GUI:

XP Internet Security 2012
image

Win7 Internet Security 2012
image

Another slightly updated version appeared at the end of November 2011, still based on the OS-based name mangling:
image

In January 2012 a new updated version, GUI mostly, got pushed:
image

At the start of October 2012 another slightly updated version appeared, mostly GUI changes and again still based on the OS version name mangling:
image

Then, almost a year later at the start of September 2014, the version from my analysis appeared. An entirely updated GUI and new names marked a big change. It appeared under the following names (with OS version names displayed, although not all variants use them):

  • Sirius (Win 7|Win 8|Vista) Protection 2014
  • Zorton (Win 7|Win 8|Vista) Protection 2014
  • Rango (Win 7|Win 8|Vista) Protection 2014
  • A-Secure 2015
  • AVbytes (Win 7|Win 8|Vista) Antivirus 2015
  • AVC Plus

GUI-wise it looks like this (name stripped as it’s templated into the GUI at runtime):
image

However, at the end of September 2011 a sort of offspring appeared as well, named Advanced PC Shield 2012; another one appeared in August 2012 called Win 8 Security System:
image
image

Even though this version is also ranked in the Braviax/Fakerean family, it looks somewhat different in setup.

Conclusion

The Braviax/Fakerean family has been around for a long time, appearing as early as April 2009, and seems to be a success as new reincarnations appear every year.
While they aren’t as big a threat as banking malware or ransomware, it does pay well for these criminals. Because of their ‘low’ volume and simply being scareware not a lot of attention is given to them. I’ll be keeping an eye on them for future campaigns for sure though 🙂

IOCs & Samples

The following is a list of samples for the last version, spreading from September 2014 to December 2014. No new ones have appeared as of writing this blog article.

The following domains and IP addresses were seen for those samples:

IP Address         Domain
146.185.239.110    evcash.net
146.185.239.110    softrango.com
146.185.239.111    ltsectur2.com
146.185.239.111    ltsectur9.com
146.185.239.111    fscurat20.com
146.185.239.111    fscurat21.com
146.185.239.112    fastprodst5.com
146.185.239.112    fflord25.com
146.185.239.112    fflord30.com
146.185.239.112    giron32.com
146.185.239.112    glorius11.com
146.185.239.112    golus27.com
146.185.239.112    gshsol4.com
146.185.239.112    holipolks12.com
146.185.239.112    scara123.com
146.185.239.112    scara124.com
146.185.239.112    smart-filins.com
146.185.239.112    srut12.com
146.185.239.112    srut19.com
146.185.239.113    gskskkksa4.com
146.185.239.113    jarr62737.com
146.185.239.114    gislat2for8.com
146.185.239.114    gislat4se2.com
146.185.239.114    gladi-toriusa.com
146.185.239.114    holisak-tasek.com
146.185.239.114    hysotasl.com
146.185.239.114    kaaalosa-set.com
146.185.239.114    shatiko-mero.com
146.185.239.114    svars-sta.com
146.185.239.114    tauruk-felon.com
146.185.239.114    trader562.com
146.185.239.114    veret-sapan.com
146.185.239.114    vertus-adusa.com
146.185.239.114    vesm-arast.com
146.185.239.114    zemo-numeros.com
146.185.239.114    zumo-afetuk.com
146.185.239.114    zumo-alibabs.com
146.185.239.114    zumo-archib.com
146.185.239.248    gelun-posak.com
146.185.239.248    fulo-centums.com
62.122.74.111      golen-mortales.com
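To put the indicator table above to use on the defensive side, here is an added example (my own code, not from the original post or the author) that loads the listed IP/domain pairs, collapses the duplicate row, and runs a few constructed DNS query log and proxy access log lines against them. The two domain roles (gelun-posak.com as the infection C2, golen-mortales.com as the payment wall) are taken from the C2 section of the post; the log formats and the base64-looking request path in the sample lines are constructed for illustration and are not captured traffic.

```python
"""Match DNS and proxy log lines against the Braviax/FakeRean indicators from the post.

Added example, not code from the original post. Log lines and log formats
below are constructed for illustration.
"""
import re
from collections import defaultdict

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Indicators as listed in the post, written as "ip domain [domain ...]" per line.
# A pasted two-column "ip domain" table parses the same way; the header row is skipped.
# The repeated tauruk-felon.com row from the post is kept on purpose to show de-duplication.
IOC_TABLE = """\
IP Address Domain
146.185.239.110 evcash.net softrango.com
146.185.239.111 ltsectur2.com ltsectur9.com fscurat20.com fscurat21.com
146.185.239.112 fastprodst5.com fflord25.com fflord30.com giron32.com glorius11.com golus27.com
146.185.239.112 gshsol4.com holipolks12.com scara123.com scara124.com smart-filins.com srut12.com srut19.com
146.185.239.113 gskskkksa4.com jarr62737.com
146.185.239.114 gislat2for8.com gislat4se2.com gladi-toriusa.com holisak-tasek.com hysotasl.com kaaalosa-set.com
146.185.239.114 shatiko-mero.com svars-sta.com tauruk-felon.com trader562.com veret-sapan.com vertus-adusa.com
146.185.239.114 vesm-arast.com zemo-numeros.com zumo-afetuk.com zumo-alibabs.com zumo-archib.com tauruk-felon.com
146.185.239.248 gelun-posak.com fulo-centums.com
62.122.74.111 golen-mortales.com
"""

# Roles the post attributes to two domains: infection registration C2 vs. payment wall.
ROLES = {"gelun-posak.com": "infection C2", "golen-mortales.com": "payment wall"}


def load_iocs(table):
    """Parse the table into {domain: ip} and {ip: set(domains)}, collapsing duplicates."""
    by_domain, by_ip = {}, defaultdict(set)
    for line in table.splitlines():
        ip, *domains = line.split() or [""]
        if not IP_RE.fullmatch(ip):
            continue  # header row or blank line
        for domain in domains:
            domain = domain.lower().rstrip(".")
            by_domain[domain] = ip
            by_ip[ip].add(domain)
    return by_domain, dict(by_ip)


# Constructed formats: a BIND-style query log line and a Squid-style access log line.
DNS_RE = re.compile(r"query: (?P<name>[\w.-]+) IN ")
URL_RE = re.compile(r"https?://(?P<host>[\w.-]+)")


def scan_log(lines, by_domain, by_ip):
    """Return (line_no, indicator, ip, role) for every line touching a listed domain or IP.

    Name matches take precedence over bare-IP matches, so a proxy line that names
    both the host and the resolved address is reported once, under the domain.
    """
    hits = []
    for no, line in enumerate(lines, 1):
        names = [m.group("name") for m in DNS_RE.finditer(line)]
        names += [m.group("host") for m in URL_RE.finditer(line)]
        names = [n.lower().rstrip(".") for n in names]
        name_hits = [n for n in names if n in by_domain]
        if name_hits:
            for name in name_hits:
                hits.append((no, name, by_domain[name], ROLES.get(name, "campaign infrastructure")))
            continue
        # Direct connections (e.g. CONNECT to a bare address) only leave the IP behind.
        for ip in sorted(set(IP_RE.findall(line))):
            if ip in by_ip:
                hits.append((no, ip, ip, "campaign infrastructure"))
    return hits


# Constructed log lines; the base64-looking path stands in for the encoded system ID the post describes.
SAMPLE_LOG = [
    "18-Dec-2014 10:02:11.401 client 10.0.0.5#51234: query: gelun-posak.com IN A + (10.0.0.1)",
    "1418896931.512 10.0.0.5 TCP_MISS/200 GET http://gelun-posak.com/dGVzdGlkMTIz - DIRECT/146.185.239.248",
    "18-Dec-2014 10:05:44.120 client 10.0.0.7#44112: query: www.example.com IN A + (10.0.0.1)",
    "1418897102.001 10.0.0.5 TCP_MISS/200 GET http://golen-mortales.com/ - DIRECT/62.122.74.111",
    "1418897150.770 10.0.0.9 TCP_TUNNEL/200 CONNECT 146.185.239.114:443 - DIRECT/146.185.239.114",
]

if __name__ == "__main__":
    for no, indicator, ip, role in scan_log(SAMPLE_LOG, *load_iocs(IOC_TABLE)):
        print(f"line {no}: {indicator} -> {ip} ({role})")
```

Matching on the domain first and only falling back to the bare IP keeps a single proxy line from producing two alerts, and tagging the two known roles separates "host called home" from "host reached the payment page", which is the distinction that matters when deciding whether a user may have handed over card details.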

By admin