Man Linked to Auto Parts Store Behind Bachosens Malware


A man linked to an auto parts store in a disputed territory of Moldova is behind the Bachosens malware, a backdoor trojan used in a very small number of attacks, but one of the most advanced threats of its kind.

For the past seven years, the Bachosens trojan has been linked to only three malware infections. Due to the malware’s advanced features and its limited usage, the security company investigating these attacks understandably thought this was the work of a nation-state actor.


This initial assessment was based on an analysis of the malware’s features, which according to Symantec — the company that discovered the trojan — were right up there with the features someone finds in malware developed by nation-state hackers. These features included:

↗ The use of rarely used covert communication channels, such as DNS, ICMP, and HTTP, to communicate with the malware’s C&C server.
↗ The encryption of stolen victim data before transmitting it to the C&C server.
↗ The malware used a set of ephemeral AES keys to encrypt the stolen data.
↗ The use of IPv6 instead of IPv4.
↗ The use of dynamic DNS (DDNS) and domain generation algorithms (DGA).

It was no surprise that, after seeing what they had uncovered, Symantec’s research team thought they had stumbled upon a new malware strain used for cyber-espionage.

Nonetheless, the more they dug into past attacks where Bachosens had been deployed, the more they realized they were dealing with an amateur.

Actor behind Bachosens made a lot of mistakes

Despite Bachosens possessing such an advanced set of features, the person behind the Bachosens campaigns made a lot of mistakes that are usually made by beginners, just entering the malware distribution scene.

The more past attacks researchers found, the more mistakes they found, some of which were just ridiculous, and certainly something that a nation-state actor would never make. For example:

↘ The Bachosens author had misconfigured the DGA system to use only 13 domains per year. Usually, DGAs produce tens of unique C&C server URLs per day. This misconfiguration defeats the purpose of using a DGA altogether.
↘ The Bachosens author uploaded his malware to VirusTotal, exposing it to security researchers.
↘ The Bachosens author wasn’t careful about his operational security and kept leaving clues behind about his persona and location, including in domain registration data.
↘ Researchers found Bachosens packed together with an unobfuscated keylogger. A nation-state actor would never make such a basic mistake of leaving code unobfuscated.
↘ Researchers found Bachosens bundled with an online video game, another tactic that’s very rarely used by nation-state attackers.

All of these mistakes have helped researchers understand they weren’t dealing with an APT, but a basic cyber-criminal engaged in petty crimes.
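To make the DGA point concrete from the defender's side, the following added example (not code from Symantec or from the malware) enumerates a whole year of candidate names and matches them against a DNS query log. The generator is a toy stand-in, since the article does not describe the real algorithm; the seed, the 30-per-day comparison rate, and the log lines are constructed assumptions.

```python
import hashlib

def toy_dga(seed, year, slot):
    """Toy stand-in generator; NOT the Bachosens algorithm (not described on the page)."""
    digest = hashlib.sha256(f"{seed}:{year}:{slot}".encode()).hexdigest()
    return digest[:12] + ".example"  # .example is a reserved TLD

def candidates(seed, year, slots):
    """Every name the generator can emit for one year, given its slot count."""
    return [toy_dga(seed, year, s) for s in range(slots)]

def flag_queries(log_lines, blocklist):
    """Return (timestamp, client, name) for queries whose name is on the blocklist."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines
        ts, client, qname, _qtype = parts
        name = qname.rstrip(".").lower()  # normalise trailing dot and case
        if name in blocklist:
            hits.append((ts, client, name))
    return hits

SEED = "constructed-seed"                      # hypothetical value
YEAR = 2016
LOW_RATE = candidates(SEED, YEAR, 13)          # 13 domains per year, as in the article
HIGH_RATE = candidates(SEED, YEAR, 30 * 365)   # assumed 30 per day, for comparison

# Constructed DNS query log: timestamp, client, queried name, record type.
SAMPLE_LOG = [
    "2016-09-03T10:15:02Z 2001:db8::10 www.example.org. AAAA",
    f"2016-09-03T10:15:07Z 2001:db8::23 {LOW_RATE[8].upper()}. AAAA",
    "2016-09-03T10:15:09Z 2001:db8::10 mail.example.net. A",
    "truncated line",
]

def demo():
    """Blocklist the full low-rate year and scan the sample log against it."""
    blocklist = set(LOW_RATE)
    return len(LOW_RATE), len(HIGH_RATE), flag_queries(SAMPLE_LOG, blocklist)

if __name__ == "__main__":
    low, high, hits = demo()
    print(f"{low} names cover the year; a 30/day generator would need {high}")
    for ts, client, name in hits:
        print(f"blocklisted name queried at {ts} by {client}: {name}")
```

With only 13 names per year, the complete set fits in a static blocklist or sinkhole list that can be reviewed by hand, which is why such a low rate removes the resilience a DGA is meant to provide.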

Moldavian man behind Bachosens trojan

Clues left in past attacks and the Bachosens trojan allowed Symantec researchers to track down the malware to a person living in Tiraspol, a city in the Russian-controlled region of Tiraspol, a disputed territory in eastern Moldova.

Based on a timeline of attacks researchers were able to reconstruct, they felt positive this man, who they nicknamed Igor, had deployed Bachosens only for his personal gains.

Despite not having any evidence of a compromise, Symantec believes Igor first deployed Bachosens in 2009, when he compromised a Chinese auto-tech company from where he stole their proprietary car diagnostics software.

Researchers believe this based on an alert put out by the Chinese company that warned customers of unauthorized websites selling illegal copies of its software.

Symantec says it linked those websites to Igor, who was peddling the Chinese company’s software for a fraction of its original price of $1,100. Because of his affiliation with a car parts store in Tiraspol, researchers feel pretty confident the man they identified is the man behind the Bachosens attacks.

 2009  Chinese auto-tech company issues alert about unauthorized sellers of its software. Domains mentioned in alert linked to Igor.
 2013  Variant of keylogger first spotted.
 2014  Bachosens malware first seen in submission to VirusTotal.
 February 2016  Earliest Bachosens infection seen in the wild.
 April 2016  Phishing email containing Bachosens malware sent to online gambling company.
 September 2016  Bachosens malware found on airline systems.

For his attacks, researchers believe Igor used spear-phishing to deploy Bachosens at the affected companies.

What researchers couldn’t explain are the recent attacks trying to spread Bachosens to other companies. These include a failed spear-phishing attempt to deploy Bachosens at an online gambling company, and a successful spear-phishing campaign that delivered Bachosens at an airline company. It may be safe to argue that Igor is trying to boost his profits via new campaigns.

One mystery remains

The last mystery surrounding Bachosens is who developed this advanced piece of malware. While it could be argued that Igor bought the malware from someone else, this isn’t a plausible theory because the original Bachosens author never used it or sold it to anyone else. Malware authors generally don’t develop malware — and especially malware so sophisticated — just to sell to one customer.

A more plausible theory would be that Igor developed it himself. If this is true, it’s clearly evident that Igor is wasting his skills working in the car parts industry, as the malware he created is well above the norm of day-to-day malware we see produced by many long-standing malware developers.