{
	"id": "c5e7d80a-8b7a-40cf-846c-01e263c5392c",
	"created_at": "2026-04-06T00:06:09.958499Z",
	"updated_at": "2026-04-10T03:33:01.231825Z",
	"deleted_at": null,
	"sha1_hash": "b4358d0b620348c1f78be6b217189b3590bd825a",
	"title": "Dissecting the “Kraken”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 593777,
	"plain_text": "Dissecting the “Kraken”\r\nBy Paul Rascagnères\r\nPublished: 2017-05-11 · Archived: 2026-04-05 17:03:21 UTC\r\n05/07/2015\r\nReading time: 6 min (1553 words)\r\nIn January 2015, unidentified attackers attempted to infiltrate a multi-national enterprise based in the United Arab Emirates, using a spear phishing attack with a crafted MS Word document attached to the message. Once it had reached its target, the payload was designed to work as an information stealer and reconnaissance tool. G DATA’s security experts identified the malware behind this attack and reveal information about the actual power of the malware’s tentacles. In this article, the G DATA SecurityLabs will have a look at the following topics:\r\n* an example of the spear phishing campaign, sent only a few days after the malware had been advertised\r\n* the marketing approach used to sell the malware\r\n* the analysis of some of Kraken’s features\r\n* theories about why Kraken has been used as malware in a targeted attack\r\nInfection Vector\r\nThe attacker(s) sent a specially crafted email to at least one employee of the attacked enterprise. The email’s body reveals a business-related topic: an offer to become a member of this year’s International Trade Council. Nevertheless, the offer is directed at the Philippine National Bank, not the enterprise actually receiving the email. This could be a trick to make the recipient even more curious to look at the attached document, because he/she received documents not issued for him/her.\r\nThe G DATA experts alerted the aeCERT about the incident and their analysis results.\r\nhttps://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken\r\nPage 1 of 8\r\nIn this case, the attachment is a Microsoft Word document which tries to exploit the vulnerability described in CVE-2012-0158 in order to drop and execute malware dubbed “Kraken HTTP”.
\r\nThe G DATA security solutions detect the malicious document (08E834B6D4123F0AEA27D042FCEAF992) as Exploit.CVE-2012-0158.AH, and G DATA’s proactive Exploit Protection technology also prevents the attack before the PC can be infected.\r\nThe Malware, advertised on the Underground Market\r\n“Kraken HTTP” is sold on at least one underground market as a commercial product. Someone who claims not to be the author of the malware promoted it with a kind of banner which has quite a visual impact. Have a look at the “ad” that was published back in December 2014.\r\nThe banner describes the botnet:\r\nits technical features\r\nthe available commands (classic ones, such as visiting a website using the infected bot, download and execute a command or a library, update and uninstall)\r\nthe plugins one can use: file stealer, ad-clicker, form grabber, …\r\nThe command “visiting a website” using the infected bot could be used by the attackers as an entry point for blackmailing the infected user. The attackers could visit websites that are regarded as illegal in the respective country and could then ask for ransom and threaten to release information about the alleged violation to any seemingly official entity who would then investigate against the victim.\r\nThe flyer also reveals the price of the malware: the basic binary costs $320 and each plugin must be paid for separately, for example $50 for the file stealer, $60 for the ad-clicker and up to $350 for a configurable form grabber. Accepted payment methods are the usual virtual currencies and pre-paid options.
\r\nA price list found on a different website, also posted in December 2014, lists the binary’s price as $270 and some additional modules, such as an “Edit Hosts module” ($15), a “Botkill module” ($30) and a “Bitcoin monitor module” ($20).\r\nFurthermore, “Kraken HTTP” is advertised as “a new, revolutionary botnet […] and very noob-friendly”. Noob is a word describing “that someone is new to a game, concept, or idea; implying a lack of experience.” But now let’s have a look at what the botnet really is.\r\nMarketing vs. Reality\r\nAfter having a glimpse at the ad designed to promote the malware, we analyzed a sample of it: 3917107778F928A6F65DB34553D5082A, which is detected as Gen:Variant.Zusy.118945. We decided to analyze some features mentioned in the flyer and on the other website to evaluate their power and implementation.\r\nFeature: “Bypass UAC”\r\nAs expected, the malware does not really bypass the UAC. It rather uses a classic trick already used by several malware instances: it uses a legitimate Microsoft binary in order to execute itself with administrator permissions. We already presented this technique in our G DATA SecurityBlog article about the Beta Bot.\r\nFeature: “Anti-VM”\r\nThe flyer explains that the botnet won’t work in a virtual machine.
To detect whether the malware is running in a virtual machine, the malware author checks if the following two directories and one file exist:\r\nC:\\Program Files\\VMWare\\VMware Tools\\\r\nC:\\Program Files (x86)\\VMware\\WMware Tools\\\r\nC:\\WINDOWS\\system32\\VBoxtray.exe\r\nFurthermore, the malware checks if the following applications, which analysts usually use, are being executed:\r\nWireshark: a network analyzer\r\nFiddler: a web proxy used to debug HTTP flow.\r\nWe can see the tools detection:\r\nIf one of the elements mentioned above is detected, the malware will display a rather poetic dialog popup:\r\nSo, the anti-VM is really rudimentary. If the additional tools are not installed on the virtual machine, the malware can be perfectly executed.\r\nFeature: “Folder, Bot file \u0026 All file dropped are hidden”\r\nThe folders \u0026 bot files simply have the “hidden” attribute set in Microsoft Windows. If you configure your system to show hidden files and directories, you can perfectly see them:\r\nFeature: “Process \u0026 registry persistence”\r\nThe malware persistence uses a registry key in order to be executed automatically in case the system is rebooted. The key is HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows:\r\nThe malware repeatedly checks whether this entry is removed. In case the entry is removed, the malware will create a new one.
However, instead of removing it, we can simply rename the path to the executable in order to switch off the persistence mechanism.\r\nSo, the malware does not have any clever persistence features either.\r\nFeature: “Path \u0026 variable encrypted”\r\nWe identified two kinds of “encrypted” data:\r\nSome paths are encoded using the base64 algorithm, such as: JVdJTkRJUiUA (%WINDIR%) and JWFwcGRhdGElaa== (%appdata%)\r\nSome data is encrypted (RC4), such as the C\u0026C information:\r\nFeature: “Bitcoin monitor plugin”\r\nThe Bitcoin monitor plugin is even more amusing. It is not advertised on the flyer but on the other website we found. The malware monitors the infected user’s clipboard. If the user copies a Bitcoin address to the clipboard, it will be replaced by an address pre-configured by the botmaster. A Bitcoin address is an identifier of 26-35 alphanumeric characters which represents the owner of a Bitcoin wallet, for example something like 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy.\r\nWe can easily imagine that the plugin’s “test” is prone to produce false positives, because any alphanumeric text copied by the user will be automatically changed without reason if it has a length between 26 and 35 characters. Ok, we admit that the German word “Kraftfahrzeughaftpflichtversicherung” (36) would not be harmed when copied, but what about “Bundesausbildungsfoerderungsgesetz” (34) or “radioimmunoelectrophoresis” (27)? Just kidding. But any string, from strong passwords to bank account numbers and more, could be affected.\r\nFeature: “Download \u0026 Execute”, the next Step\r\nThis feature allows installing further malware on the affected PC in case the attackers decide the current machine is interesting enough.
“Kraken HTTP” is only the first stage in this attack and can be seen as a reconnaissance tool.\r\nAdministration Panel\r\nThe experts of the G DATA SecurityLabs had access to the panel used by “Kraken HTTP”, but the source code is protected by a commercial packer called IonCube loader. Nevertheless, we can reveal some screenshots of the administration panel which are available on the underground. Note that some of the texts contain mistakes:\r\nConclusion\r\nWe suppose that the Kraken botnet was developed by a beginner. The malware does not include advanced malware technologies and no groundbreaking innovations, even though those were advertised. Many sensitive strings are not encrypted, such as installation paths, anti-virus listings, insults against the analysts and much more. To sell the botnet malware, the author used a quite sexy marketing flyer, but, actually, the malware turned out to be rather simple.\r\n“Kraken HTTP” was said to be used during an espionage campaign against the energy sector, especially against targets in the UAE. We have now identified a specific target from this geographical region and have obtained one of the spear phishing emails used. Even though the targets that are known by now are rather high-level targets, the malware code as well as its features are not advanced.\r\nWe are surprised to see this piece of code being used to carry out targeted attacks rather than broader criminal activities. It is not surprising that attackers use vulnerabilities that are older, because, unfortunately, many computers are likely to be still out of date and so the attack works. Despite the fact that the vulnerability used is not a new one, the malware does not have the common features that we saw during other targeted attack campaigns.
Compared to incidents like Uroburos, the Kraken malware is not good enough to “catch the big fish”, if we want to stick to the metaphor. So, from the current point of view, there are three theories:\r\nThe attackers who developed the Kraken malware might have chosen to diversify their business and chose to attack special interest targets themselves.\r\nThe attackers identified infected machines in the business sector and followed the tracks to see what else they might be able to get from the companies.\r\nThe actual espionage team voluntarily chose to use a kind of usual and rather simple botnet malware in order to distract analysts from seeing a deeper meaning behind this attack and make them disregard it as ‘daily cybercrime business’.\r\nSource: https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken"
	],
	"report_names": [
		"24280-dissecting-the-kraken"
	],
	"threat_actors": [
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433969,
	"ts_updated_at": 1775791981,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4358d0b620348c1f78be6b217189b3590bd825a.pdf",
		"text": "https://archive.orkl.eu/b4358d0b620348c1f78be6b217189b3590bd825a.txt",
		"img": "https://archive.orkl.eu/b4358d0b620348c1f78be6b217189b3590bd825a.jpg"
	}
}