Published on 9th April 2018, 10:03:17 UTC
In August 2017, I've blogged about Adwind, a cross-platform RAT written in Java that is also known as "jRAT" and "JSocket". The main infection vector for Adwind is via spoofed email. The attacker doesn't have to care about the recipients operating system (OS): Adwind works on Windows, macOS and Linux.
Recently, security researchers and AV vendors have published a handful interesting blog posts on Adwind. The recent uprise in Adwind campaigns seems to be related to Qrypter: a Malware-as-a-Service (MaaS) platform @Angelill0 blogged about in December 2017. The Qrypter MaaS platform is hosted in the Tor network, which makes it more resilient against takedowns and actions from law enforcement (LEA). However, the botnet controllers itself are hosted in the clear net. The following map shows the top Adwind C&C hosting countries in the past 6 months. In this period I've spotted almost 10'000 Adwind samples calling out to more than 2'800 distinct botnet controllers (C&Cs). Most of these Adwind samples are related to the Qrypter MaaS.
Looking at the top Adwind botnet C&C hosting countries, we can see that they are mostly hosted in the United States (US), followed by Netherlands (NL) and Great Britain (GB):
In my blog post on Adwind in August 2017, I've mentioned AnMaXX. AnMaXX was (and still is) one of the networks which is hostings a vast majority of the Adwind C&Cs. However, it's not just AnMaXX. A few days after I've published my Adwind blogpost I've came across another network called Gerber EDV-Dienstleistungen (aka gerber-edv.net). During my investigation, the network quickly raised my attention: Gerber EDV has, just like AnMaXX, no web site:
But not just that raised my suspicion. The fact that both, Gerber EDV and AnMaXX are hosted on the same IP address and even use the same mailserver (MX) doesn't make the situation any better:
anmaxx.net A 126.96.36.199 gerber-edv.net A 188.8.131.52 ;; QUESTION SECTION: ;mx.anmaxx.net. IN A ;; ANSWER SECTION: mx.anmaxx.net. 599 IN A 184.108.40.206 ;; QUESTION SECTION: ;mx.gerber-edv.net. IN A ;; ANSWER SECTION: mx.gerber-edv.net. 599 IN A 220.127.116.11
Is it possible that Gerber EDV is operated by the same guys as AnMaXX? It indeed seems so. The said IP address is also hosting another domain name: rivavpn.com
Taking a closer look at the netranges of Gerber associated with Qrypter reveals that they have one thing in common: They are all labeled with "Gerber non logging VPN Service". So it appears that Gerber sells VPN services, but I'm wondering how Gerber EDV advertises and sells their VPN services as their domain name doesn't host any website (uh?). As Gerber EDV-Dienstleistungen has their offices in Switzerland, I decided to vist them and ask them where all this abuse related to Adwind / Qrypter is coming from.
% Information related to '18.104.22.168 - 22.214.171.124' % Abuse contact for '126.96.36.199 - 188.8.131.52' is 'firstname.lastname@example.org' inetnum: 184.108.40.206 - 220.127.116.11 netname: Gerber_non-logging_VPN_service country: CH admin-c: JG8768-RIPE tech-c: JG8768-RIPE org: ORG-GE100-RIPE abuse-c: GE2550-RIPE status: ASSIGNED PA mnt-by: MNT-DA327 created: 2017-11-14T13:09:30Z last-modified: 2017-11-15T08:57:40Z source: RIPE organisation: ORG-GE100-RIPE org-name: Gerber EDV-Dienstleistungen org-type: OTHER remarks: **************************************************** remarks: Spamhaus, please note: remarks: remarks: THIS IP ADDRESS BELONGS TO A NON-LOGGING VPN SERVICE remarks: remarks: For further information please contact: remarks: remarks: email@example.com or firstname.lastname@example.org remarks: remarks: Thank you. remarks: **************************************************** address: Junkerngasse 44, 3011 Bern, Switzerland abuse-c: GE2550-RIPE mnt-ref: GERBER-MNT mnt-ref: MNT-DA327 mnt-by: GERBER-MNT mnt-by: MNT-DA327 created: 2017-11-04T22:44:21Z last-modified: 2017-11-09T11:29:29Z source: RIPE # Filtered
After a 1 1/2 hours train ride, I finally arrived in Bern. Gerber has their offices at Junkerngasse 44, which is in walking distance from the train station. So I decided to take a short walk:
After a 10 minutes walk I arrived at Junkerngasse 44 where Gerber supposes to have their office. It is a nice building in the old town of Bern. Actually, not a cheap place for renting an office. Will I find Gerber EDV here? I started having doubts...
Number 44. That must be it. But checking the sign at the front reveals: There is no Gerber EDV in this building. A quick cross check on the phone book proofs what I just saw: No Gerber EDV at this address:
As it might be possible that Gerber EDV moved their offices to a different location and forgot to update their RIPE record accordingly (actually, that's something I am confronted with very often: outdated RIPE records), I decided to have a quick look at the Central Business Name Index (Zefix) of the Federal Office of Justice. However, there is no registered company under that name in Switzerland:
Gerber (as well as AnMaXX) seems to be all fake. It is obviouse that both are operated by the same guys. There is no Gerber EDV-Dienstleistungen at Junkerngasse 44 in Bern and not even a registered company with that name in Switzerland. The sole purpose of Gerber and AnMaXX seems to be providing botnet hosting to Qrypter MaaS and other RATs such as NanoCore and RemcosRAT. I've also learned that RIPE requires that the information provided in the RIPE objects is correct. However, RIPE does not verify the provided information at all. I've submitted a complaint to RIPE regarding the incorrect information provided by Gerber EDV in the hope that RIPE can force them to reveal their real location (if there is any).
If you are a network- or sysadmin, I highly recommend you to block any incoming and outgoing traffic towards the follow prefixes that are owned / maintained by either Gerber EDV, AnMaXX or rivavpn.com:
18.104.22.168/27 gerber-edv.net AS9070 22.214.171.124/27 gerber-edv.net AS9070 126.96.36.199/26 gerber-edv.net AS51395 188.8.131.52/24 gerber-edv.net AS205406 184.108.40.206/28 gerber-edv.net AS57695 220.127.116.11/28 gerber-edv.net AS57695 18.104.22.168/27 gerber-edv.net AS205406 22.214.171.124/25 gerber-edv.net AS8473 126.96.36.199/26 anmaxx.net AS6830 188.8.131.52/26 anmaxx.net AS6775 184.108.40.206/26 anmaxx.net AS34304 220.127.116.11/25 anmaxx.net AS9125 18.104.22.168/27 anmaxx.net AS12389 22.214.171.124/27 anmaxx.net AS34547 126.96.36.199/24 anmaxx.net AS50841 188.8.131.52/24 anmaxx.net AS200995 184.108.40.206/24 anmaxx.net AS56630 220.127.116.11/26 anmaxx.net AS51395 18.104.22.168/24 anmaxx.net AS57944 22.214.171.124/26 anmaxx.net AS34989 126.96.36.199/24 anmaxx.net AS24961 188.8.131.52/24 anmaxx.net AS50113 184.108.40.206/24 anmaxx.net AS49981 220.127.116.11/24 anmaxx.net AS31103 18.104.22.168/24 anmaxx.net AS62240 22.214.171.124/26 anmaxx.net AS56630 126.96.36.199/26 anmaxx.net AS56630 188.8.131.52/29 anmaxx.net AS197155 184.108.40.206/27 anmaxx.net AS197155 220.127.116.11/29 anmaxx.net AS197155 18.104.22.168/29 anmaxx.net AS197155 22.214.171.124/29 anmaxx.net AS197155 126.96.36.199/30 anmaxx.net AS197155 188.8.131.52/26 anmaxx.net AS42160 184.108.40.206/24 rivavpn.com AS6775
In addition, I've seen the following netranges involved in massive Adwind botnet C&C hosting too, but couldn't map them to Gerber EDV or AnMaXX. I recommend you to block them as well on your network perimeter:
220.127.116.11/26 sklepkibicakonskie.pl AS8100 18.104.22.168/25 sklepkibicakonskie.pl AS36351 22.214.171.124/25 swiftway.net AS35017 126.96.36.199/27 host1plus.com AS37692 188.8.131.52/27 amanah.com AS32489 184.108.40.206/24 dediserv.eu AS60781 220.127.116.11/24 dediserv.eu AS60781 18.104.22.168/27 gigenet.com AS32181 22.214.171.124/28 globo.tech AS36666 126.96.36.199/25 webenlet.hu AS29278 188.8.131.52/27 netstyle.io AS199267 184.108.40.206/25 nobistech.net AS396362
The mentioned networks are not just used to host Adwind / Qrypter C&Cs, they also host plenty of other botnet controllers associated with dozens of different RATs and malware families, such as RemcosRAT, NanoCore and many more. If you want to convince yourself, you may want to take a look at the following list of 5'000+ botnet C&Cs I've seen in the past years being hosted in these networks:
More information about Qrypter MaaS can be found here: