SHA1:
crypt | 21226cb1361f46d6262cddb756b24b47d86dfb96 |
bot | f11da165d898f35809c69fba00d21b1d1c916f00 |
mimikaz | 3ce415ce0efe8436750a328d8fc698d6a9ead08c |
JUPITER.32 | b36abe9a5336ac9baa468e3bae30950ceec5eb05 |
JUPITER.64 | 695f9f570ca56e3211bf37527ab9f34b2bd3c388 |
A multicomponent polymorphic file virus that can infect file objects on 32-bit and 64-bit versions of Microsoft Windows. It is designed to perform web injections, intercept traffic, take screenshots, to execute keylogging functions, and to steal login credentials for online banking applications. It can also establish reverse RDP connections (back connect) and launch a local SOCKS5 proxy server and HTTP server in order to perform CMD commands. The virus is known to inherit several characteristic features from Trojan.Carberp and Trojan.PWS.Panda (Zeus).
As Carberp’s successor, Trojan.Bolik.1 has borrowed the presence of a virtual file system, which the Trojan saves to one of system directories or to the user folder. Like Zeus, the Trojan has the JUPITER web injection mechanism; yet, it was considerably modified. In particular, Trojan.Bolik.1 uses JSON for data sharing and numeric codes are replaced with line parameters in the configuration block.
Trojan.Bolik.1 intercepts traffic in such browsers as Microsoft Internet Explorer, Chrome, Opera, and Mozilla Firefox by intercepting function calls. The Trojan steals private information by using the analog of mimikatz designed to steal passwords in the Windows open sessions. The malware program also uses the monguse library to create an HTTP server.
The Trojan communicates with the C&C server over HTTP protocol by sending POST requests encrypted with AES CBC 128. An encryption key is generated using the curve25519 elliptic curve. Integrity check is performed by means of hmac-sha1 and sha1. All transmitted information is encrypted with a special algorithm and is then compressed using the zlib library.
Judging from the corresponding lines in the configuration file received from the server, only Russian bank clients suffer from web injections performed by the Trojan:
}, {
"Mask" : "*Бухгалтерия*",
"Count" : 1
}, {
"Mask" : "*iBank2*",
"Count" : 1
}, {
"Mask" : "*ts.letok2.ru*",
"Count" : 1
}, {
"Mask" : "*Кассир*",
"Count" : 1
}, {
"Mask" : "*KASSA*",
"Count" : 1
}, {
"Mask" : "*Internet-Банкинг*",
"Count" : 1
}, {
"Mask" : "*Банкинг*",
"Count" : 1
}, {
"Mask" : "*jp2launcher.exe*",
"Count" : 1
}
],
The Trojan also uses the following masks:
"Mask" : "*bitcoin*",
"Count" : 1
}, {
"Mask" : "*BSS*",
"Count" : 1
}, {
"Mask" : "*Банк*",
"Count" : 1
}, {
"Mask" : "*ЗАО*",
"Count" : 1
}, {
"Mask" : "*Клиент*",
"Count" : 1
}, {
"Mask" : "*eToken*",
"Count" : 1
}, {
"Mask" : "*Remote Desktop*",
The self-spreading ability of the Trojan is activated once the following command is received from the server:
{"WormConfig":{"USBEnabled":true,"NetworkEnabled":true}}
Then Trojan.Bolik.1 checks open-for-write folders for the presence of executable files in the Windows system or on connected USB devices and then infects them. Trojan.Bolik.1 can compromise either 32-bit or 64-bit applications. Dr.Web Anti-virus detects programs infected by this virus as Win32.Bolik.1.
The virus has an incorporated polymorphic decryptor that is inserted into the input point of the infected file. The decryptor decrypts data located in the resource section that also contains the Trojan itself in encrypted form. It calculates the key in several iterations and decrypts the shell code by this calculated key. Besides, Win32.Bolik.1 tries to hinder the operation of anti-virus programs that can execute malicious applications in a special emulator by implementing specific techniques that consist of different loops and repeating instructions.