A backdoor that executes commands issued by the attackers. The Trojan was observed being distributed by targeted mass mailing to employees of a number of Russian defense enterprises; the emails purported to come from headquarters. They were titled «Дополнение к срочному поручению от 30.03.15 № УТ-103» (“Addition to an urgent task as of 03/30/15 #UT-103”) and carried a Microsoft Excel attachment named Копия оборудование 2015.xls (“Copy equipment 2015.xls”).
The file contains an exploit for CVE-2012-0158, a vulnerability present in some versions of Microsoft Excel. When the file is opened on the targeted computer, an excel.exe process is launched with the Trojan’s dropper embedded in it.
The dropper extracts the backdoor BackDoor.Hser.1 from its body, saves it to disk as "C:\Windows\Tasks\npkim.dll", and registers the library for autorun by adding the value [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'mcsam' = "rundll32.exe C:\Windows\Tasks\npkim.dll,RooUoo" to the system registry. The Trojan then launches cmd.exe to delete the excel.exe process file.
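The persistence described above (a Run-key value that makes rundll32.exe load a DLL from C:\Windows\Tasks, a directory ordinary users can write to) is a pattern a defender can hunt for. The script below is an added example, not code from the article or from Dr.Web: it parses rundll32 command lines found in Run-key values and flags DLLs loaded from user-writable directories. The registry entries are constructed for the example (the 'mcsam' entry reproduces the value quoted in the article; the other two are benign, invented entries), and the list of directories treated as suspicious is an assumption.

```python
import re

# Directories an unprivileged user can normally write to. A DLL loaded from one of
# these by an autorun entry deserves a closer look. The list is an assumption for
# this example; extend it to match your environment.
SUSPICIOUS_DIRS = (
    r"C:\Windows\Tasks",
    r"C:\Windows\Temp",
    r"C:\Users\Public",
)

# Matches "rundll32[.exe] <dll path>,<export>" with an optional full path to
# rundll32 and optional quoting around either path.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)',
    re.IGNORECASE,
)


def parse_rundll32(command: str):
    """Return (dll_path, export) if the command launches rundll32, else None."""
    m = RUNDLL_RE.match(command)
    if not m:
        return None
    return m.group(1).strip(), m.group(2)


def is_under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies inside root' check for Windows paths."""
    return path.casefold().startswith(root.casefold().rstrip("\\") + "\\")


def assess_run_entry(name: str, data: str):
    """Flag a Run-key value whose rundll32 target lives in a user-writable directory."""
    parsed = parse_rundll32(data)
    if parsed is None:
        return None
    dll, export = parsed
    for root in SUSPICIOUS_DIRS:
        if is_under(dll, root):
            return {
                "value": name,
                "dll": dll,
                "export": export,
                "reason": f"rundll32 loads a DLL from {root}",
            }
    return None


def scan_run_entries(entries: dict) -> list:
    """Run assess_run_entry over a mapping of value name -> value data."""
    findings = []
    for name, data in entries.items():
        finding = assess_run_entry(name, data)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample of HKCU\...\Run values. The first one is the value quoted in
# the article; the other two are invented benign entries.
CONSTRUCTED_RUN_ENTRIES = {
    "mcsam": r"rundll32.exe C:\Windows\Tasks\npkim.dll,RooUoo",
    "VendorApp": r'"C:\Program Files\Vendor\app.exe" /background',
    "VendorHelper": r'C:\Windows\System32\rundll32.exe "C:\Program Files\Vendor\helper.dll",Start',
}

if __name__ == "__main__":
    for f in scan_run_entries(CONSTRUCTED_RUN_ENTRIES):
        print(f"{f['value']}: {f['dll']} ({f['export']}) - {f['reason']}")
```

On a live system the dictionary would be filled from the Run keys of every user hive (and the HKLM equivalent); the check is deliberately narrow and keys on the directory rather than on the file name, since the DLL name is trivial for an attacker to change.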
Once launched on the infected computer, BackDoor.Hser.1 decrypts the address of its command and control server, which is stored in the Trojan’s body. It uses a 4-byte key, expanded to a 256-byte key by repeating it, with the standard RC4 algorithm. Requests to the command and control server are fixed-length strings encoded with base64; before encoding, the string is padded with zeros to the required length.
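The key handling and request framing described above are easy to reproduce, which is what an analyst does to recover the C2 address from a sample. The code below is an added example and not the Trojan's code or anything from the article: it implements RC4, the 4-byte-to-256-byte key expansion by repetition, and the zero-padded base64 request framing. The key, the encrypted blob and the fixed request length (64 bytes) are constructed for the example, and padding with NUL bytes rather than ASCII '0' characters is an assumption, since the article does not say which.

```python
import base64

# Fixed request size: an assumption for this example, not a value from the article.
REQUEST_LENGTH = 64


def expand_key(key4: bytes) -> bytes:
    """Expand a 4-byte key to 256 bytes by repeating it, as the article describes."""
    if len(key4) != 4:
        raise ValueError("expected a 4-byte key")
    return key4 * 64


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_c2(key4: bytes, blob: bytes) -> str:
    """Recover the NUL-terminated C2 string from an RC4-encrypted blob."""
    plain = rc4(expand_key(key4), blob)
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def frame_request(payload: bytes, length: int = REQUEST_LENGTH) -> str:
    """Zero-pad a request to the fixed length, then base64-encode it."""
    if len(payload) > length:
        raise ValueError("payload exceeds the fixed request length")
    padded = payload + b"\x00" * (length - len(payload))
    return base64.b64encode(padded).decode("ascii")


def unframe_request(encoded: str, length: int = REQUEST_LENGTH) -> bytes:
    """Inverse of frame_request; rejects requests of the wrong size."""
    padded = base64.b64decode(encoded, validate=True)
    if len(padded) != length:
        raise ValueError(f"expected {length} bytes, got {len(padded)}")
    return padded.rstrip(b"\x00")


# Constructed sample: a made-up key and an invalid-TLD host, encrypted here so the
# example is self-contained. Neither value comes from the article.
SAMPLE_KEY = b"\x12\x34\x56\x78"
SAMPLE_BLOB = rc4(expand_key(SAMPLE_KEY), b"c2.example.invalid:443\x00")

if __name__ == "__main__":
    print("C2:", decrypt_c2(SAMPLE_KEY, SAMPLE_BLOB))
    print("framed request:", frame_request(b"constructed-request"))
```

One point worth noticing: RC4's key schedule already cycles through the key with `key[i % len(key)]`, so a 4-byte key repeated to 256 bytes yields exactly the same keystream as the 4-byte key on its own. The expansion adds no strength, and the effective key space stays at 32 bits, which is why a recovered sample can be brute-forced if the key is not found in the binary directly.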
The backdoor can execute the following commands:
- send to a server information about the system (operating system, presence of a proxy server in the network, name of the computer, IP address);
- assign ID (unique identifier of the affected computer);
- send to a server a list of active processes;
- “kill” the process with a specified PID;
- write data in a file (1 byte for every command);
- run a file;
- launch the console and redirect its input/output to the command and control server.