SHA1:
- 39688eb28fb982df31b59a1098554ffa47bf56da
A multicomponent backdoor Trojan designed to execute cybercriminals' commands. The examined sample was distributed with the help of another downloader Trojan, Trojan.Sathurbot.1. The sample consists of two sections: the first stores the code of the main module loader together with encrypted code fragments for unpacking and import initialization; the second contains the main module of the malicious program.
The backdoor’s main module
Once launched, it checks its command line for the "/test" switch. If the switch is present, it prints to the console a message containing the text "\n Test - OK" and terminates after 3 seconds. This function was probably intended for testing program packers. Shortly after that, the Trojan checks whether any of the following processes are running on the infected machine, comparing CRC32 hashes of the process names (computed with RtlComputeCrc32) against a built-in list:
| CRC32 | Process |
|---|---|
| 99DD4432 | vmwareuser.exe |
| 2D859DB4 | vmwareservice.exe |
| 64340DCE | vboxservice.exe |
| 63C54474 | vboxtray.exe |
| 349C9C8B | sandboxiedcomlaunch.exe |
| 3446EBCE | sandboxierpcss.exe |
| 5BA9B1FE | procmon.exe |
| 3CE2BEF3 | regmon.exe |
| 3D46F02B | filemon.exe |
| 77AE10F7 | wireshark.exe |
| F344E95D | netmon.exe |
| 2DBE6D6F | prl_tools_service.exe |
| A3D10244 | prl_tools.exe |
| 1D72ED91 | prl_cc.exe |
| 96936BBE | sharedintapp.exe |
| 278CDF58 | vmtoolsd.exe |
| 3BFFF885 | vmsrvc.exe |
| 6D3323D9 | vmusrvc.exe |
| D2EFC6C4 | python.exe |
| DE1BACD2 | perl.exe |
| 3044F7D4 | avpui.exe |
If the malicious application finds any of these processes running, it goes into an infinite sleep.
After that, BackDoor.Andromeda.1407 obtains the system volume ID (GetVolumeInformationW), which it then uses extensively when generating the names of various named objects; in particular, it stores the path to the dropper directory in an environment variable whose name is computed as 'src' ^ VolumeID. It then attempts to inject its code into another process. To do so, it launches a process with the CREATE_SUSPENDED flag; depending on whether the operating system is 32- or 64-bit, the target is either %windir%\system32\msiexec.exe or %windir%\SysWOW64\msiexec.exe.
If the injection succeeds, the loader body is placed in memory and all of its values are overwritten with zeros. The Trojan then initializes sockets using WSAStartup, obtains the UserAgent string (ObtainUserAgentString), and checks the operating system version (GetVersionExW) and its bitness (NtQueryInformationProcess with class 0x1a, ProcessWow64Information). In addition, it acquires the debugger privilege (SeDebugPrivilege) and determines its own privilege level. The Trojan also checks which keyboard layouts are installed on the computer. If any of the layouts 419h (RU), 422h (UA), 423h (BL), or 43Fh (KZ) is found, the backdoor terminates as soon as possible and deletes itself from the system.
It deletes the Debugger value under the following system registry key:
HKLM\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe, Debugger
Then it obtains the current time over NTP (port 123) from the following servers:
- europe.pool.ntp.org
- north-america.pool.ntp.org
- south-america.pool.ntp.org
- asia.pool.ntp.org
- oceania.pool.ntp.org
- africa.pool.ntp.org
- pool.ntp.org
If it receives no response from these servers, it obtains the system time using the GetSystemTimeAsFileTime function and starts a separate thread that increments the time value every second. The Trojan's plug-ins make active use of this time value during their operation.
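The time-retrieval logic described above (an NTP query to each pool server in turn, with the local clock as fallback) is worth reproducing because it is also a detection opportunity: an NTP request to pool.ntp.org originating from an msiexec.exe process is not something a normal Windows host does. The following Python script is an added example, not code from the analysis or from the malware; it builds and parses SNTP packets and includes a constructed server reply so the parser can be exercised without network access. The server list and the fallback behaviour come from the text; the packet layout follows RFC 4330.

```python
import socket
import struct
import time

# NTP timestamps count seconds from 1900-01-01; Unix time counts from 1970-01-01.
NTP_UNIX_DELTA = 2208988800

# The pool servers named in the analysis, tried in the same order.
NTP_SERVERS = [
    "europe.pool.ntp.org", "north-america.pool.ntp.org",
    "south-america.pool.ntp.org", "asia.pool.ntp.org",
    "oceania.pool.ntp.org", "africa.pool.ntp.org", "pool.ntp.org",
]


def build_ntp_request() -> bytes:
    """48-byte SNTP client request: first byte LI=0, VN=3, Mode=3 (client), rest zero."""
    return bytes([0x1B]) + bytes(47)


def parse_ntp_response(packet: bytes) -> float:
    """Return the server's transmit timestamp (bytes 40-47) as Unix time in seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:          # low three bits are the mode; 4 = server reply
        raise ValueError("not an NTP server reply")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_DELTA + frac / 2 ** 32


def query_ntp(server: str, timeout: float = 2.0) -> float:
    """One UDP round trip to port 123; raises OSError on timeout or network error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (server, 123))
        data, _ = sock.recvfrom(512)
    return parse_ntp_response(data)


def get_time_with_fallback(servers=NTP_SERVERS, query=query_ntp) -> tuple:
    """Walk the server list; if no server answers, fall back to the local clock.

    Mirrors the behaviour described in the analysis (NTP first, local system time
    as fallback). Returns (unix_seconds, source) so the caller knows which path ran.
    """
    for server in servers:
        try:
            return query(server), "ntp:" + server
        except (OSError, ValueError):
            continue
    return time.time(), "local"


def constructed_reply(unix_secs: int) -> bytes:
    """A fake server reply (constructed test data, not a captured packet) whose
    transmit timestamp equals unix_secs, so the parser runs offline."""
    header = bytes([0x24]) + bytes(39)    # LI=0, VN=4, Mode=4 (server); bytes 1-39 zero
    return header + struct.pack("!II", unix_secs + NTP_UNIX_DELTA, 0)


if __name__ == "__main__":
    # Offline demonstration using the constructed reply.
    print(parse_ntp_response(constructed_reply(1700000000)))
```

The `query` parameter exists so the fallback path can be tested without a network; on a live host, `get_time_with_fallback()` with the defaults performs the real queries. For detection, the useful artefact is not the packet format but the process context: outbound UDP/123 from msiexec.exe, or from any process other than the Windows Time service, is the signal to alert on.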
The backdoor disables the display of system notifications via Windows policy settings:
[hklm\software\microsoft\windows\currentversion\policies\Explorer]
"TaskbarNoNotification"=1
"HideSCAHealth"=1
[hkcu\software\microsoft\windows\currentversion\policies\Explorer]
"TaskbarNoNotification"=1
"HideSCAHealth"=1
In Windows 7, the Trojan disables the following system services:
- wscsvc
- wuauserv
- MpsSvc
- WinDefend
In Windows XP, it disables the following system services:
- wscsvc
- wuauserv
- SharedAccess
Elevation of privileges
If the infected computer runs an operating system older than Windows 8 and the integrity level of the Trojan's process is SECURITY_MANDATORY_LOW_RID (0x1000) or SECURITY_MANDATORY_MEDIUM_RID (0x2000), the malicious program tries to elevate its privileges by means of ShellExecuteExW. If elevation fails after 5 attempts, the backdoor continues with its current privileges. In Windows 7, BackDoor.Andromeda.1407 disables User Account Control (UAC):
[hklm\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0
The backdoor’s installation and launch
The Trojan disables the display of hidden files in Windows Explorer:
[hkcu\software\microsoft\windows\currentversion\explorer\advanced]
"ShowSuperHidden"=0
"Hidden"=2
Then it checks several system and user profile folders, looking for one that is writable:
%ALLUSERSPROFILE% (C:\ProgramData)
%APPDATA% (C:\Users\<username>\AppData\Roaming)
%USERPROFILE% (C:\Users\<username>)
The check is performed by creating a file with the DELETE_ON_CLOSE flag, which is removed as soon as it is closed. After that, using the system volume ID, the backdoor generates a string of 3 to 5 arbitrary characters and a file name according to the "ms%s.exe" template. The dropper copies itself to the selected folder under that new name. The file is given the "hidden" and "system" attributes (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM) to conceal it from the user. Its creation time is replaced with the creation time of the host process into which the injection was performed. The Zone.Identifier stream is then deleted.
Finally, BackDoor.Andromeda.1407 modifies the system registry so that the malware's main module is launched automatically. It attempts to modify the following branches:
HKLM\software\microsoft\windows\currentversion\Policies\Explorer\Run
HKCU\software\microsoft\windows nt\currentversion\Windows, Load
HKCU\software\microsoft\windows\currentversion\Run
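The registry changes listed in the preceding sections (notification and UAC policies, the hidden-files settings, and the three autostart locations) together with the "ms%s.exe" naming scheme and the choice of drop directories give an incident responder a compact set of host artefacts to check. The following Python script is an added example and not part of the analysis; it runs over a snapshot of registry values (a constructed one is included) rather than the live registry, so it can be applied to an exported hive offline. The drop-directory paths assume default Windows locations (C:\ProgramData and C:\Users\<username>), and the severity labels are this example's own judgement: the Explorer hidden-file values coincide with a clean Windows default, so on their own they prove nothing.

```python
import re

# Registry values the analysis attributes to the backdoor, with the value it writes.
# "high": Windows does not set this by default, so a match is a strong signal.
# "low":  the written value coincides with a default Windows setting (hidden files are
#         hidden on a clean install too), so it only corroborates other findings.
INDICATORS = {
    r"HKLM\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification": (1, "high"),
    r"HKLM\software\microsoft\windows\currentversion\policies\Explorer\HideSCAHealth": (1, "high"),
    r"HKCU\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification": (1, "high"),
    r"HKCU\software\microsoft\windows\currentversion\policies\Explorer\HideSCAHealth": (1, "high"),
    r"HKLM\software\microsoft\windows\currentversion\policies\system\EnableLUA": (0, "high"),
    r"HKCU\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden": (0, "low"),
    r"HKCU\software\microsoft\windows\currentversion\explorer\advanced\Hidden": (2, "low"),
}

# Autostart locations the backdoor writes to (value paths under the Run keys, or the Load value).
AUTOSTART_PREFIXES = (
    r"HKLM\software\microsoft\windows\currentversion\Policies\Explorer\Run" + "\\",
    r"HKCU\software\microsoft\windows nt\currentversion\Windows\Load",
    r"HKCU\software\microsoft\windows\currentversion\Run" + "\\",
)

# "ms%s.exe" with 3 to 5 arbitrary characters. The name alone is too loose (msiexec.exe and
# mspaint.exe also fit), so the path must also lie in one of the profile directories
# the analysis names; default install paths are assumed here.
DROPPER_NAME = re.compile(r"\\ms[^\\]{3,5}\.exe$", re.IGNORECASE)
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\")


def looks_like_dropper(path: str) -> bool:
    """True if an autostart command points at a file matching the dropper's naming and location."""
    p = path.strip('"').lower()
    return bool(DROPPER_NAME.search(p)) and any(d in p for d in DROP_DIRS)


def audit(snapshot: dict) -> list:
    """snapshot maps 'HIVE\\key\\path\\ValueName' -> data, as an offline hive parser or a
    registry export would provide it (key comparison is case-insensitive).
    Returns a list of (severity, description) findings."""
    lowered = {k.lower(): v for k, v in snapshot.items()}
    findings = []
    for path, (bad_value, severity) in INDICATORS.items():
        if lowered.get(path.lower()) == bad_value:
            findings.append((severity, f"{path} = {bad_value}"))
    for path, data in lowered.items():
        in_autostart = any(path.startswith(p.lower()) for p in AUTOSTART_PREFIXES)
        if in_autostart and isinstance(data, str) and looks_like_dropper(data):
            findings.append(("high", f"autostart entry {path} -> {data}"))
    return findings


# Constructed snapshot for demonstration; the value name "msvc" and the file name
# "msq7zk.exe" are invented, not observed values.
SAMPLE_SNAPSHOT = {
    r"HKLM\software\microsoft\windows\currentversion\policies\system\EnableLUA": 0,
    r"HKCU\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification": 1,
    r"HKCU\software\microsoft\windows\currentversion\explorer\advanced\Hidden": 2,
    r"HKCU\software\microsoft\windows\currentversion\Run\msvc": r"C:\Users\alice\AppData\Roaming\msq7zk.exe",
    r"HKCU\software\microsoft\windows\currentversion\Run\OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

if __name__ == "__main__":
    for severity, text in audit(SAMPLE_SNAPSHOT):
        print(f"[{severity}] {text}")
```

On a live Windows host the snapshot would be filled from `winreg`, or the function can be pointed at values extracted from NTUSER.DAT and SOFTWARE hives with an offline parser. Note that a file matching the pattern should additionally be checked for the hidden+system attribute pair and for a creation timestamp that equals that of msiexec.exe, both of which the analysis describes and neither of which a legitimate user program normally exhibits.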
Communication with the command and control server
The backdoor establishes a connection to the C&C server with the help of a special encrypted key, which is then converted into a text message. The servers' IP addresses are hard-coded in the Trojan's body in encrypted form; to decrypt them, the key is flipped.
BackDoor.Andromeda.1407 determines the infected computer's IP address by connecting to port 80 of the following servers:
- microsoft.com
- update.microsoft.com
- bing.com
- google.com
- yahoo.com
The information is encrypted and transmitted using JSON (JavaScript Object Notation).
The Trojan generates the JSON request according to the {"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu,"bb":%lu} template—for example, {"id":3088609340,"bid":12385,"os":97,"la":167772687,"rg":1,"bb":0} where
- id—VolumeID;
- bid—botid / buildid constant;
- os—operating system version;
- la—local IP address;
- rg—administrator privileges flag;
- bb—keyboard layout flag (1 is for RU UA BL KZ, 0—for other languages).
Other information can be added to the request. The data is then encrypted using the RC4 algorithm with the Trojan's encryption key and sent to the server as a POST request. The Trojan receives JSON encrypted with the same key in reply. The server can respond with the following commands:
- Download and run an executable file
- Download and install a plug-in
- Update the Trojan
- Delete all plug-ins
- Delete the Trojan
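Because both the request and the reply are RC4-encrypted JSON under one static key, an analyst who has recovered the key from the sample can decode captured POST bodies and server replies with the same routine. The following Python script is an added example, not code from the analysis or from the malware: it renders the documented beacon template, applies RC4, and decodes a beacon back into annotated fields. The RC4 key is a placeholder (the analysis does not publish it), the captured beacon is constructed from the sample values quoted above, and two interpretations are this example's own inferences: that "la" is the IPv4 address as a big-endian 32-bit integer (the quoted value 167772687 = 0x0A00020F then decodes to 10.0.2.15, the usual VirtualBox NAT guest address), and that "os" packs the major and minor version into one byte (97 = 0x61, i.e. 6.1).

```python
import json
import struct

# Placeholder: the sample's real RC4 key is not given in the analysis.
PLACEHOLDER_KEY = b"<rc4-key-from-sample>"

# The request template exactly as the analysis shows it (no spaces, fixed field order).
BEACON_TEMPLATE = '{"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu,"bb":%lu}'


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_beacon_body(volume_id, build_id, os_ver, local_ip, is_admin, cis_layout) -> str:
    """Render the template; %lu is C printf notation, so it becomes Python's %d."""
    fields = (volume_id, build_id, os_ver, local_ip, is_admin, cis_layout)
    return BEACON_TEMPLATE.replace("%lu", "%d") % fields


def build_beacon(*args, key: bytes = PLACEHOLDER_KEY) -> bytes:
    """Encrypted POST body as the backdoor would send it (under the placeholder key)."""
    return rc4(key, build_beacon_body(*args).encode())


def decode_beacon(blob: bytes, key: bytes = PLACEHOLDER_KEY) -> dict:
    """Decrypt a captured POST body (or server reply) and annotate the documented fields."""
    fields = json.loads(rc4(key, blob).decode())
    # Inference: "la" is the IPv4 address as a big-endian 32-bit integer.
    fields["la_dotted"] = ".".join(str(b) for b in struct.pack("!I", fields["la"] & 0xFFFFFFFF))
    # Inference: "os" packs major.minor into one byte (97 = 0x61 -> 6.1, Windows 7).
    fields["os_version"] = f"{fields['os'] >> 4}.{fields['os'] & 0xF}"
    fields["rg_meaning"] = "administrator" if fields["rg"] else "limited user"
    fields["bb_meaning"] = "RU/UA/BL/KZ layout present" if fields["bb"] else "no such layout"
    return fields


# Constructed capture built from the sample values quoted in the analysis.
CAPTURED_BEACON = build_beacon(3088609340, 12385, 97, 167772687, 1, 0)

if __name__ == "__main__":
    print(build_beacon_body(3088609340, 12385, 97, 167772687, 1, 0))
    print(json.dumps(decode_beacon(CAPTURED_BEACON), indent=2))
```

For network detection the encryption defeats content matching, but the shape survives: a small HTTP POST with an opaque body, no Content-Type that matches the bytes, sent by msiexec.exe shortly after a burst of port-80 connections to microsoft.com, bing.com, google.com and yahoo.com (the IP-discovery step above) is a distinctive sequence. Once the key is known, `decode_beacon` also decodes server replies, so the command stream (download-and-run, install plug-in, update, delete plug-ins, delete) can be recovered from a packet capture.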
Plug-ins
The Trojan stores downloaded plug-ins, in encrypted form, in alternate data streams of the dropper file. The plug-ins are encrypted with the CRYPT32!CryptProtectData function and can therefore be decrypted only on the infected machine.