Installation
Trojans in the Win32/Sathurbot family are Dynamic Link Library (.dll) files that are injected into running processes to perform their malicious routines.
They are usually bundled with other third-party installers and keygens. They can also be downloaded from malicious or hacked websites, and through peer-to-peer file sharing applications.
We have seen variants bundled with installers and keygens using file names designed to look like legitimate programs. Some of the installers we have seen include:
- 64bit_vuex91.exe
- adobe.cs6.all.products.activator.(x32.y.x64)_up01-MPT.exe
- Awave Studio 10.6.exe
- codec.exe
- elfbowl.exe
- Flash Player 11.0.1.60 Beta 1 (IE).exe
- fo-gpp2.exe
- idman612b.exe
- IPNetCheckerSetup-x64.exe
- Joboshare iPhone Rip Setup.exe
- Keymaker.exe
- K-Lite Codec Pack 9.0.exe
- Mega Codec Pack 9.X.exe
- PATCH.exe
- Platinum Hide IP Setup.exe
- PowerISO5.exe
- SCANNER.EXE
- Setup.exe
- Setup.RemoteDesktopManager.6.1.7.0.exe
- Sknote KickHaas VST v1.09.exe
- sysrc.exe
- typing.master.pro.v7.0.1.763.exe
- uiso9_pe.exe
- Wedding Album Maker Gold 3.50 Portable Serial Key.exe
- WGA Patcher Cyclone 4.0 Setup.exe
- Windows 7 Anytime Upgrade Keygen.exe
- Windows.Loader.v2.1.3.exe
- winrar-32Bit.exe
- x264 Video Codecs XP-Win7.exe
- xf-adsk2013_xXX.exe
- Youtube Video Downloader PRO.exe
The installer could look like one of the following:
We have seen Win32/Sathurbot variants installed with the following file names and folders:
The trojans drop a malicious .dll and run it via rundll32.exe, using the following format:
Where <path> is the folder and file name the trojan was installed to.
They change the following registry entries:
In subkey: HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32
Sets value: "<default>"
With data: "<path>"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32
Sets value: "<default>"
With data: "<path>"
In subkey: HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}\InprocServer32
Sets value: "<default>"
With data: "<path>"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}\InprocServer32
Sets value: "<default>"
With data: "<path>"
In subkey: HKEY_CLASSES_ROOT\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32
Sets value: "<default>"
With data: "<path>"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32
Sets value: "<default>"
With data: "<path>"
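Because each of the keys above is the InprocServer32 entry of a COM class, any process that instantiates that class loads the DLL named in the default value. As an added defender-side example (not Microsoft's own tooling, and not code from the original entry), the following Python parses a .reg export of the CLSID hives and flags InprocServer32 default values that belong to the three CLSIDs listed above or that point outside the Windows and Program Files directories. It assumes the export was produced by reg export on a system whose system drive is C:; the sample export is constructed.

```python
import re

# CLSIDs whose InprocServer32 default value the page reports Sathurbot rewriting.
SATHURBOT_CLSIDS = {"{1EC23CFF-4C58-458F-924C-8519AEF61B32}",
                    "{B82655E9-B81D-4A97-8154-0D84A4C048E4}",
                    "{24808826-C2BF-4269-B3BA-89D1D5F431A4}"}
# Where a legitimate in-process COM server is normally loaded from (assumption: system drive is C:).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENV_EXPANSIONS = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<data>.*)"$')

def parse_reg_export(text):
    """Map each key in a .reg export to its (Default) string value, undoing .reg escaping."""
    values, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if key := KEY_RE.match(line):
            current = key.group("key")
        elif (default := DEFAULT_RE.match(line)) and current:
            values[current] = default.group("data").replace('\\"', '"').replace("\\\\", "\\")
    return values

def audit_inprocserver32(export_text):
    """Return (clsid, path, reasons) for each InprocServer32 default value that deserves a look."""
    findings = []
    for key, data in parse_reg_export(export_text).items():
        parts = key.split("\\")
        if len(parts) < 3 or parts[-1].lower() != "inprocserver32":
            continue
        clsid, reasons = parts[-2].upper(), []
        path = data.strip().strip('"').lower()
        for var, expansion in ENV_EXPANSIONS.items():  # expand the variables usual in this value
            path = path.replace(var, expansion)
        if clsid in SATHURBOT_CLSIDS:
            reasons.append("known-sathurbot-clsid")
        # A bare file name resolves via the loader search order; only full paths are classified here.
        if "\\" in path and not path.startswith(TRUSTED_PREFIXES):
            reasons.append("untrusted-path")
        if reasons:
            findings.append((clsid, path, reasons))
    return findings

# Constructed sample export (not a real capture): one hijacked key and one benign system DLL.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32]
@="C:\\Users\\Public\\dropped_example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="%SystemRoot%\\system32\\benign_example.dll"
"""
```

Running audit_inprocserver32 over SAMPLE_EXPORT reports only the hijacked key; the same function can be pointed at an export of HKEY_CLASSES_ROOT\CLSID to sweep every registered in-process server on a host.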
Win32/Sathurbot is injected into any of the following processes:
- explorer.exe
- explorer64.exe
- regsvr32.exe
- regsvr64.exe
- rundll32.exe
Payload
Contacts a remote server and opens a backdoor
We have seen variants in this family contact a remote server for a possible backdoor routine.
The server contacted varies between samples, but we have seen variants use the following servers:
- aerofix.eu
- cuptstech.eu
- djigurda.eu
- hujpizda.eu
- inuxland.eu
- prosmartraff.eu
- qwertytraff.org
The backdoor can allow a hacker to perform the following actions on your PC:
- Run files
- Update the copy of the trojan
- Get information about your PC
Makes changes to security settings
Win32/Sathurbot can add itself to your firewall exception list.
We have also seen variants stop the following security programs and services from running:
- MpsSvc
- msascui.exe
- MSC
- MsMpSvc
- msseces.exe
- SharedAccess
- WinDefend
- Windows Defender
- wscsvc
- wuauserv
Downloads other malware
Win32/Sathurbot variants can act as a peer-to-peer client.
They may do this to communicate with the command and control server as part of their backdoor payload.
Analysis by Ric Robielos