Threat behavior
Backdoor:MSIL/Twoeebot.A is a detection for a malware generator and editor used to create a bot server. The bot server retrieves commands from posts in specified Twitter accounts.
Backdoor:MSIL/Twoeebot.A usually arrives in the system using the following file name:
It displays the following interface upon execution:
It creates the server component using the Twitter username (for the TwitterUsername field) and the template file named "Stub.exe", which is detected as Backdoor:MSIL/Twoeebot.B. When the Build button is pressed, the generator creates the output file "TwitterNET.exe", which is also detected as Backdoor:MSIL/Twoeebot.B.
The output file monitors the specified Twitter account page for specific posts, which act as commands from a remote attacker. The following actions may be performed by the attacker:
- Download and execute file
- Perform distributed denial of service (DDoS) attacks
- Visit specified webpages
- Remove itself
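Because the server component repeatedly reads one specified Twitter account page to pick up its commands, an infected host tends to show up in proxy logs as a single client fetching the same twitter.com user page on a fixed cadence. The script below is an added example written for this entry, not code from Microsoft or from the malware; it scans constructed proxy log lines (the client addresses, timestamps and account names are placeholders, not indicators from the page) and flags client/page pairs whose request intervals are near-constant.

```python
"""Flag clients that poll a single Twitter account page at a regular interval.

Added example, not part of the encyclopedia entry. The log format
"<ISO timestamp> <client> <method> <url>" and every value in SAMPLE_LOG
are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample proxy log. 10.0.0.5 fetches one account page every 30 s
# (machine-like polling); 10.0.0.9 browses several accounts at irregular times.
SAMPLE_LOG = """\
2012-03-01T10:00:00 10.0.0.5 GET http://twitter.com/placeholder_account
2012-03-01T10:00:30 10.0.0.5 GET http://twitter.com/placeholder_account
2012-03-01T10:01:00 10.0.0.5 GET http://twitter.com/placeholder_account
2012-03-01T10:01:30 10.0.0.5 GET http://twitter.com/placeholder_account
2012-03-01T10:02:00 10.0.0.5 GET http://twitter.com/placeholder_account
2012-03-01T10:00:12 10.0.0.9 GET http://twitter.com/some_news_account
2012-03-01T10:07:41 10.0.0.9 GET http://twitter.com/other_account
2012-03-01T10:21:05 10.0.0.9 GET http://twitter.com/some_news_account
2012-03-01T10:55:59 10.0.0.9 GET http://twitter.com/third_account
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, url) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, _method, url = m.groups()
        yield datetime.fromisoformat(ts), client, url


def is_twitter_user_page(url):
    """True when the URL is a twitter.com account page (exactly one path segment)."""
    p = urlparse(url)
    if p.netloc.lower() not in ("twitter.com", "www.twitter.com"):
        return False
    segments = [s for s in p.path.split("/") if s]
    return len(segments) == 1


def find_polling_clients(text, min_requests=4, max_cv=0.2):
    """Return {(client, url): mean_gap_seconds} for client/page pairs whose
    consecutive request gaps are near-constant.

    cv = stdev / mean of the gaps; a small cv means a timer, not a person.
    """
    stamps_by_key = defaultdict(list)
    for ts, client, url in parse_log(text):
        if is_twitter_user_page(url):
            stamps_by_key[(client, url)].append(ts)

    hits = {}
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing meaningful to measure
        if pstdev(gaps) / avg <= max_cv:
            hits[key] = avg
    return hits


if __name__ == "__main__":
    for (client, url), gap in find_polling_clients(SAMPLE_LOG).items():
        print(f"{client} polls {url} every ~{gap:.0f}s")
```

Thresholds such as `min_requests` and `max_cv` are assumptions for the sample data; on a real proxy feed, tune them against a baseline of normal browsing and treat a hit as a lead to confirm on the host (for example by checking which process owns the connections), not as a verdict on its own.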
Analysis by Elda Dimakiling
Prevention