Arrival and Installation
This backdoor employs a number of social engineering lures, including pretending to be installers or updates to popular applications:
- chrome_update.exe
- chrome_plugin_netinstall.exe
- fp_setup.exe
- shockwave_setup_winax.exe
- zerno.exe (fake Adobe Flash Player)
We've observed this backdoor being downloaded from the following domains:
When executed, this backdoor drops the following file:
Payload
Connects to Command-and-control (C&C) server
This backdoor connects to the following C&C to download a file:
hxxp: // rozhlas . site / news / business / release.bin
The said C&C is inaccessible as of this writing.
Gathers information about infected PC
This backdoor gathers information from the infected PC and attempts to send it to the same C&C:
hxxp: // rozhlas . site / news / business / release.bin
It checks running processes against a hardcoded list of banking-related process names:
| _ClientBank.exe | CliBank.exe | GPBClient.exe | productprototype.exe |
| _ftcgpk.exe | CliBankOnlineEn.exe | GpbClientSftcws.exe | quickpay.exe |
| ADirect.exe | CliBankOnlineRu.exe | ibconsole.exe | rclaunch.exe |
| ant.exe | CliBankOnlineUa.exe | IbcRemote31.exe | rclient.exe |
| arm.exe | client.exe | icb_c.exe | retail.exe |
| arm_mt.exe | client2.exe | ICLTransportSystem.exe | retail32.exe |
| ARMSH95.EXE | Client2008.exe | IMBLink32.exe | RkcLoader.exe |
| asbank_lite.exe | Client32.exe | intpro.exe | rmclient.exe |
| bank.exe | client6.exe | ip-client.exe | Run.exe |
| bank32.exe | clientbk.exe | iscc.exe | saclient.exe |
| BankCl.exe | CLMAIN.exe | ISClient.exe | scardsvr.exe |
| Bankline.EXE | clntstr.exe | kabinet.exe | SGBClient.ex |
| bbclient.exe | clntw32.exe | kb_cli.exe | SGBClient.exe |
| bbms.exe | cncclient.exe | KLBS.exe | srcbclient.exe |
| bc.exe | contactng.exe | KlientBnk.exe | SRCLBClient.exe |
| BC_Loader.exe | Core.exe | lfcpaymentais.exe | SrCLBStart.exe |
| BClient.exe | cshell.exe | loadmain.exe | sx_Doc_ni.exe |
| bk.exe | cws.exe | lpbos.exe | translink.exe |
| BK_KW32.EXE | cyberterm.exe | mebiusbankxp.exe | twawebclient.exe |
| bnk.exe | dsstart.exe | mmbank.exe | unistream.exe |
| CB.exe | dtpaydesk.exe | MWClient32.exe | UpMaster.exe |
| cb193w.exe | eelclnt.exe | ONCBCLI.exe | Upp_4.exe |
| cbank.exe | el_cli.exe | pcbank.exe | uralprom.exe |
| cbmain.ex | elbank.exe | pinpayr.exe | vegaClient.exe |
| CbShell.exe | etprops.exe | Pionner.exe | w32mkde.exe |
| cbsmain.dll | eTSrv.exe | pkimonitor.exe | wclnt.exe |
| CBSMAIN.exe | EximClient.exe | pmodule.exe | wfinist.exe |
| CL_1070002.exe | fcclient.exe | pn.exe | winpost.exe |
| clb.exe | FColseOW.exe | postmove.exe | wupostagent.exe |
| CLBANK.EXE | GeminiClientStation.exe | prclient.exe | Zvit1DF.exe |
| CLBank3.exe | | | |
It checks if the following folder patterns exist in %PROFILE%, %APPDATA%, %PROGRAMFILES%, and %SYSTEMDRIVE%:
- *gpb,inist,mdm,bifit,Aladdin,Amicon,*bss,Signal-COM,iBank2,*\bc.exe,*\*\intpro.exe,*cft,agava,*R-Style,*AKB Perm
- *ELBA,*ELBRUS
- *SFT,*Agava,*Clnt,*CLUNION.0QT,*5NT,*BS,*ELBA,*Bank,ICB_C,*sped,*gpb0
It also checks your browsing history in Firefox, Chrome, and Opera for the following string patterns:
- *ICPortalSSL*
- *isfront.priovtb.com*
- *ISAPIgate.dll*
- *bsi.dll*
- *PortalSSL*
- *IIS-Gate.dll*
- *beta.mcb.ru*
- *ibank*
- *ibrs*
- *iclient*
- *e-plat.mdmbank.com*
- *sberweb.zubsb.ru*
- *ibc*
- *elbrus*
- *i-elba*
- *clbank.minbank.ru*
- *chelindbank.ru/online/*
- *uwagb*
- *wwwbank*
- *dbo*
- *ib.*
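The three reconnaissance checks described above (running processes, folder patterns under the profile and program directories, and browser-history URL patterns), re-implemented as a host-triage script. This is an added example for analysts, not code from the original analysis or from the backdoor itself. It assumes the page's wildcards behave as case-insensitive globs in which `*` also matches backslashes, it abridges the process list to a few entries from the table, and it runs on constructed sample host data rather than on live telemetry.

```python
"""
Added example, not code from the original analysis: re-implements the
backdoor's three reconnaissance checks (running processes, folder patterns,
browser history) as a host-triage function so an analyst can see what makes
a machine "interesting" to it. The pattern lists are taken from the page
(process names abridged); the host data below is constructed sample input.
Assumption: the page's wildcards behave like case-insensitive globs where
'*' matches anything, including backslashes.
"""
import fnmatch
from typing import Dict, Iterable, List

# Excerpt of the hardcoded process list (see the full table in the analysis).
BANKING_PROCESSES = [
    "_ClientBank.exe", "CliBank.exe", "CliBankOnlineRu.exe", "GPBClient.exe",
    "bc.exe", "intpro.exe", "ibconsole.exe", "ISClient.exe", "KlientBnk.exe",
    "cyberterm.exe", "unistream.exe", "Zvit1DF.exe",
]

# Folder patterns checked under %PROFILE%, %APPDATA%, %PROGRAMFILES%, %SYSTEMDRIVE%.
FOLDER_PATTERNS = [
    "*gpb", "inist", "mdm", "bifit", "Aladdin", "Amicon", "*bss", "Signal-COM",
    "iBank2", r"*\bc.exe", r"*\*\intpro.exe", "*cft", "agava", "*R-Style",
    "*AKB Perm", "*ELBA", "*ELBRUS", "*SFT", "*Agava", "*Clnt", "*CLUNION.0QT",
    "*5NT", "*BS", "*Bank", "ICB_C", "*sped", "*gpb0",
]

# URL patterns checked against Firefox, Chrome and Opera history.
HISTORY_PATTERNS = [
    "*ICPortalSSL*", "*isfront.priovtb.com*", "*ISAPIgate.dll*", "*bsi.dll*",
    "*PortalSSL*", "*IIS-Gate.dll*", "*beta.mcb.ru*", "*ibank*", "*ibrs*",
    "*iclient*", "*e-plat.mdmbank.com*", "*sberweb.zubsb.ru*", "*ibc*",
    "*elbrus*", "*i-elba*", "*clbank.minbank.ru*", "*chelindbank.ru/online/*",
    "*uwagb*", "*wwwbank*", "*dbo*", "*ib.*",
]


def glob_matches(value: str, patterns: Iterable[str]) -> List[str]:
    """Return every pattern that matches value, case-insensitively."""
    v = value.lower()
    return [p for p in patterns if fnmatch.fnmatchcase(v, p.lower())]


def check_processes(running: Iterable[str]) -> List[str]:
    """Process names are compared exactly (ignoring case), not as globs."""
    targets = {p.lower() for p in BANKING_PROCESSES}
    return sorted({name for name in running if name.lower() in targets})


def check_folders(roots: Dict[str, Iterable[str]]) -> List[str]:
    """roots maps an environment-variable root (e.g. '%APPDATA%') to the
    relative paths found beneath it, at most two levels deep because the
    deepest pattern is *\\*\\intpro.exe. Patterns containing a backslash are
    matched against the relative path; bare patterns against the entry name."""
    hits: List[str] = []
    for root, entries in roots.items():
        for rel in entries:
            name = rel.rsplit("\\", 1)[-1]
            for pat in FOLDER_PATTERNS:
                subject = rel if "\\" in pat else name
                if fnmatch.fnmatchcase(subject.lower(), pat.lower()):
                    hits.append(f"{root}\\{rel} ~ {pat}")
    return hits


def check_history(urls: Iterable[str]) -> Dict[str, List[str]]:
    """Map each visited URL to the history patterns it triggers."""
    hits: Dict[str, List[str]] = {}
    for url in urls:
        matched = glob_matches(url, HISTORY_PATTERNS)
        if matched:
            hits[url] = matched
    return hits


def triage_host(running: Iterable[str], roots: Dict[str, Iterable[str]],
                urls: Iterable[str]) -> Dict[str, object]:
    """Combine the three checks: any hit at all makes the host worth
    reporting to the C&C from the backdoor's point of view."""
    report: Dict[str, object] = {
        "processes": check_processes(running),
        "folders": check_folders(roots),
        "history": check_history(urls),
    }
    report["interesting"] = any(bool(v) for v in report.values())
    return report


# Constructed sample host: one banking client running, a few vendor folders,
# and a browsing history that includes a benign false positive for *dbo*.
SAMPLE_PROCESSES = ["explorer.exe", "chrome.exe", "CliBank.exe", "clibankonlineru.exe"]
SAMPLE_ROOTS = {
    "%APPDATA%": ["Mozilla", "iBank2", "Signal-COM"],
    "%PROGRAMFILES%": ["Google", "Amicon", "BSS", r"RClient\bc.exe", r"BSS\CLTSYS\intpro.exe"],
    "%SYSTEMDRIVE%": ["Windows", "Users"],
}
SAMPLE_HISTORY = [
    "https://www.example.com/",
    "https://e-plat.mdmbank.com/portal",
    "https://ib.examplebank.ru/login",
    "https://forum.example.org/sandbox.php",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage_host(SAMPLE_PROCESSES, SAMPLE_ROOTS, SAMPLE_HISTORY), indent=2))
```

Two things worth noticing when running this. Several of the history patterns are very broad: `*dbo*` fires on the constructed `sandbox.php` URL and `*ib.*` on any host starting with `ib.`, so the backdoor's own list over-reports and should not be copied verbatim into a detection rule. The folder and process lists, on the other hand, are specific enough to tell you what the operators are profiling (Russian and Ukrainian client-bank software), which is the useful hunting input: hosts where these artefacts exist are the ones this backdoor would have flagged to its C&C.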
With this information gathered, it then attempts to send it to the C&C.
As the C&C is inaccessible, we were not able to observe the subsequent behavior. However, based on this backdoor's code, when it receives a reply from the C&C, it performs the following:
- Saves the C&C reply (the payload) as a file and decrypts it
- Launches a command prompt that waits briefly and then deletes the backdoor's own executable
- Runs the downloaded malware