Installation
This threat can arrive as a DLL component installed by TrojanDropper:Win32/Warood.A. We have seen the following file names in the wild:
The trojan might be installed in the %SystemRoot% or %TEMP% directories. However, it can also be run from memory, in which case it deletes any files it has used, so there may be no obvious trace of the trojan on your PC.
It might also masquerade as svchost.exe (a legitimate Windows file).
This backdoor trojan is installed and runs as a service.
It begins with a call to WSAStartup() and creates an event named rawdoor through a call to CreateEvent(); the event ensures the server thread starts before the remote client thread sends a request.
The threat can then start receiving commands from a remote attacker. During this session, the backdoor can record the time it was last accessed and can be sent to sleep.
It will attempt to create a file called debug.dat in the %SystemRoot% directory to store temporary information.
It ensures that its remote shell activity passes through the firewall. First it checks the OS version: if dwMajorVersion is below 6, it adds a firewall rule named "Core Networking - IPv4"; otherwise, it enables the backdoor to open a port using the TCP and UDP protocols.
The remote attacker can make the threat delete the firewall rule it created when they close the connection.
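The firewall rule name above is a host artifact a responder can look for. The following script is an added example, not part of this analysis: it parses the text produced by "netsh advfirewall firewall show rule name=all" and flags any rule whose name matches the one the backdoor creates. The netsh output embedded below is constructed for the example, and the observation that Windows' built-in Core Networking rules carry a "Grouping" value while this rule has none is a heuristic assumed here, not something the analysis states.

```python
"""Triage Windows firewall rules for the name used by this backdoor.

Added example: parses 'netsh advfirewall firewall show rule name=all'
output (constructed sample below) and reports matching rules.
"""
from typing import Dict, List

# Rule name reported in the analysis of the backdoor.
SUSPECT_RULE_NAME = "Core Networking - IPv4"

# Constructed sample of netsh output; not captured from a real host.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Core Networking - IPv4
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
"""


def parse_netsh_rules(text: str) -> List[Dict[str, str]]:
    """Turn netsh's 'Key: value' blocks into one dict per rule."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue  # blank separator or dashed underline
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current:
            current[key] = value
    return rules


def suspicious_rules(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rules carrying the backdoor's rule name.

    Assumed heuristic: built-in Core Networking rules have a Grouping,
    so a same-named rule with an empty Grouping is extra suspicious.
    """
    hits = []
    for rule in rules:
        if rule.get("Rule Name") == SUSPECT_RULE_NAME:
            rule["Suspicion"] = ("high" if not rule.get("Grouping")
                                 else "medium")
            hits.append(rule)
    return hits


if __name__ == "__main__":
    for hit in suspicious_rules(parse_netsh_rules(SAMPLE_NETSH_OUTPUT)):
        print(hit["Rule Name"], hit["Protocol"], hit["Direction"],
              "suspicion:", hit["Suspicion"])
```

On a live host, feed the function the real netsh output instead of the sample; a rule with this name and an Allow action that no administrator recognises should be treated as an indicator and the host examined for the service and registry artifacts described in this analysis.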
The malware creates a registry entry based on the name of the service it creates. For example, we've seen the following subkeys created by the malware:
In subkey: HKLM\Software\Clients\Netrau or HKCU\Software\Clients\Netrau
In subkey: HKLM\Software\Clients\Netraw or HKLM\Software\Clients\Netraw
It then sets the following values for the subkey:
Sets value: "EnabledWeb"
With data: "<location of the malware>", for example "EXAMPLE"
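The Netrau/Netraw subkeys and the EnabledWeb value give a defender a concrete registry indicator. The script below is an added example, not part of this analysis: it parses a registry export in the .reg text format (the constructed sample is embedded inline) and reports any of the listed subkeys that carry an EnabledWeb value, together with the file path stored in it, which is the location of the malware according to the analysis. The sample paths are invented for the example.

```python
"""Find this backdoor's registry artifacts in a .reg export.

Added example. Parses the 'Windows Registry Editor Version 5.00'
text format and matches the subkeys named in the analysis.
"""
import re
from typing import Dict, List, Tuple

# Subkeys reported in the analysis (either hive, either spelling).
SUSPECT_SUBKEY = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKLM|HKEY_CURRENT_USER|HKCU)"
    r"\\Software\\Clients\\Netra[uw]$",
    re.IGNORECASE,
)
SUSPECT_VALUE = "EnabledWeb"

# Constructed sample export; the paths are invented.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail]
"Default"="Outlook"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Netraw]
"EnabledWeb"="C:\\Windows\\svchost.exe"

[HKEY_CURRENT_USER\Software\Clients\Netrau]
"EnabledWeb"="C:\\Users\\victim\\AppData\\Local\\Temp\\update.dll"
"""

# "name"="string data"; REG_SZ only, which is what EnabledWeb holds.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {subkey: {value_name: data}} for string values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                # .reg files escape backslashes and quotes; undo that.
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][m.group(1)] = data
    return keys


def find_backdoor_keys(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (subkey, malware location) pairs matching the analysis."""
    findings = []
    for subkey, values in keys.items():
        if SUSPECT_SUBKEY.match(subkey) and SUSPECT_VALUE in values:
            findings.append((subkey, values[SUSPECT_VALUE]))
    return findings


if __name__ == "__main__":
    for subkey, location in find_backdoor_keys(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{subkey} -> {SUSPECT_VALUE} = {location}")
```

Exporting the two Clients keys with "reg export" and running this over the result is enough to confirm or rule out the artifact; the recovered path is what to submit for scanning, bearing in mind that the file may already have been deleted if the trojan ran from memory.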
Payload
Allows remote access and control of your PC (backdoor functionality)
This backdoor trojan is a 64-bit DLL file. It allows a remote malicious hacker to:
- Open and run a cmdshell
- Open and run a Windows PowerShell session
- Run a backdoor-specific command (referred to as selfcmd).
- Uninstall (remove or delete) the backdoor's installer.
- Hide traces of the backdoor's installation, including any injected DLL and its module.
- Open, stop, delete, and register a service.
- Save and restore a registry key. It may create and delete a file ~DFREG<time file is created>.tmp in the %TEMP% directory, which contains temporarily stored information.
- Update the backdoor trojan.
- Collect installation information about the threat and the infected operating system.
Collects and sends information
The threat can collect and send the following information:
- Computer name
- Installation time
- Installation service name
- Installation file name with full path
The backdoor is password protected, which means only a specific remote user or attacker can access the infected PC.
The selfcmd feature provides the following commands, with their descriptions:
- DIR - show files and directories. It can execute within connected drives, as described by its usage: DIR [drive:][path][filename].
- CD - change directory. It can execute within connected drives, as described by its usage: CD [drive:][path].
- DEL - delete files. It can execute within connected drives, as described by its usage: DEL [drive:][path].
- TASKLIST - list processes. It takes the following parameters:
  - -l - process name
  - -s - process full path
  - -a - details such as process ID (PID), SessionID, Priority, Username, and ProcessName
- DOWNLOAD - download a file. The backdoor code provides an example of downloading a file from a server to a local directory on the PC.
- START - run an application. The backdoor code contains an example of running an executable file in a local directory.
- HELP - display descriptions and command usage.
The backdoor sends reports to the remote attacker about failures related to its activities. Some of these failures include:
- Failure to download a file from the Internet.
- Failure to run an application.
- Failure to create or execute a shell.
- Failure to create a pipe shell.
- Failure to read a shell session.
- Failure to create a PowerShell process.
- Failure to create the console screen buffer.
- Failure to write data to the console input buffer.
Uses HTTP GET requests
The backdoor sends an HTTP GET request with the user-agent string WinInetGet/0.1. This activity can indicate any of the following:
- HTTP access for language translation.
- Download and run a backdoor update. The downloaded file is temporarily stored in the %TEMP% directory, with the file name tmp<strings>.exe. The variable <strings> could be any string of characters.
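The fixed user-agent string is the network indicator most easily checked from a proxy or web gateway. The script below is an added example, not part of this analysis: it runs over proxy log lines (a constructed tab-separated sample is embedded, since log formats vary) and reports every request carrying the WinInetGet/0.1 user-agent, marking those that fetch an executable as a possible backdoor update. The client addresses and URLs in the sample are invented.

```python
"""Flag proxy requests that carry this backdoor's user-agent string.

Added example. The log format (tab-separated: time, client, method,
URL, status, user-agent) and all sample lines are constructed.
"""
from typing import Dict, List, Tuple

# User-agent string reported in the analysis.
BACKDOOR_USER_AGENT = "WinInetGet/0.1"

# Constructed proxy log; addresses and hosts are invented.
SAMPLE_PROXY_LOG = """\
2013-05-01T10:00:01Z\t10.0.0.5\tGET\thttp://example.com/index.html\t200\tMozilla/5.0 (Windows NT 6.1; WOW64)
2013-05-01T10:00:07Z\t10.0.0.9\tGET\thttp://translate.example.net/api?q=hello\t200\tWinInetGet/0.1
2013-05-01T10:00:09Z\t10.0.0.9\tGET\thttp://files.example.org/upd/tmp4a1b.exe\t200\tWinInetGet/0.1
2013-05-01T10:00:12Z\t10.0.0.7\tGET\thttp://example.com/logo.png\t200\tcurl/7.29.0
"""


def parse_proxy_log(text: str) -> List[Dict[str, str]]:
    """Split each well-formed line into a record; skip malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        ts, client, method, url, status, ua = parts
        records.append({"time": ts, "client": client, "method": method,
                        "url": url, "status": status, "user_agent": ua})
    return records


def detect_backdoor_http(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (client, url, reason) for requests with the backdoor user-agent."""
    hits = []
    for r in records:
        if r["user_agent"] != BACKDOOR_USER_AGENT:
            continue
        reason = "backdoor user-agent"
        # The analysis says updates are downloaded and run; an .exe
        # fetched with this user-agent is the strongest signal.
        if r["url"].split("?", 1)[0].lower().endswith(".exe"):
            reason += "; executable download (possible backdoor update)"
        hits.append((r["client"], r["url"], reason))
    return hits


def clients_to_examine(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Distinct client addresses that produced hits, for host triage."""
    return sorted({client for client, _, _ in hits})


if __name__ == "__main__":
    found = detect_backdoor_http(parse_proxy_log(SAMPLE_PROXY_LOG))
    for client, url, reason in found:
        print(client, url, reason)
    print("hosts to examine:", clients_to_examine(found))
```

Because the analysis gives the user-agent as an exact string, the comparison is exact rather than a substring match; if a proxy normalises or truncates user-agents, loosen the check accordingly and review the hits by hand.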
Analysis by Methusela Cebrian Ferrer