Trojan:Win32/Barlaiy.A!dha

Installation

This trojan is dropped by another threat as the following file:

%APPDATA% \nx00615.ttf

It may have random hash value because the dropper, detected as TrojanDropper:Win32/Barlaiy.A!dha, appends a large amount of randomly generated data at the end of the DLL file before dropping it.

It is excecuted by the dropper Trojan using the legitimate Windows program rundll32.exe and by calling one of its export functions:

%SystemRoot% \system32\rundll32.exe %APPDATA%\nx00615.ttf, DisPlay 64

Upon execution, it deletes the dropper file.

It creates the following registry entries so that it executes at every startup:

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "nxdisp"
With data: "rundll32.exe %APPDATA%\nx00615.ttf, DisPlay 64"

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "nxdisp"
With data: "rundll32.exe %APPDATA%\nx00615.ttf, DisPlay 64"

This trojan also contains code to register a window class and create a window with the following name:

TestWClass

It uses the created window as a mechanism to communicate with its other components.

Payload

Connects to multiples websites in stages

This trojan connects to an attacker-controlled forum, blog, or profile webpage on legitimate websites in order to retrieve embedded information about command-and-control (C&C) to be used in the next stage. The C&C information is in encoded form.

This behavior makes this threat a multi-stage remote access trojan. The technique, sometimes referred to as "dead drop resolver technique", is used by malware authors to make the initial network activity look like legitimate network traffic. This technique is also used to hide the actual C&C address in a webpage controlled by the attacker. This means that the attacker can update the C&C address anytime.

It then attempts to establish connection with the C&C node.

Additional information

This trojan creates the following mutex in order to make sure that only one instance is running on your PC:

win32_event_x86

Certain versions of this trojan also evades analysis by detecting tools such as resource monitors and debuggers, including:

• FileMon
• Immunity Debugger
• OllyDbg
• Process Monitor
• RegMon
• SoftICE Debugger
• WinDbg

When it detects that these tools are present, it stops running. 

Analysis by Ramin Nafisi