Win32/Bedep

Installation

This malware family is made up of DLLs that are known to be loaded by the Angler Exploit Kit (detected as Exploit:JS/Axpergle). 

They can sometimes be installed without creating any files by being loaded directly in memory by the exploit shellcode. They can also be written to disk as a 32-bit DLL (Backdoor:Win32/Bedep.A) or 64-bit DLL (Backdoor:Win64/Bedep.A). The DLL type depends on your version of Windows.

We have seen Bedep variants installed as:

• %ProgramData% \<GUID>\<file name>.dll, for example %ProgramData%\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll

They can also create the following registry entries:

In subkey: HKEY_CURRENT_USER\CLSID\%Random CLSID%\InprocServer32

Sets value: "ThreadingModel"
With data: "Apartment"

Sets value: "(Default)"
With data: "%Bedep File name%", for example "%ProgramData%\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\acledit.dll"

In subkey: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\%Random CLSID%
Sets value: "DriveMask"
With data: dword:ffffffff

Variants can use these registry entries to launch explorer.exe and inject malicious code into it.

Payload

Connects to a remote server

Bedep variants can connect to a command and control server using HTTP POST on port 443. Once connected they can be instructed to:

• Download other malware
• Collect information about your PC
• Update themselves

We have seen these threats connect to the following domains:

• aohevoloaozrkak10.com
• avuoujqzkfqimp.com
• blrndbpidwnxbgj.com
• dkatcqflcaqlumcxhd.com
• dsricnohtnwbium.com
• dsricnohtnwbium.com
• emxgyboesbodszr6t.com
• emxgyboesbodszr6t.com
• ewhvktipgdwdhcxfv.com
• ewhvktipgdwdhcxfv.com
• exrhmkumgbuhq2g.com
• favtcihswsqly.com
• ggtjcszgresakw.com
• hgfmdwdqutcwqlc.com
• hnrmdcvwza0m.com
• hppzynkovgjpth.com
• hppzynkovgjpth.com
• iqeuldlijtnnff.com
• iwgqqmayowal.com
• iwgqqmayowal.com
• iyoxkwiwdvt6a.com
• ndkcrwdfocxogjfxod.com
• npbwstpnlqnrejm.com
• npbwstpnlqnrejm.com
• oyrqilsgusdcdvc4.com
• oyrqilsgusdcdvc4.com
• plwqwnzyigp7h.com
• plwqwnzyigp7h.com
• qibbfusbruoixkk.com
• qysbxunmocpablwqmc.com
• ynecbggcxu4x.com
• ynecbggcxu4x.com
• yrmbqqncmsevoxnoh.com

Downloads other malware

We have seen Bedep variants download other malware, including variants from the following malware families:

• Dofoil
• Ursnif
• Zemot
• Fareit

The downloaded files can be installed and run as:

• <commonappdata> \Windows Genuine Advantage\<GUID>\msiexec.exe, for example <commonappdata>\Windows Genuine Advantage\{928C853C-BDFF-4BC7-99C1-E7E71BF13117}\msiexec.exe
• %windir% \Installer\<GUID>\msiexec.exe, for example %windir%\Installer\{65AD4B7E-2946-48AF-B4AC-551395548435}\msiexec.exe

Analysis by Jonathan San Jose