Installation
This malware family is made up of DLLs that are known to be loaded by the Angler Exploit Kit (detected as Exploit:JS/Axpergle).
They can sometimes be installed without creating any files, being loaded directly into memory by the exploit shellcode. They can also be written to disk as a 32-bit DLL (Backdoor:Win32/Bedep.A) or a 64-bit DLL (Backdoor:Win64/Bedep.A), depending on whether your version of Windows is 32-bit or 64-bit.
We have seen Bedep variants installed as:
They can also create the following registry entries:
In subkey: HKEY_CURRENT_USER\CLSID\%Random CLSID%\InprocServer32
Sets value: "ThreadingModel"
With data: "Apartment"
Sets value: "(Default)"
With data: "%Bedep File name%", for example "%ProgramData%\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll"
In subkey: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\%Random CLSID%
Sets value: "DriveMask"
With data: dword:ffffffff
Variants can use these registry entries to launch explorer.exe and inject malicious code into it.
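As an added defender-side example (not part of the original analysis), the following Python script triages a registry export for the two entries described above: a per-user CLSID whose InprocServer32 default value names the DLL, paired with a Drive\ShellEx\FolderExtensions entry for the same CLSID with DriveMask ffffffff. The sample export, the function names and the relaxed CLSID key path are constructed assumptions.

```python
import re

# Constructed sample in `reg export` (.reg) format; not taken from a real host. It holds the
# two Bedep-style entries described above plus one ordinary shell-extension registration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\CLSID\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\InprocServer32]
@="C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\acledit.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}]
"DriveMask"=dword:ffffffff

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\shellext.dll"
"ThreadingModel"="Apartment"
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Key paths as given in the entry above; the optional middle segment (e.g. Software\Classes\)
# is an assumption so the check also covers the usual location of per-user CLSID registrations.
INPROC_RE = re.compile(r"^HKEY_CURRENT_USER\\(?:.*\\)?CLSID\\(" + GUID + r")\\InprocServer32$", re.I)
FOLDEREXT_RE = re.compile(r"^HKEY_CURRENT_USER\\Drive\\ShellEx\\FolderExtensions\\(" + GUID + r")$", re.I)


def parse_reg(text):
    """Minimal .reg reader: {key path: {value name: data}}; '@' is the (Default) value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys


def find_bedep_persistence(keys):
    """Return {CLSID: DLL path} for CLSIDs that have both halves of the persistence pattern."""
    inproc, folderext = {}, set()
    for key, values in keys.items():
        m = INPROC_RE.match(key)
        if m and values.get("ThreadingModel") == "Apartment":
            inproc[m.group(1).upper()] = values.get("(Default)", "")
        m = FOLDEREXT_RE.match(key)
        if m and values.get("DriveMask", "").lower() == "dword:ffffffff":
            folderext.add(m.group(1).upper())
    return {clsid: dll for clsid, dll in inproc.items() if clsid in folderext}
```

Run `find_bedep_persistence(parse_reg(open("hkcu.reg").read()))` on a real `reg export HKCU` file; only CLSIDs that appear in both locations are reported, so the ordinary shell extension in the sample is not flagged.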
Payload
Connects to a remote server
Bedep variants can connect to a command and control server using HTTP POST on port 443. Once connected they can be instructed to:
- Download other malware
- Collect information about your PC
- Update themselves
We have seen these threats connect to a number of command and control domains.
Downloads other malware
We have seen Bedep variants download other malware, including variants from the following malware families:
The downloaded files can be installed and run as:
- <commonappdata>\Windows Genuine Advantage\<GUID>\msiexec.exe, for example <commonappdata>\Windows Genuine Advantage\{928C853C-BDFF-4BC7-99C1-E7E71BF13117}\msiexec.exe
- %windir%\Installer\<GUID>\msiexec.exe, for example %windir%\Installer\{65AD4B7E-2946-48AF-B4AC-551395548435}\msiexec.exe
Analysis by Jonathan San Jose