Backdoor Uses Legit Video App

Monday, July 17, 2017 @ 12:07 PM gHale


There is a new backdoor that can video record victims’ actions, researchers said.

The malware, Backdoor.DuBled, is written in .NET and is distributed via a JS file carrying an executable that installs itself under a random name, said researchers at Malwarebytes. “There is a growing trend among malware authors to incorporate legitimate applications in their malicious package,” the researchers said. “This time, we analyzed a malware downloading a legitimate ffmpeg.”


To achieve persistence, the threat uses a run key, while also dropping a copy of itself in the startup folder.

The threat downloads the legitimate applications Rar.exe and ffmpeg.exe, along with related DLLs (DShowNet.dll and DirectX.Capture.dll) and uses them for its own application, researchers said in a post.

FFmpeg is a “complete, cross-platform solution to record, convert and stream audio and video.”

While running, the malware writes unencrypted .tmp files to its installation folder that contain captured keystrokes and a log of the running applications. It was also observed closing and deleting some applications on the compromised machine.
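As an added illustration from the defender's side (not code from the article or from Malwarebytes), this Python check looks for the combination of artifacts described above: the installer under a random name, a Run-key entry and Startup-folder copy pointing at it, the legitimate ffmpeg/Rar/capture DLLs sitting in its folder, and unencrypted .tmp logs. The directory layout, file contents and Run-key value it builds are constructed placeholders, and the Run-key values are passed in as a dict so the check runs offline on any OS.

```python
import tempfile
from pathlib import Path

# Legitimate helpers the article says the backdoor pulls into its own folder.
CAPTURE_HELPERS = {"ffmpeg.exe", "rar.exe", "dshownet.dll", "directx.capture.dll"}


def is_plaintext(data):
    """True if a .tmp file reads as unencrypted text (the keystroke/process logs)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def hunt(install_dir, run_values, startup_dir):
    """Return the sorted list of article-described indicators found.
    run_values: {value_name: command_line}, e.g. exported from the Run key."""
    install_dir, startup_dir = Path(install_dir), Path(startup_dir)
    files = {p.name.lower(): p for p in install_dir.iterdir() if p.is_file()}
    hits = []
    helpers = set(files) & CAPTURE_HELPERS
    if "ffmpeg.exe" in helpers and len(helpers) >= 3:
        hits.append("capture_helpers_in_install_dir")
    if any(n.endswith(".tmp") and is_plaintext(p.read_bytes()) for n, p in files.items()):
        hits.append("plaintext_tmp_log")
    if any(str(install_dir).lower() in cmd.lower() for cmd in run_values.values()):
        hits.append("run_key_to_install_dir")
    # The dropper's own exe (not a helper) duplicated into the Startup folder.
    own = [p.read_bytes() for n, p in files.items() if n.endswith(".exe") and n not in CAPTURE_HELPERS]
    if any(p.is_file() and p.read_bytes() in own for p in startup_dir.iterdir()):
        hits.append("startup_copy_of_installer")
    return sorted(hits)


def build_sample():
    """Constructed layout mimicking the article (fake bytes, not real binaries)."""
    root = Path(tempfile.mkdtemp())
    inst, startup = root / "qzx7v", root / "Startup"
    inst.mkdir()
    startup.mkdir()
    body = b"MZ-constructed-sample"
    (inst / "qzx7v.exe").write_bytes(body)        # installer under a random name
    (startup / "qzx7v.exe").write_bytes(body)     # its copy in the Startup folder
    for name in ("ffmpeg.exe", "Rar.exe", "DShowNet.dll", "DirectX.Capture.dll"):
        (inst / name).write_bytes(b"placeholder")
    (inst / "k1.tmp").write_text("[browser] typed: bank login\n")  # unencrypted log
    return inst, {"qzx7v": f'"{inst / "qzx7v.exe"}"'}, startup


if __name__ == "__main__":
    print(hunt(*build_sample()))
```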

Communication with the command and control (C&C) server is performed over TCP using port 98. Initial beaconing is performed by the server via a command “idjamel,” to which the threat responds with information about the victim’s machine, including name/username, operating system, and a list of running processes.

Next, the server sends the configuration, which includes a list of targeted banks that the malware saves to the registry. The C&C also sends a set of Base64-encoded PE files, including non-malicious helper binaries, and a URL from which to download the FFmpeg application.

The analyzed sample was packed with CloudProtector, which decrypts the payload using a custom algorithm and a key supplied in the configuration. The decrypted executable is then loaded into memory using process hollowing (the RunPE technique).

“The unpacked payload is the layer containing all the malicious features. It is not further obfuscated, so we can easily decompile it and read the code,” Malwarebytes explains.

The threat was designed to spy on users and backdoor the infected machines. It can record videos using the FFmpeg application, snap screenshots, and log keystrokes.

Video recording starts when the user accesses a site related to online banking, which means the bad guys want to spy on victims’ banking activities.

“This malware is prepared by an unsophisticated actor. Neither the binary nor the communication protocol is well obfuscated,” the researchers said. “The used packer is well-known and easy to defeat. However, the malware is rich in features and it seems to be actively maintained. Its capabilities of spying on the victim and backdooring the attacked machine should not be taken lightly because even a simple threat actor can cause a lot of damage when neglected.”
