Using Security Software to Download Trojan

Wednesday, November 11, 2015 @ 04:11 PM gHale

A new Trojan uses security software installed on the user’s computer to side-load dynamic link libraries (DLLs) needed to download itself.

This new Trojan, called Bookworm, has similarities with the PlugX RAT, said researchers at Palo Alto Networks, who found the malware.


The Trojan has been active in the campaigns of an advanced persistent threat (APT) group that operates only in Thailand, Palo Alto researchers said.

Bookworm seems to be part of the new, rising trend of modular malware, malicious threats that slowly install themselves in multiple steps to avoid detection, while also using a remote C&C server to control what components to load based on the profile of infected targets, Palo Alto researchers said.

The internal architecture of the Bookworm Trojan is simple, researchers said. Multiple malicious DLLs are encrypted with an XOR algorithm and bundled together into a single readme.txt file.

This readme.txt file is then packaged together with clean executables and some DLLs into a self-extracting RAR archive, which in turn is wrapped with Smart Installer Maker, an application for building installation packages.
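The article says only that the modules are XOR-encrypted and concatenated into readme.txt. An analyst looking at such a container wants to know whether encoded PE images are inside it without knowing the key in advance. The carver below is an added example written for this article; it is not Palo Alto's tooling and not a Bookworm decoder. It assumes a single-byte XOR key (the page does not state the key length), uses the DOS stub string as a crib, walks back to the `MZ` header and validates the `e_lfanew` pointer and `PE\0\0` signature. The container bytes and the minimal fake PE images are constructed here for the demonstration.

```python
"""Carve single-byte-XOR-encoded PE images out of a container blob.

Added example, not the article's or Palo Alto's code. Key length, PE
layout shortcuts and the sample container are assumptions/constructed.
"""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (assumed key length)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Validate MZ magic, e_lfanew pointer and the PE\\0\\0 signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_xor_pes(container: bytes):
    """Return [(offset, key, decoded_bytes)] for every single-byte-XOR PE found.

    For each candidate key, decode the whole blob, search for the DOS stub
    crib, then walk back from the crib to find a valid MZ/PE header.  The
    decoded slice runs to the end of the container; trimming it to the real
    image size would require parsing the section table (left out here).
    """
    found = []
    for key in range(256):
        plain = xor_bytes(container, key)
        start = 0
        while True:
            idx = plain.find(DOS_STUB, start)
            if idx < 0:
                break
            lo = max(0, idx - 0x100)          # DOS header sits just before the stub
            mz = plain.rfind(b"MZ", lo, idx)
            while mz >= 0:
                if looks_like_pe(plain[mz:]):
                    found.append((mz, key, plain[mz:]))
                    break
                mz = plain.rfind(b"MZ", lo, mz)
            start = idx + len(DOS_STUB)
    return sorted(found)


def build_fake_pe(marker: bytes) -> bytes:
    """Constructed minimal PE-like image for the demo: DOS header, DOS stub
    text, PE signature, then a marker payload.  Not a runnable executable."""
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB + b".\r\r\n$")
    e_lfanew = 0x40 + len(stub)
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos_header + stub + b"PE\0\0" + marker


# Constructed container: harmless text, then two XOR-encoded images with
# different keys, separated by padding.
SAMPLE_CONTAINER = (
    b"Readme: nothing to see here.\r\n"
    + xor_bytes(build_fake_pe(b"MODULE_A"), 0x5A)
    + b"\x00" * 16
    + xor_bytes(build_fake_pe(b"MODULE_B"), 0xA7)
)

if __name__ == "__main__":
    for off, key, data in carve_xor_pes(SAMPLE_CONTAINER):
        print(f"PE at offset {off} with key 0x{key:02X}, {len(data)} bytes decoded")
```

Because each module can carry its own key, the scan is repeated for every key rather than assuming one key for the whole file; the crib search keeps the cost low because only keys that reproduce the stub string trigger header validation.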

The installer this application produces is the one the attackers distribute. When executed, the installer triggers the self-extracting archive, which unpacks the malicious readme.txt, the clean DLLs, and the clean EXE.

After the installer finishes, it also automatically launches the clean EXE it just extracted, the researchers said. This executable starts to look for executables from Microsoft Malware Protection (MsMpEng.exe) and Kaspersky Anti-Virus (ushata.exe).

When it finds one, it side-loads the clean DLLs into these executables and uses the permissions of those applications to install itself as a Microsoft service, the researchers said.
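The defensive signal in this stage is a security product's own process loading a DLL from somewhere other than its install directory. The script below is an added example for this article, not Palo Alto's or any vendor's detection content. It assumes Sysmon-style image-load records with `Image`, `ImageLoaded` and `SignatureStatus` fields flattened into `Key=Value|Key=Value` lines; the product install directories in the allow list and the sample log lines are constructed here and should be adjusted to the real install paths in an environment.

```python
"""Flag DLLs loaded into the security-product processes the article names
(MsMpEng.exe, ushata.exe) from outside the product's own directories.

Added example, not the article's code.  Record format, allow-listed
directories and sample events are assumptions/constructed.
"""
import ntpath

# Assumed install locations for the two host processes the article mentions.
WATCHED_HOSTS = {
    "msmpeng.exe": [r"C:\Program Files\Windows Defender", r"C:\Windows\System32"],
    "ushata.exe": [r"C:\Program Files (x86)\Kaspersky Lab"],
}


def is_under(path: str, directory: str) -> bool:
    """Case-insensitive 'path lies inside directory' test for Windows paths."""
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower()
    return p == d or p.startswith(d + "\\")


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' image-load record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def suspicious_loads(lines):
    """Return one hit dict per image-load event that matches the side-loading
    pattern: a watched host process loading a DLL from outside its product
    directories, or loading an unsigned DLL even inside them."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        host = ntpath.basename(ev.get("Image", "")).lower()
        if host not in WATCHED_HOSTS:
            continue
        loaded = ev.get("ImageLoaded", "")
        in_trusted_dir = any(is_under(loaded, d) for d in WATCHED_HOSTS[host])
        signed = ev.get("SignatureStatus", "").lower() == "valid"
        if in_trusted_dir and signed:
            continue
        hits.append({
            "host": host,
            "dll": loaded,
            "signed": signed,
            "reason": "outside product dir" if not in_trusted_dir else "unsigned",
        })
    return hits


# Constructed sample events (paths and DLL names are placeholders).
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Windows Defender\MsMpEng.exe|ImageLoaded=C:\Program Files\Windows Defender\MpClient.dll|SignatureStatus=Valid",
    r"Image=C:\Program Files\Windows Defender\MsMpEng.exe|ImageLoaded=C:\Users\user\AppData\Local\Temp\pkg\sideload_a.dll|SignatureStatus=Unavailable",
    r"Image=C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus\ushata.exe|ImageLoaded=C:\Users\user\AppData\Local\Temp\pkg\sideload_b.dll|SignatureStatus=Unavailable",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Users\user\AppData\Local\Temp\pkg\other.dll|SignatureStatus=Unavailable",
    r"Image=C:\Program Files\Windows Defender\MsMpEng.exe|ImageLoaded=C:\Program Files\Windows Defender\helper.dll|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE_EVENTS):
        print(f"{hit['host']} loaded {hit['dll']} ({hit['reason']})")
```

Pairing this with a process-creation rule for the same host processes started from a user-writable directory catches the other variant of the technique, where the installer drops its own copy of the signed EXE; the image-load rule above covers the case the article describes, where the already installed product binary is reused.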

At that point, Bookworm has all the permissions it needs to extract other modules from the readme.txt file, start communications with its C&C server, load other modules, and send stolen data to the C&C server.