
BackDoor.Neutrino.50

Added to the Dr.Web virus database: 2015-05-02

Virus description added:

SHA1 (packed): fcf7197bbae81292dc9e444dd9ee1fb6f510cd05
SHA1 (unpacked): a2b801df9bd8438adcf3c08d44bc42e34a83f7d8

A multicomponent backdoor that can infect POS terminals. It can exploit the CVE-2012-0158 vulnerability to spread.

Once launched, the backdoor checks its environment for signs of a debugger, a sandbox or a virtual machine as follows:

  1. Calls the IsDebuggerPresent API to check for a debugger
  2. Calls the CheckRemoteDebuggerPresent API to check for a debugger
  3. Checks whether the user name resembles any of the following:
    • MALTEST
    • TEQUILABOOMBOOM
    • SANDBOX
    • VIRUS
    • MALWARE
  4. Converts its own file name to lowercase and checks whether it resembles any of the following:
    • SAMPLE
    • VIRUS
    • SANDBOX
  5. Checks whether kernel32.dll exports "wine_get_unix_file_name" (present only under Wine)
  6. Checks whether the "HKLM\SOFTWARE\VMware, Inc.\VMware Tools" registry key exists
  7. Compares the data of the "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier" registry value with "VMWARE", "VBOX" and "QEMU"
  8. Compares the data of the "HKLM\HARDWARE\Description\System\SystemBiosVersion" registry value with "VBOX", "QEMU" and "BOCHS"
  9. Checks whether the "HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions" registry key exists
  10. Compares the data of the "HKLM\HARDWARE\Description\System\VideoBiosVersion" registry value with "VIRTUALBOX"

If a virtual machine is detected, the Trojan displays the following error message: “An unknown error occurred. Error - (0x[random number])”. After that, BackDoor.Neutrino.50 initiates a self-removal process.
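Sandbox operators need to know which of the artifacts above give their analysis VM away, otherwise the sample simply deletes itself and nothing is observed. The following audit script is an added example, not Dr.Web's or the malware's code: it takes a snapshot of the VM's user name, sample file name, kernel32 exports and registry contents (the snapshot fields are my own construction, as is the reading of "similar to" as a case-insensitive substring match) and reports which of the ten checks would fire.

```python
"""Sandbox self-audit against the ten anti-analysis checks listed above.

Added example (not Dr.Web's or the malware's code). HostSnapshot is a
constructed view of an analysis VM; the checks mirror the page's list and
treat "similar to" as a case-insensitive substring match (an assumption).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class HostSnapshot:
    user_name: str
    sample_file_name: str
    debugger_present: bool = False                        # IsDebuggerPresent / CheckRemoteDebuggerPresent
    kernel32_exports: FrozenSet[str] = frozenset()        # export names of the loaded kernel32.dll
    registry_keys: FrozenSet[str] = frozenset()           # key paths that exist
    registry_values: Dict[str, str] = field(default_factory=dict)  # value path -> REG_SZ data


USER_MARKERS = ("MALTEST", "TEQUILABOOMBOOM", "SANDBOX", "VIRUS", "MALWARE")
FILE_MARKERS = ("sample", "virus", "sandbox")
VMWARE_TOOLS_KEY = r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"
VBOX_ADDITIONS_KEY = r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"
# registry value path -> substrings the backdoor compares the data with
VALUE_MARKERS = {
    r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier":
        ("VMWARE", "VBOX", "QEMU"),
    r"HKLM\HARDWARE\Description\System\SystemBiosVersion": ("VBOX", "QEMU", "BOCHS"),
    r"HKLM\HARDWARE\Description\System\VideoBiosVersion": ("VIRTUALBOX",),
}


def evasion_triggers(snap: HostSnapshot) -> List[str]:
    """Return the names of the checks that would make the sample self-delete."""
    hits = []
    if snap.debugger_present:
        hits.append("debugger")
    if any(m in snap.user_name.upper() for m in USER_MARKERS):
        hits.append("user name")
    if any(m in snap.sample_file_name.lower() for m in FILE_MARKERS):
        hits.append("file name")
    if "wine_get_unix_file_name" in snap.kernel32_exports:
        hits.append("wine")
    if VMWARE_TOOLS_KEY in snap.registry_keys:
        hits.append("vmware tools key")
    if VBOX_ADDITIONS_KEY in snap.registry_keys:
        hits.append("virtualbox additions key")
    for path, markers in VALUE_MARKERS.items():
        data = snap.registry_values.get(path, "").upper()
        if any(m in data for m in markers):
            hits.append(path.rsplit("\\", 1)[1])   # "Identifier", "SystemBiosVersion", ...
    return hits


# Constructed snapshot of a poorly hidden VirtualBox sandbox.
LEAKY_SANDBOX = HostSnapshot(
    user_name="maltest",
    sample_file_name="Sample_1.exe",
    registry_keys=frozenset({VBOX_ADDITIONS_KEY}),
    registry_values={r"HKLM\HARDWARE\Description\System\SystemBiosVersion": "VBOX   - 1"},
)

# The same machine after renaming the user and the sample and hiding the VM artifacts.
HARDENED_SANDBOX = HostSnapshot(
    user_name="jsmith",
    sample_file_name="invoice_2015.exe",
    registry_values={r"HKLM\HARDWARE\Description\System\SystemBiosVersion": "DELL   - 1"},
)

if __name__ == "__main__":
    print("leaky:", evasion_triggers(LEAKY_SANDBOX))
    print("hardened:", evasion_triggers(HARDENED_SANDBOX))
```

Feed the script a snapshot collected from the VM (by hand or with an agent) and clear every reported artifact before detonating the sample.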

During installation, the Trojan creates the "%AppData%\W2VTWFFiQQ" directory, copies itself there, and modifies "Software\Microsoft\Windows\CurrentVersion\Run" to ensure its autorun. The branch (HKLM or HKCU) is chosen depending on whether administrator privileges are available.

As the name of the autorun entry, the Trojan chooses the name of a file in the %windir% directory that matches one of the following masks:

install*.exe
setup*.exe
update*.exe
patch*.exe

If no file matches, the Trojan uses the name "svchost.exe".

The malware gives its copy the creation date of "explorer.exe" and sets the "hidden" and "system" attributes on the file.

The Trojan then starts a separate thread that monitors the registry value responsible for autorun. If the value is modified or removed, the Trojan restores it.

Once launched successfully, the backdoor gathers information about the infected system, in particular the machine GUID ("HKLM\Software\Microsoft\Cryptography\MachineGuid"), the OS version, the architecture, and the type and version of the installed anti-virus software.

Moreover, the Trojan can remove other malicious programs found on the system. For that, it checks the digital signature of every executable file in %APPDATA%, %TEMP% and %ALLUSERSPROFILE% with the WinVerifyTrust function. If verification fails and a running process corresponds to the file, the backdoor removes the corresponding entry from "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" (again choosing the HKLM or HKCU branch depending on whether administrator privileges are available) and then deletes the file.

At the same time, the backdoor counts the number of removed programs and reports this number to the command and control server.

Besides operating on POS terminals, the Trojan can steal information stored by the Microsoft Mail client, as well as the credentials for FTP resources saved by a number of well-known FTP clients:

filezilla.exe
ftprush.exe
winscp.exe
coreftp.exe
freeftp.exe
far.exe
ftpte.exe
smartftp.exe
flashfxp.exe
totalcmd.exe

Among running processes, the Trojan looks for the following browsers:

firefox.exe
chrome.exe
iexplore.exe
opera.exe

In these processes it hooks the data-sending functions PR_Write, send, WSASend, HttpSendRequestW and InternetWriteFile. The malware forwards to the command and control server the data of POST requests that contain the "ocsp" or "application/ocsp-request" substrings; for Internet Explorer, the data of all POST requests is sent.

The "rate" value of the "HKCU\Software\N3NNetwork\" key holds the time interval between requests sent to the server. The backdoor reads this value and multiplies it by 60 seconds; the result is capped at 1 hour.

Data is sent as a "cmd=1&uid=%s&os=%s&av=%s&version=%s&quality=%i" string, where uid is the infected computer's GUID, os describes the OS, av is the installed anti-virus, version is the backdoor's version and quality is the number of detected viruses.

The command and control server list is hard-coded in the Trojan's body as a base64-encoded UNICODE string. The string can contain several server addresses separated by '*'. During initialization, the backdoor tries the servers in turn until it finds one that answers a PING request.

A server reply to a PING request can look as follows:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML>
<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>
The requested URL /ionocube_/tasks.php was not found on this server.</BODY></HTML>
<!-- DEBUGcG9uZw==DEBUG -->

From the reply, the backdoor extracts the base64-encoded payload enclosed between the two "DEBUG" markers.
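The three pieces of beacon logic just described (the '*'-separated server list, the "rate" interval and the "DEBUG...DEBUG" payload in a PING reply) are small enough to reimplement for log triage or for a fake C2 in a sandbox. The block below is an added example, not Dr.Web's or the malware's code; it assumes the UNICODE string is UTF-16LE (the usual Windows meaning), uses the reply quoted above as sample input, and the server addresses and the `ping` callback in the usage are constructed placeholders.

```python
"""Helpers mirroring the C2 beacon format described above (added example, not
Dr.Web's or the malware's code). Assumption: the "UNICODE string" is UTF-16LE."""
import base64
import re
from typing import Callable, List, Optional

# Payload sits between two literal DEBUG markers; non-greedy so a second pair is not swallowed.
PAYLOAD_RE = re.compile(rb"DEBUG(.*?)DEBUG", re.DOTALL)


def decode_server_list(blob: str) -> List[str]:
    """base64 -> UTF-16LE text -> '*'-separated addresses (empty entries dropped)."""
    text = base64.b64decode(blob).decode("utf-16-le")
    return [addr for addr in text.split("*") if addr]


def encode_server_list(servers: List[str]) -> str:
    """Inverse of decode_server_list; used here only to build sample data."""
    return base64.b64encode("*".join(servers).encode("utf-16-le")).decode("ascii")


def extract_ping_payload(reply: bytes) -> Optional[bytes]:
    """Return the decoded payload from a server reply, or None if no valid marker pair exists."""
    match = PAYLOAD_RE.search(reply)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None


def first_live_server(servers: List[str], ping: Callable[[str], Optional[bytes]]) -> Optional[str]:
    """Try the servers in order and return the first whose reply carries a payload."""
    for addr in servers:
        reply = ping(addr)
        if reply is not None and extract_ping_payload(reply) is not None:
            return addr
    return None


def poll_interval_seconds(rate: int) -> int:
    """'rate' is multiplied by 60 seconds and the result is capped at one hour."""
    return min(rate * 60, 3600)


# The reply quoted on the page, reproduced byte for byte.
SAMPLE_REPLY = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML>\n'
    b"<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>\n"
    b"The requested URL /ionocube_/tasks.php was not found on this server.</BODY></HTML>\n"
    b"<!-- DEBUGcG9uZw==DEBUG -->\n"
)

if __name__ == "__main__":
    # Constructed server list; .invalid is reserved and never resolves.
    blob = encode_server_list(["http://c2-a.invalid/tasks.php", "http://c2-b.invalid/tasks.php"])
    servers = decode_server_list(blob)
    # Constructed ping: only the second server answers, with the sample reply.
    replies = {servers[1]: SAMPLE_REPLY}
    print("payload:", extract_ping_payload(SAMPLE_REPLY))            # b'pong'
    print("live server:", first_live_server(servers, replies.get))
    print("interval for rate=5:", poll_interval_seconds(5), "s")
```

The markers are plain ASCII inside an HTML comment, so a proxy rule that looks for "DEBUG" followed by base64 and a second "DEBUG" in an otherwise ordinary 404 page is a usable detection on the response side as well.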

The Trojan reads the command and control server address from the registry, decodes it, and builds a request of the following form:

"POST <!target> HTTP/1.0\r\n"
"Host: \r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0\r\n"
"Content-type: application/x-www-form-urlencoded\r\n"
"Cookie: authkeys=21232f297a57a5a743894a0e4a801fc3\r\n"
"Content-length: <!len>\r\n"
"\r\n"
"<!payload>\n"

where target and host are taken from the address of the server to which the data is forwarded, len is the payload length, and payload is the base64-encoded string.

Bank card data is sent in the following package:

d=1&type=%s&data=%s

where type is the string "Track1" or "Track2" and data is the track data extracted from process memory.
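The request template and the two body formats above give a proxy-log analyst three things to key on: the fixed "authkeys" cookie (its value, 21232f297a57a5a743894a0e4a801fc3, is the MD5 of "admin", so it never varies), a base64 body that decodes to the "cmd=1&uid=..." beacon, and one that decodes to the "d=1&type=Track..." card package. The scanner below is an added example, not Dr.Web's tooling; the tab-separated log format and the log lines are constructed, and a real proxy export will need its own parser in place of `classify`'s split.

```python
"""Proxy-log detection for the beacon and card-exfiltration requests described
above. Added example, not Dr.Web's code. Log format (constructed): one request
per line, tab-separated: time, client, method, URL, User-Agent, Cookie, body."""
import base64
import re
from typing import List, Tuple

UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"
# Hard-coded in the request template; 21232f29... is MD5("admin"), so the value is constant.
AUTHKEYS_COOKIE = "authkeys=21232f297a57a5a743894a0e4a801fc3"
BEACON_RE = re.compile(r"^cmd=1&uid=[^&]*&os=[^&]*&av=[^&]*&version=[^&]*&quality=\d+$")
CARD_RE = re.compile(r"^d=1&type=Track[12]&data=")


def decode_body(body: str) -> str:
    """The body is base64 of the plaintext request string; return '' if it is not valid base64."""
    try:
        return base64.b64decode(body, validate=True).decode("ascii", "replace")
    except ValueError:
        return ""


def classify(line: str) -> Tuple[str, ...]:
    """Return the reasons a log line matches, or an empty tuple."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return ()
    _, _, method, _, ua, cookie, body = fields
    reasons = []
    if method == "POST" and AUTHKEYS_COOKIE in cookie:
        reasons.append("hard-coded authkeys cookie")
    plain = decode_body(body)
    if BEACON_RE.match(plain):
        reasons.append("beacon body")
    elif CARD_RE.match(plain):
        reasons.append("card track data")
    if reasons and ua == UA:
        reasons.append("fixed user-agent")   # too common alone; supporting evidence only
    return tuple(reasons)


def scan(lines: List[str]) -> List[Tuple[int, Tuple[str, ...]]]:
    """Return (line number, reasons) for every line that matched."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed log: two backdoor requests, one ordinary shop POST, one unrelated GET.
SAMPLE_LOG = [
    "\t".join(["2015-05-02T10:00:01", "10.0.0.21", "POST", "http://c2.invalid/ionocube_/tasks.php",
               UA, AUTHKEYS_COOKIE,
               _b64("cmd=1&uid=1234-ABCD&os=Windows 7 x86&av=none&version=50&quality=0")]),
    "\t".join(["2015-05-02T10:00:07", "10.0.0.21", "POST", "http://c2.invalid/ionocube_/tasks.php",
               UA, AUTHKEYS_COOKIE, _b64("d=1&type=Track2&data=<constructed>")]),
    "\t".join(["2015-05-02T10:00:09", "10.0.0.22", "POST", "http://shop.example/cart",
               UA, "session=abc", _b64("item=42&qty=1")]),
    "\t".join(["2015-05-02T10:00:10", "10.0.0.23", "GET", "http://news.example/", "curl/7.40", "", ""]),
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, ", ".join(reasons))
```

The cookie match fires before the body is decoded, so even a truncated or unlogged body still produces an alert; the body patterns add confidence and tell the responder whether card data has already left the host.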

The backdoor can execute the following commands:

botkiller: Remove other malicious programs
cmd: Forward the command to the command interpreter (cmd.exe)
dwflood: Flood a remote host with requests to download a file (the file is downloaded, deleted, and downloaded again)
findfile: Find the specified file and upload it to the remote server
http: Send a GET or a POST request
https: Launch an HTTPS flood attack
infect: Infect computers on the LAN and removable media
keylogger: Run the keylogger (logs clipboard contents and keystrokes and takes a screenshot when a mouse button is pressed)
loader: Download a .dll file and run it with the regsvr32 tool
rate: Set the time interval between requests to the server
slow: Send a POST request bearing the "X-a: b\r\n" payload
tcp: Launch a TCP flood attack
udp: Launch a UDP flood attack
update: Update itself (the update is downloaded from the link given in the command)

The backdoor's presence on a system can be recognized by the following indicators:

Mutex: "W2VTWFFiQQ"
Directory: "%AppData%\W2VTWFFiQQ"
Registry: the "HKCU\Software\N3NNetwork\" key exists
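A host-side sweep for these three indicators, as an added example that is not Dr.Web's tooling: the mutex, directory and registry probes are passed in as callables so the matching logic can be exercised anywhere, while the default probes use the Win32 API (OpenMutexW through ctypes, winreg for HKCU) and therefore only find anything on a Windows host.

```python
"""Check a host for the three BackDoor.Neutrino.50 indicators listed above.
Added example, not Dr.Web's code. Default probes are Windows-only; pass
your own callables (e.g. backed by a forensic image) on other platforms."""
import os
import sys
from typing import Callable, List

MUTEX_NAME = "W2VTWFFiQQ"
DIR_TEMPLATE = r"%AppData%\W2VTWFFiQQ"
REG_SUBKEY = r"Software\N3NNetwork"          # under HKCU


def win_mutex_exists(name: str) -> bool:
    """OpenMutexW succeeds only if a mutex of that name already exists in the session."""
    if sys.platform != "win32":
        return False
    import ctypes
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    SYNCHRONIZE = 0x00100000
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    kernel32.CloseHandle(ctypes.c_void_p(handle))
    return True


def win_dir_exists(template: str) -> bool:
    """expandvars resolves %AppData% on Windows; elsewhere the literal path simply does not exist."""
    return os.path.isdir(os.path.expandvars(template))


def win_hkcu_key_exists(subkey: str) -> bool:
    if sys.platform != "win32":
        return False
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey))
        return True
    except OSError:
        return False


def find_indicators(
    mutex_exists: Callable[[str], bool] = win_mutex_exists,
    dir_exists: Callable[[str], bool] = win_dir_exists,
    hkcu_key_exists: Callable[[str], bool] = win_hkcu_key_exists,
) -> List[str]:
    """Return a human-readable entry for each indicator that is present."""
    found = []
    if mutex_exists(MUTEX_NAME):
        found.append("mutex " + MUTEX_NAME)
    if dir_exists(DIR_TEMPLATE):
        found.append("directory " + DIR_TEMPLATE)
    if hkcu_key_exists(REG_SUBKEY):
        found.append("registry HKCU\\" + REG_SUBKEY)
    return found


if __name__ == "__main__":
    hits = find_indicators()
    print("\n".join(hits) if hits else "no indicators found")
```

The mutex is the most reliable live indicator because the sample holds it for as long as it runs; the directory and key persist after a reboot and are what a forensic image will show.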

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of the removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.


  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a ransom, or some other announcement prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the particular device, this is done in various ways; consult the user guide shipped with the device or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android on the infected handheld and run a full system scan; follow the steps recommended for neutralizing the detected threats;
    • Switch off your device and turn it on as normal.