BackDoor.Andromeda.1407

Added to the Dr.Web virus database: 2016-01-29

SHA1:

  • 39688eb28fb982df31b59a1098554ffa47bf56da

A multicomponent backdoor Trojan designed to execute cybercriminals’ commands. The examined sample was distributed by another downloader Trojan, Trojan.Sathurbot.1. The sample consists of two sections: the first stores the code of the main module loader together with encrypted code fragments used for unpacking and import initialization; the second contains the main module of the malicious program.

The backdoor’s main module

Once launched, it checks its command line for the “/test” switch. If the switch is present, it prints the message “\n Test - OK” to the console and terminates itself after 3 seconds; this function was probably intended for testing program packers. The Trojan then checks whether any of the following processes are running on the infected machine by comparing CRC32 hashes of their names (computed with RtlComputeCrc32):

CRC32     Process
99DD4432  vmwareuser.exe
2D859DB4  vmwareservice.exe
64340DCE  vboxservice.exe
63C54474  vboxtray.exe
349C9C8B  sandboxiedcomlaunch.exe
3446EBCE  sandboxierpcss.exe
5BA9B1FE  procmon.exe
3CE2BEF3  regmon.exe
3D46F02B  filemon.exe
77AE10F7  wireshark.exe
F344E95D  netmon.exe
2DBE6D6F  prl_tools_service.exe
A3D10244  prl_tools.exe
1D72ED91  prl_cc.exe
96936BBE  sharedintapp.exe
278CDF58  vmtoolsd.exe
3BFFF885  vmsrvc.exe
6D3323D9  vmusrvc.exe
D2EFC6C4  python.exe
DE1BACD2  perl.exe
3044F7D4  avpui.exe

If any of these processes is found running, the malicious application goes into an infinite sleep.
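The CRC32 table above can be recomputed and reused by a defender, for example to check whether the tooling in a sandbox is visible to the backdoor. The following script is an added example, not code from the analysis or the sample; it assumes the sample hashes the lower-cased ANSI process name with RtlComputeCrc32 starting from 0 (which matches zlib.crc32), and verify_table() reports whether that assumption reproduces the published values.

```python
import zlib

# CRC32 values and process names as listed in the analysis above.
ANDROMEDA_PROCESS_CRCS = {
    0x99DD4432: "vmwareuser.exe",
    0x2D859DB4: "vmwareservice.exe",
    0x64340DCE: "vboxservice.exe",
    0x63C54474: "vboxtray.exe",
    0x349C9C8B: "sandboxiedcomlaunch.exe",
    0x3446EBCE: "sandboxierpcss.exe",
    0x5BA9B1FE: "procmon.exe",
    0x3CE2BEF3: "regmon.exe",
    0x3D46F02B: "filemon.exe",
    0x77AE10F7: "wireshark.exe",
    0xF344E95D: "netmon.exe",
    0x2DBE6D6F: "prl_tools_service.exe",
    0xA3D10244: "prl_tools.exe",
    0x1D72ED91: "prl_cc.exe",
    0x96936BBE: "sharedintapp.exe",
    0x278CDF58: "vmtoolsd.exe",
    0x3BFFF885: "vmsrvc.exe",
    0x6D3323D9: "vmusrvc.exe",
    0xD2EFC6C4: "python.exe",
    0xDE1BACD2: "perl.exe",
    0x3044F7D4: "avpui.exe",
}

def name_crc32(name: str) -> int:
    """CRC32 of a process name. RtlComputeCrc32(0, buf, len) uses the same
    polynomial and initial state as zlib.crc32; hashing the lower-cased ANSI
    name is an assumption about the sample's input (not stated on the page)."""
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF

def verify_table() -> dict:
    """Map each published name to whether recomputation reproduces its CRC,
    so an analyst can confirm the hashing convention before relying on it."""
    return {name: name_crc32(name) == crc for crc, name in ANDROMEDA_PROCESS_CRCS.items()}

def flagged_processes(running: list) -> list:
    """Names from a process listing whose hash is in the table, i.e. the ones
    that would send the backdoor to sleep on this host."""
    return sorted(p for p in running if name_crc32(p) in ANDROMEDA_PROCESS_CRCS)
```

If verify_table() reports mismatches, the sample hashes the name in some other form (for example the wide-character string), and the published values, not the recomputation, remain authoritative.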

After that, BackDoor.Andromeda.1407 retrieves the system volume ID (GetVolumeInformationW), which it then uses extensively when generating the names of various named objects; in particular, it saves the path to the dropper directory in an environment variable whose name is computed as 'src' ^ VolumeID. It then attempts to inject its code into another process. To do that, it launches a process with the CREATE_SUSPENDED flag; depending on the operating system bitness, it uses either %windir%\system32\msiexec.exe or %windir%\SysWOW64\msiexec.exe.

If the injection succeeds, the loader body is placed in memory and all of its values are overwritten with zeros. The Trojan then initializes sockets using WSAStartup, obtains the User-Agent string (ObtainUserAgentString), and checks the operating system version (GetVersionExW) and bitness (NtQueryInformationProcess with the 0x1a ProcessWow64Information class). In addition, it acquires the debug privilege (SeDebugPrivilege) and determines its own privilege level. The Trojan also checks which keyboard layouts are installed on the computer. If any of the 419h (RU), 422h (UA), 423h (BL), or 43Fh (KZ) layouts is found, the backdoor terminates as soon as possible and deletes itself from the system.

It deletes the Debugger value of the following system registry key:

HKLM\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe, Debugger

It then obtains the exact time by querying port 123 (NTP) on the following servers:

  • europe.pool.ntp.org
  • north-america.pool.ntp.org
  • south-america.pool.ntp.org
  • asia.pool.ntp.org
  • oceania.pool.ntp.org
  • africa.pool.ntp.org
  • pool.ntp.org

If it receives no response from these servers, it obtains the system time with GetSystemTimeAsFileTime and starts a separate thread that increments the time value every second. The Trojan's plug-ins make active use of this time value during operation.

The backdoor disables the display of system notifications in the Windows settings:

[hklm\software\microsoft\windows\currentversion\policies\Explorer]
"TaskbarNoNotification"=1
"HideSCAHealth"=1
 
[hkcu\software\microsoft\windows\currentversion\policies\Explorer]
"TaskbarNoNotification"=1
"HideSCAHealth"=1

In Windows 7, the Trojan disables the following system services:

  • wscsvc
  • wuauserv
  • MpsSvc
  • WinDefend

The following system services are disabled in Windows XP:

  • wscsvc
  • wuauserv
  • SharedAccess

Elevation of privileges

If the infected computer runs an operating system older than Windows 8 and the integrity level of the Trojan's process is SECURITY_MANDATORY_LOW_RID (0x1000) or SECURITY_MANDATORY_MEDIUM_RID (0x2000), the malicious program tries to elevate its privileges by means of ShellExecuteExW. If elevation still fails after 5 attempts, the backdoor continues with its current privileges. In Windows 7, BackDoor.Andromeda.1407 disables User Account Control (UAC):

[hklm\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0

The backdoor’s installation and launch

The Trojan disables the display of hidden files in Windows Explorer:

[hkcu\software\microsoft\windows\currentversion\explorer\advanced]
"ShowSuperHidden"=0
"Hidden"=2

It then checks several system and user profile folders, looking for one that is writable:

%ALLUSERSPROFILE% (C:\ProgramData)
%APPDATA% (C:\Users\<username>\AppData\Roaming)
%USERPROFILE% (C:\Users\<username>)

Writability is tested by creating a file with the DELETE_ON_CLOSE flag, so that it is removed as soon as its handle is closed. After that, using the system volume ID, the backdoor generates a string of 3 to 5 arbitrary characters and a file name according to the “ms%s.exe” template. The dropper copies itself to the selected folder under the new name. The file is given the “hidden” and “system” attributes (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM) to conceal it from the user, its creation time is replaced with that of the host process into which the injection was performed, and the Zone.Identifier stream is then deleted.

Finally, BackDoor.Andromeda.1407 modifies the system registry so that the main module of the malware is launched automatically. It attempts to modify the following keys:

HKLM\software\microsoft\windows\currentversion\Policies\Explorer\Run
HKCU\software\microsoft\windows nt\currentversion\Windows, Load
HKCU\software\microsoft\windows\currentversion\Run
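The installation artifacts described above (an “ms%s.exe” file with 3 to 5 extra characters, carrying both the hidden and system attributes, in one of the three profile folders) make a usable triage heuristic. The script below is an added example, not code from the analysis; the alphanumeric alphabet for the generated characters is an assumption, since the page does not state which characters the VolumeID-derived string contains.

```python
import ntpath
import os
import re

# Name template from the analysis: "ms%s.exe" with a 3 to 5 character string
# derived from the VolumeID. The alphabet is not stated; alphanumerics assumed.
DROPPER_NAME = re.compile(r"^ms[a-z0-9]{3,5}\.exe$", re.IGNORECASE)
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Folders the backdoor tries, as listed in the analysis (expanded at run time).
CANDIDATE_DIRS = ("%ALLUSERSPROFILE%", "%APPDATA%", "%USERPROFILE%")

def is_dropper_candidate(name: str, attributes: int) -> bool:
    """Name matches the template and both the hidden and system bits are set."""
    return bool(DROPPER_NAME.match(name)) and (attributes & HIDDEN_SYSTEM) == HIDDEN_SYSTEM

def triage(entries) -> list:
    """entries: (path, Windows file attributes) pairs, e.g. from a collected
    directory listing. Returns the paths worth pulling for analysis."""
    return [p for p, a in entries if is_dropper_candidate(ntpath.basename(p), a)]

def scan_live(dirs=CANDIDATE_DIRS) -> list:
    """On a Windows host, list the candidate folders one level deep and triage them."""
    entries = []
    for d in (os.path.expandvars(x) for x in dirs):
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for n in names:
            p = os.path.join(d, n)
            try:
                attrs = getattr(os.stat(p), "st_file_attributes", 0)
            except OSError:
                continue
            entries.append((p, attrs))
    return triage(entries)
```

Note that the pattern also matches legitimate names such as msiexec.exe; a hidden, system-attributed copy of such a file inside a profile folder is still worth a look.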

Communication with the command and control server

The backdoor establishes a connection to the C&C server with the help of a special encrypted key, which is converted into a text string. The servers’ IP addresses are encrypted and hard-coded in the Trojan’s body; to decrypt them, the key is flipped.

BackDoor.Andromeda.1407 determines the infected computer’s IP address by connecting to port 80 on the following servers:

  • microsoft.com
  • update.microsoft.com
  • bing.com
  • google.com
  • yahoo.com

The information is encrypted and transmitted in JSON (JavaScript Object Notation) format.

The Trojan generates the JSON request according to the {"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu,"bb":%lu} template, for example {"id":3088609340,"bid":12385,"os":97,"la":167772687,"rg":1,"bb":0}, where

  • id—VolumeID;
  • bid—botid / buildid constant;
  • os—operating system version;
  • la—local IP address;
  • rg—administrator privileges flag;
  • bb—keyboard layout flag (1 is for RU UA BL KZ, 0—for other languages).

Other information can be added to the request. The data is then encrypted with the RC4 algorithm (using the Trojan’s encryption key) and sent to the server in a POST request. The Trojan receives JSON encrypted with the same key in response. The server can respond with the following commands:

  • Download and run an executable file
  • Download and install a plug-in
  • Update the Trojan
  • Delete all plug-ins
  • Delete the Trojan
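The beacon format and RC4 layer described above are enough to reconstruct the exchange and to decode captured traffic once the key has been recovered from a sample. The following is an added example, not code from the analysis: the RC4 key is a placeholder (the page does not give the sample's key), and the 'la' field is treated as a big-endian packed IPv4 address, which is the reading under which the page's example value 167772687 decodes to 10.0.2.15.

```python
import json
import socket
import struct

# Beacon template from the analysis: {"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu,"bb":%lu}
BEACON_FIELDS = ("id", "bid", "os", "la", "rg", "bb")
# Placeholder: the sample's real RC4 key is not given on the page.
RC4_KEY = b"<sample-specific-key>"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def ip_to_u32(ip: str) -> int:
    """Pack a dotted IPv4 address as the 'la' field carries it (first octet in
    the most significant byte; an assumption consistent with the page's example)."""
    return struct.unpack(">I", socket.inet_aton(ip))[0]

def u32_to_ip(value: int) -> str:
    return socket.inet_ntoa(struct.pack(">I", value))

def build_beacon(volume_id, build_id, os_version, local_ip, is_admin, ru_layout) -> str:
    """Render the beacon exactly as the Trojan's template does (no spaces)."""
    values = (volume_id, build_id, os_version, ip_to_u32(local_ip), int(is_admin), int(ru_layout))
    return "{" + ",".join('"%s":%d' % kv for kv in zip(BEACON_FIELDS, values)) + "}"

def encrypt_beacon(beacon: str, key: bytes = RC4_KEY) -> bytes:
    return rc4(key, beacon.encode("ascii"))

def decode_capture(body: bytes, key: bytes = RC4_KEY) -> dict:
    """Decrypt a captured POST body or server reply and parse the JSON,
    adding the dotted form of 'la' when the field is present."""
    obj = json.loads(rc4(key, body).decode("ascii"))
    if "la" in obj:
        obj["la_ip"] = u32_to_ip(obj["la"])
    return obj
```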

Plug-ins

The Trojan stores downloaded plug-ins in encrypted form in alternate data streams of the dropper file. The plug-ins are encrypted with CRYPT32!CryptProtectData and can therefore be decrypted only on the infected machine.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.