Backdoor.PS1.ASYNCRAT.N

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It logs a user's keystrokes to steal information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following files:

• %User Temp%\Log.tmp → contains key logs

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• AsccMutexxxxxssmm1_{random}

Backdoor Routine

This Backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.{BLOCKED}.15
• {BLOCKED}aupload.co
• {BLOCKED}upload.co
• {BLOCKED}.{BLOCKED}.{BLOCKED}.19
• {BLOCKED}c.serveftp.net
• {BLOCKED}ic236922.serveftp.net

It connects to the following uncommon ports:

• 3322

Information Theft

This Backdoor gathers the following data:

• HWID = Hardware Identifiers
• User = Username
• OS = OS Information
• Path = Path of the malware
• Admin = If the malware is running with Admin Access
• Performance = Current Active Window
• Antivirus = Antivirus applications in the system
• If the following cryptocurrency wallet and 2FA browser extensions exist in the affected system:
  • Firefox
  • MetaMask
  • Google Chrome
  • Authenticator
  • Binance (BEW Lite)
  • BitKeep (BitGet Wallet)
  • BitPay
  • Coinbase
  • Exodus (TronLink)
  • MetaMask
  • Phantom
  • Ronin
  • Trust
  • Brave
  • Authenticator
  • MetaMask
  • Phantom
  • Edge
  • Authenticator
  • Binance
  • MetaMask
• If the following cryptocurrency applications exist in the affected system:
  • Atomic
  • Binance
  • Bitcoin
  • Coinomi
  • Electrum
  • ErgoWallet
  • Exodus
  • Ledger Live
• LastTime = Last activity time of the affected system

It logs a user's keystrokes to steal information.

Other Details

This Backdoor does the following:

• It decrypts and executes an MSIL DLL loader directly in memory.
• It checks for the existence of the following files but displays a fake error regardless of whether they exist:
  • %Program Files%\AVG\Antivirus\AVGUI.exe
  • %Program Files%\Avast Software\Avast\AvastUI.exe
• It executes the following file and injects malicious code from an embedded MSIL EXE payload into the newly created process:
  • %Windows%\Microsoft.NET\Framework\{version}\{random exe file}

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)