BACKDOOR.MSIL.BLACKWORM.THABAGAH

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following copies of itself into the affected system:

• C:\Users\{Username}\Dropbox\cagohack.exe -> if Dropbox folder exists
• %User Temp%\Microsoft\svchost.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

It drops the following files:

• %User Temp%\BlackData.dat - (check if cagohack.exe is running)

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• ZhYmK@LHzYUg#9g

Autostart Technique

This Backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ef781910bc5e8aab3761591acadf8bb6 = %User Temp%\Microsoft\svchost.exe

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\svchost.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows XP, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Other System Modifications

This Backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

Propagation

This Backdoor drops the following copy(ies) of itself in all removable drives:

• {Drive Letter}\cagohack.exe

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• ping - use to check the status of the victim
• CloseServer - terminates the application
• RestartServer - Restart the application
• sendfile - send file and execute
• download - download file from URL and execute
• UDP - ping flood target
• startSlowloris - Start Slowloris DDoS
• stopSlowloris - Stop Slowloris DDos
• OpenPage - Open URL
• BlockPage - adds the URL in the "C:\WINDOWS\system32\drivers\etc\hosts to block specified website by pointing the resolution to 127.0.0.1
• Logoff - Logout windows
• Restart - Restart System
• Shutdown - Shutdown System
• keystart - keylogging
• keydump - send logs of keystrokes
• getpass - get password
• getdesktop - get desktop screenshot
• custom - saving arbitrary file to temp folder
• execscrip - execute script
• transfer - Change Port and Host
• startransom - start ransomware
• stopransom - stop ransomware
• elevate - elevate privelages
• update - update itself
• uninstall - uninstall itself

It connects to the following websites to send and receive information:

• {BLOCKED}.{BLOCKED}.01:5050

Process Termination

This Backdoor terminates the following processes if found running in the affected system's memory:

• procexp
• SbieCtrl
• SpyTheSpy
• SpeedGear
• wireshark
• mbam
• apateDNS
• IPBlocker
• cports
• ProcessHacker
• KeyScrambler
• TiGeR-Firewall
• Tcpview
• xn5x
• smsniff
• exeinfoPE
• regshot
• RougeKiller
• NetSnifferCs
• taskmgr
• Reflector
• capsa
• NetworkMiner
• AdvancedProcessController
• ProcessLassoLauncher
• ProcessLasso
• SystemExplorer
• ApateDNS
• Malwarebytes Anti-Malware
• TCPEye
• SmartSniff
• Active Ports
• ProcessEye
• MKN TaskExplorer
• CurrPorts
• SystemExplorer
• DiamondCS Port Explorer
• VirusTotal
• Metascan Online
• Speed Gear
• The Wireshark Network Analyzer
• Sandboxie Control
• ApateDNS
• .NET Reflector

Other Details

This Backdoor does the following:

• Drops a copy of itself in the Dropbox folder:
  • C:\Users\{Username}\Dropbox\cagohack.exe
• enableLUA registry if the following strings are found in the OSversion:
  • Vista
  • 7
  • 8.1
  • 10
• Modifies all the .lnk files in desktop to execute the copy of the malware
• Capable of encrypting the following file extensions:
  • .txt
  • .doc
  • .docx
  • .xls
  • .xlsx
  • .ppt
  • .pptx
  • .odt
  • .jpg
  • .png
  • .csv
  • .sql
  • .mdb
  • .sln
  • .php
  • .asp
  • .aspx
  • .html
  • .xml
  • .psd
• Appends the following extension on the encrypted file:
  • .bworm
• Remove restore point once the ransomware routine is initiated