Backdoor.Win32.REVCODE.THDBABO

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following copies of itself into the affected system:

• %Application Data%\Downloads\Zoom.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %User Temp%\{random characters}.bat
• %Application Data%\Downloads\Zoom.exe:ZoneIdentifier

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops and executes the following files:

• %User Temp%\ZoomInstaller.exe
  (Legitimate Zoom installer)

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\notepad.exe "%Application Data%\Downloads\Zoom.exe"
• %User Temp%\{random characters}.bat

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It injects codes into the following process(es):

• {malware fullpath}

Autostart Technique

This Backdoor drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• Zoom.vbs

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Add registry key
• Add registry value
• Change saved data on clipboard
• Clear clipboard
• Close all connections
• Copy file
• Delete file
• Delete key-log
• Delete registry key
• Delete registry value
• Download file
• Edit registry value
• Execute downloaded file
• Execute file
• Get all connections
• Get application list
• Get audio drivers list
• Get devices state list
• Get hardware information
• Get installed devices
• Get key-log information
• Get process list
• Get registry key list
• Get registry value list
• Get saved data on clipboard
• Get service list
• Get thumbnail
• Get webcam drivers
• Get webcam snapshot
• Open cmd
• Pause service
• PDG proxy start
• PDG proxy stop
• PDG screen stream start
• PDG screen stream stop
• Remote code execution
• Rename registry value
• Resume process
• Resume service
• Screen stream start
• Screen stream stop
• Set process priority
• SSL screen start
• SSL screen stop
• Start audio stream
• Start keylog stream
• Start service
• Start Wireless Access Point
• Stop audio stream
• Stop keylog stream
• Stop service
• Stop Wireless Access Point
• Suspend process
• Terminate process
• Uninstall application
• Uninstall service
• Upload file

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• dabm{BLOCKED}.wm{BLOCKED}.to

Stolen Information

This Backdoor sends the gathered information via HTTP POST to the following URL:

• https://213.{BLOCKED}.{BLOCKED}.96/recv7.php

Other Details

This Backdoor does the following:

• It terminates itself if the any of following processes is found:
  • aswidagent.exe
  • avastsvc.exe
  • avastui.exe
  • avgsvc.exe
  • avgui.exe
  • avp.exe
  • bdagent.exe
  • bdwtxag.exe
  • dwengine.exe
  • mpcmdrun.exe
  • msmpeng.exe
  • nissrv.exe
  • ollydbg.exe
  • procexp.exe
  • procexp64.exe
  • procmon.exe
  • procmon64.exe
  • windbg.exe
• It terminates itself when executed in the following Virtual Environments:
  • Kernel-based Virtual Machine
  • Microsoft Hypervisor
  • Parallels Hypervisor
  • VirtualBox
  • VMware
  • Xen Virtual Machine Manager
• It terminates itself if its file name is found similar to any of the following:
  • malware
  • sample
  • sandbox
• It gathers the following information:
  • Battery Information
    • Estimated Charge Remaining
    • Estimated Runtime
  • Computer Information
    • Domain
    • Last Bootup
    • Name
    • Uptime
    • Username
  • Desktop Monitor Information
    • Screen Height
    • Screen Width
  • Memory Information
    • RAM Capacity
    • RAM Manufacturer
    • RAM Speed
  • Network Adapter Configuration
    • MAC Address
    • LAN IP
  • OS Information
    • Architecure
    • Build Number
    • Language
    • Version
  • Processor Information
    • Max Clock Speed
    • Processor Name
  • Video Controller Information
    • Driver Version
    • Name