BKDR_LUMINOSITY.C

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %Application Data%\WinRAR\nwtray.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following file(s)/component(s):

• %Application Data%\WinRAR\nvvswc.exe(watchdog) - also detected as BKDR_LUMINOSITY.C

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following processes:

• svchost.exe
• AppLaunch.exe
• vbc.ex
• RegAsm.exe
• RegSvcs.exe

Autostart Technique

This backdoor modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
Load = "%Application Data%\WinRAR\nvvswc.exe"

(Note: The default value data of the said registry entry is "".)

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Downloads and executes arbitrary files
• Downloads and executes custom Crypto Miner
• Downloads custom password recovery tool
• Searches for files
• Performs DDOS
• Modifies HOSTS file to redirect hosts/URLs
• Visits arbitrary websites (browser can be hidden and have muted audio)
• Seeds torrent
• Updates itself
• Updates backup C&C
• Remotes Desktop Control
• Remotes shell
• Remotes Script
• Records audio using system's microphone
• Controls Webcam
• Uninstalls itself
• Executes/Terminates/Disables Task Manager
• Executes/Terminates/Disables Command Prompt
• Executes/Terminates/Disables Registry Editor
• Hides/Shows Taskbar
• Hides/Shows Desktop
• Opens/Closes CD-ROM door
• Turns on/off user's monitor
• Enables/Disables Keyboard
• Enables/Disables Mouse
• Swaps/Resets Mouse
• Deletes Restore points
• Enables/Disables input
• Logs off User
• Hibernates
• Shutdowns system
• Reboots System
• Performs network speed test
• Manage Files
• Manage Processes
• Gathers the following information:
  • Client Overview:
  • Client ID used
  • Country
  • Software Information:
  • User Privelege
  • Machine Name
  • Hardware Information:
  • Machine Type
  • CPU Information
  • GPU Information
  • RAM Information
  • Battery
  • Monitor Count
  • Network Information:
  • WAN address
  • Download Speed
  • LAN Address
  • MAC Address
  • Others:
  • Security information
  • Uptime
  • Active Windows
  • Current malware file location
  • Full OS version
  • Keystroke logs
  • Stored passwords

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• kelelumi77.{BLOCKED}s.net:6318

NOTES:

This malware is capable of proactively blocks anti-malware services by querying the installed anti-malware/firewall product in the system. Once an anti-malware/firewall is found, it terminates the corresponding anti-malware service/process.

It does not have rootkit capabilities.

It does not exploit any vulnerability.