Backdoor.MSIL.CARBANAK.AA

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following files:

• server.sqlite - SQLite database

Other Details

This Backdoor requires the following additional components to properly run:

• {Malware filepath}\private.key
• {Malware filepath}\System.Data.Sqlite.DLL
• {Malware filepath}\config_server.xml - server configuration and client to connect.

It does the following:

• It requires password coming from its command manager/ host before it can accepts specific parameters.
• It displays the following upon execution:
  

It accepts the following parameters:

• video (off){optional} VideoName [ProcessName] = command video off disables video recording
• download [user$Username] {url | plugin name}
• {stops | starts | without paramenter} ammyy
• update [cold | hot ] plugin name (updates)
  • If cold (hot update) is not specified, then the specified update is loaded, the file is replaced at startup (service) and starts,
  • at the same time, the current bot is shutting down
  • If cold is specified, the specified update is loaded and the file is replaced in autoload (service)
  • update will take effect only after reboot
• updklgcfg = loading configuration file from admin for keyloger
• httpproxy = http proxy server on the specified port is enabled
• killos = OS is not bootable after reboot
• tunnel port {server | http | ip:port} = where:
  • port - port number that opens for connection from another bot
  • server - traffic is redirected to the server with which we connect this bot
  • http - http proxy is created to access the admin panel
  • ip:port - all traffic is redirected to the specified address
• adminka (http, https, socks5) ip:port [del, proxy authorization] = if the del parameter is specified, the proxy settings are removed and the bot connects directly
• server [force] ip:port [ip:port] [ip:port] = Specifies which ip to communicate with the server
• user {create | delete} username = creates or deletes a user with rights for RDP
• rdp {file | mem} = includes rdp on this computer (file - makes edits to the system files on the disk, as a result, after the reboot, the RDP will be enabled
• mem - edits are made only in memory)
• secure lsa plugin_name= loads and registers dll bot in HKLM\System\CurrentControlSet\Control\Lsa -v "Notification Packages"
• del {service | file} {service name | file name} = deletes the specified service or file
• startcmd any command with arguments = saves the command specified in the arguments in the bot settings and this command will be executed after the reboot
• runmem [user$Username] {url | plugin name} = file will be launched on behalf of the specified user
• logonpasswords {server | adminka} = removes logins and passwords using the mimikatz library, the result is sent to the admin area or the server
• screenshot [user$Username] [server|adminka] = screenshots/full_screen
• dupl {keylog | screenshot} [stop] = duplicates data sent to the admin in the bot folder files
• findfiles path mask {adminka|server|adminka_server} name = search for files by the mask mask in the path folder
• vnc {port | stop} = loads the vnc.plug plugin from the admin panel and starts the vnc session on the specified port, if the stop argument is specified, then the vnc session is closed
• runfile [user$Username] {file path} = runs the specified file
• killbot = self-destruction of the bot