Backdoor.MSIL.PLASMA.AB

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following copies of itself into the affected system:

• With Admin rights:
  • %System%\Paypal
• Without Admin rights:
  • %ProgramData%\Paypal

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 4919245

Autostart Technique

This Backdoor adds the following Winlogon registry entry/entries to enable automatic execution at a specific Winlogon event:

HKEY_CURRENT_USER\Software\Microsoft\
WindowsNT\CurrentVersion\Winlogon
shell = explorer.exe,\{file path}\

Other System Modifications

This Backdoor deletes the following files:

• {Executable path}:Zone Identifier

Backdoor Routine

This Backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

• zeykoo.{BLOCKED}o.org:3389

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

• RECONNECT: restarts connection
• seed: seeds torrent using one of the following clients
  • Vuse
  • BitTorrent
  • uTorrent
• miner.start: downloads, installs a miner and starts mining by injecting into one of the following processes
  • cvtres.exe
  • vbc.exe
  • csc.exe
  • ngen.exe
• miner.stop: terminates the miner
• miner.gpu.start: if not windows XP: downloads, installs a miner and starts GPU mining by injecting into one of the following processes
  • csc.exe
  • vbc.exe
• miner.reset: resets the miner
• miner.gpu.stop: terminates the gpu miner
• FileManager:
  • keylogger.send: uploads keylogs
  • keylogger.delete: empties keylogs file
  • keylogger.search: searches for specific string in the logger and uploads when found
  • download: downloads and executes a file
  • updatebot: updates the bot
  • visit: visits a specified website
  • ddos.slowloris.start: starts Slowloris DDOS attack on a specified host
  • ddos.arme.start: starts arme DDOS attack on a specified host
  • ddos.posthttp.start: starts post http DDOS attack on a specified host
  • ddos.httpget.start: starts get http DDOS attack on a specified host
  • ddos.bwflood.start: starts BW DDOS attack on a specified host
  • ddos.udp.start: starts UDP flood DDOS attack on a specified host
  • ddos.condis.start: starts Condis DDOS attack on a specified host
  • host: adds a host
  • .avdetails: gathers and uploads AVdetails and Firewall details
  • ftp: gathers and uploads ftp data connections
  • browsers: gathers and uploads login credentials
  • info: gathers and uploads executable path details
  • pcspecs: gathers and uploads CPU, GPU, RAM details
  • shells: executes a shell commands
  • removebot: uninstalls itself in the system
• mute: toggle mute flag
• inject:
  • reflect: injects code to itself
  • runpe: injects code to vbc.exe
• .stop:
  • udp: stops UDP flood DDOS attack
  • arme: stops arme DDOS attack
  • slowloris: stops slowloris DDOS attack
  • httpget: stops get http DDOS attack
  • bwflood: stops BW DDOS attack
  • posthttp: stops post DDOS attack
  • condiss: stops condis DDOS attack
• botkiller:
  • hardbk: modifies the permissions of the following and its contents
  • HKEY_Current_User\software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_Current_User\software\Microsoft\Windows\CurrentVersion\RunOnce
  • %UserStartup%
  • enable: enables hardbk proactively
  • disable: disables hardbk proactively
  • run: flag to terminate processes and modify startup items

Process Termination

This Backdoor terminates the following processes if found running in the affected system's memory:

• arcavir
• avast
• avg
• avira
• bkav
• bullguard
• emsisoft
• anti-malware
• eset
• nod32
• f-prot
• f-secure
• gdata
• ikarus
• k7
• kaspersky
• lavasoft
• adaware
• malwarebytes
• mcafee
• security
• norman
• norton
• outpost
• panda
• firewall
• antivirus
• antimalware
• antispyware
• anti-spyware
• rising
• sophos
• trend
• vipre
• webroot
• defender
• zomealarm
• comodo
• agnitum
• ahnlab
• antiy
• bytehero
• quickheal
• clamav
• commtouch
• drweb
• fortinet
• jiangmin
• kingsoft
• microworld
• nano
• nprotect
• pctools
• symantec
• thehacker
• totaldefense
• trendmicro
• vba32
• checkpoint
• tuneup
• spybot
• iobit
• keyscrambler
• zoner
• vipre
• virusbuster
• virus
• nano
• immunet
• antivirus
• solo
• escan
• combofix
• hijackthis
• onlinescanner
• roguekiller
• spybot
• blacksheep

Dropping Routine

This Backdoor drops the following file(s), which it uses for its keylogging routine:

• %Application Data%\DllHost.ini

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\VB abd VBA Program Settings\
Microsoft\Sysinternals
PROCID = {random number between 1000 and 9999}

It deletes itself after execution.

It checks if the following virtual machine or sandbox related module(s) is loaded in the affected system:

• virtual
• vmware
• parallels
• vm additions