Backdoor.Win32.REMCOS.YABCR

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following copies of itself into the affected system:

• %Application Data%\IDMComp\UltraEdit\autorec\SyncHost.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %User Temp%\Takeup
• %User Temp%\SpanielPolymorph.dll
• %User Temp%\{Random Characters}.lnk -> points to %Application Data%\IDMComp\UltraEdit\autorec\SyncHost.exe
• %Windows%\Tasks\SyncHost.job
• %Application Data%\remcos\logs.dat -> contains the stolen information

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It drops the following non-malicious files:

• %User Temp%\releases\bot-trap\glimpse\delegates.xml
• %User Temp%\releases\bot-trap\glimpse\kbarticle.xml
• %User Temp%\releases\bot-trap\glimpse\x-cobol.xml
• %User Temp%\releases\bot-trap\glimpse\clstencilui.dll
• %User Temp%\releases\bot-trap\glimpse\sbsVsaVb7rt.dll
• %User Temp%\releases\bot-trap\glimpse\org.gnome.Logs.gschema.xml
• %User Temp%\magazine\arts\crtowordsde.dll
• %User Temp%\magazine\arts\dumpbin.exe
• %User Temp%\magazine\arts\vswebdesignedui.dll
• %User Temp%\m\remote-browser.xml
• %User Temp%\m\tcprops.dll
• %User Temp%\cv\24.opends60.dll
• %User Temp%\cv\sqlleUI.dll
• %User Temp%\cv\DbgUrtMnu.dll
• %User Temp%\cv\pgort80ui.dll
• %User Temp%\cv\spro5000.xml
• %User Temp%\cv\iptables-xml
• %User Temp%\cv\gif.xml
• %User Temp%\cv\ConmanClient2.exe
• %User Temp%\zoom\02\ConmanClient2.exe
• %User Temp%\zoom\02\x-pagemaker.xml

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\rundll32.exe TubeHygrostat,Xerophytes
• "%System%\cmd.exe"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Mutex_RemWatchdog
• Remcos_Mutex_Inj

Other System Modifications

This Backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Remcos-YAKX39
exepath = {Hex Values}

HKEY_CURRENT_USER\Software\Remcos-YAKX39
licence = {Hex Values}

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Open and Close Camera
• Download and Upload Files
• Enumerate Files
• Execute Files
• Delete Files
• Rename Files
• Change File Attributes
• Start and Stop Keylogger
• Retrieve and Clear login data and cookies from the following web browsers:
  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
• Play, Pause, and Stop an Alarm
• Play, Pause, Stop, and Record Audio
• Change Desktop Wallpaper
• Enumerate Running Processes
• Create and Terminate Processes
• Manage Registry Keys and Entries (Create, Enumerate, Modify, and Delete)
• Manage Services (Create, Enumerate, Modify, Start, Stop, and Delete)
• Create Image
• Save Image
• Screen Capture user's desktop
• Set, Copy, and Clear Clipboard Data
• Restarts the affected machine
• Sleeps the affected machine
• Logs off the affected machine
• Shutdown the affected machine
• Pop-up a Messagebox

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• veintiunoremco.{BLOCKED}s.org

Information Theft

This Backdoor gathers the following data:

• Computer Name
• Username
• Windows Architecture (32-bit or 64-bit)
• Locale Info
• User Privileges (Admin or not)
• Clipboard Data
• Keyboard Input
• Mouse Activity
• User Keystrokes
• User Activity (Idle Time)
• Memory Information
• System Drive Information

Other Details

This Backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\Remcos-YAKX39

It does the following:

• This Backdoor changes the file attributes of its dropped file to Hidden

It adds the following scheduled tasks:

• Name: SyncHost
  Trigger: After triggered, repeat every 00:04:00 for a duration of 1 day
  Action: Start a program %Application Data%\IDMComp\UltraEdit\autorec\SyncHost.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)