ALIASES:

Gyplit, Afcore, Regsubdat

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet

KIRPICH is a family of backdoors that arrives via documents crafted to exploit vulnerabilities. It is also known as the RegSubDat botnet. Its name probably comes from its code being stored in an encrypted .DAT file, a design meant to keep both the binary component (the decrypter) and the .DAT file (the encrypted code) from being detected.

Once executed, KIRPICH downloads other malware such as ransomware, scareware, and clickware. Thus, it compromises the security of infected systems.

TECHNICAL DETAILS

Memory Resident: Yes
Payload: Drops files, Downloads files

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = "%User Profile%\Application Data\Microsoft\Messenger\SpeechEngines\xpmsgr.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = "%User Profile%\Application Data\Microsoft\Messenger\Plugin\msgslang.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = "%User Profile%\Application Data\Adobe\Plugins\AcroRd32Info.exe"
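
To triage this autostart entry offline, the following added example (not code from the original entry or from the vendor) parses a .reg export of a user's hive and flags any non-empty `load` value under that key, marking it as a KIRPICH match when the value points at one of the dropped binaries listed in the notes. The sample export, the user name `alice` and the profile path `C:\Documents and Settings\alice` are constructed.

```python
# Key in which KIRPICH writes its "load" autostart value (from the entry above).
AUTOSTART_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# Dropped binaries from the entry, relative to the user's profile, lower-cased for matching.
KIRPICH_BINARIES = {
    r"application data\microsoft\messenger\speechengines\xpmsgr.exe",
    r"application data\microsoft\messenger\plugin\msgslang.exe",
    r"application data\adobe\plugins\acrord32info.exe",
}

# Constructed .reg export (what "reg export" writes); backslashes are doubled in that format.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Documents and Settings\\alice\\Application Data\\Microsoft\\Messenger\\SpeechEngines\\xpmsgr.exe"
"run"=""
'''


def parse_reg_export(text):
    """Parse a .reg export into {key (lower-cased): {value name (lower-cased): string data}}.

    Only REG_SZ values written as "name"="data" are kept; the doubled backslashes of the
    export format are collapsed back to single ones.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                keys[current][name.strip('"').lower()] = data[1:-1].replace("\\\\", "\\")
    return keys


def check_load_value(keys):
    """Any non-empty "load" value is suspicious on XP-era systems; a path ending in one of
    the known dropped binaries is reported as a KIRPICH match."""
    load = keys.get(AUTOSTART_KEY.lower(), {}).get("load", "")
    if not load:
        return {"suspicious": False, "kirpich": False, "path": ""}
    normalized = load.lower().replace("/", "\\")
    matched = any(normalized.endswith(binary) for binary in KIRPICH_BINARIES)
    return {"suspicious": True, "kirpich": matched, "path": load}


if __name__ == "__main__":
    print(check_load_value(parse_reg_export(SAMPLE_EXPORT)))
```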

NOTES:

It drops the following binary components:

  • %User Profile%\Application Data\Microsoft\Messenger\SpeechEngines\xpmsgr.exe
  • %User Profile%\Application Data\Microsoft\Messenger\Plugin\msgslang.exe
  • %User Profile%\Application Data\Adobe\Plugins\AcroRd32Info.exe

It drops the following configuration files:

  • %Cookies%\winifg.dat
  • %Cookies%\wineck.dat
  • %Cookies%\winddh.dat
  • %Cookies%\winggf.dat

It drops the following encrypted code:

  • %Application Data%\Microsoft\Media Player\wmpaud1.wav
  • %Application Data%\Microsoft\Media Player\SOUND735.WAV
  • %Application Data%\Microsoft\Windows\Usrdpa.dat

It drops the following registry hive files:

  • %User Profile%\a.hiv
  • %User Profile%\b.hiv
  • %User Profile%\ha.hiv
  • %User Profile%\hb.hiv
  • %User Profile%\1.hiv
  • %User Profile%\2.hiv

It connects to any of the following C&C servers:

  • {BLOCKED}a-online.us:80
  • {BLOCKED}a.dyndns-ip.com:80
  • {BLOCKED}t.mynumber.org:443
  • {BLOCKED}dia-time.net