Rootkit.Win64.FETNILTER.A
Trojan:Win64/Retliften.A (MICROSOFT)
Windows
Threat Type: Rootkit
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Rootkit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.
It connects to a website to send and receive information. However, as of this writing, the said sites are inaccessible.
TECHNICAL DETAILS
Arrival Details
This Rootkit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be dropped by the following malware:
Other System Modifications
This Rootkit adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\ROOT\Certificates\
FEF8C731E0E7B3D13E221C7595BE3EA270B58863
Blob = {certificate data blob}
Backdoor Routine
This Rootkit connects to the following websites to send and receive information:
- http://{BLOCKED}.{BLOCKED}.4.180:2081/u
- Query configuration information
- http://{BLOCKED}.{BLOCKED}.4.180:2081/p
- Request for proxy settings to be written in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
- http://{BLOCKED}.{BLOCKED}.4.180:2081/s
- Query list of target IP addresses that will redirect to {BLOCKED}.{BLOCKED}.10.244:{BLOCKED} upon connection
- http://{BLOCKED}.{BLOCKED}.4.180:2081/h?
- Ping C2
- http://{BLOCKED}.{BLOCKED}.4.180:2081/c
- Query root certificate to be written in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\
- http://{BLOCKED}.{BLOCKED}.4.180:2081/v?v={Number}&m={Hash}
- Updates itself to latest version
However, as of this writing, the said sites are inaccessible.
Other Details
This Rootkit adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\ROOT\Certificates\
FEF8C731E0E7B3D13E221C7595BE3EA270B58863
It does the following:
- It must be registered kernel driver service to continue with its malicious routine.
SOLUTION
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 4
Disable this malware service
- netfilter
Step 5
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FEF8C731E0E7B3D13E221C7595BE3EA270B58863
- Blob = {certificate data blob}
- Blob = {certificate data blob}
Step 6
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FEF8C731E0E7B3D13E221C7595BE3EA270B58863
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netfilter
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as Rootkit.Win64.FETNILTER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.