Backdoor.MSIL.ASYNCRAT.YXFGTZ

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. However, as of this writing, the said sites are inaccessible.

It gathers certain information on the affected computer.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following files:

• %Application Data%\System.exe → Copy of itself
• %User Temp%\tmp{4 Random Characters}.tmp.bat → Used to execute %Application Data%\System.exe and deletes itself

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%System%\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"%Application Data%\System.exe"' & exit → Created a scheduled task to execute its copy on startup, only executed when the process is run with Administrative privileges
• %User Temp%\tmp{4 Random Characters}.tmp.bat
• %Application Data%\System.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• AsyncMutex_6SI8OkPnk

Autostart Technique

This Backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
System = %Application Data%\System.exe → Only added if the process is executed normally

Other System Modifications

This Backdoor deletes the following files:

• %Application Data%\System.exe
• %User Temp%\tmp{4 Random Characters}.tmp.bat

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• ResetHosts → Replaces %System%\drivers\etc\hosts with %System%\drivers\etc\hosts.backup if the backup file exists and returns success result status
• weburl → Downloads a file as %User Temp%\tmp{Random}.tmp.{String from C2 server} and executes it
• ResetScale → Resets DPI settings and sends out a success message
• pong → Ping test with the C2 server
• klget → Sends the key logs and the hashed HWID
• Block → Copies %System%\drivers\etc\hosts as %System%\drivers\etc\hosts.backup if the backup file does not exist, appends "127.0.0.1 {String from C2 Server}" to %System%\drivers\etc\hosts, and adds the process "cmd.exe /c taskkill.exe /im chrome.exe /f."
• killps → Terminates processes specified by the C2 server
• savePlugin → Creates registry key HKEY_CURRENT_USER\Software\{Hashed HWID}\{Identifier} with its value set to the loaded DLL in bytes and executes a plugin from the C2 server
• setxt → Clears or sets the value of clipboard data depending on the value received from the C2 server
• gettxt → Extracts the clipboard data and sends it to the C2 server
• plugin → Executes a plugin from the C2 server if the registry entry HKEY_CURRENT_USER\Software\{Hashed HWID}\{Identifier} does not exist, otherwise it retrieves and executes the value of the said registry
• getscreen, uacoff, WDExclusion, KillProxy, Net35, Avast, anydesk, backproxy → Executes a plugin from the C2 server and returns result status
• Chrome, passload, Wallets, Fox, DicordTokens, WebBrowserPass → Sends the hashed HWID, executes a plugin from the C2 server, and returns result status

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• tcp://nightmare15.{BLOCKED}led.net
• tcp://lastofdr51.{BLOCKED}e.org

However, as of this writing, the said sites are inaccessible.

It attempts to communicate with its C&C server using the following ports: $DATA$

• 6606
• 7707
• 8808

Information Theft

This Backdoor gathers the following information on the affected computer:

• HWID = Hashed value of number of processor, username, machine name, OS version, OS architecture (32-bit or 64-bit), and total size of %System% directory
• User = User Name
• OS = Version and architecture of the operating system
• Path = Malware file path
• Admin = If malware is executed with Administrative privileges
• Performance = Current active window
• Antivirus = List of antivirus installed in the affected system
• LastTime = Last activity time of the affected system
• If the following cryptocurrency wallet and 2FA browser extensions exists in the affected system:
  • Brave
  • Authenticator
  • MetaMask
  • Phantom
  • Google Chrome
  • Authenticator
  • Binance
  • BitKeep
  • BitPay
  • CoinKeep
  • Exodus
  • MetaMask
  • Ronin
  • TronLink
  • Trust Wallet
  • Phantom
  • Microsoft Edge
  • Authenticator
  • Binance
  • MetaMask
  • Mozilla Firefox
  • MetaMask
  • Opera
  • MetaMask
  • Opera GX
  • MetaMask
• If the following cryptocurrency applications are installed in the affected system:
  • Ergo Wallet
  • Ledger Live
  • Atomic
  • Exodus
  • Electrum
  • Coinomi
  • Binance
  • Bitcoin Core

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other Details

This Backdoor does the following:

• If the malware is executed with Administrator privileges, it adds the following process:
  • "%System%\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"%Application Data%\System.exe"' & exit → Created a scheduled task to execute its copy on startup
• If the malware is not executed with Administrator privileges, It adds the following registry entry to enable its automatic execution at every system startup:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • System = %Application Data%\System.exe
• It prevents the system from sleeping.

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following scheduled tasks:

• If the malware is executed with Administrative privileges:
  • Name: System
  • Trigger: Runs every time any user logs on
  • Action: "%Application Data%\System.exe"

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)