BackDoor.Mikroceen.11

Packer: absent

Compilation date : 06:45:11 14.01.2019

SHA1 hash :

• 2930efc03e958479568e7930f269efb1e2bcea5a

Description

BackDoor.Mikroceen.11 is a backdoor written in C++ and designed for 64-bit versions of the Microsoft Windows operating systems. Upon installing, it connects to the C&C server directly or using the proxy server and begins executing attackers’ commands. It can collect information about the infected computer and execute commands, redirecting the output of the command shell to the control server. It was used in targeted attacks [link to the study] on state institutions in Kazakhstan and Kyrgyzstan. In both incidents, this malware was installed on the domain controller.

Operating routine

The backdoor file represents a dynamic library with the single NwsapServiceMain export function. The sample in question was installed on the system as a service and located in the c:\windows\system32\nwsapagent.dll directory.

During the operation, it maintains an event log, which is stored in the %TEMP%\\WZ9Jan10.TMP file. The messages in this log are obfuscated, and their possible variants are shown below:

• WvSa6a7i — launch of the trojan;
• Dfi1r5eJ — direct connection to the C&C server;
• PVrVoGx0 — connection to C&C server through previously defined proxy server;
• Q29uUHJv — connection error;
• 10RDu6mf — proxy server connection error;
• 8sQqvdeX:%d — an error receiving the data from the C&C server;
• Lw3s1gMZ — proxy server connection error;
• IsEArF1k — successful connection;
• CcFMGQb8 %s:%d — connection to the proxy server, recorded in the netlogon.cfg;
• RWehGde0 %s:%d — — connection to the proxy server, received through the WZ9Jan10.TMP file parsing;
• PV2arRyn %s:%d — connection to the proxy server, found through the tcptable;
• W560rQz5 — SSL connection establishing.

All the relevant data, such as the C&C server address, is encrypted with a simple addition operation of the value with each byte of the string. The decrypting fragment is shown below:

for ( i = 0; i < lstrlenA(v4); ++i )
v4[i] += 32 - i;

BackDoor.Mikroceen.11 tries to directly connect to the C&C server. If failed, it tries to connect through the proxy server.

The connection is established when the trojan knows the proxy server address. Otherwise, it reads the %WINDIR%\\debug\\netlogon.cfg file, which must contain the IP:port line.

If the netlogon.cfg file is missing, or the trojan failed to connect to the address listed in it, the trojan reads the line from its own log file and parses IP:port from it.

If there is no connection, the trojan parses information about current connections and searches the connection with the MIB_TCP_STATE_ESTAB status and the following ports of the remote host: 80, 8080, 3128, 9080. Among the selected connections, it searches for the IP address from the following subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. The suitable address found is used as a proxy server address.

After successfully connecting, the trojan collects information about the infected system and fills the following structure:

#pragma pack(push, 1)
struct st_info
{
  _WORD osproducttype;
  _WORD processorarch;
  _DWORD osservicepackmajor;
  _DWORD osvermajor;
  _DWORD osverminor;
  _DWORD default_lcid;
  _DWORD dword30001; // 30001
  char id[16]; // "wsx"
  char ip[16];
  char hostname[32];
};
#pragma pack(pop)

BackDoor.Mikroceen.11 sends this information to the C&C server and waits for the reply. When exchanging commands, the text protocol is used, and the names of the commands are obfuscated. The list of commands is shown in the table below:

#pragma pack(push, 1)
        struct st_drive_info
        {
          char cmdid[9]; // "fqbnWkSA"
          _WORD disks_count;
          _DWORD disk_types[disks_count];
        }
        #pragma pack(pop)