
Backdoor:MSIL/Soybalek


First posted on 12 April 2016.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:MSIL/Soybalek.

Explanation:

Payload

Steals usernames, passwords, and other information

When successfully loaded by an Outlook Web Access (OWA) server, the threat logs the usernames and passwords used to sign in through OWA. In the wild, we have observed it use one of the following hardcoded file names for the log:

  • C:\log.txt
  • C:\Windows\Logs\HealthMailbox.dll
  • C:\Windows\Logs\HomeGroup.dll


Other components may steal the log files and send them to a remote attacker.
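A defender-side check built around the three hardcoded log names above, as an added example that is not part of Microsoft's write-up. It assumes a file listing has already been collected from the OWA server as (path, first bytes) pairs; the sample listing and its contents are constructed here for illustration.

```python
from pathlib import PureWindowsPath

# Hardcoded credential-log file names reported for Backdoor:MSIL/Soybalek.
SOYBALEK_LOG_PATHS = {
    r"C:\log.txt",
    r"C:\Windows\Logs\HealthMailbox.dll",
    r"C:\Windows\Logs\HomeGroup.dll",
}
_KNOWN = {p.lower() for p in SOYBALEK_LOG_PATHS}


def classify_path(path):
    """Return a finding label for a Windows path, or None if it is unremarkable."""
    p = PureWindowsPath(path)
    if str(p).lower() in _KNOWN:
        return "known-soybalek-log-name"
    # Heuristic: C:\Windows\Logs holds text logs, so a .dll directly inside it
    # is out of place and matches the masquerade pattern used by this family.
    if p.suffix.lower() == ".dll" and str(p.parent).lower() == r"c:\windows\logs":
        return "dll-in-logs-dir"
    return None


def looks_like_pe(head):
    """A genuine DLL begins with the 'MZ' DOS header; a text credential log does not."""
    return head[:2] == b"MZ"


def scan(entries):
    """entries: iterable of (path, first_bytes). Returns [(path, label), ...]."""
    findings = []
    for path, head in entries:
        label = classify_path(path)
        if label is None:
            continue
        # A '.dll' name whose content is not a PE image is a stronger signal.
        if path.lower().endswith(".dll") and not looks_like_pe(head):
            label += "+not-a-pe"
        findings.append((path, label))
    return findings


# Constructed sample listing (hypothetical paths and contents, not real data).
SAMPLE_LISTING = [
    (r"C:\Windows\Logs\HealthMailbox.dll", b"CONTOSO\\jdoe:Sample#Pass1\r\n"),
    (r"C:\Windows\Logs\CBS\CBS.log", b"2016-04-12 10:00:00, Info  CBS  Loaded"),
    (r"C:\Windows\System32\kernel32.dll", b"MZ\x90\x00\x03\x00\x00\x00"),
    (r"C:\log.txt", b"CONTOSO\\asmith:Sample#Pass2\r\n"),
    (r"C:\Windows\Logs\Other.dll", b"MZ\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE_LISTING):
        print(f"{label:35} {path}")
```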

The threat can also perform the following actions:
  • Enumerate local drives
  • Get DirectoryInfo from specific directories
  • Delete a specific directory
  • Write to a file
  • Copy an entire directory into another
  • Change the creation time of a specified file or directory
  • Send an HTTP GET request to a specified URI
  • Run a specified file
  • Run a specified SQL query




Analysis by Mathieu Letourneau

Last update 12 April 2016

 
