Home / malware Backdoor.Netduke
First posted on 01 August 2015.
Source: SymantecAliases :
There are no other names known for Backdoor.Netduke.
Explanation :
When the Trojan is executed, it checks to see if the computer has an AMD64 architecture before running. The Trojan also only runs on weekdays after April 3rd, 2015 and waits for a few minutes before starting.
Next, the Trojan creates the following registry entries: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"DisableFirstRunCustomize" = "1"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Check_Associations" = "no"
The Trojan then connects to a Twitter account for command-and-control (C&C) purposes. It uses an algorithm to generate the relevant Twitter URL every week. It swaps the capitalization of the Twitter URL each day to evade network detection services.
After connecting to the Twitter account, the Trojan searches through the account for a tweet with a hashtag and a link to another site, such as a GitHub account. The Trojan then follows this link to store the contents of this site, such as image files, on the computer's Temporary Internet Files cache in the following folders: %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\%UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\
The Trojan then decrypts encrypted data stored within the cached image files using the hashtag included in the tweet with the original link. The hashtag is presented in the following format: #[ENCRYPTED DATA OFFSET IN NUMBERS][PARTIAL DECRYPTION KEY]
Once this data is decrypted, the Trojan uses it to perform any of the following actions: Drop binary files to either the %UserProfile%\Application Data\Adobe or %Temp% folders and executes themRun PowerShell scriptExecute command line
The Trojan also removes the cached image files.Last update 01 August 2015