
Backdoor.Proxyback


First posted on 30 December 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Proxyback.

Explanation:

When this Trojan is executed, it creates the following mutexes:
PB_SN_MUTEX_GL_F348B3A2387
PB_MAIN_MUTEX_GL_63785462387
PB_SCH_MUTEX_GL_A58B78398f17

The Trojan then creates the following copies of itself:
%UserProfile%\Application Data\[FOUR UPPERCASE LETTERS]\[EXISTING .EXE FILE NAME][VARIABLE ONE].exe
%UserProfile%\Application Data\[FOUR UPPERCASE LETTERS]\nt[EXISTING .EXE FILE NAME].exe

Note: [VARIABLE ONE] can be any of the following: cen, center, -center, _center, control, -cntr, _cntr, ctrl, _ctrl, -ctrl, -mntr, _mntr, mon, _mon, -mon, monitor, -monitor, _monitor, patch, _patch, patcher, -patcher, _patcher, _service, -service, _svc, -svc, upd, _upd, -update, _update, updater, -updater, _updater

The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows DCOM Server Process Launcher" = "%UserProfile%\Application Data\[FOUR UPPERCASE LETTERS]\[EXISTING .EXE FILE NAME][VARIABLE ONE].exe"

The Trojan also creates the following registry entry to add itself to the Authorized Apps list in the firewall settings:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%UserProfile%\Application Data\[FOUR UPPERCASE LETTERS]\[EXISTING .EXE FILE NAME][VARIABLE ONE].exe" = "%UserProfile%\Application Data\[FOUR UPPERCASE LETTERS]\[EXISTING .EXE FILE NAME][VARIABLE ONE].exe:*:Enabled:Windows DCOM Server Process Launcher"

Next, the Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Mnto2\"h" = "7fc"
HKEY_CURRENT_USER\Software\Mnto2\"hl" = "Base64 string"
HKEY_CURRENT_USER\Software\Mnto2\"name" = "Windows DCOM Server Process Launcher"
HKEY_CURRENT_USER\Software\Mnto2\"cat" = "[FOUR UPPERCASE LETTERS]"
HKEY_CURRENT_USER\Software\Mnto2\"chk" = "[EXISTING .EXE FILE NAME][VARIABLE ONE].exe"
The Trojan then checks for the OS version on the compromised computer.

Next, the Trojan tries to connect to one of a list of command and control (C&C) servers.

The Trojan may then perform the following actions:
Update itself
Download files
Execute commands
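The host artifacts above (mutex names, drop-path pattern, Run key, firewall allow-list entry, Mnto2 config key) can be turned into a small triage matcher. The following is an added example, not Symantec's code; it runs over constructed sample strings of the kind a registry export, handle listing or file inventory would yield, and treats the directory letters as uppercase exactly as the write-up states.

```python
import re

# [VARIABLE ONE] suffixes from the write-up; longest first so "updater" is tried before "upd".
SUFFIXES = sorted([
    "cen", "center", "-center", "_center", "control", "-cntr", "_cntr", "ctrl",
    "_ctrl", "-ctrl", "-mntr", "_mntr", "mon", "_mon", "-mon", "monitor",
    "-monitor", "_monitor", "patch", "_patch", "patcher", "-patcher", "_patcher",
    "_service", "-service", "_svc", "-svc", "upd", "_upd", "-update", "_update",
    "updater", "-updater", "_updater"], key=len, reverse=True)
SUFFIX_ALT = "|".join(re.escape(s) for s in SUFFIXES)

# Dropped copies: ...\Application Data\<4 uppercase>\<name><suffix>.exe or ...\nt<name>.exe
COPY_PATH = re.compile(
    r"\\Application Data\\[A-Z]{4}\\(?:[^\\]+(?:" + SUFFIX_ALT + r")|nt[^\\]+)\.exe$")
MUTEXES = {"PB_SN_MUTEX_GL_F348B3A2387", "PB_MAIN_MUTEX_GL_63785462387",
           "PB_SCH_MUTEX_GL_A58B78398f17"}
RUN_VALUE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
    r'"Windows DCOM Server Process Launcher"', re.I)
FIREWALL_VALUE = re.compile(
    r"\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\.*"
    r":\*:Enabled:Windows DCOM Server Process Launcher", re.I)
CONFIG_KEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\Mnto2\\", re.I)

def classify(artifact):
    """Return the Proxyback indicator labels that one artifact string matches."""
    hits = []
    if artifact in MUTEXES:
        hits.append("mutex")
    if COPY_PATH.search(artifact):
        hits.append("dropped-copy")
    if RUN_VALUE.search(artifact):
        hits.append("run-key")
    if FIREWALL_VALUE.search(artifact):
        hits.append("firewall-allow")
    if CONFIG_KEY.search(artifact):
        hits.append("config-key")
    return hits

def scan(artifacts):
    """Map each matching artifact to its labels; unmatched artifacts are dropped."""
    report = {}
    for artifact in artifacts:
        hits = classify(artifact)
        if hits:
            report[artifact] = hits
    return report

SAMPLE = [  # constructed sample artifacts, not taken from a real host
    "PB_MAIN_MUTEX_GL_63785462387",
    r"C:\Documents and Settings\alice\Application Data\QWER\notepad_updater.exe",
    r"C:\Documents and Settings\alice\Application Data\QWER\ntnotepad.exe",
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows DCOM Server Process Launcher" = "C:\x.exe"',
    r'HKEY_CURRENT_USER\Software\Mnto2\"name" = "Windows DCOM Server Process Launcher"',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\x.exe" = "C:\x.exe:*:Enabled:Windows DCOM Server Process Launcher"',
    r"C:\Program Files\Vendor\updater.exe",  # benign: not under the dropper's directory
    "MSCTF.Shared.MUTEX.ABC",  # benign mutex
]

if __name__ == "__main__":
    for artifact, labels in scan(SAMPLE).items():
        print(", ".join(labels), "<-", artifact)
```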

Last update 30 December 2015
