Trojan:Win32/Barlaiy.A!dha
First posted on 10 November 2016.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Barlaiy.A!dha.
Explanation:
Installation
This trojan is dropped by another threat as the following file:
%APPDATA%\nx00615.ttf
Its hash value may vary because the dropper, detected as TrojanDropper:Win32/Barlaiy.A!dha, appends a large amount of randomly generated data to the end of the DLL file before dropping it.
It is executed by the dropper trojan using the legitimate Windows program rundll32.exe, which calls one of its export functions:
%SystemRoot%\system32\rundll32.exe %APPDATA%\nx00615.ttf, DisPlay 64
Upon execution, it deletes the dropper file.
It creates the following registry entries so that it executes at every startup:
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "nxdisp"
With data: "rundll32.exe %APPDATA%\nx00615.ttf, DisPlay 64"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "nxdisp"
With data: "rundll32.exe %APPDATA%\nx00615.ttf, DisPlay 64"
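As an added example (not part of the Microsoft write-up), the following Python hunts for the persistence pattern described above in a constructed set of Run/RunOnce entries: rundll32.exe loading a module from a user-writable location with a non-DLL extension, plus the specific value name and file name listed on this page. The OneDrive, NvBackend and shell32 entries are constructed benign samples used to show that the check does not flag ordinary rundll32 or autorun usage.

```python
import re
from typing import List, NamedTuple, Tuple


class AutorunEntry(NamedTuple):
    key: str
    value_name: str
    data: str


# Constructed sample of Run/RunOnce values; not a real system export.
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                 r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "nxdisp",
                 r"rundll32.exe %APPDATA%\nx00615.ttf, DisPlay 64"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "nxdisp",
                 r"rundll32.exe %APPDATA%\nx00615.ttf, DisPlay 64"),
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "NvBackend",
                 r'"C:\Program Files\NVIDIA\Update Core\NvBackend.exe"'),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Legit",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# Matches "rundll32[.exe] <module>,<export> [args]" and captures module and export.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(?P<module>"[^"]+"|\S+?)\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)

# Path fragments that indicate a location writable by an unprivileged user.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\", "\\temp\\")


def assess(entry: AutorunEntry) -> List[str]:
    """Return the reasons an autorun entry looks like Barlaiy-style persistence."""
    reasons = []
    if entry.value_name.lower() == "nxdisp":
        reasons.append("value name matches the Barlaiy persistence entry 'nxdisp'")
    m = RUNDLL32_RE.match(entry.data)
    if not m:                       # not a rundll32 launch; nothing more to check
        return reasons
    module = m.group("module").strip('"')
    low = module.lower()
    if low.endswith("nx00615.ttf"):
        reasons.append("module matches the Barlaiy dropped file nx00615.ttf")
    if not low.endswith(".dll"):    # a DLL disguised with a non-DLL extension
        reasons.append("rundll32 loads a module with non-DLL extension: " + low.rsplit(".", 1)[-1])
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("rundll32 module is stored in a user-writable location")
    return reasons


def hunt(entries: List[AutorunEntry]) -> List[Tuple[AutorunEntry, List[str]]]:
    """Return every entry that triggered at least one reason, with its reasons."""
    return [(e, r) for e in entries if (r := assess(e))]
```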
This trojan also contains code to register a window class and create a window with the following name:
TestWClass
It uses the created window as a mechanism to communicate with its other components.
Payload
Connects to multiple websites in stages
This trojan connects to an attacker-controlled forum, blog, or profile webpage on legitimate websites in order to retrieve embedded command-and-control (C&C) information to be used in the next stage. The C&C information is in encoded form.
This behavior makes this threat a multi-stage remote access trojan. The technique, sometimes referred to as the "dead drop resolver" technique, is used by malware authors to make the initial network activity look like legitimate network traffic. It also hides the actual C&C address inside a webpage controlled by the attacker, which means the attacker can update the C&C address at any time.
It then attempts to establish connection with the C&C node.
Additional information
This trojan creates the following mutex in order to make sure that only one instance is running on your PC:
win32_event_x86
Certain versions of this trojan also evade analysis by detecting tools such as resource monitors and debuggers, including:
- FileMon
- Immunity Debugger
- OllyDbg
- Process Monitor
- RegMon
- SoftICE Debugger
- WinDbg
When it detects that these tools are present, it stops running.
Analysis by Ramin Nafisi
Last update 10 November 2016