
Backdoor:Win32/Vawtrak


First posted on 04 May 2019.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:Win32/Vawtrak.

Explanation:

Installation

When run, this threat drops a DLL component in %ALLUSERSPROFILE%\AppData using a random file name with a DAT extension. Some of the file names it has been known to use are:

degwbxm.dat
dqxcovwm.dat
ejrtzpaz.dat
fvvifvwz.dat
iopwark.dat
uvfuvwog.dat
wthejcy.dat
xausgo.dat
zlbgqk.dat

The DLL file is then injected into a running process, for example, any of the following:

chrome.exe
explorer.exe
firefox.exe
iexplore.exe

This threat creates the following registry entry so that its DLL component automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: "regsvr32.exe /s "%ALLUSERSPROFILE%\AppData\<random file name>.dat""

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "bqbclrtr"
With data: "regsvr32.exe /s "C:\Documents and Settings\All Users\Application Data\qbclrtr.dat""

Payload

Changes Internet Explorer settings

This threat changes the following Internet Explorer settings:

Disables the home page warning message when Internet Explorer is opened for the first time:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "dword:00000001"

Sets tabs and frames to run within the same process in IE:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "TabProcGrowth"
With data: "dword:00000000"

Lowers Internet zone security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "dword:00000003"
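As an added example that is not part of the Microsoft write-up, the following Python flags the Run-key persistence and the three Internet Explorer changes listed above when run over registry entries supplied as (subkey, value name, data) tuples, such as a parsed .reg export. The sample entries are constructed from the examples in this write-up plus benign ones.

```python
import re

# Registry locations named in the write-up, hive prefix stripped, lower-cased.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
IE_MAIN = r"software\microsoft\internet explorer\main"
ZONE3 = r"software\microsoft\windows\currentversion\internet settings\zones\3"

# Run-key data of the form: regsvr32.exe /s "<path>\<name>.dat"
REGSVR32_DAT = re.compile(r'^regsvr32(?:\.exe)?\s+/s\s+"?[^"]+\.dat"?$', re.IGNORECASE)


def _dword(data):
    """Normalise DWORD data given as an int or as .reg-style 'dword:00000001'."""
    if isinstance(data, int):
        return data
    if isinstance(data, str) and data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return None


def find_indicators(entries):
    """entries: iterable of (subkey, value_name, data) tuples from a .reg export
    or a live registry walk. Returns one finding string per matching entry."""
    findings = []
    for subkey, name, data in entries:
        key = subkey.lower().split("\\", 1)[-1]  # drop HKCU\ or HKEY_CURRENT_USER\
        lname, dword = name.lower(), _dword(data)
        if key == RUN_KEY and isinstance(data, str) and REGSVR32_DAT.match(data.strip()):
            findings.append(f"run-key persistence via regsvr32 loading a .dat: {name} = {data}")
        elif key == IE_MAIN and lname == "noprotectedmodebanner" and dword == 1:
            findings.append("IE Protected Mode banner suppressed (NoProtectedModeBanner=1)")
        elif key == IE_MAIN and lname == "tabprocgrowth" and dword == 0:
            findings.append("IE tabs and frames forced into one process (TabProcGrowth=0)")
        elif key == ZONE3 and lname == "2500" and dword == 3:
            findings.append("Internet zone (Zones\\3) value 2500 set to 3 (security lowered)")
    return findings


# Constructed sample: the entries from the write-up plus two benign entries.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "bqbclrtr",
     r'regsvr32.exe /s "C:\Documents and Settings\All Users\Application Data\qbclrtr.dat"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner", "dword:00000001"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "TabProcGrowth", "dword:00000000"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page", "https://example.test/"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "2500", "dword:00000003"),
]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_ENTRIES):
        print(finding)
```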

Lets a malicious hacker access your PC

This backdoor threat contacts a malicious hacker by connecting to a certain server. Some of the servers it has been known to connect to are:

188.190.126.87
188.190.127.87
195.137.188.50
195.191.56.247
195.210.47.173
afg.com.tw
countdown.com.tw
miison.com.tw

Once connected, the malicious hacker can do any of the following:

Log your keystrokes
Take screenshots of your desktop
Open a remote command shell
Download and run files
Find out what processes are running in your PC
Get a list of your visited websites
Delete your browser cache
Delete files
Steal digital certificates saved in your PC
Steal IE and Firefox cookies
Start or stop processes like IE, Firefox, Outlook, Windows Explorer, Command prompt, and Task Manager
Change Firefox settings

Steal information

This backdoor threat can steal information such as your user names and passwords for certain websites. We have observed this threat stealing this information when you visit any of these websites:

caixaebanking.cgd.pt
chaseonline.chase.com

Note that the monitored websites can vary.

This threat also tries to steal cached passwords and keywords from Internet Explorer.

It also tries to steal stored user name and password information from these programs, which are mostly file transfer and email programs:

32BitFtp
3D-FTP
ALFTP
AceBIT
BitKinex
BlazeFtp
Bullet Proof FTP
COREFTP
CUTEFTP
ClassicFTP
CoffeeCup Software
Cryer
Cyberduck
DeluxeFTP
Directory Opus
EasyFTP
ExpanDrive
FFFTP
FTP CONTROL
FTP Commander
FTP Explorer
FTP Navigator
FTP++.Link
FTPGetter
FTPInfo
FTPNow
FTPRush
FTPShell
FTPVoyager
Far FTP Plugin
FastStone Browser
FileZilla
FlashFXP
Fling
FreshFTP
Frigate3
Global Downloader
GoFTP
Leapftp
LeechFTP
LinasFTP
Martin Prikryl
Mozilla Thunderbird
My FTP
NetDrive
NetSarang
NexusFile
Notepad++
NovaFTP
Odin
Pocomail
PuTTY
Remote Desktop
RimArts
Robo-FTP
SecureFX
SmartFTP
SoftX.org
Staff-FTP
TurboFTP
UltraFXP
Visicom Media
WS_FTP
WebDrive
WinFTP
WinZip FTP
Windows Commander
Windows Mail

The stolen credentials are then sent to the malicious hacker.

Prevents your AV software from running

This backdoor threat changes your software restriction policies so that certain AV software is prevented from running on your PC. If you have any of these AV products installed, they might not run as expected:

a-squared Anti-Malware
a-squared HiJackFree
Agnitum
Alwil Software
AnVir Task Manager
ArcaBit
AVAST Software
AVG
Avira
BitDefender
BlockPost
DefenseWall HIPS
DrWeb
ESET
F-Secure
FRISK Software
G Data
K7 Computing
Kaspersky Lab
Lavasoft
McAfee
Norton AntiVirus
Online Solutions
P Tools
Panda Security
Positive Technologies
Sandboxie
Security Task Manager
Spyware Terminator
Sunbelt Software
Symantec
Trend Micro
UAenter
Xore
Zillya Antivirus

Analysis by Ric Robielos and Vincent Tiu

Last update 04 May 2019
