Trojan:Win32/Detrahere
First posted on 15 February 2019.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Detrahere.
Explanation:
Arrival
This malware's main dropper can come bundled with freeware or shareware installers. It may also be installed by InstallCore, a potentially unwanted application (PUA). It may disguise itself as a device driver, often a Bluetooth driver.
Installation
All components are dropped and installed by a single main executable. Each component, in all of its versions, is stored in a password-protected .zip archive embedded as a resource of that executable.
To run its malicious routines, the main executable typically has to be launched with the command-line parameter -insta. Only then does it begin extracting and installing the components one by one.
First, it unpacks and runs the msidntld component, a modified NetFilter service executable. This component installs the threat's own root certificate into the Windows trusted root store, which most browsers rely on; for Firefox and Opera, which keep their own certificate stores, it installs the root certificate into those browsers' stores as well. The same component contacts the command-and-control (C&C) servers and injects script tags into web traffic.
It then unpacks and installs the NetFilter driver. The package ships six builds of this driver and installs the one that fits the host: 32- and 64-bit builds for Windows XP, 7, and 8. Because the OS requires kernel drivers to be digitally signed, the threat's drivers are signed, but with an expired certificate.
The certificate used by these drivers was issued for "Handan City Congtai District LiKang Daily Goods Department" by Thawte Code Signing CA - G2, Thawte, Inc., US, valid between Thursday, June 27, 2013 4:00:00 p.m. and Saturday, June 28, 2014 3:59:59 p.m., with thumbprint 62 c5 1f 2d 23 70 ff 72 5b 6f 06 cf c5 05 43 b2 0e 14 f1 26.
The driver doesn't appear to have been altered, and it serves the purpose of enabling real-time network traffic inspection and injection.
The main executable then drops and installs the radardt driver, which also comes in 32- and 64-bit builds installed according to the OS version. The 32-bit build is protected with VMProtect.
The radardt driver is a rootkit that blocks access to researcher tools and to executables belonging to antivirus products. It does this by checking process images against comprehensive lists of vendor executable names and code-signing company names. It deliberately avoids blocking browsers and other applications known to display ads fetched over HTTP, since those are where its ad injection takes effect.
The last component is a service called windowsmanagementservice, which is dropped in the %TEMP% folder and registered as a system service. Although it bundles a large amount of library code for HTTP, HTTPS, FTP and SMTP communication, it appears to be under heavy development and does not yet make use of most of those capabilities.
Some more recent versions omit this last component. Instead they install another driver, udisk, again in 32- and 64-bit builds and signed with the same certificate. This driver provides direct access to disk devices, including the MUP, HGFS, and LanmanRedirector devices (the Multiple UNC Provider, the VMware host-guest file system, and the SMB client redirector). This addition may indicate a shift in the attackers' goals, or simply an effort to gain more control over the infected computer.
After everything is installed, the threat checks for installed antivirus software. If it finds an active AV product, it triggers a system restart; after the reboot its components load and prevent the AV software from running.
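The installation chain above leaves several host artifacts that an incident responder can look for: service and driver entries with the component names, a service image under %TEMP%, driver images signed with the quoted Thawte-issued certificate, and an attacker-added root certificate. The following PowerShell triage script is an added example, not part of the Microsoft write-up or of the malware's own code. It assumes, which the page does not state, that the component names are used verbatim as service, driver and file names, that the thumbprint given above is the one to match (spaces removed), and that it is run from an elevated prompt on the host being examined; the 90-day recency window for root certificates is a heuristic chosen here, not a documented property of the threat.

```powershell
# Added triage script (not from the Microsoft write-up): hunts for the Detrahere
# installation artifacts described above on a live Windows host.
# Assumptions, not stated on the page: component names are used verbatim as
# service/driver/file names; run from an elevated PowerShell prompt.

# Thumbprint of the Thawte-issued certificate quoted in the write-up (spaces removed).
$KnownBadThumbprint = '62C51F2D2370FF725B6F06CFC50543B20E14F126'
$KnownBadSubject    = 'Handan City Congtai District LiKang Daily Goods Department'
# 'netfilter' also matches the legitimate NetFilter SDK driver; review hits by hand.
$ComponentNames     = @('msidntld', 'radardt', 'windowsmanagementservice', 'udisk', 'netfilter')

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Category, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# Service/driver PathName values come in several shapes:
#   \SystemRoot\system32\drivers\x.sys, system32\DRIVERS\x.sys, \??\C:\...\x.sys,
#   "C:\Program Files\x.exe" -arg.  Normalise them to a plain file path.
function Resolve-ImagePath([string]$PathName) {
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $m = [regex]::Match($PathName, '^"?(?<p>[^"]+?\.(?:exe|sys|dll))"?', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    $p = $m.Groups['p'].Value
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Services and kernel drivers: known component names, and any service whose
#    image lives under a Temp directory (windowsmanagementservice is dropped in %TEMP%).
$Entries = @(Get-CimInstance Win32_SystemDriver) + @(Get-CimInstance Win32_Service)
foreach ($e in $Entries) {
    $image = Resolve-ImagePath $e.PathName
    foreach ($c in $ComponentNames) {
        if ($e.Name -like "*$c*" -or $image -like "*$c*") {
            Add-Finding 'KnownComponentName' "$($e.Name) -> $image"
        }
    }
    if ($image -match '(?i)\\Temp\\') {
        Add-Finding 'ServiceImageInTemp' "$($e.Name) -> $image"
    }

    # 2. Authenticode signer of each image: the NetFilter and udisk drivers carry
    #    the same expired Thawte-issued certificate, so match on thumbprint or subject.
    if ($image -and (Test-Path -LiteralPath $image)) {
        $sig  = Get-AuthenticodeSignature -FilePath $image
        $cert = $sig.SignerCertificate
        if ($cert -and ($cert.Thumbprint -eq $KnownBadThumbprint -or $cert.Subject -like "*$KnownBadSubject*")) {
            Add-Finding 'KnownBadSigner' "$image signed by '$($cert.Subject)' ($($cert.Thumbprint)), expires $($cert.NotAfter.ToShortDateString()), status $($sig.Status)"
        }
    }
}

# 3. Root certificate stores: the threat adds its own root so injected scripts
#    survive HTTPS. Heuristic (an assumption of this script): a root that is not
#    in the Microsoft-managed AuthRoot store and was issued recently deserves a look.
$AuthRoot = @(Get-ChildItem Cert:\LocalMachine\AuthRoot | ForEach-Object Thumbprint)
$Cutoff   = (Get-Date).AddDays(-90)
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem $store) {
        if ($AuthRoot -notcontains $cert.Thumbprint -and $cert.NotBefore -gt $Cutoff) {
            Add-Finding 'RecentNonAuthRootCA' "$store : '$($cert.Subject)' issued $($cert.NotBefore.ToShortDateString()) ($($cert.Thumbprint))"
        }
    }
}

if ($Findings.Count -eq 0) { 'No Detrahere indicators found.' } else { $Findings | Format-Table -AutoSize -Wrap }
```

Run it before attempting any cleanup: if radardt is loaded, it may be blocking the very AV and analysis tools you would otherwise reach for, so a PowerShell-only check is a useful first pass. A KnownBadSigner hit is the strongest indicator; the root-certificate heuristic will also surface legitimately added enterprise roots, so compare those against the organisation's PKI before acting. Firefox and Opera keep their own certificate stores, which this script does not read; check those profiles separately if the Windows stores come up clean.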
Payload
This threat can intercept all network traffic on the machine. It does this primarily to inject ads. However, we have observed that the malware's code is continuously being improved, with new features added every month, which means the attackers could repurpose it at any time.
Analysis by: Danut Antoche-Albisor
Last update 15 February 2019