Backdoor:MSIL/Sorcas.A
First posted on 14 August 2018.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:MSIL/Sorcas.A.
Explanation:
Arrival
We have observed this backdoor being downloaded from hxxp://iqhost[.]us:99/a[.]zip.
It is installed as %Windows%\IME\svchost.exe. The file name mimics the legitimate svchost.exe, which normally runs only from %Windows%\System32 (or %Windows%\SysWOW64); an svchost.exe under %Windows%\IME is not a Windows component.
Autostart technique
This backdoor is installed as a service named "gpmsvc" using InstallUtil.exe, the installer tool shipped with the .NET Framework Tools, so it starts automatically with Windows.
Backdoor capabilities
When run, it connects to the server hxxps://iqhost.us:3389/. Port 3389 is normally used by Remote Desktop, so an outbound TLS connection to it from a process named svchost.exe is itself unusual. It then waits for and executes commands from that server, including but not limited to:
- Download and run files
- Run cmd.exe to execute shell commands
- Stop process
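The arrival path, service name and C2 server above give a host-based hunting rule: an svchost.exe outside System32, InstallUtil.exe installing such a binary, a service named gpmsvc, and any connection to iqhost.us. The script below is an added example, not Microsoft's own detection logic. It assumes event records shaped like Sysmon process-create (EID 1) and network-connect (EID 3) events and the System log service-install event (7045), and that %Windows% resolves to C:\Windows; the sample events are constructed, not captured from a real infection.

```python
"""Hunt for the Backdoor:MSIL/Sorcas.A indicators described above over
event records. Added example; field names follow Sysmon (EID 1 and 3) and the
System log service-install event (7045), and all sample data is constructed."""

# Assumption: %Windows% resolves to C:\Windows on the host being checked.
WINDOWS_DIR = r"c:\windows"
DROP_PATH = WINDOWS_DIR + r"\ime\svchost.exe"          # %Windows%\IME\svchost.exe
SERVICE_NAME = "gpmsvc"                                 # persistence service name
C2_HOST = "iqhost.us"                                   # download host and C2 server
LEGIT_SVCHOST_DIRS = (WINDOWS_DIR + r"\system32", WINDOWS_DIR + r"\syswow64")


def norm(path: str) -> str:
    """Lower-case a Windows path, normalise slashes, strip surrounding quotes."""
    return path.strip().strip('"').replace("/", "\\").lower()


def svchost_outside_system32(image: str) -> bool:
    """True for any svchost.exe not under System32 or SysWOW64."""
    image = norm(image)
    if not image.endswith("\\svchost.exe"):
        return False
    return not any(image.startswith(d + "\\") for d in LEGIT_SVCHOST_DIRS)


def check_process_create(ev: dict) -> list[str]:
    """Sysmon EID 1 fields: Image, CommandLine."""
    out = []
    image = norm(ev.get("Image", ""))
    cmd = norm(ev.get("CommandLine", ""))
    if image == DROP_PATH:
        out.append("svchost.exe launched from the Sorcas.A drop path %Windows%\\IME")
    elif svchost_outside_system32(image):
        out.append(f"svchost.exe running outside System32/SysWOW64: {image}")
    # A legitimate InstallUtil.exe run never installs something called svchost.exe.
    if image.endswith("\\installutil.exe") and "svchost.exe" in cmd:
        out.append(f"InstallUtil.exe installing an svchost.exe binary: {cmd}")
    return out


def check_service_install(ev: dict) -> list[str]:
    """System log EID 7045 fields: ServiceName, ImagePath."""
    out = []
    name = ev.get("ServiceName", "").lower()
    path = norm(ev.get("ImagePath", ""))
    if name == SERVICE_NAME:
        out.append(f"service {SERVICE_NAME!r} installed (Sorcas.A persistence name)")
    if svchost_outside_system32(path):
        out.append(f"service image is an svchost.exe outside System32: {path}")
    return out


def check_network_connect(ev: dict) -> list[str]:
    """Sysmon EID 3 fields: Image, DestinationHostname, DestinationPort."""
    out = []
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    port = int(ev.get("DestinationPort", 0))
    image = ev.get("Image", "")
    if host == C2_HOST or host.endswith("." + C2_HOST):
        out.append(f"connection to Sorcas.A C2 domain {host}:{port}")
    if svchost_outside_system32(image):
        out.append(f"outbound connection from svchost.exe outside System32: {norm(image)} -> port {port}")
    return out


CHECKS = {1: check_process_create, 3: check_network_connect, 7045: check_service_install}


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, finding) pairs for every indicator hit."""
    hits = []
    for i, ev in enumerate(events):
        for finding in CHECKS.get(ev.get("EventID"), lambda _e: [])(ev):
            hits.append((i, finding))
    return hits


# Constructed sample telemetry following the infection chain described above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},            # benign
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe "C:\Windows\IME\svchost.exe"'},           # service install
    {"EventID": 7045, "ServiceName": "gpmsvc", "ImagePath": r"C:\Windows\IME\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\IME\svchost.exe",
     "CommandLine": r"C:\Windows\IME\svchost.exe"},                             # backdoor starts
    {"EventID": 3, "Image": r"C:\Windows\IME\svchost.exe",
     "DestinationHostname": "iqhost.us", "DestinationPort": 3389},              # C2 check-in
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": 80},  # benign
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The rule keys on the process path and the C2 domain rather than on port 3389 alone, because destination port 3389 by itself would match every legitimate Remote Desktop session. On a real host, resolve %Windows% from the environment instead of assuming C:\Windows, and treat any svchost.exe outside System32 or SysWOW64 as suspicious regardless of whether it sits under IME.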
Analysis by: Jonathan San Jose
Last update: 14 August 2018