Only when triggered by the first layer of C&C servers does the backdoor activate its second stage.

The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor.

The data exchanged between the module and the C&C is encrypted with a proprietary algorithm and then encoded as readable Latin characters. Each packet also contains an encrypted “magic” DWORD value “52 4F 4F 44” (‘DOOR’ if read as a little-endian value).

Our analysis indicates the embedded code acts as a modular backdoor platform. It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry.
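Two defender-side checks follow from the description above, written here as an added example rather than code from the original write-up or from the malware authors. The first interprets the “52 4F 4F 44” marker exactly as the text does (a little-endian DWORD that reads ‘DOOR’) and validates it at the front of an already-decrypted packet; the offset of the field is an assumption, since the write-up gives no packet layout, and the proprietary cipher is not modelled. The second is a heuristic over DNS query logs that flags the kind of traffic the text describes: long subdomain labels made only of readable Latin letters with high character entropy. The log format, thresholds and all domain names are constructed placeholders.

```python
import math
import struct
from collections import Counter

# Wire bytes 52 4F 4F 44, read as a little-endian DWORD, give 0x444F4F52,
# which is the ASCII string 'DOOR' when written out most-significant byte first.
DOOR_MAGIC = struct.unpack("<I", bytes.fromhex("524F4F44"))[0]


def has_door_magic(decrypted_packet: bytes) -> bool:
    """True if the first DWORD of an already-decrypted packet is the 'DOOR' marker.

    Offset 0 is an assumption for illustration; the write-up does not give the
    field layout, and decryption itself is out of scope here.
    """
    if len(decrypted_packet) < 4:
        return False
    return struct.unpack_from("<I", decrypted_packet, 0)[0] == DOOR_MAGIC


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty or uniform string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def suspicious_query(qname: str, min_label_len: int = 30, min_entropy: float = 3.5) -> bool:
    """Heuristic for letter-only encoded payloads carried in subdomain labels.

    Everything left of the registrable domain (assumed to be the last two labels)
    is joined and must be long, purely alphabetic, and high-entropy. A long but
    repetitive label (e.g. 'aaaa...') or a hex-looking CDN hash is not flagged.
    """
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-2])
    return (
        len(payload) >= min_label_len
        and payload.isalpha()
        and shannon_entropy(payload) >= min_entropy
    )


# Constructed sample log: "<timestamp> <client> <qtype> <qname>" per line.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.7 TXT qwjdkxpzvlmcuybhnagtrefsoqwjdkxpzvl.cnc-placeholder.test
2024-05-01T10:00:03Z 10.0.0.9 A mail.example.com
2024-05-01T10:00:04Z 10.0.0.7 A aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.cnc-placeholder.test
2024-05-01T10:00:05Z 10.0.0.11 A d3f1a9c07e5b4a6f8c2d1e0b9a7f6e5d.cdn-placeholder.test
"""


def flag_queries(log_text: str) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose query name trips the heuristic."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _qtype, qname = fields
        if suspicious_query(qname):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    print(f"DOOR magic as little-endian DWORD: 0x{DOOR_MAGIC:08X}")
    for client, qname in flag_queries(SAMPLE_DNS_LOG):
        print(f"suspicious DNS query from {client}: {qname}")
```

The entropy threshold matters: the second flagged-candidate line in the sample (a 36-letter run of `a`) is long and alphabetic but has zero entropy, so it is correctly ignored, while the hex-looking label is rejected by the letters-only test. Tune `min_label_len` and `min_entropy` against your own baseline before relying on this in production.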