We informed NetSarang of the compromise and they immediately responded by pulling down the compromised software suite and replacing it with a previous clean version. Kaspersky Lab products detect and protect against the backdoored files as “”. Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software. The attackers behind this malware have already registered the domains covering July to December 2017, which indirectly confirms alleged start date of the attack as around mid July 2017.Ĭurrently, we can confirm activated payload in a company in Hong Kong. The remote access capability includes a domain generation algorithm (DGA) for C&C servers which changes every month. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim. It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry. Our analysis indicates the embedded code acts as a modular backdoor platform. Each packet also contains an encrypted “magic” DWORD value “52 4F 4F 44” (‘DOOR’ if read as a little-endian value). The data exchanged between the module and the C&C is encrypted with a proprietary algorithm and then encoded as readable latin characters. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor. The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. Only when triggered by the first layer of C&C servers does the backdoor activate its second stage
0 kommentar(er)
