Kaspersky researchers say that the malware samples examined from the CCleaner infections have code similarities to a Chinese-affiliated APT known as Group 72.

A series of PHP files were discovered on the attackers' C2 (Command and Control) server. A symlink (a symbolic link, created here through PHP) was used to redirect all regular requests for 'index.php' to the 'x.php' file, which contained the malicious PHP script. The C2 server initiated a series of checks to determine whether it should proceed with standard operations or redirect to the legitimate Piriform website. The malicious PHP script compares the infected system calling the C2 server against three values: $DomainList, $IPList, and $HostList. These checks determine whether or not the infected system should have the Stage 2 payload delivered. Researchers at Talos (Cisco's cyber threat intelligence group) have confirmed that at least 20 machines were infected with this secondary payload, even though Piriform initially stated that none of its customers were affected by it.

The stage 2 installer is named "GeeSetup_x86.dll". This installer identifies the OS version on the system and drops either a 32-bit or a 64-bit version of the trojan. The 32-bit version uses a trojanized TSMSISrv.dll, which drops VirtCDRDrv, the filename of a legitimate executable used by Corel (a digital drawing suite). The 64-bit version drops a trojanized EFACli64.dll named SymEFA, a filename used by Symantec Endpoint. None of the dropped files are signed.

Using a trojanized binary, the attackers decode and execute a PE (Portable Executable) stored in the registry; this PE queries the C2 servers and executes further PE files in memory. An encoded PE is put into the following registry keys:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

This method makes detection by researchers more difficult, because the executable files are never stored on the file system and are only ever run from memory.

The predefined list used in the configuration of the C
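A defender-side check for the registry-resident stage described above, added here as an example that is not code from the original post or from the malware analysis it summarises: it reads the three WbemPerf keys named in the text and flags any value that is, or trivially decodes to, a PE image. The post only says the PE is "encoded", so base64 and single-byte XOR are assumed decodings; the registry read itself only runs on Windows and returns an empty result elsewhere.

```python
import base64
import binascii
import sys

WBEMPERF_KEYS = [  # the keys the post names as holding the encoded stage-2 PE
    r"Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001",
    r"Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003",
    r"Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004",
]

def has_pe_headers(blob):
    """True when an MZ stub sits at offset 0 and 'PE\\0\\0' sits at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def decodes_to_pe(blob):
    """Name the decoding under which blob is a PE, or None (base64/XOR are assumptions)."""
    if has_pe_headers(blob):
        return "raw"
    try:
        if has_pe_headers(base64.b64decode(blob, validate=True)):
            return "base64"
    except binascii.Error:
        pass
    key = blob[0] ^ ord("M") if blob else 0   # only XOR key that maps byte 0 to 'M'
    if key and has_pe_headers(bytes(b ^ key for b in blob)):
        return "xor-0x%02x" % key
    return None

def triage(values):
    """Map registry value name -> decoding for every value that holds a PE image."""
    return {name: enc for name, blob in values.items() if (enc := decodes_to_pe(blob))}

def collect_wbemperf_values():
    """Read every value under the three keys from HKLM on a live Windows host."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    for key_path in WBEMPERF_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    values[key_path + "\\" + name] = data if isinstance(data, bytes) else str(data).encode()
        except OSError:   # key absent or access denied
            pass
    return values
```

Run `triage(collect_wbemperf_values())` from a 64-bit Python so that HKLM\Software is not redirected to the WOW6432Node view.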