Hacktool.Win32.BackdoorDiplomacy

Overview

Type: HackTool
Destruction Level: High
Prevalence: Moderate

Malware Name(s)

  • Hacktool.Win32.BackdoorDiplomacy (Padvish)
  • Win32/Korplug.A (ESET)
  • Backdoor.Win32.Gulpix.ab (Kaspersky)
  • Trojan:Win32/Plugx.B (Microsoft)

What is HackTool?

Hacktools are tools designed to facilitate intrusion. An intruder can use them to siphon data from the victim organization's network, and they are commonly used to harvest the credentials of sensitive servers, for example by guessing passwords through brute-force attacks. In some cases hacktools are used to escalate privileges and exploit existing vulnerabilities. In general, hacktools break through the security barriers of computers and networks and provide a range of capabilities for infiltrating systems.

What is BackdoorDiplomacy malware?

BackdoorDiplomacy is classified as a remote access trojan (RAT) and gives the intruder full control over the victim's system; other vendors track the same family under the names PlugX and Korplug (see the aliases above). The malware is built from a set of plugins that give the attacker an extensive array of features, including:

  • Making modifications to files and folders
  • Logging all keystrokes on the computer keyboard
  • Capturing the victim’s screen
  • Executing files or commands
  • Accessing databases on the victim's system and executing SQL queries against them

Technical Review

Indicators of Compromise (IoC)

🔸 The presence of the %AllUsersProfile%\SxS directory containing the following files:

  • Nv.exe
  • NvSmartMax.dll
  • NvSmart.chm, or a data file of the same role with a different extension
  • Files featuring the .plg extension

🔸 Additionally, a persistence (autorun) service whose image path points at the executable (.exe) located in the malware's directory.

Behavior Description

BackdoorDiplomacy samples usually consist of a malicious library (DLL) and a data file, the latter being a compressed and obfuscated PE executable. To run itself, the malware relies on DLL hijacking (also known as DLL side-loading): the malicious files are placed in the same directory as a clean, legitimately signed executable. Because the application's own directory is searched first, the clean .exe loads the malicious DLL; the DLL then reads the data file into memory, decompresses it and executes it, and that decompressed payload carries out the malware's actual operation.
One variant uses the legitimate Nv.exe from NVIDIA's software as its loader. The files involved in this variant are listed below:

File name                    Description
Nv.exe                       Legitimate NVIDIA program that unknowingly loads the malicious library placed beside it.
NvSmartMax.dll or Max.dll    Malicious BackdoorDiplomacy library, responsible for loading and executing the data file.
NvSmart.chm or Nv.mpc        Apparent data file that is in reality a compressed and obfuscated PE file containing the malware's main functionality.
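The indicators above (the SxS directory with the loader pair, the .plg plugin files, and the service that launches the loader) can be checked offline against a collected file listing and an export of the Services registry key. The following Python script is an added example written for this page; it is not Padvish's detection logic. The value of %AllUsersProfile%, the file listing and the service export are constructed for the demonstration:

```python
"""Triage a collected file listing and service export for the BackdoorDiplomacy
side-loading triad (clean Nv.exe + malicious DLL + data file under
%AllUsersProfile%\\SxS) and the persistence service that launches it.

Added example for this page; it is not Padvish code. The directory value,
file listing and service export below are constructed, not from a real host.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Assumed value of %AllUsersProfile% on the examined host (adjust to the image).
ALL_USERS_PROFILE = r"C:\ProgramData"
SXS_DIR = ntpath.join(ALL_USERS_PROFILE, "SxS")

# File names from the page. The data file name varies, so a hit is based on the
# loader pair (Nv.exe + its DLL); data files and .plg plugins are recorded as well.
LOADER_EXE = "nv.exe"
LOADER_DLLS = {"nvsmartmax.dll", "max.dll"}
DATA_FILES = {"nvsmart.chm", "nv.mpc"}


@dataclass
class Finding:
    sxs_files: list[str] = field(default_factory=list)   # loader and data files found
    plugins: list[str] = field(default_factory=list)     # *.plg plugin files
    services: list[str] = field(default_factory=list)    # services launching from SxS

    @property
    def triad_present(self) -> bool:
        names = {ntpath.basename(p).lower() for p in self.sxs_files}
        return LOADER_EXE in names and bool(names & LOADER_DLLS)

    @property
    def suspicious(self) -> bool:
        return self.triad_present or bool(self.plugins) or bool(self.services)


def under_dir(path: str, directory: str) -> bool:
    """True when path lies inside directory (Windows semantics, case-insensitive)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(directory)) + "\\"
    return norm.startswith(base)


def triage(file_listing: list[str], services: dict[str, str]) -> Finding:
    """Apply the IoCs: named files and .plg plugins under the SxS directory, plus
    any service whose ImagePath references that directory (the autorun entry)."""
    f = Finding()
    for path in file_listing:
        if not under_dir(path, SXS_DIR):
            continue                      # e.g. a genuine Nv.exe under Program Files
        name = ntpath.basename(path).lower()
        if name == LOADER_EXE or name in LOADER_DLLS or name in DATA_FILES:
            f.sxs_files.append(path)
        elif name.endswith(".plg"):
            f.plugins.append(path)
    sxs_prefix = ntpath.normcase(ntpath.normpath(SXS_DIR)) + "\\"
    for svc, image_path in services.items():
        # ImagePath may be quoted and carry arguments; a substring test is enough here.
        if sxs_prefix in ntpath.normcase(image_path):
            f.services.append(svc)
    return f


# Constructed sample input (not real host data).
SAMPLE_FILES = [
    r"C:\ProgramData\SxS\Nv.exe",
    r"C:\ProgramData\SxS\NvSmartMax.dll",
    r"C:\ProgramData\SxS\NvSmart.chm",
    r"C:\ProgramData\SxS\dwnl.plg",
    r"C:\Program Files\NVIDIA Corporation\Display\Nv.exe",  # legitimate copy, ignored
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_SERVICES = {   # name -> ImagePath, as exported from the Services registry key
    "Nv": r'"C:\ProgramData\SxS\Nv.exe"',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}

if __name__ == "__main__":
    result = triage(SAMPLE_FILES, SAMPLE_SERVICES)
    print("triad present:", result.triad_present)
    print("plugins:", result.plugins)
    print("services:", result.services)
```

The check keys on the directory rather than on Nv.exe alone because the same executable is legitimate when it sits under Program Files; what makes it an indicator is the clean binary living next to an unsigned DLL in a writable ProgramData path, which is exactly the side-loading layout the section describes.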

Network Operation

After execution, BackdoorDiplomacy contacts its command-and-control (C2) servers. The transport is chosen by the malware's embedded configuration, which may specify TCP, UDP, ICMP or HTTP. Once connected to its designated server, the malware runs the appropriate plugin for each command the attacker sends. The following servers are associated with this malware:

▪️picture[.]efanshion[.]com

▪️mail[.]popanalysis[.]com

▪️dl-adobe[.]com
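The three hosts above can be swept for in DNS and proxy logs. The Python script below is an added example for this page, not Padvish tooling: it refangs the published indicators, extracts host names from free-form log lines and matches exact hosts as well as subdomains of the bare-domain indicator (dl-adobe[.]com), with the boundary on a dot so that look-alike names do not match. The log lines are constructed for the demonstration:

```python
"""Scan DNS and proxy log lines for the C2 hosts listed on this page.

Added example, not Padvish tooling. Indicators are taken from the page in their
defanged form; the log lines are constructed for the demonstration.
"""
from __future__ import annotations

import re

DEFANGED_C2 = [
    "picture[.]efanshion[.]com",
    "mail[.]popanalysis[.]com",
    "dl-adobe[.]com",
]


def refang(indicator: str) -> str:
    """Turn the published 'a[.]b' form back into a resolvable name."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


C2_HOSTS = {refang(i) for i in DEFANGED_C2}

# Pulls candidate host names out of free-form log text (query names, URL hosts).
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def matches_c2(hostname: str) -> str | None:
    """Return the indicator a host name matches, or None.

    A host matches when it equals the indicator or is a subdomain of it, with the
    boundary on a dot so that 'notdl-adobe.com' does not match 'dl-adobe.com'.
    """
    h = hostname.lower().rstrip(".")
    for c2 in C2_HOSTS:
        if h == c2 or h.endswith("." + c2):
            return c2
    return None


def scan_log(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line number, matched host, indicator) for every line touching a C2 host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            c2 = matches_c2(host)
            if c2:
                hits.append((n, host.lower(), c2))
                break                     # one hit per line is enough
    return hits


# Constructed log lines (not real traffic).
SAMPLE_LOG = [
    "2024-03-01T08:12:01Z dns client=10.0.0.5 query=picture.efanshion.com type=A",
    "2024-03-01T08:12:02Z proxy src=10.0.0.5 GET http://dl-adobe.com/update.bin 200",
    "2024-03-01T08:12:03Z dns client=10.0.0.7 query=mail.google.com type=A",
    "2024-03-01T08:12:04Z proxy src=10.0.0.9 GET https://cdn.dl-adobe.com/x 200",
    "2024-03-01T08:12:05Z dns client=10.0.0.7 query=notdl-adobe.com type=A",
]

if __name__ == "__main__":
    for n, host, c2 in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host} -> indicator {c2}")
```

DNS and proxy logs only cover the name-resolution and HTTP cases. A sample configured for raw TCP, UDP or ICMP transport produces no such entries, so when the configuration is unknown, pair this sweep with flow records (destination addresses, unusual ICMP volumes to a single host) rather than relying on host-name matches alone.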

Malware Plugins

As noted above, BackdoorDiplomacy consists of a set of plugins, each serving a distinct purpose. The table below lists the command IDs handled by each plugin and the function each command performs.

Plugin      Command   Function
Option      0x2000    Lock the user's workstation
            0x2001    Force shutdown
            0x2002    Reboot the system
            0x2003    Shutdown request (lets the user finish work before shutdown)
            0x2005    Display a message chosen by the intruder on the screen
Disk        0x3000    Enumerate drives
            0x3001    Search for a file
            0x3002    Search for a file recursively
            0x300A    Create a directory
            0x3004    Read a file
            0x3007    Write to a file
            0x300D    Copy, rename, delete or move a file
            0x300C    Create a new desktop and run a process in it
            0x300E    Expand an environment string
Screen      0x4000    Start remote desktop control
            0x4004    Send mouse events
            0x4005    Send keyboard events
            0x4006    Send Ctrl-Alt-Delete
            0x4100    Capture a screenshot
Process     0x5000    Create a process
            0x5001    Enumerate running processes
            0x5002    Terminate a process
Service     0x6000    Query a service configuration
            0x6001    Change a service configuration
            0x6002    Start a service
            0x6003    Send a control request to a service
            0x6004    Delete a service
Shell       0x7002    Launch a command shell (cmd)
Telnet      0x7100    Start the Telnet service
RegEdit     0x9000    Enumerate registry keys
            0x9001    Create a key
            0x9002    Delete a key
            0x9003    Copy a key
            0x9004    Enumerate the values of a key
            0x9005    Set a value under a key
            0x9006    Delete a value of a key
            0x9007    Query the data of a value under a key
Nethood     0xA000    Enumerate network resources
Portmap     0xB000    Initiate port mapping
SQL         0xC000    Enumerate data sources
            0xC001    Retrieve information about database drivers
            0xC002    Execute an SQL query
Netstat     0xD000    Retrieve the TCP connection table
            0xD001    Retrieve the UDP connection table
            0xD002    Set an entry in the TCP connection table
Keylogger   0xE000    Start the keylogger thread

How to deal with and clean the system?

✔️ Padvish antivirus detects and removes this malware from your system. To reduce the risk of infection, exercise caution and avoid clicking suspicious links, and routinely scan email attachments and portable devices before saving them to or inserting them into your system.

✔️ Keep both your operating system and your antivirus software up to date to maintain the highest level of protection against evolving threats.
