WINWORD.exe creates a new process, wtphjgf.exe, from the downloaded PE file. The new process copies itself to new locations on the infected system, modifies the registry to gain persistence, then starts svchost.exe and injects code into it. The following screenshots from NetWitness Endpoint show the host behavior as well as the module IIOCs for wtphjgf.exe:
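As an added illustration that is not part of the original write-up, the following Python sketch turns the chain above (Office app spawning a dropped executable, self-copy, Run-key persistence, svchost.exe started by the dropper) into detection logic and runs it over constructed endpoint events; the paths, PIDs and registry key in the sample data are assumptions.

```python
"""Toy detection over constructed endpoint events modelled on the chain
WINWORD.exe -> dropped PE -> self-copy -> Run-key persistence -> svchost.exe."""
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Autostart locations seen in the write-up: Run/RunOnce keys and Active Setup.
PERSISTENCE_KEYS = re.compile(
    r"\\(currentversion\\run(once)?|active setup\\installed components)\\",
    re.IGNORECASE)

# Constructed sample events (assumed values, not from the original page).
# Fields mimic Sysmon process-create, file-create and registry-set records.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.exe"},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Users\victim\AppData\Local\Temp\wtphjgf.exe"},
    {"type": "file", "pid": 200,
     "target": r"C:\Users\victim\AppData\Roaming\wtphjgf.exe"},
    {"type": "registry", "pid": 200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     "data": r"C:\Users\victim\AppData\Roaming\wtphjgf.exe"},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\svchost.exe"},
]

def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (finding, pid) tuples for each suspicious step observed."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        proc = procs.get(e["pid"])
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) in OFFICE_IMAGES:
                findings.append(("office_spawn", e["pid"]))  # Office launching a child
            if (basename(e["image"]) == "svchost.exe" and parent
                    and basename(parent["image"]) != "services.exe"):
                findings.append(("svchost_odd_parent", e["pid"]))  # injection host
        elif e["type"] == "file" and proc:
            # Same file name written to a different directory: self-copy.
            if (basename(e["target"]) == basename(proc["image"])
                    and e["target"].lower() != proc["image"].lower()):
                findings.append(("self_copy", e["pid"]))
        elif e["type"] == "registry" and PERSISTENCE_KEYS.search(e["key"] + "\\"):
            findings.append(("run_key_persistence", e["pid"]))
    return findings
```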
Xtreme can interact with the Windows Registry, which contains information, parameters, settings, options and other values of software and hardware installed on the system. This malware can exfiltrate and infiltrate data (i.e., download and upload files).
ShadowTechRAT, Dacls, Bandook and Orcus are some examples of other trojans in this category. Malicious software can, however, have widely varying capabilities and purposes, such as data encryption (for ransom), downloading and installing additional malware, cryptocurrency mining and many others.
This software is also spread via other trojans, illegal activation tools ("cracks"), fake updaters and untrusted download sources. As mentioned, malware can cause chain infections; some trojan-type programs have this capability.
Rather than activating licensed products, illegal activation ("cracking") tools can download and install malicious programs. Fake updaters infect systems by abusing weaknesses in outdated software or simply by installing malware instead of the promised updates.
Unofficial and free file-hosting sites, peer-to-peer sharing networks (BitTorrent, Gnutella, eMule, etc.) and other third-party downloaders are untrusted and can offer malicious software for download under the guise of normal products, or bundled with them.
Do not open dubious or irrelevant emails, especially those received from unknown or suspicious senders. Attachments or links in such mail must not be opened, as doing so can result in a high-risk infection. Use only official and verified download channels.
Common features throughout the versions include: Windows registry management, running process/service manipulation, file upload/download, audio/video recording, screenshot capturing, keylogging, and infection of connected external storage devices (e.g., USB drives).
Xtreme Download Manager is a powerful tool to increase download speed by up to 500%, save streaming videos from websites, resume broken/dead downloads, and schedule and convert downloads. XDM seamlessly integrates with Google Chrome, Mozilla Firefox Quantum, Opera, Vivaldi and other Chromium and Firefox based browsers to take over downloads and save streaming videos from the web. XDM has a built-in video converter which lets you convert your downloaded videos to different formats so that you can watch them on your mobile or TV (100+ devices are supported).
XDM can download streaming content from most websites. The best way of downloading webpage-embedded videos from the Internet is here. After installing XDM, a "Download Video" button pops up whenever you are watching a video anywhere on the Internet. Just click on the button to start downloading clips.
XDM can accelerate downloads by up to 5 times thanks to its intelligent dynamic file segmentation technology. Unlike other download managers and accelerators, XDM segments downloaded files dynamically during the download process and reuses available connections without additional connect and login stages to achieve the best acceleration performance.
XDM will resume unfinished downloads from the place where they left off. Comprehensive error recovery and resume capability will restart broken or interrupted downloads due to lost or dropped connections, network problems, computer shutdowns, or unexpected power outages.
XDM can connect to the Internet at a set time, download the files you want, disconnect, or shut down your computer when it's done. XDM also supports a speed limiter to allow browsing while downloading, and queued downloads to perform downloads one by one.
XDM supports all types of proxy servers, including Windows ISA, and different types of firewalls. XDM supports auto proxy configuration, NTLM, Basic, Digest, Kerberos and Negotiate authentication, batch download, etc.
Malwarebytes protects users from the installation of Backdoor.XTRat. Malwarebytes detects and removes Backdoor.XTRat.
Remediation
Malwarebytes can detect and remove many Backdoor.XTRat infections without further user interaction. Please download Malwarebytes to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
Click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.
Malwarebytes removal log
A Malwarebytes removal log records each detected registry key, registry value and file, the action taken on it (Quarantined, Replaced or Delete-on-Reboot) and the engine version.
Traces/IOCs
In FRST logs you may see entries for the dropped executables, the firewall rules allowing them and their Run-key autostart entries.
It is common knowledge that pirated software might contain malware, yet millions still put themselves and their devices at risk and download from dubious sources. It is even more surprising to see the popularity of torrented operating system installations, which are ranked at the top of most torrent tracker ranking lists. Today we will prove conventional wisdom right and show off a devious, yet clever attack chain employed by an infected Windows 10 image, frequently shared and downloaded by tens of thousands of users.