BKDR_CARETO.A


 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware, Spammed via email, Downloaded from the Internet

One of the Windows malware related to the Careto attack known for encoding its configuration data and encrypting its network traffic thus making analysis difficult.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It steals system information.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

EXE, DLL

Memory Resident:

Yes

Initial Samples Received Date:

07 Feb 2014

Payload:

Collects system information, Compromises system security

Arrival Details

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following file(s)/component(s):

  • %System%\awcodc32.dll - detected as BKDR_CARETO.A
  • %System%\awdcxc32.dll - detected as BKDR_CARETO.A
  • %System%\drivers\scsimap.sys - detected as BKDR_CARETO.A
  • %System%\jpeg1x32.dll - detected as BKDR_CARETO.A
  • %System%\mfcn30.dll - detected as BKDR_CARETO.A
  • %System%\vchw9x.dll - detected as BKDR_CARETO.A
  • %User Temp%\___{random number}.tmp - detected as BKDR_CARETO.A

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following non-malicious file:

  • %System%\bootfont.bin

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • 36A900E5-0AE5-4ca6-84B4-45A05B42E705}_262144_124160

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\
scsimap
ImagePath = "%System%\DRIVERS\scsimap.sys"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\
scsimap

Backdoor Routine

This backdoor posts the following information to its command and control (C&C) server:

  • http://www.{BLOCKED}nt.com/server/ssl.htm
  • https://{BLOCKED}t.{BLOCKED}et.nu/cgi-bin/index.cgi
  • https://{BLOCKED}.{BLOCKED}.233.15/cgi-bin/index.cgi

As of this writing, the said servers are currently inaccessible.

Information Theft

This backdoor steals system information.

Other Details

This backdoor deletes itself after execution.

NOTES:

This backdoor has the following malicious components:

  • %System%\awcodc32.dll
  • %System%\awdcxc32.dll
  • %System%\drivers\scsimap.sys
  • %System%\jpeg1x32.dll
  • %System%\mfcn30.dll
  • %System%\vchw9x.dll
  • %User Temp%\___{random number}.tmp

The file awdcxc32.dll communicates with the modified scsimap.sys and loaded by vchw9x.dll.

The file scsimap.sys loads the malware components.

The file jpeg1x32.dll uninstalls the malware.

The file mfcn30.dll contains information where the malware can download an updated copy of itself.

The files awcodc32.dll and vchw9x.dll are used to communicate to the C&C server.

The file ___{random number}.tmp deletes the dropper that executes it.

It uses pipe \\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1}.

"36A900E5-0AE5-4ca6-84B4-45A05B42E705}_262144_124160" is decrypted from code section.

It uses "Caguen1aMar" as encryption key for communications with the C&C server.

It uses the following URL query parameters:

  • Data
  • Exec
  • Ack
  • Cmd
  • Raw
  • Id
  • Inst

  SOLUTION

Minimum Scan Engine:

9.700

FIRST VSAPI PATTERN FILE:

10.600.08

FIRST VSAPI PATTERN DATE:

07 Feb 2014

VSAPI OPR PATTERN File:

10.601.00

VSAPI OPR PATTERN Date:

08 Feb 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Restart in Safe Mode

[ Learn More ]

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\CurrentControlSet\Services\scsimap
    • ImagePath = "%System%\DRIVERS\scsimap.sys"

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.

  • In HKEY_LOCAL_MACHINE\CurrentControlSet\Services
    • scsimap = ""

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_CARETO.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.