JS_KOPILUWAK.B

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• exit - exit the script and upload the file %Application Data%\Microsoft\Protect\~~.tmp
• upld - upload a file
• inst - install a script or download and execute a file
• wait - exit the script
• dwld - download a file

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://www.{BLOCKED}a.uk/wp-content/plugins/woocommerce/includes/class-wc-log.php
• http://{BLOCKED}rare.com.hk/wp-content/plugins/wordpress-seo/vendor/xrstf/composer-php52/lib/xrstf/Composer52/LogsLoader.php