BKDR_MATSNU


 ALIASES: Trustezeb

 PLATFORM: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

MATSNU is a family of backdoors that can perform various commands, such as downloading and executing files and updating itself and its C&C server, all of which are common to backdoors. However, one unique capability of MATSNU is its ability to lock or unlock the computer for ransom through commands.

Upon execution, it modifies certain registry entries so that its dropped copies run at every system startup and so that tools such as the registry editor and Task Manager are disabled. It also deletes certain registry keys to prevent the user from starting the computer in Safe Mode.

  TECHNICAL DETAILS

Memory Resident: Yes

Installation

This backdoor drops the following copies of itself into the affected system:

  • %Application Data%\{random folder name}\{random file name 1}.exe
  • %User Temp%\{random file name 2}.pre

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random} = "%Application Data%\{random folder name}\{random file name 1}.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "1"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegedit = "1"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegedit = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr = "1"

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
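The following PowerShell script is an added example and is not part of this entry or of any vendor tool; it checks a host, read-only, for the artifacts listed above under Installation and Other System Modifications: the Image File Execution Options keys for taskmgr.exe, msconfig.exe and regedit.exe, the DisableRegistryTools/DisableRegedit/DisableTaskMgr policy values, the missing SafeBoot keys, a Run entry that launches an .exe from a subfolder of the roaming Application Data folder, and a .pre file in the user's Temp folder. It assumes an elevated Windows PowerShell session on the machine being examined; the folder and file names are random in this family, so it matches on the pattern rather than on fixed names.

```powershell
# Added example: read-only check for the registry and file artifacts this entry
# attributes to BKDR_MATSNU. Assumes an elevated PowerShell session on the host.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Image File Execution Options keys for the tools the backdoor disables.
#    A Debugger value under such a key redirects the tool when it is launched.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($tool in 'taskmgr.exe', 'msconfig.exe', 'regedit.exe') {
    $key = Join-Path $ifeo $tool
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        $detail = if ($dbg) { " (Debugger = $dbg)" } else { '' }
        $findings.Add("IFEO key present for $tool$detail")
    }
}

# 2. Policy values that disable regedit and Task Manager, in HKCU and HKLM.
$policyKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'DisableRegistryTools', 'DisableRegedit', 'DisableTaskMgr') {
        if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
            $findings.Add("$key\$name = 1")
        }
    }
}

# 3. SafeBoot keys the backdoor deletes; a normal installation always has both.
foreach ($sb in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
    if (-not (Test-Path $key)) { $findings.Add("SafeBoot\$sb key is missing") }
}

# 4. Run entries that launch an .exe from a subfolder of %Application Data%
#    (the roaming AppData folder on Vista and 7), matching {folder}\{file}.exe.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $run) {
    $appData = [regex]::Escape($env:APPDATA)
    $props = Get-ItemProperty -Path $run
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        if ("$($p.Value)" -imatch "^`"?$appData\\[^\\]+\\[^\\]+\.exe") {
            $findings.Add("Run entry '$($p.Name)' launches $($p.Value)")
        }
    }
}

# 5. Dropped .pre file in the current user's Temp folder.
Get-ChildItem -Path $env:TEMP -Filter '*.pre' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Temp file matching dropper pattern: $($_.FullName)") }

if ($findings.Count -eq 0) {
    Write-Output 'No BKDR_MATSNU registry or file indicators found.'
} else {
    Write-Output 'Indicators consistent with BKDR_MATSNU:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Each finding is a lead, not a verdict: an IFEO key for one of these tools or a single policy value can also be set by administrators or developer tooling, and a Run entry under AppData is used by legitimate per-user installers. The combination of the three IFEO keys, the disabled-tool policy values and missing SafeBoot keys is what corresponds to the behaviour described in this entry, and the backdoor's own copy under %Application Data% is the file to collect for analysis if that combination is present.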

Other Details

This backdoor connects to the following possibly malicious URLs:

  • http://{BLOCKED}hi.com/images/1.php
  • http://{BLOCKED}isx.com/ca.php
  • http://{BLOCKED}isxf.com/TPR0-QQWSKA-423PZS.php
  • http://{BLOCKED}ldezovc.com/img/1.php
  • http://{BLOCKED}solde.com/images/1.php
  • http://{BLOCKED}rfe.com/img/1.php
  • http://{BLOCKED}rz.com/TPR0-QQWSKA-423PZS.php
  • http://{BLOCKED}z.com/ad.php
  • http://{BLOCKED}pvsje.com/TPR0-QQWSKA-423PZS.php
  • http://{BLOCKED}soldevsje.com/af.php
  • http://{BLOCKED}xdv.com/img/1.php
  • http://{BLOCKED}-oum.com/twep.php
  • http://{BLOCKED}xrz.com/as.php
  • http://{BLOCKED}zxrz.com/inbox.php
  • http://{BLOCKED}zxrz.com/TPR0-QQWSKA-423PZS.php
  • http://{BLOCKED}esscorn.net/TPR0-QQWSKA-423PZS.php
  • http://{BLOCKED}fwieg.com/TPR0-QQWSKA-423PZS.php
  • http://{BLOCKED}wieg.com/aa.php
  • http://{BLOCKED}wieg.com/inbox.php
  • http://{BLOCKED}wiw.com/img/1.php
  • http://{BLOCKED}dkiu.com/odriwsd/forum.php
  • http://{BLOCKED}ebspace-apo.com/inbox.php
  • http://{BLOCKED}ebspace-apo.com/user-057708/forumv.php
  • http://{BLOCKED}ehppf.com/TPR0-QQWSKA-423PZS.php
  • http://{BLOCKED}nlines.com/inbox.php
  • http://{BLOCKED}hppf.com/aa.php
  • http://{BLOCKED}omn.com/images/1.php
  • http://{BLOCKED}online.com/inbox.php
  • http://{BLOCKED}solderx.net
  • http://{BLOCKED}solderx.net/TPR0-QQWSKA-423PZS.php
  • http://{BLOCKED}solderxx.com/ag.php
  • http://{BLOCKED}solderxx.com/inbox.php
  • http://{BLOCKED}story.net/TPR0-QQWSKA-423PZS.php
  • http://{BLOCKED}rect-proxy.com/inbox.php
  • http://{BLOCKED}nvw.com/TPR0-QQWSKA-423PZS.php
  • http://{BLOCKED}-gt.com/inbox.php