BKDR_REDLEAVES.LCLF

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following processes:

• svchost.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• E67568Sj

It injects codes into the following process(es):

• created svchost.exe

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Execute commands using command prompt
• Send the following system information:
  • System name
  • System architecture
  • Operating system minor and major version
  • Memory
  • CPU information
  • Language
  • Privlige of the current process
  • Group permissions
  • System uptime
  • IP address
• Upload/Download files
• Update itself
• List drives, files and folders
• Delete files
• Create/Read/Write to a *.tmp file
• Execute files
• Terminate processes

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• https://{BLOCKED}edupdatecenter.{BLOCKED}y.com

As of this writing, the said sites are inaccessible.

Other Details

This Backdoor requires the existence of the following files to properly run:

• VMwareHostOpen.exe → Non-malicious, executable that calls the malicious export located within the malware.
• hgfs.dll → Non-malicious, needed by VMwareHostOpen.exe to properly run.
• VMware.S82D → encrypted shellcode used by the malware.

It does the following:

• It requires the following arguments to decrypt and execute the encrypted component:
  • VMwareHostOpen.exe --url VgTpIeYVjUdZiNYr_{path and filename of encrypted component}