Backdoor.PS1.BUMBLELOADER.ARC

 Analysis by: Raymart Christian Yambot

 ALIASES:

Other:Malware-gen [Trj] (AVAST)

 PLATFORM:

Windows


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

6,311,936 bytes

File Type:

PS1, Other

Memory Resident:

Yes

Initial Samples Received Date:

26 Mar 2023

Payload:

Connects to URLs/IPs, Terminates self, Checks for VM-related registry keys and entries

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following processes:

  • %System%\WindowsPowerShell\v1.0\powershell.exe -ep bypass -file quotefile.ps1

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It injects code into the following process(es):

  • powershell.exe

It terminates itself if it finds the following processes in the affected system's memory:

  • ollydbg.exe
  • ProcessHacker.exe
  • tcpview.exe
  • autoruns.exe
  • autorunsc.exe
  • filemon.exe
  • procmon.exe
  • regmon.exe
  • procexp.exe
  • idaq.exe
  • idaq64.exe
  • ImmunityDebugger.exe
  • Wireshark.exe
  • dumpcap.exe
  • HookExplorer.exe
  • ImportREC.exe
  • PETools.exe
  • LordPE.exe
  • SysInspector.exe
  • proc_analyzer.exe
  • sysAnalyzer.exe
  • sniff_hit.exe
  • windbg.exe
  • joeboxcontrol.exe
  • joeboxserver.exe
  • ResourceHacker.exe
  • x32dbg.exe
  • x64dbg.exe
  • Fiddler.exe
  • httpdebugger.exe

Backdoor Routine

This Backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:


Other Details

This Backdoor does the following:

  • It hooks APIs of the current process.
  • It terminates itself if it finds the following virtual machine/sandbox file artifacts in the affected system:
    • %System%\drivers\VBoxMouse.sys
    • %System%\drivers\VBoxGuest.sys
    • %System%\drivers\VBoxSF.sys
    • %System%\drivers\VBoxVideo.sys
    • %System%\vboxdisp.dll
    • %System%\vboxhook.dll
    • %System%\vboxmrxnp.dll
    • %System%\vboxogl.dll
    • %System%\vboxoglarrayspu.dll
    • %System%\vboxoglcrutil.dll
    • %System%\vboxoglerrorspu.dll
    • %System%\vboxoglfeedbackspu.dll
    • %System%\vboxoglpackspu.dll
    • %System%\vboxoglpassthroughspu.dll
    • %System%\vboxservice.exe
    • %System%\vboxtray.exe
    • %System%\VBoxControl.exe
    • %System%\drivers\balloon.sys
    • %System%\drivers\netkvm.sys
    • %System%\drivers\pvpanic.sys
    • %System%\drivers\viofs.sys
    • %System%\drivers\viogpudo.sys
    • %System%\drivers\vioinput.sys
    • %System%\drivers\viorng.sys
    • %System%\drivers\vioscsi.sys
    • %System%\drivers\vioser.sys
    • %System%\drivers\viostor.sys
  • It terminates itself if it finds the following virtual machine/sandbox directory artifacts in the affected system:
    • %Program Files%\oracle\virtualbox\guest additions
    • %Program Files%\qemu-ga
    • %Program Files%\SPICE Guest Tools
  • It terminates itself if it finds the following virtual machine/sandbox processes in the affected system's memory:
    • vboxservice.exe
    • vboxtray.exe
    • VMSrvc.exe
    • VMUSrvc.exe
    • qemu-ga.exe
    • vdagent.exe
    • vdservice.exe
    • prl_cc.exe
    • prl_tools.exe
  • It terminates itself if it finds the following virtual machine/sandbox network shares in the affected system:
    • VirtualBox Shared Folders
  • It terminates itself if it finds the following virtual devices in the affected system:
    • \.\VBoxMiniRdrDN
    • \.\VBoxGuest
    • \.\VBoxTrayIPC
    • \.\pipe\VBoxMiniRdDN
    • \.\pipe\VBoxTrayIPC
  • It checks for the following result of a WMI query to the Win32_NTEventLogFile entry to determine if it is being run in a virtual machine or sandbox:
    • vboxvideo
    • VBoxVideoW8
    • VBoxWddm
  • It checks for the following result of a WMI query to the Win32_Bus entry to determine if it is being run in a virtual machine or sandbox:
    • ACPIBus_BUS_0
    • PCI_BUS_0
    • PNP_BUS_0
  • It checks for the following result of a WMI query to the Win32_PnPEntity entry to determine if it is being run in a virtual machine or sandbox:
    • PCI\VEN_80EE&DEV_CAFE
    • 82801FB
    • 82441FX
    • 82371SB
    • OpenHCD
  • It checks for the following result of a WMI query to the Win32_BaseBoard entry to determine if it is being run in a virtual machine or sandbox:
    • VirtualBox
    • Oracle Corporation
  • It checks for the following result of a WMI query to the Win32_PnPDevice entry to determine if it is being run in a virtual machine or sandbox:
    • VBOX
    • VEN_VBOX
  • It checks for the following result of a WMI query to the Win32_ComputerSystem entry to determine if it is being run in a virtual machine or sandbox:
    • VirtualBox
    • HVM domU
    • VMWare
  • It checks for the following result of a WMI query to the Win32_NetworkAdapterConfiguration entry to determine if it is being run in a virtual machine or sandbox:
    • 08:00:27
  • Based on analysis of the codes, this malware has the following capabilities:
    • Interprets the following messages as its backdoor commands:
      • shi/dij - injects malicious code into one of the following target processes:
        • %Program Files%\Windows Photo Viewer\ImagingDevices.exe
        • %Program Files%\Windows Mail\wab.exe
        • %Program Files%\Windows Mail\wabmig.exe
      • dex - writes data into a file named wab.exe and executes it afterwards
      • sdl - delete itself from the infected system via the following command:
        • powershell Remove-Item -Path {File Path} -Force
      • ins - enables persistence by dropping a copy of itself and creating a VBS script that executes the malware copy
      • gdt - recursively delete itself from the infected system via the following command:
        • powershell Remove-Item -Path {File Path} -Force -Recurse

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)
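As an added detection example (not code from the page or from Trend Micro), the two behaviours described above can be turned into host-side rules: powershell.exe launched with an execution-policy bypass and a script file, and powershell.exe as the parent of one of the listed injection targets. The events are constructed Sysmon-style process-creation records (parent image, image, command line); the field layout and the rule names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (hypothetical, not from the page).
# Each record is "parent_image|image|command_line".
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ep bypass -file quotefile.ps1",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Program Files\Windows Mail\wab.exe|wab.exe",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Date",
    r"C:\Windows\explorer.exe|C:\Program Files\Windows Mail\wab.exe|wab.exe",
]

# Lowercase names of the processes the page lists as injection targets.
INJECTION_TARGETS = {"imagingdevices.exe", "wab.exe", "wabmig.exe"}

# "-ep bypass" or "-ExecutionPolicy Bypass", and a -file/-f argument naming a script.
EP_BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE)
FILE_ARG = re.compile(r"-f(?:ile)?\s+(\S+)", re.IGNORECASE)

@dataclass
class Alert:
    rule: str    # hypothetical rule identifier
    detail: str  # what matched

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: str) -> list[Alert]:
    """Return the alerts raised by a single process-creation record."""
    parent, image, cmdline = event.split("|", 2)
    alerts = []
    # Rule 1: PowerShell started with execution policy bypass and a script file.
    if basename(image) == "powershell.exe" and EP_BYPASS.search(cmdline):
        m = FILE_ARG.search(cmdline)
        script = m.group(1) if m else "<none>"
        alerts.append(Alert("ps_ep_bypass_script", f"script={script}"))
    # Rule 2: PowerShell spawning one of the page's injection target binaries.
    if basename(parent) == "powershell.exe" and basename(image) in INJECTION_TARGETS:
        alerts.append(Alert("ps_spawns_injection_target", f"child={basename(image)}"))
    return alerts

def scan(events) -> list[tuple[int, Alert]]:
    """Evaluate every record; return (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in evaluate(ev)]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert.rule} ({alert.detail})")
```

Only the first two constructed events fire; the benign PowerShell invocation and wab.exe started from explorer.exe do not, which is the baseline a rule like this has to respect before it is deployed.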

It terminates itself if any of the following user name(s) are found in the affected system:

  • CurrentUser
  • Sandbox
  • Emily
  • HAPUBWS
  • Hong Lee
  • IT-ADMIN
  • Johnson
  • Miller
  • milozs
  • Peter Wilson
  • timmy
  • sand box
  • malware
  • maltest
  • test user
  • virus
  • John Doe

It checks if the following virtual machine- or sandbox-related registry keys are present in the affected system:

  • HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  • HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__
  • HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__
  • HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxSF
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wine
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vioscsi
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viostor
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VirtIO-FS Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VirtioSerial
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BALLOON
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BalloonService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netkvm

It checks if the following virtual machine- or sandbox-related registry entries are present in the affected system:

  • HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
    • Identifier = VBOX
  • HKEY_LOCAL_MACHINE\HARDWARE\Description\System
    • SystemBiosVersion = VBOX
  • HKEY_LOCAL_MACHINE\HARDWARE\Description\System
    • VideoBiosVersion = VIRTUALBOX
  • HKEY_LOCAL_MACHINE\HARDWARE\Description\System
    • SystemBiosDate = 06/23/99
  • HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
    • Identifier = QEMU
  • HKEY_LOCAL_MACHINE\HARDWARE\Description\System
    • SystemBiosVersion = QEMU

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

18.532.00

FIRST VSAPI PATTERN DATE:

26 Jun 2023

VSAPI OPR PATTERN File:

18.533.00

VSAPI OPR PATTERN Date:

27 Jun 2023

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as Backdoor.PS1.BUMBLELOADER.ARC. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
