Backdoor.Win64.COBEACON.ZCLG

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information. However, as of this writing, the said sites are inaccessible.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Connect and disconnect to a named pipe
• Escalate privileges
• Execute arbitrary commands
• Impersonate tokens
• Inject code into processes
• Manage directories (Create, Remove, Set Directory)
• Manage files (List, Create, Delete, Modify, Rename, Copy)
• Manage processes (List, Create, Terminate)
• List Drive Information
• Use/purge Kerberos tickets

It connects to the following websites to send and receive information:

• http://{BLOCKED}g-f12b.azuer.workers.dev/feedback/js/help/prod/service/lazy.min.js
• http://{BLOCKED}g-f12b.azuer.workers.dev/we/s/h36B915845CCD42D1_App_Scripts/jquery.signalR2.1.1.min.js

However, as of this writing, the said sites are inaccessible.

Information Theft

This Backdoor gathers the following data:

• Username
• Computer name
• Operating System Version
• Executable used to load the sample

Other Details

This Backdoor requires the following additional components to properly run:

• %windows%\assembly\msco.conf → Detected as Backdoor.Win64.COBEACON.ZCLG.enc

It does the following:

• This sample needs to be located in the %windows%\assembly directory and have a file name of 'mscorsvc.dll' to execute properly.
• It is loaded by normal file Mscorsvw.exe which is acomponent of Windows, and is otherwise known as the .NET Framework Optimization Service.
• It requires to be executed as a service.