BKDR_REDLEAVES.LCLE

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following processes:

• svchost.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Hc5973HT

It injects codes into the following process(es):

• created svchost.exe

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Get System Information
  • Operating System Version
  • System Type (32-bit or 64-bit)
  • Memory
  • Language
  • Computer Name
  • IP Address
• Upload/Download files
• Update itself
• List drives, files and folders
• Delete files
• Create/Read/Write to a *.tmp file
• Execute commands using command prompt
• Execute files
• Terminate processes

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• securityonline.{BLOCKED}u.net

As of this writing, the said sites are inaccessible.

Other Details

This Backdoor requires the existence of the following files to properly run:

• %ProgramData%\Setup32\AMSP\update\iau_sdk\iau_x32_x64.ini - encrypted component
• TiPreAU.exe - nonmalicious, loads this malware and decrypts and executes the file iau_x32_x64.ini in memory.

(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)