Backdoor.MSIL.BLADABINDI.POWRHV

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. However, as of this writing, the said sites are inaccessible.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This Backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
(Default) = {Backdoor directory}

It drops the following files:

• %User Startup%\Windows.exe → renamed backdoor file.
• %Application Data%\Microsoft\Windows\Templates\Windows.lnk → shortcut directing to the backdoor file.
• %Application Data%\Microsoft\Windows\Templates\Windows.exe → renamed backdoor file.
• %User Startup%\Windows.lnk → shortcut redirecting to the backdoor file.

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Download a file
• Execute a file
• Update files
• Take a screenshot of user's screen
• Install and execute plugin
• Uninstall - remove files and registries associated with the malware
• Terminate malware process
• Monitor user through system camera

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• https://2525.{BLOCKED}020.com.ly/

However, as of this writing, the said sites are inaccessible.

Information Theft

This Backdoor gathers the following data:

• Information from active windows (text information)
• Driver information from the system
• System Volume information
• Volume Serial Number
• Machine Name
• User Name
• Date of Infection
• Operating System
• Operating System Service Pack
• System Type (32-bit/64-bit)
• Values of HKEY_CURRENT_USER\Environment

Other Details

This Backdoor adds the following registry keys:

HKEY_CURRENT_USER
di = !

HKEY_CURRENT_USER\Environment
SEE_MASK_NOZONECHECKS = 1

It does the following:

• It uploads system information including system name, host, and port to a supplied Discord link/channel.

It executes the following PowerShell commands:

• attrib +h +r +s \%User Startup%\Windows.exe\ → sets the attribute of the hidden dropped copy to hidden, read-only, and system.

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)