Backdoor.Win64.OWLPROXY.B

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Executes Arbitrary Commands using cmd.exe
  • The following prefixes are needed to specify the mode of execution of the command:
  • w → the command is executed on the system and the output is sent back to the attacker in the response body.
  • rk; → the command is executed without sending back the command's output.
  • If no prefix, the command is executed on the system and the output is sent back to the attacker in the response body.
• "self uninstall" → removes itself from the system.

Other Details

This Backdoor does the following:

• It creates an HTTP service that will handle inbound HTTP requests to URLs based on the following UrlPrefix formats:
  • https://{BLOCKED}3/topics/ → remote CMD address
  • https://{BLOCKED}3/topics/pp/ → proxy address
• It checks incoming HTTP request that match these URLs for the following page parameters:
  • s?pa= → command execution
  • s?pp → proxy installation
• The received GET request could have the following commands:
  • connect → connection to the specified IP
  • recv → receives data from the IP
  • disconnect → close the connection
• It is packed using VMProtect which is a tool used to protect executable files from reverse engineering and tampering.