BKDR64_WINNTI.A

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• BKDR_WINNTI.A

Installation

This backdoor s DLL component is injected to the following process(es):

• explorer.exe
• winlogon.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {2B03B1EF-D379-40C7-9B06-EE1EEA2F151E}

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Enumerate processes and process modules
• Get system information
  • processor
  • RAM
  • product ID
  • organization
  • host name
  • current user
  • uptime
  • system directory
  • number of processors
  • current display resolution and refresh rate
  • drive information
• Copy file time from one file to another
• List users
• Add user
• Delete user
• Change user password
• Start a process
• Start a process with a standard input/output redirected to the C&C server
• Connect to another C&C server
• Start WinVNC server
• Enumerate stored user credentials in the LSASS process

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}t.{BLOCKED}iang.info:53
• {BLOCKED}t.{BLOCKED}i.info:53
• {BLOCKED}t.{BLOCKED}g.info:53
• {BLOCKED}t.{BLOCKED}lk.me:53
• {BLOCKED}x.{BLOCKED}8.com:53

NOTES:

It injects itself to explorer.exe and winlogon.exe if it is running in rundll32.exe.