BKDR_KULUOZ.SMAL

This malware is the attached payload of a socially-engineered malicious spam themed after the South Korea Ferry tragedy. Discovered on April 2014, it is detected to receive and execute commands from a remote malicious user. Users with systems affected with this threat may find the security of their systems compromised.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %Application Data%\{random}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following processes:

• svchost.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 2GVWNQJz1

It injects codes into the following process(es):

• created svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%Application Data%\{random}.exe"

Other System Modifications

This backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\{random}
{random} = "{hex values}"

It adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\{random}

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Set system to idle/sleep
• Download and run/execute other files
• Remove/Uninstall itself
• Update copy of the injected code to svchost.exe
• Update copy of itself
• Check malware version and terminate execution of older version

It connects to the following websites to send and receive information:

• http://{BLOCKED}3.27:443/{generated value}
• http://{BLOCKED}5.89:8080/{generated value}
• http://{BLOCKED}.58/{generated value}

NOTES:

This backdoor checks if there's a running window with the following name:

• 99929D61-1338-48B1-9433-D42A1D94F0D2
• 99929D61-1338-48B1-9433-D42A1D94F0D2-x32
• 99929D61-1338-48B1-9433-D42A1D94F0D2-x64
• APISpy32Class
• Dumper
• Dumper64
• Iris - Version 5.59
• PROCEXPL
• PROCMON_WINDOW_CLASS
• ProcessHacker
• ProcessLasso_Notification_Class
• SharedIntApp.exe
• TSystemExplorerTrayForm.UnicodeClass
• Tfrmrpcap
• VBoxService.exe
• VBoxTray.exe
• VMwareDragDetWndClass
• VMwareSwitchUserControlClass
• WdcWindow
• iptools.exe
• prl_cc.exe
• prl_tools.exe
• vmsrvc.exe
• vmtoolsd.exe
• vmusrvc.exe
• wireshark.exe

The {generated value} is based on user name, local IP, running debugger, and malware build date and version.

It checks Service Disk or BIOS for the following registry information if under virtualization:

• VMware
• PTLTD
• Virtual
• VBOX
• AMIBI