BKDR_TELEBOT.B

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor adds the following folders:

• %User Temp%\_MEI{random numbers}

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %User Temp%\_MEI{random numbers}\_ctypes.pyd
• %User Temp%\_MEI{random numbers}\_hashlib.pyd
• %User Temp%\_MEI{random numbers}\_socket.pyd
• %User Temp%\_MEI{random numbers}\_ssl.pyd
• %User Temp%\_MEI{random numbers}\bz2.pyd
• %User Temp%\_MEI{random numbers}\Crypto.Cipher._AES.pyd
• %User Temp%\_MEI{random numbers}\Crypto.Hash._SHA256.pyd
• %User Temp%\_MEI{random numbers}\Crypto.Random.OSRNG.winrandom.pyd
• %User Temp%\_MEI{random numbers}\Crypto.Util._counter.pyd
• %User Temp%\_MEI{random numbers}\Microsoft.VC90.CRT.manifest
• %User Temp%\_MEI{random numbers}\msvcm90.dll
• %User Temp%\_MEI{random numbers}\msvcp90.dll
• %User Temp%\_MEI{random numbers}\msvcr90.dll
• %User Temp%\_MEI{random numbers}\{random filename}.exe.manifest
• %User Temp%\_MEI{random numbers}\pyexpat.pyd
• %User Temp%\_MEI{random numbers}\python27.dll
• %User Temp%\_MEI{random numbers}\pywintypes27.dll
• %User Temp%\_MEI{random numbers}\requests\cacert.pem
• %User Temp%\_MEI{random numbers}\select.pyd
• %User Temp%\_MEI{random numbers}\unicodedata.pyd
• %User Temp%\_MEI{random numbers}\win32api.pyd
• %User Temp%\_MEI{random numbers}\win32pipe.pyd
• %User Temp%\_MEI{random numbers}\win32wnet.pyd

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• upload - Get file from remote user to affected system
• cmd - Perform remote shell command
• forcecheckin - Get OS information
• download - Send specified file from affected system to remote user

Download Routine

This backdoor saves the files it downloads using the following names:

• {malware path}\+~JF{random}.exe

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Information Theft

This backdoor gathers the following data:

• OS Platform Version
• Process Architecture
• Admintrator Privileges
• User UID

Other Details

This backdoor drops the following file(s)/component(s):

• {malware path}\log_{random} ← log file;

NOTES:

This backdoor uses the following Simple Mail Transfer Protocol (SMTP) servers to send information to remote malicious user:

• smtp-mail.outlook.com

It uses the following Internet Message Access Protocol (IMAP) servers to receive command from remote malicious user:

• imap-mail.outlook.com

It sends and receives information using the following email address:

• {BLOCKED}akeieva@outlook.com