Analysis by: Pearl Charlaine Espejo
ALIASES:

BackDoor-FCAF!Vawtrak (McAfee)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

It modifies the Internet Explorer Zone Settings.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size: 200,704 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 02 Jun 2016
Payload: Connects to URLs/IPs, Steals information

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

  • %All Users Profile%\Application Data\{random filename}.dat – detected as BKDR_VAWTRAK.YZH

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random filename} = regsvr32.exe "%All Users Profile%\Application Data\{random filename}.dat "

Other System Modifications

This backdoor adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers
DefaultLevel = "262144"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers
TransparentEnabled = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers
PolicyScope = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModeBanner = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
TabProcGrowth = "0"

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers\0\Paths

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • Log keystrokes
  • Capture Screenshots
  • Open a process
  • Install Updates
  • List Process
  • Inject code to process
  • Download and execute files
  • Download configuration
  • Perform remote shell

It connects to the following URL(s) to send and receive commands from a remote malicious user:

  • http://{BLOCKED}.{BLOCKED}.233.38/{path}?{data}
  • http://{BLOCKED}.{BLOCKED}.233.80/{path}?{data}
  • http://{BLOCKED}.{BLOCKED}.192.106/{path}?{data}
  • http://{BLOCKED}.{BLOCKED}.192.110/{path}?{data}
  • http://{BLOCKED}.{BLOCKED}.51.216/{path}?{data}
  • http://{BLOCKED}.{BLOCKED}.184.239/{path}?{data}
  • http://{BLOCKED}ag.com/{path}?{data}
  • http://{BLOCKED}ka.com/{path}?{data}
  • http://{BLOCKED}ng.com/{path}?{data}
  • http://{BLOCKED}lon.com/{path}?{data}
  • http://{BLOCKED}rda.com/{path}?{data}
  • http://{BLOCKED}z.com/{path}?{data}
  • http://{BLOCKED}on.com/{path}?{data}
  • http://{BLOCKED}lpane.com/{path}?{data}
  • http://{BLOCKED}ka.com/{path}?{data}

As of this writing, the said sites are inaccessible.

Web Browser Home Page and Search Page Modification

This backdoor modifies the Internet Explorer Zone Settings.

Information Theft

This backdoor attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

  • 32BitFtp
  • 3D-FTP
  • AceBIT
  • Adobe
  • BitKinex
  • BulletProof FTP
  • CoffeeCup Software
  • Cryer Website Publisher
  • Cyberduck
  • DeluxeFTP
  • EasyFTP
  • Estsoft ALFTP
  • ExpanDrive
  • FTP Commander
  • FTP Control
  • FTP Explorer
  • FTP Navigator
  • FTP++
  • FTPGetter
  • FTPNow
  • FTPRush
  • FTPShell
  • FTPWare COREFTP
  • Far Manager
  • FileZilla
  • FireFTP
  • FlashFXP 3
  • FlashFXP 4
  • FlashPeak BlazeFtp
  • Fling FTP
  • FreshFTP
  • Frigate3
  • GPSoftware Directory Opus
  • Ghisler Total Commander
  • Ghisler Windows Commander
  • Global Downloader
  • GlobalSCAPE CuteFTP
  • GlobalSCAPE CuteFTP 6 Home
  • GlobalSCAPE CuteFTP 6 Professional
  • GlobalSCAPE CuteFTP 7 Home
  • GlobalSCAPE CuteFTP 7 Professional
  • GlobalSCAPE CuteFTP 8 Home
  • GlobalSCAPE CuteFTP 8 Professional
  • GlobalSCAPE CuteFTP Lite
  • GlobalSCAPE CuteFTP Pro
  • GoFTP
  • INSoftware NovaFTP
  • Ipswitch WS_FTP
  • LeapFTP
  • LeechFTP
  • LinasFTP
  • MAS-Soft FTPInfo
  • MS IE FTP
  • Martin Prikryl
  • My FTP
  • NCH Software ClassicFTP
  • NetDrive
  • NetSarang
  • NexusFile
  • Nico Mak Computing WinZip FTP
  • NppFTP
  • RhinoSoft FTPVoyager
  • Robo-FTP
  • SimonTatham PuTTY
  • SmartFTP
  • SoftX.org FTPClient
  • Sota FFFTP
  • South River Technologies WebDrive
  • Staff-FTP
  • TurboFTP
  • UltraFXP
  • VanDyke SecureFX
  • Visicom Media
  • WinFTP
  • WiseFTP

It attempts to steal stored email credentials from the following:

  • IncrediMail
  • MS Outlook
  • Poco Systems Pocomail
  • RIT The Bat!
  • RimArts Internet Mail
  • Thunderbird
  • Windows Live Mail
  • Windows Mail

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

  • Epic
  • FastStone Browser
  • Flock
  • Internet Explorer
  • K-Meleon
  • Mozilla Firefox
  • Mozilla SeaMonkey

Other Details

This backdoor deletes itself after execution.

NOTES:

The variable {path} can be any of the following:

  • viewforum.php
  • posting.php

It is capable of setting up a VNC (virtual network computing) server to take control of the compromised computer.

It injects its code in all running processes except the following:

  • csrss.exe
  • lsass.exe
  • lsm.exe
  • services.exe
  • smss.exe
  • svchost.exe
  • taskhost.exe
  • wininit.exe
  • winlogon.exe

It only performs its intended routine once it is injected in the following processes:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe

It checks for the presence of the following security-related folders:

  • %System Root%\Documents and Settings\NetworkService\Local Settings\Application Data\F-SecureF-Secure Internet Security
  • {file path}\AVAST Software
  • {file path}\AVG
  • {file path}\Agnitum
  • {file path}\Alwil Software
  • {file path}\AnVir Task Manager
  • {file path}\ArcaBit
  • {file path}\Avira
  • {file path}\Avira GmbH
  • {file path}\BitDefender
  • {file path}\BlockPost
  • {file path}\Common Files\Doctor Web
  • {file path}\Common Files\G DATA
  • {file path}\Common Files\P Tools
  • {file path}\Common Files\Symantec Shared
  • {file path}\DefenseWall
  • {file path}\DefenseWall HIPS
  • {file path}\Doctor Web
  • {file path}\DrWeb
  • {file path}\ESET
  • {file path}\FRISK Software
  • {file path}\G DATA
  • {file path}\K7 omputing
  • {file path}\Kaspersky Lab
  • {file path}\Kaspersky Lab Setup Files
  • {file path}\Lavasoft
  • {file path}\Malwarebytes
  • {file path}\Malwarebytes' Anti-Malware
  • {file path}\McAfee
  • {file path}\McAfee.com
  • {file path}\Microsoft Security Essentials
  • {file path}\Microsoft\Microsoft Antimalware
  • {file path}\Norton AntiVirus
  • {file path}\Microsoft Security Client
  • {file path}\Online Solutions
  • {file path}\P Tools
  • {file path}\P Tools Internet Security
  • {file path}\Panda Security
  • {file path}\Positive Technologies
  • {file path}\Sandboxie
  • {file path}\Security Task Manager
  • {file path}\Spyware Terminator
  • {file path}\Sunbelt Software
  • {file path}\Symantec
  • {file path}\Trend Micro
  • {file path}\UAenter
  • {file path}\Vba32
  • {file path}\Xore
  • {file path}\Zillya Antivirus
  • {file path}\a-squared Anti-Malware
  • {file path}\a-squared HiJackFree
  • {file path}\avg8
  • {file path}\f-secure

The variable {file path} can be any of the following:

  • %Program Files%
  • %Program Files% (x86)
  • %All Users Profile%\Application Data

Once it finds any of the above folders, it creates the a registry entry to force these applications to run under restricted privileges:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{random generated GUID}
ItemData = "{blacklisted software path}"
SaferFlags = "0"

It accesses the following registries to get a list of installed programs and their uninstall paths:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UninstallString

It steal passwords from Internet Explorer, Windows Protected Storage and all Autocomplete entries stored by Internet Explorer within the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

It does not have rootkit capabilities.

It does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine: 9.8
FIRST VSAPI PATTERN FILE: 12.538.05
FIRST VSAPI PATTERN DATE: 20 May 2016
VSAPI OPR PATTERN File: 12.539.00
VSAPI OPR PATTERN Date: 21 May 2016

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {random filename} = regsvr32.exe "%All Users Profile%\Application Data\{random filename}.dat"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\paths\{random generated GUID}
    • ItemData = "{blacklisted software path}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\paths\{random generated GUID}
    • SaferFlags = 0

Step 5

Restore this deleted registry key/value from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {random filename} = regsvr32.exe "%All Users Profile%\Application Data\{random filename}.dat"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    • DefaultLevel = "262144"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    • TransparentEnabled = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    • PolicyScope = "0"
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • NoProtectedModeBanner = "1"
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • TabProcGrowth = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{random generated GUID}
    • ItemData = {blacklisted software path}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{random generated GUID}
    • SaferFlags = 0

Step 6

Remove malware/grayware files dropped/downloaded by BKDR_VAWTRAK.YUYJT. (Note: Please skip this step if the threats listed below have already been removed.)

    • BKDR_VAWTRAK.YZH

Step 7

Reset Internet security settings

[ Learn More ]

Step 8

Reset Internet privacy settings

[ Learn More ]

Step 9

Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_VAWTRAK.YUYJT. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 10

Scan your computer with your Trend Micro product to delete files detected as BKDR_VAWTRAK.YUYJT. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.