EXPLOYT
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
EXPLOYT variants may arrive on a system bundled with malware or grayware packages, or hosted on a website, running when a user accesses that website.
EXPLOYT malware takes advantage of certain vulnerabilities to download malicious files onto the affected system. It does this by using an exploit kit that allows an attacker to take advantage of most known vulnerabilities.
Successful exploitation of the vulnerabilities executes shellcode that triggers the download and execution of malware. Most of the downloaded files can give criminals remote control over the infected machine, and thus let them steal user-critical information such as online banking login credentials, email passwords and the like. Systems infected with EXPLOYT malware may be considered security-compromised.
This Trojan arrives as a component bundled with malware/grayware packages.
It takes advantage of certain vulnerabilities.
TECHNICAL DETAILS
Yes
Compromises system security, Connects to URLs/IPs, Downloads files
Arrival Details
This Trojan arrives as a component bundled with malware/grayware packages.
Download Routine
This Trojan connects to the following website(s) to download and execute a malicious file:
- http://{Random}.changeip.name/temp/newyear/{Random Number}/?whole=98
It saves the files it downloads using the following names:
- %User Temp%\hfgTy\{Random Numbers}.tmp.exe
- %User Profile%\awt43abr.exe
- %User Profile%\berstrestvers.exe
- %User Profile%\bawt34tv.exe
- %User Profile%\tab4vrtve.exe
- %User Profile%\wgsdgsdgdsgsd.exe
- %User Profile%\ab43yctewatv.exe
- %User Profile%\a43vtzgbdgv.exe
- %User Profile%\atv4tvq34.exe
- %User Profile%\bg34dfbewgba4.exe
- %User Profile%\av4a43by4ayb.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It downloads a possibly malicious file from a certain URL. The URL where this malware downloads the said file depends on the following parameter(s) passed on to it by its components:
- val
- prime
Other Details
This Trojan takes advantage of the following vulnerabilities:
- CVE-2011-3544
- CVE-2012-5076
- CVE-2012-4681
- CVE-2012-1723
- CVE-2013-0422
- CVE-2012-0507
It executes the downloaded file using the following commands:
- regsvr32 -s %User Profile%\{file name}.exe
- %User Profile%\{file name}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
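As an added defender-side example (not part of this encyclopedia entry), the following Python checks process-creation records for the execution routine described above: regsvr32 run with -s against an .exe under %User Profile%, direct execution of one of the dropped file names listed under Download Routine, or execution of the hfgTy\{Random Numbers}.tmp.exe path from %User Temp%. The log record format and the sample records are constructed assumptions.

```python
import re
from typing import Dict, List

# File names this entry lists as dropped into %User Profile%.
DROPPED_NAMES = {
    "awt43abr.exe", "berstrestvers.exe", "bawt34tv.exe", "tab4vrtve.exe",
    "wgsdgsdgdsgsd.exe", "ab43yctewatv.exe", "a43vtzgbdgv.exe",
    "atv4tvq34.exe", "bg34dfbewgba4.exe", "av4a43by4ayb.exe",
}
# %User Profile% roots on the Windows versions the entry covers.
PROFILE_ROOT = re.compile(r"^(?:c:\\documents and settings|c:\\users)\\[^\\]+\\", re.I)
# %User Temp%\hfgTy\{Random Numbers}.tmp.exe on those same versions.
TEMP_DROP = re.compile(
    r"\\(?:local settings\\temp|appdata\\local\\temp)\\hfgty\\\d+\.tmp\.exe$", re.I)
REGSVR32 = re.compile(r'^"?(?:.*\\)?regsvr32(?:\.exe)?"?\s+(.*)$', re.I)


def check_command(cmdline: str) -> List[str]:
    """Return the reasons a process command line matches this entry's execution routine."""
    reasons = []
    cmd = cmdline.strip()
    m = REGSVR32.match(cmd)
    if m:
        # regsvr32 registers DLL/OCX files; drop switches such as -s and keep the target.
        target = re.sub(r"^(?:[-/]\w+\s+)*", "", m.group(1)).strip('"')
        if target.lower().endswith(".exe") and PROFILE_ROOT.match(target):
            reasons.append("regsvr32 -s against .exe in user profile")
        return reasons
    # Direct execution: take the image path up to the first .exe, ignoring arguments.
    m = re.match(r'^"?(.*?\.exe)"?(?:\s|$)', cmd, re.I)
    path = m.group(1) if m else cmd
    name = path.rsplit("\\", 1)[-1].lower()
    if name in DROPPED_NAMES and PROFILE_ROOT.match(path):
        reasons.append(f"known dropped file name: {name}")
    if TEMP_DROP.search(path):
        reasons.append("hfgTy\\*.tmp.exe executed from %User Temp%")
    return reasons


# Constructed process-creation records (not from the entry); "cmd=" format is assumed.
SAMPLE_LOG = [
    r"2013-01-15T10:02:11 user=alice cmd=regsvr32 -s C:\Documents and Settings\alice\awt43abr.exe",
    r"2013-01-15T10:02:12 user=alice cmd=C:\Documents and Settings\alice\wgsdgsdgdsgsd.exe",
    r"2013-01-15T10:02:13 user=bob cmd=C:\Users\bob\AppData\Local\Temp\hfgTy\48213.tmp.exe",
    r"2013-01-15T10:03:00 user=bob cmd=regsvr32 -s C:\Windows\System32\example.dll",
    r"2013-01-15T10:03:05 user=bob cmd=C:\Program Files\Java\jre7\bin\java.exe -jar app.jar",
]


def scan_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each matching record to its reasons; clean records are omitted."""
    hits = {}
    for line in lines:
        _, _, cmd = line.partition("cmd=")
        reasons = check_command(cmd)
        if reasons:
            hits[line] = reasons
    return hits
```

Running scan_log(SAMPLE_LOG) flags the first three constructed records and leaves the benign regsvr32 and Java launches alone.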