Threat Research

The Story Behind Backdoor.LV

From May of this year, we have seen a sudden uptick in the number of samples of an interesting malware we call Backdoor.LV. We have seen this malware propagate primarily through websites hosting .exes. The HTTP header below shows one such example from which the malware was downloaded. A quick lookup of the IP in the HTTP header, 94.129.29.233, shows that it is located in Kuwait.

Location from where the binary was downloaded:

```http
GET /Server.exe HTTP/1.1
Host: 94.129.29.233:1000
Connection: Keep-Alive
```

VT analysis of the binary that was analyzed:

https://www.virustotal.com/file/3c3bd38fb908c4b6b33b3d83595d4bcef974379937f53b7a51e695ba71c1bd50/analysis/

WHOIS of the IP:

```text
inetnum:  94.129.0.0 - 94.129.127.255
netname:  GPRS_NETWORK
descr:    3G allocation, VAS allocation, 2G allocation
country:  KW
admin-c:  VIVA55-ripe
tech-c:   VIVA55-ripe
status:   ASSIGNED PA
mnt-by:   MNT-AS2306
source:   RIPE # Filtered
```

Also interesting were the names of some of the domains used. Many of the domains used names referring to the Middle East. To figure out where the destination C2s were being hosted, we took a subset of the domains that we noticed in the FireEye Malware Protection Cloud (MPC) and mapped them to the countries in which they were hosted. This is what we came up with.

[Figure: map of the countries in which the observed C2 domains were hosted]

Particularly interesting was the C2 communication. The malware was seen talking back to its CnC using a custom protocol over port 80. The communication between the infected machine and its command and control server looks like this:

[Figure: captured check-in message from the infected machine to its CnC server]

As you can see in the figure above, the malware gathers the following information from the compromised machine and sends it to the CnC.

  1. Netbios name
  2. User
  3. Date
  4. Locale
  5. Windows OS name

The "[endof]" keyword signals the end of the message. 

The malware also informs the CnC of its version (0.3.6) in the communication above. We have also seen malware with versions 0.3.5 and 0.3.8.

Now we are left with three unexplained fields: two of them are base64 encoded and one is the string "No."

Decoding the first base64 encoded parameter results in an Arabic string "تلغيم شخصي" which translates to "Mining the personal." We have seen different samples send different instructions as the first base64 encoded parameter. The second base64 encoded parameter, which is blurred out in the figure above, is obtained by getting a handle on the current foreground window and getting the title of the window’s title bar. It then encodes it and sends it to its CnC server. For instance, if someone had IE open, with www.google.com in the title bar, then the malware would encode www.google.com.

Almost all the samples we observed in the FireEye MPC were written in .Net. To understand what the "No" string was, we had to look at the code a little more. Reversing the code, we found a function called inf(), which was responsible for building the message that was being sent to the CnC server. The code snippet below tells us when "No" is appended to the message. Interestingly, the malware checks whether a camera is attached to the compromised machine; if one is, it sends "Yes", otherwise it sends "No".

```csharp
// Fragment of the decompiled inf() routine: str2 is the check-in message
// being built, this.Y is the field separator used throughout the message.
if (this.Cam())
{
    // A camera is present on the compromised machine.
    str2 = str2 + "Yes" + this.Y;
}
else
{
    // No camera found.
    str2 = str2 + "No" + this.Y;
}
```
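To show how the check-in format described above can be parsed and flagged on the wire, here is an added example (not code from the original post or from the malware itself). The separator value `<SEP>`, the field order and the sample machine details are assumptions; the post only names the separator as `this.Y`.

```python
import base64
import re

# Assumed field separator: the post identifies it only as "this.Y" in the
# decompiled code, so this value is a placeholder, not the real one.
SEP = "<SEP>"
END_MARKER = "[endof]"  # terminator named in the post

# Assumed field order, following the items the post lists for the check-in.
FIELDS = ["netbios", "user", "date", "locale", "os",
          "version", "instruction_b64", "window_b64", "camera"]


def build_sample_beacon():
    """Construct a sample check-in in the layout the post describes."""
    instruction = base64.b64encode("تلغيم شخصي".encode("utf-8")).decode()
    window = base64.b64encode(b"Google - Windows Internet Explorer").decode()
    return SEP.join(["WORKSTATION-01", "user1", "13/06/2013", "ar-KW",
                     "Windows 7 Ultimate", "0.3.6", instruction, window,
                     "No"]) + END_MARKER


def parse_beacon(raw):
    """Split a check-in into named fields, decoding the two base64 ones."""
    if not raw.endswith(END_MARKER):
        return None
    parts = raw[:-len(END_MARKER)].split(SEP)
    if len(parts) != len(FIELDS):
        return None
    msg = dict(zip(FIELDS, parts))
    try:
        msg["instruction"] = base64.b64decode(
            msg.pop("instruction_b64"), validate=True).decode("utf-8")
        msg["window_title"] = base64.b64decode(
            msg.pop("window_b64"), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 means this is not a well-formed check-in
    return msg


def looks_like_backdoor_lv(raw):
    """Detection heuristic: terminator, field count, 0.3.x version, camera flag."""
    msg = parse_beacon(raw)
    if msg is None:
        return False
    return (re.fullmatch(r"0\.3\.\d+", msg["version"]) is not None
            and msg["camera"] in ("Yes", "No"))
```

Running `looks_like_backdoor_lv` over reassembled port 80 payloads that are not valid HTTP is one way to surface this traffic in a proxy or IDS log.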

Although Backdoor.LV collects some crucial information pertaining to the user and the compromised machine, what was surprising was that upon execution it opens a dialog box asking the user to run an executable named "Trojan.exe." Looking at this obvious name for the malicious executable, one can only speculate whether this malware was intended for non-native English speakers.