Answer to question back then

October 14, 2018 at 22:19:04
Specs: Windows 8
This is a really old post, but there is an underlying truth here. Maybe a lying truth to be more exact. As in a hidden backdoor. Malware created by Microsoft or some government entity randomly chooses one of nine different locations in %AppData% to persistently install itself on the machine. The binary also creates a “version” file in the same folder. As its name implies, it stores just version information, together with the full installation path of the malware itself. Then the corresponding registry keys are created in HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure persistence in the system.
After the malware has executed its own copy in the new location, the SetWindowsHook API is utilized to establish keylogger functionality and to monitor mouse inputs and internal messages posted to the message queue. The next stage in its operation is to contact the hardcoded C&C server. This is done with an encryption key. It tries to obtain the default Windows user-agent string. If this is not successful, the sample uses its hardcoded version. It connects to its C&C server in the same way; once per minute it sends a heartbeat signal via HTTP (GET /v1). To retrieve commands or to upload or download additional resources, it uses TCP port 433. It uses almost the same filename templates to save the obtained screenshots, audio captures, keylogs and other arbitrary data. The keylogger is active. The content of a keystroke logfile, located in %TEMP% and created. The author left quite a number of suspicious strings in the binary. The following string is surprisingly honest. Original file name: bot-main-win-32-msvc2013-release.exe. It’s important that the software looks legitimate and that Windows doesn’t ask the user for confirmation prior to execution of unknown software. On Windows machines this can be achieved by using trusted code signing certificates. In this particular case, it signed the binary with a trusted certificate from “COMODO RSA Code Signing CA”. This software was intentionally designed to be platform independent.


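The persistence pattern the post describes (a Run value under HKCU pointing at a binary dropped in %AppData%) is something a defender can audit directly. The following PowerShell script is an added example and is not code from the thread or from any of the posters; it assumes a Windows host with built-in PowerShell only. It lists per-user Run and RunOnce entries whose executable lives under a user-writable profile folder and reports the Authenticode status of each. Because the post states that the binary carried a valid COMODO signature, a "Valid" status here does not clear an entry; the launch location is the signal worth reviewing.

```powershell
# Added example, not from the thread: audit per-user autorun entries that launch
# from user-writable profile folders (%AppData%, %LocalAppData%, %TEMP%).
# Assumes Windows PowerShell 5.1 or later; no third-party modules.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Roots a normal installer would not use for a persisting program.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') }

function Get-CommandPath {
    param([string]$Command)
    # Pull the executable path out of a Run value, which may be quoted
    # ("C:\x\y.exe" /arg), unquoted (C:\x\y.exe /arg) or use %VARS%.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    return ($expanded -split '\s+')[0]
}

function Get-SuspectAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
            if ($name -like 'PS*') { continue }
            $path = Get-CommandPath $props.$name
            $inProfile = $suspectRoots | Where-Object {
                $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            }
            if (-not $inProfile) { continue }
            $sig = if (Test-Path -LiteralPath $path) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Path      = $path
                Signature = $sig
            }
        }
    }
}

Get-SuspectAutoruns | Format-Table -AutoSize
```

Run it in the context of the user whose profile you want to inspect, since HKCU is per user. An entry that appears here with a file in %AppData% and a companion "version" file in the same folder matches what the post describes and deserves a closer look regardless of its signature status.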

#1
October 15, 2018 at 00:49:42
So what post were you responding to?

Also, this part I don't agree with: "Malware created by Microsoft or some government entity",
but that's just me.

Also tell us the command and control server IP, you said it was hard-coded right?

P.S. does the name "colobot" ring a bell?

i5-6600K[delid]@4.7GHz/4.3GHz@1.376v LLC=6 | 2x4GB Crucial-DDR4-2133CL15@14-14-14-28 1T 2700MHz@1.35v
MSI Armor RX 570 4GB@1260Mhz core@1.000v/2000MHz



#2
October 15, 2018 at 21:28:05
There are lots of people out there doing things like this to get personal info and passwords, most are probably selling this info online to the highest bidder. Then there are the other countries like China, Russia, and others where espionage is their main concern.

The moral: Run a good AV program and manually scan with Malwarebytes at least monthly (weekly if susceptible, daily if paranoid). Then run ADWCleaner whenever you think things might be getting through or slowing down (a good sign of a self replicating program).

You have to be a little bit crazy to keep you from going insane.



#3
October 17, 2018 at 12:12:41
How on earth do you expect us to refer back to an old post without giving even a hint about where and when?

slickerthanthou maybe, but it doesn't take a lot to post a link to a post.

Always pop back and let us know the outcome - thanks

