Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Win32.Bolik.1

Added to the Dr.Web virus database: 2016-06-03

Virus description added:

SHA1:

crypt21226cb1361f46d6262cddb756b24b47d86dfb96
botf11da165d898f35809c69fba00d21b1d1c916f00
mimikaz3ce415ce0efe8436750a328d8fc698d6a9ead08c
JUPITER.32b36abe9a5336ac9baa468e3bae30950ceec5eb05
JUPITER.64695f9f570ca56e3211bf37527ab9f34b2bd3c388

A multicomponent polymorphic file virus that can infect file objects on 32-bit and 64-bit versions of Microsoft Windows. It is designed to perform web injections, intercept traffic, take screenshots, to execute keylogging functions, and to steal login credentials for online banking applications. It can also establish reverse RDP connections (back connect) and launch a local SOCKS5 proxy server and HTTP server in order to perform CMD commands. The virus is known to inherit several characteristic features from Trojan.Carberp and Trojan.PWS.Panda (Zeus).

As Carberp’s successor, Trojan.Bolik.1 has borrowed the presence of a virtual file system, which the Trojan saves to one of system directories or to the user folder. Like Zeus, the Trojan has the JUPITER web injection mechanism; yet, it was considerably modified. In particular, Trojan.Bolik.1 uses JSON for data sharing and numeric codes are replaced with line parameters in the configuration block.

Trojan.Bolik.1 intercepts traffic in such browsers as Microsoft Internet Explorer, Chrome, Opera, and Mozilla Firefox by intercepting function calls. The Trojan steals private information by using the analog of mimikatz designed to steal passwords in the Windows open sessions. The malware program also uses the monguse library to create an HTTP server.

The Trojan communicates with the C&C server over HTTP protocol by sending POST requests encrypted with AES CBC 128. An encryption key is generated using the curve25519 elliptic curve. Integrity check is performed by means of hmac-sha1 and sha1. All transmitted information is encrypted with a special algorithm and is then compressed using the zlib library.

Judging from the corresponding lines in the configuration file received from the server, only Russian bank clients suffer from web injections performed by the Trojan:

}, {
            "Mask" : "*Бухгалтерия*",
            "Count" : 1
        }, {
            "Mask" : "*iBank2*",
            "Count" : 1
        }, {
            "Mask" : "*ts.letok2.ru*",
            "Count" : 1
        }, {
            "Mask" : "*Кассир*",
            "Count" : 1
        }, {
            "Mask" : "*KASSA*",
            "Count" : 1
        }, {
            "Mask" : "*Internet-Банкинг*",
            "Count" : 1
        }, {
            "Mask" : "*Банкинг*",
            "Count" : 1
        }, {
            "Mask" : "*jp2launcher.exe*",
            "Count" : 1
        }
    ],

The Trojan also uses the following masks:

"Mask" : "*bitcoin*",
            "Count" : 1
        }, {
            "Mask" : "*BSS*",
            "Count" : 1
        }, {
            "Mask" : "*Банк*",
            "Count" : 1
        }, {
            "Mask" : "*ЗАО*",
            "Count" : 1
        }, {
            "Mask" : "*Клиент*",
            "Count" : 1
        }, {
            "Mask" : "*eToken*",
            "Count" : 1
        }, {
            "Mask" : "*Remote Desktop*",

The self-spreading ability of the Trojan is activated once the following command is received from the server:

{"WormConfig":{"USBEnabled":true,"NetworkEnabled":true}}

Then Trojan.Bolik.1 checks open-for-write folders for the presence of executable files in the Windows system or on connected USB devices and then infects them. Trojan.Bolik.1 can compromise either 32-bit or 64-bit applications. Dr.Web Anti-virus detects programs infected by this virus as Win32.Bolik.1.

The virus has an incorporated polymorphic decryptor that is inserted into the input point of the infected file. The decryptor decrypts data located in the resource section that also contains the Trojan itself in encrypted form. It calculates the key in several iterations and decrypts the shell code by this calculated key. Besides, Win32.Bolik.1 tries to hinder the operation of anti-virus programs that can execute malicious applications in a special emulator by implementing specific techniques that consist of different loops and repeating instructions.

News about the Trojan