JS.BackDoor.60

SHA1 hashes:

• 847855b9240afb0b8e1e11de412cc779db51020e — the main backdoor body
• 5f51e7319c582a8ccdd4971d22515977213b8639 — the “task_autorun_lnk” task
• d45d42225db3ce5cd1407dff55d88dc5ffa843e2 — the “task_autorun_reg” task
• 940390c98276ceda423574c7357188728ea83074 — the “task_autorun_scheduler” task
• b3d694a7832cd4f228df9cbeaee10e996b583d18 — the “task_fdwd” task
• db86d55f3394d82f10f9b17b2250d11bb38149c5 — the “task_punto2_diary” task
• 5a17ed042b3209d993cd81b56f420a36bd1f3b3a — the “task_punto_install” task
• 0d2226f7cf71c8685f52d490586ed63bb3393fc1 — the “task_s” task

Description

Written in the JavaScript scripting language, this malicious program is designed to operate on computers running Microsoft Windows operating systems. It is a backdoor that executes attackers’ commands. Its main task is cyber espionage. This malware can be used to steal files from the computers it attacks, hijack keystrokes, create screenshots, etc. In addition, the backdoor can download its own updates and expand its functionality, thanks to its modular structure.

Operating routine

The JS.BackDoor.60 is a multi-component trojan that uses its own JavaScript framework. It consists of an obfuscated body and a number of additional modules, which are received from the C&C server and contain the main backdoor functionality. These modules are both part of the JS.BackDoor.60 and the tasks that the trojan executes though the JavaScript functions they have in common.

The body of JS.BackDoor.60 cyclically receives and executes a payload (the target malicious JavaScript code is the task) from the C&C server. To receive it, it sends a packet to the server containing the message ping. After the payload is received, a packet with the message pong is sent to the server.

The code to be executed is sent to the backdoor in the following format:

<main_sleep>15000</main_sleep><taskn>1</taskn><task1><id>167e315b7fc67</id><monkeycode>...</monkeycode></task1>

The taskn tag represents the number of tasks received from the C&C server.

The taskN tags assign each task, where N is the task number.

The id tag inside every task sets its identifier, which is a random hex string.

The monkeycode tag contains the task's JavaScript code for execution.

Common functions located in the tasks

Tasks received by JS.BackDoor.60 have common functions, which are used in each of them with varying degrees of frequency.

At the time of this backdoor’s analysis, the following functions were discovered:

• lr_run_exe(cmd)
• lr_is_elevated()
• lr_url(msg)
• lr_post(data, msg)
• lr_stats(msg)
• lr_statse(msg)
• lr_cmdr(data)
• lr_screensh()
• lr_check_scr(sec)
• lr_upload(srcPath, url, sec, canSplit, checkScr)

lr_run_exe(cmd)

This function creates a new process. The following argument is used:

• cmd — a command that is launched as a new process

The object is created by accessing the WMI interface. The following entities in the \root\CIMV2 namespace are used:

• Win32_ProcessStartup — process creator;
• Win32_Process — process description.

lr_is_elevated()

This function verifies the rights of the current process. This check is performed when the net session command is executed.

lr_url(msg)

This function forms an URL to send the response to the C&C server. The following argument is used:

• msg — a message that is added into the request parameter.

The link for sending the response is generated from the base link and the request parameters. The latter are divided into two categories: UserToken and metadata.

The base link is hxxps[:]//rembo.solkvize[.]com/__utm.gif?.

The following parameters from the UserToken group are added to it:

• v=<appVersion> — in this case, appVersion is a 501 constant;
• e=<is_elevated> — depending on the current rights of the process, it is set as either 1 (the process is launched as Administrator), or 0 (the process is launched, but not as Administrator);
• p=<pid> — the PID of the current process;
• ch=hw3a5928b7213d9 — a constant.

If an error occurs when one of fields of these parameters is obtained, the u=get-err parameter will be sent instead of the original parameters.

Next, metadata parameters are added to the link:

• t=<Date> — current time;
• s=<url_sequenceCounter> — this variable calculates the number of requests sent from this task;
• tid=1d288ddcb195f — the task identifier;
• m=<msg> — a message encoded with encodeURIComponent.

Moreover, additional request parameters can be added to the link. For example: lr_upload(path, lr_url('upldf') + '&fp=' + encodeURIComponent(path)).

lr_post(data, msg)

The function sends a packet containing data to the C&C server via a POST request. The following arguments are used:

• data — the data that is sent in the body parameter;
• msg — a message for generating a link for sending a response to the C&C server (an argument that is sent in lr_url).

Special headers added to this packet:

• Content-Type = application/x-www-form-urlencoded
• XJ-Ver = 501

lr_stats(msg)

This function sends the packet responsible for logging task execution to the C&C server via a GET request. The following argument is used:

• msg — a message for generating a link for sending a response to the C&C server (an argument that is sent in lr_url).

Below is an example of what a chain of sent packets containing logging information looks like:

• lr_download_start:<pathToSave>
• lr_download_start_u:<url>
• lr_del_file_delf:<pathToSave>:y
• lr_download_end:1:<pathToSave>
• lr_unpack_zip_start:<pathZipFile>
• lr_unpack_zip_end:<pathFile>
• lr_del_file_delf:<zipFilePath>:y
• lr_scr_r:ret:<retValue>:pid:<PID>
• lr_del_file_wait_delf:<pathImgSrc>:y

lr_statse(msg)

The function sends a packet via a GET request to the C&C server responsible for logging errors during task execution. The following argument is used:

• msg — a message for generating a link for sending a response to the C&C server (the argument that is sent in lr_url).

If an error occurs during the current task execution, this function calls the lr_stats(msg) function and adds the err value to the string from the msg argument.

lr_cmdr(data)

This function sends packets via a POST request to the C&C server; these packets contain the data resulting from the execution of the task’s target JavaScript. It calls the lr_post function with the following arguments:

• msg — a constant with the cmdr value;
• data — contains data about the task execution status.

An example of a sent data parameter:

task_punto2_diary=1, where:

• task_punto2_diary — task name;
• 1 — task execution result.

lr_screensh()

The function responsible for creating and sending screenshots to the C&C server. It verifies whether the nircmd.exe program has been previously downloaded to the target computer and whether its forced reinstallation is required.

If the program exists, the function executes a %TEMP%/nircmd/nircmd.exe savescreenshotfull "<file name>" command. This command creates a screenshot of all the monitors that are available and saves them to a temporary file. Next, the resulting image is sent to the C&C server.

This function is also a task. Its functionality is described in the corresponding “Executed tasks” section.

lr_check_scr(sec)

The timer function that verifies the time for taking a screenshot. The following argument is used:

• sec — the time elapsed between taking screenshots.

The timer operates as follows. Upon calling the function for sending screenshot, the timer checks how much time has elapsed since the last image was sent. If the interval is less than what was specified (the 30-second value is set by default), the screenshot will not be sent.

lr_upload(srcPath, url, sec, canSplit, checkScr)

The function for sending a file to the C&C server. The following arguments are used:

• srcPath — the path to the file that is to be sent;
• url — a link generated by the lr_url function. An additional fp=encodeURIComponent(path) request parameter is always added to the argument;
• sec — the pause time between the transmitted blocks (a 3-second interval is set by default);
• canSplit — a flag that indicates whether a file must be split into blocks (the true value is set by default);
• checkScr — a flag that indicates whether screenshots must be taken and sent to the C&C server while the file is being sent (the true value is set by default).

The function creates a screenshot timer, and then the file to be sent is read. If the canSplit flag is set, the file is sent block by block. The length of one block is 1,048,576 bytes.

A packet for one sent block has the following characteristics.

The request is made using the POST method. The request parameters are:

• &bl — the block number (starting with the first one);
• &bs — the block size;
• &bc — the total number of blocks;
• &fs — the size of the sent file.

After such a packet is sent, a screenshot is transferred to the C&C server (if the canSplit flag was previously set and the timer specified has expired).

In response to the transferred packet, the C&C server sends a packet, which can contain one or more fields with the commands listed below:

• <stopmonkey></stopmonkey> — to stop transferring the file and to terminate the sending function with an error;
• <main_sleep></main_sleep> — to pause the sending process;
• <fexists>([0-9]+)</fexists> — to resend the block;
• <fexistsskip></fexistsskip> — to stop transferring the file and to terminate the sending function without an error.

Features of the functions that send request packets to the C&C server

The mechanism for sending packets to the C&C server is implemented in the lr_post(data, msg), lr_stats(msg), lr_statse(msg), lr_screensh(), lr_upload, and lr_cmdr functions according to a general scheme.

To send a packet containing a request, one of the following objects is used:

• MSXML2.XMLHttp.6.0
• MSXML2.XMLHttp.5.0
• MSXML2.XMLHttp.4.0
• MSXML2.XMLHttp.3.0
• MSXML2.XMLHttp
• Microsoft.XMLHttp
• WinHttp.WinHttpRequest.5.1

The following headers are set for the request:

• Timeouts = 15000, 30000, 30000, 30000
• Option = 2, 13056

If the task was unable to create any of the objects listed above, the XMLHttpRequest object is used, with timeout set to have the 15000 value.

Executed tasks

During the backdoor’s analysis, the following tasks received for execution were identified:

• task_autorun_lnk
• task_autorun_reg
• task_autorun_scheduler
• task_fdwd
• task_punto2_diary
• task_punto_install
• task_s
• task_systeminfo

The “task_autorun_lnk” task

The JS.BackDoor.60 crawls the following directories:

• Desktop
• %appdata%\Microsoft\Internet Explorer\Quick Launch
• %appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

Moreover, it recursively crawls the Desktop directory with a nesting depth of 6.

When the contents of the target directories is read, all detected shortcuts, except for Explorer.lnk or Проводник.lnk, are modified. The changes are made so that the application to be launched becomes %windir%\system32\wscript.exe, with the following arguments: /nologo /E:jscript "<lnk_name>:lnk" "<app_name>" <args>, where:

• <lnk_name> — the name of the modified shortcut;
• <lnk_name>:lnk — the Alternate Data Stream (ADS), in which the trojan body is written;
• <app_name> — the path to the original program that was launched by the shortcut prior to its modification;
• <args> — the original application’s launching arguments that were specified in the shortcut prior to its modification.

This transformation of shortcuts leads to the fact that the trojan will be the first target to be launched through them, and only then will the originally assigned apps be launched.

One of the trojan’s starting scripts—(2023-10-06_135209.js, 2023-10-06_135225.js or 2023-10-06_135235.js), which are located in the starters directory—is copied into the ADS of the modified shortcuts.

Upon executing the task, the backdoor calls two functions: the lr_cmdr with the done=1 argument and the lr_stats with the task_autorun_lnk:end argument.

The “task_autorun_reg” task

It creates missing directories and files at specified local paths:

• C:\ProgramData\MicrosoftSecurityChecker\SecurityCheck.js
• C:\Program Files\MicrosoftSecurityChecker\SecurityCheck.js

It downloads the 2023-09-06_121321.js file from the C&C server and replaces the following files with it:

• C:\ProgramData\updater.js (or С:\Users\Public\updater.js)
• C:\ProgramData\MicrosoftSecurityChecker\SecurityCheck.js (or C:\Program Files\MicrosoftSecurityChecker\SecurityCheck.js)

It creates the Flash Player Update registry key in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ branch with the wscript.exe <path_updater.js> value, where path_updater.js is a local path that indicates the location of the updater.js trojan file downloaded from the C&C server.

After that, the lr_stats function is called, and it logs the results of the task’s execution.

It then creates the Microsoft Security Check registry key in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ branch with the wscript.exe <path_SecurityCheck.js> value, where path_SecurityCheck.js is a local path that indicates the location of the SecurityCheck.js trojan file downloaded from the C&C server.

Next, the lr_stats function is called, and it logs the results of creating the registry key.

Upon executing the task, the backdoor calls two functions: lr_cmdr with the done=1 argument and lr_stats with the task_autorun_reg:end argument.

The “task_autorun_scheduler” task

It creates missing directories and files at specified local paths:

• C:\ProgramData\MicrosoftSecurityChecker\SecurityCheck.js
• C:\Program Files\MicrosoftSecurityChecker\SecurityCheck.js

It downloads the 2023-09-06_121358.js file from the C&C server and replaces the following files with it:

• C:\ProgramData\updater.js (or С:\Users\Public\updater.js)
• C:\ProgramData\MicrosoftSecurityChecker\SecurityCheck.js (or C:\Program Files\MicrosoftSecurityChecker\SecurityCheck.js)

Next, it verifies the infected computer’s operating system version. This information is obtained by accessing the WMI interface. In the \root\CIMV2 namefield, the following structure is used:

• Win32_OperatingSystem — a structure that contains the main system information.

If the system version is outdated (OperatingSystem.Version < 6), an object of the system task scheduler (Win32_ScheduledJob) is created to run the updater.js file. Otherwise, an attempt is made to create a scheduler task via the schtasks.exe /create /tn 'Microsoft Security Check' /sc ONLOGON /tr "<cmd1>" /rl HIGHEST /f command, where:

• cmd1 — the parameter with the wscript.exe C:\ProgramData\updater.js value;
• /tn — the name of the service;
• /sc ONLOGON — the parameter indicating that the task is executed every time any user logs into the system;
• /tr — the parameter indicating the path to the program;
• /rl HIGHEST — the parameter indicating the level of execution. In this case, the created tasks will be executed with the highest level of privileges;
• /f — a parameter that makes it possible to create a task containing a disabled alert about a previously created task with the same name.

If an error occurs, an attempt is made to execute the same command but without the /rl HIGHEST flag.

Next, an attempt is made to create a scheduler task with the schtasks.exe /create /tn 'Flash Player Update' /sc HOURLY /tr "<cmd2>" /f command, where:

• cmd2 — the parameter containing the wscript.exe C:\ProgramData\MicrosoftSecurityChecker\SecurityCheck.js value;
• sc HOURLY — the parameter that indicates the number of hours before the task is executed.

Next, tasks that were created in the scheduler are verified using the schtasks.exe /query /v /fo csv /tn <task_name> command. The results of this check are saved to a temporary file, which is sent to the C&C server. While it is in transit, a screenshot is taken, which is also uploaded to the server. When these files are sent, a special parameter is added to the request. The &status=check1 parameter is added to the results produced by checking the created Microsoft Security Check task. The &status=check2 parameter is added to the results produced by checking the Flash Player Update task.

The privileges of the created tasks are verified by running net session.

Upon executing the task, the backdoor calls two functions: the lr_cmdr with the done=1 argument and the lr_stats with the task_autorun_scheduler:end argument.

The “task_fdwd” task

It runs the wmic logicaldisk get deviceid,volumename,caption,description,size command.

The result of its execution is saved to a temporary file that is uploaded to the C&C server and then deleted from the computer.

The “task_punto2_diary” task

It crawls the ProgramData directory and finds files that look like debug<data>.log, where data represents any sequence of characters. Next, it uploads every file located to the C&C server. If one or another file is currently being used by another application and cannot be sent, it is added to an archive via the 7z.exe a -t7z -r0 -mmt2 -ms=off -y "<tmpPath>" -mx1 "<srcPath>" -scsWIN –ssw command, where:

• tmpPath — the temporary archive file to which the located files are added;
• srcPath — the path to the file to be added to the archive;
• a — the parameter for adding files to the archive. If the archive file does not exist, it will be created;
• -t7z — the archive type;
• -r0 — recursive archiving for directories. This parameter is specified by a number: from 0 (to include all directories in the archive) up to the number of directory levels that need to be included in the archive;
• -mmt2 — the number of CPU threads that can be used to run the archiver program;
• -ms = off — the parameter for using the solid compression mode (on — enables this mode; off — disables this mode);
• -y — to answer affirmatively to all the questions that the system may ask;
• -mx1 — the parameter for using the fastest compression (the minimum compression level);
• -scsWIN — sets the default encoding in Windows;
• -ssw — to add a file to the archive even if it is currently in use.

When a created archive is sent to the C&C server, an additional fp parameter is added to the request. The parameter contains an urlencoded object containing the local path to the transferred file.

The “task_punto_install” task

It verifies whether the %appdata%\Yandex\Punto Switcher\User Data\preferences.xml.back file is present. This is the file that checks whether the Punto Switcher program is installed on the target computer. If this file exists, the task is terminated.

If this file is not found, the task performs the following actions:

• Downloads the hxxps[:]//rembo.solkvize[.]com/tools/punto.zip and hxxps[:]//rembo.solkvize[.]com/tools/7z.zip files. The first one contains the Punto Switcher app, and the second one contains the 7-Zip archiver program.
• Unpacks the Punto Switcher app into C:\Users\Public\PuntoSwitcher.
• Copies the C:\Users\Public\PuntoSwitcher\preferences.xml file into the %appdata%\Yandex\Punto Switcher\User Data\preferences.xml.
• Copies the C:\Users\Public\PuntoSwitcher\preferences.xml file into %appdata%\Yandex\Punto Switcher\User Data\preferences.xml.back.
• Launches the Punto Switcher app.

The preferences.xml file stores the Punto Switcher program settings. It contains the EnableDiary and RunAtStartup fields, which have flags with the Yes value. For most other fields, the flags are set to the No value.

      
        <?xml version="1.0" encoding="UTF-8" ?>
        <PuntoSwitcherSettings version="7">
            <PuntoHotkeys>0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0</PuntoHotkeys>
            <LayoutSwitchKey>0</LayoutSwitchKey>
            <SeparateLangCombination>0</SeparateLangCombination>
            <TransparentFormsFiller>0</TransparentFormsFiller>
            <CheckForUpdate>No</CheckForUpdate>
            <RunAtStartup>Yes</RunAtStartup>
            <DontConvertCapitals>Yes</DontConvertCapitals>
            <DontShowTrayIcon>Yes</DontShowTrayIcon>
            <ChangeIconClrOnMisprint>No</ChangeIconClrOnMisprint>
            <ShowCurLayoutInWndIcon>No</ShowCurLayoutInWndIcon>
            <ShowPopupOnException>No</ShowPopupOnException>
            <ExceptionCount>2</ExceptionCount>
            <FixTwoUpperLetters>No</FixTwoUpperLetters>
            <FixInvertedCase>No</FixInvertedCase>
            <ShowLayoutFlags>No</ShowLayoutFlags>
            <OneKeySwitchLayoutEnabled>No</OneKeySwitchLayoutEnabled>
            <BinarySwitchLayout>No</BinarySwitchLayout>
            <DisablePreHandle>Yes</DisablePreHandle>
            <AllSoundsEnabled>No</AllSoundsEnabled>
            <FirstLaunch>No</FirstLaunch>
            <SeparateLangKeysEnabled>No</SeparateLangKeysEnabled>
            <ShowQuickWordsListInLeftBtnMenu>No</ShowQuickWordsListInLeftBtnMenu>
            <DontReactOnOtherLangs>No</DontReactOnOtherLangs>
            <SingleLayout>No</SingleLayout>
            <ShowTooltips>No</ShowTooltips>
            <EnableDiary>Yes</EnableDiary>
            <DiarySkipSepWords>No</DiarySkipSepWords>
            <ScrollAsCaps>No</ScrollAsCaps>
            <HidePopIndicAfterLayoutChange>No</HidePopIndicAfterLayoutChange>
            <PSWorks>No</PSWorks>
            <DisableHotKeysWhenTurnedOff>No</DisableHotKeysWhenTurnedOff>
            <FixPopupIndicator>No</FixPopupIndicator>
            <ShowUsefulTips>No</ShowUsefulTips>
            <EnableIntelliMenus>No</EnableIntelliMenus>
            <AutoReplaceAlways>No</AutoReplaceAlways>
            <TurnOffDiaryInProgExceptions>No</TurnOffDiaryInProgExceptions>
            <ShowFormsFiller>No</ShowFormsFiller>
            <ReplaceOnEnterAndTab>No</ReplaceOnEnterAndTab>
            <ReplaceOnSpace>No</ReplaceOnSpace>
            <DontShowTranslitWin>Yes</DontShowTranslitWin>
            <FullUnhookWhenDisabled>No</FullUnhookWhenDisabled>
            <EnableClipboardHistory>Yes</EnableClipboardHistory>
            <PersistentClipboardHistory>Yes</PersistentClipboardHistory>
            <AutoSaveClipboardToDiary>Yes</AutoSaveClipboardToDiary>
            <EnableMouseEmulation>No</EnableMouseEmulation>
            <DisableCapsLock>No</DisableCapsLock>
            <PopupIndicatorPos>CPoint(10300, 10300)</PopupIndicatorPos>
            <FormsFillerRect>CRect(100, 100, 350, 500)</FormsFillerRect>
            <RestrictKeysEnabled>Yes,Yes,Yes,Yes,Yes,Yes,Yes</RestrictKeysEnabled>
            <MinDiaryRecordWords>1</MinDiaryRecordWords>
            <CurrentAdviceNum>0</CurrentAdviceNum>
            <DontSwitchOnOtherLangs>No</DontSwitchOnOtherLangs>
            <Sounds>C:\Users\Public\PuntoSwitcher\Sounds\typerus.wav,C:\Users\Public\PuntoSwitcher\Sounds\typeeng.wav,C:\Users\Public\PuntoSwitcher\Sounds\switch.wav,C:\Users\Public\PuntoSwitcher\Sounds\misprint.wav,C:\Users\Public\PuntoSwitcher\Sounds\ru.wav,C:\Users\Public\PuntoSwitcher\Sounds\en.wav,C:\Users\Public\PuntoSwitcher\Sounds\reverse.wav,C:\Users\Public\PuntoSwitcher\Sounds\switch.wav,C:\Users\Public\PuntoSwitcher\Sounds\switch.wav,C:\Users\Public\PuntoSwitcher\Sounds\switch.wav,C:\Users\Public\PuntoSwitcher\Sounds\switch.wav,C:\Users\Public\PuntoSwitcher\Sounds\switch.wav,C:\Users\Public\PuntoSwitcher\Sounds\switch.wav,C:\Users\Public\PuntoSwitcher\Sounds\switch.wav,C:\Users\Public\PuntoSwitcher\Sounds\switch.wav,C:\Users\Public\PuntoSwitcher\Sounds\replace.wav</Sounds>
            <SoundsStates>98304003,131072003,163840003,45875203,65536003,131072003,131072003,131072003,131072003,131072003,131072003,98304003,111411203,124518403,32768003,26214403</SoundsStates>
            <AskF12Support>No</AskF12Support>
            <ShowLayoutFlagsAlwaysInColor>No</ShowLayoutFlagsAlwaysInColor>
            <DoubleBackSpaceAction>0</DoubleBackSpaceAction>
            <ShareHotKeyForUndoConvertAndSelectionConvert>No</ShareHotKeyForUndoConvertAndSelectionConvert>
            <DiarySaveDays>0</DiarySaveDays>
            <FolderExceptions></FolderExceptions>
            <ProgramsExceptions></ProgramsExceptions>
            <TitlesExceptions></TitlesExceptions>
        </PuntoSwitcherSettings>
      
    

Such a configuration makes it possible to use Punto Switcher as a keylogger because the application stops manifesting itself in any way on the infected computer and records user actions (it tracks keystrokes and the contents of the clipboard when data is copied to it).

The “task_s” task

It verifies whether the nircmd.exe program has been previously downloaded to the target computer and whether its forced reinstallation is required.

If the program is not found, it downloads it from the following address:

hxxps[:]//rembo.solkvize[.]com/tools/nircmd.zip

Next, it saves the nircmd.exe app to the %TEMP%/nircmd directory.

If the program exists on the target computer, the %TEMP%/nircmd/nircmd.exe savescreenshotfull "<file name>" command is launched. It creates individual screenshots of all the available monitors and saves them to the temporary file. The image is then sent to the C&C server.

Next, the lr_url function is called to generate a link for sending the response to the C&C server.

One of the following objects is used to send the packet:

• MSXML2.XMLHttp.6.0
• MSXML2.XMLHttp.5.0
• MSXML2.XMLHttp.4.0
• MSXML2.XMLHttp.3.0
• MSXML2.XMLHttp
• Microsoft.XMLHttp
• WinHttp.WinHttpRequest.5.1

The following headers are set in the request:

• Timeouts = 15000, 30000, 30000, 30000
• Option = 2, 13056

If the task could not create any of the objects listed above, the XMLHttpRequest object is used, with timeout set to have the 15000 value.

The packets sent are divided into two categories: the status packet and the closing packet.

The status packet uses the GET method and is transmitted to log the actions performed by the task and to send messages about errors that have occurred.

The current action or the error is sent as the msg parameter. For example:

lr_download_start:<pathToSave>

The closing packet uses the POST method and sends the screenshot directly to the C&C server. The u string is sent as a msg parameter. An additional request parameter is also added to the packet:

• sz=<size> — the size of the transferred screenshot.

The “task_systeminfo” task

It runs the cmd.exe with the /u /c systeminfo /fo csv parameters. The result is saved to a temporary file, which is then sent to the C&C server. A packet containing information about the available system permissions is also sent to the server.

Indicators of compromise

News about the trojan