sha1:
- 08e2edeea11515c5c83a9d14d723d29939549978 (Microsoft Update Service) — a module for accessing the command line
- e324c7490dc287168c2de66021f02e7d999d8538 (HVNC_Controller.exe) — a module for remotely controlling a computer
- 856225319df6fbb1ff3ea2b9e418a83fbec300d9 (FileManager.exe) — a module for downloading files
- 65ffe173a0f48711531c1cc8155d32c55569facb (Stream.exe) — a screencasting module
Description
A modular backdoor capable of executing attacker-issued commands. Written in C++, it is designed to run on Microsoft Windows operating systems. This malware was used in a targeted attack against a Russian engineering company to collect confidential data from infected systems. The backdoor’s code is obfuscated.
Operating routine
The following backdoor modules were identified:
- Command-line access module
- Remote control module (VNC)
- File download and installation module
- Screencasting module
All modules communicate with the same C2 server: updating-services[.]com.
Command-line Access Module
This primary module is delivered and installed by the Trojan.Updatar.2 downloader. Upon execution, it collects system information from the infected machine:
| Parameter | Description |
|---|---|
| Username | Username |
| PC_name | PC name |
| OS | Windows version |
| Screen | Screen size |
| Ram | The amount of RAM, megabyte |
| External ip | An external IP |
| Manufacturer | Motherboard manufacturer |
| Model | Product name |
| Processor Name | Processor’s name and its clock frequency |
| Hard Disk | Hard disk capacity |
| Avname | Installed anti-virus |
| BIOS Version | BIOS software information |
| Internet Adapter | The unique identifier of the network device |
The trojan obtains general system details via WMI queries.
It then sends the following requests to the C2 server:
- tmr
- src
- pinger
- commander
- commander response
pinger
The first packet sent, it contains system information.
| Route: | /dashboard/pinger |
| Method: | POST |
| User-Agent: | Vendetta Browser v12.0.1 |
| Request parameter: | System information |
One possible parameter,
tmr
Sends a keepalive packet at regular intervals.
| Route: | /dashboard/tmr |
| Method: | POST |
| User-Agent: | Vendetta Browser v12.0.1 |
| Request parameter: | Internet Adapter |
src
Sends a screenshot.
| Route: | /dashboard/src |
| Method: | POST |
| User-Agent: | MyScreenshotApp |
commander
Receives a command from the C2 server operator that is to be executed in the Windows cmd shell. Commands are sent interactively, not automatically.
| Route: | /dashboard/commander |
| Method: | POST |
| User-Agent: | Vendetta Browser v12.0.1 |
| Request parameter: | Internet Adapter |
commander response
Sends the result of the executed command back to the C2 server.
| Route: | /dashboard/commander/response |
| Method: | POST |
| User-Agent: | Vendetta Browser v12.0.1 |
| Request parameter: | Internet Adapter |
Remote Control Module
Implements remote desktop control via VNC (Virtual Network Computing).
The trojan starts two threads:
- Screen capture thread
- Keyboard emulation thread
It connects to the C2 server using a WebSocket on the route /ws/.
File Download Module
When this module is launched, the trojan receives three arguments:
- C2 server name
- Victim ID
- Wait time (timeout)
C2 server request endpoints:
- /dashboard/api/file_manager/upload_file/<id>/
- /dashboard/api/file_manager/response/<id>/
- /dashboard/api/file_manager/command/<id>/
The request /dashboard/api/file_manager/command/<id>/
Causes the trojan to receive a command for execution. The response is a JSON object containing the target command.
Possible commands:
| Command | Target |
|---|---|
| list_dir | Get the directory listing |
| download | Download a file from the infected system |
| delete | Delete a file |
| create_folder | Create a directory |
| download_from_server | Download a file to the infected system |
| stop_file_manager_client | Stop the module’s operation |
Command examples:
{
"command": {
"action": "list_dir",
"path": "C:\\"
}
}
{
"command": {
"action": "stop_file_manager_client",
"path": "internal"
}
}
The request /dashboard/api/file_manager/upload_file/<id>/
Executes the download command, which results in a file being uploaded from the victim to the C2 server.
The request /dashboard/api/file_manager/response/<id>/
Sends the result of the executed command or an error message if the command fails.
Screencasting Module
Records the victim’s screen using API Direct3D 11 and the library jpeg62.
To screencast, the trojan connects to the C2 server with the route /ws/ via WebSocket on port 80 and initializes the recording device. The WebSocket is implemented via boost::beast::websocket::stream.
More about Trojan.Updatar.2
News about the trojan
Indicators of compromise
