The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor: only when triggered by this first layer of C&C servers does the backdoor activate its second stage. The data exchanged between the module and the C&C is encrypted with a proprietary algorithm and then encoded as readable Latin characters, a character set that fits inside DNS queries. Each packet also contains an encrypted “magic” DWORD value “52 4F 4F 44”: as raw ASCII those bytes read ‘ROOD’, but interpreted as a little-endian DWORD they form 0x444F4F52, whose hex digits spell ‘DOOR’.

Our analysis indicates the embedded code acts as a modular backdoor platform. It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim. The remote access capability includes a domain generation algorithm (DGA) for C&C servers which changes every month. For defenders this has two practical consequences: a static blocklist of C&C domains goes stale on a monthly cadence, and the second-stage logic cannot be recovered from the host alone, because without the key returned by the first-tier C&C the encrypted embedded code is never activated.
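The following is an added example, not code from the original analysis or from the malware, showing how a defender would hunt for the DNS-tunnelled staging beacon described above. It fixes the byte-order point about the magic DWORD, then generates a month's candidate C&C domains from a toy DGA and runs two checks over DNS query logs: matches against the month's DGA set, and a tunnelling heuristic for repeated long, purely alphabetic subdomains under one registered domain. Everything beyond the page is an assumption: the DGA is a hypothetical SHA-256 construction (the real algorithm is not published here), the log line format (`timestamp client qname`) is invented, the magic DWORD is assumed to sit at offset 0 of a decrypted packet, and "registered domain" is approximated as the last two labels with no public-suffix handling. The log lines are constructed, not real telemetry.

```python
"""Hunting a monthly-DGA, DNS-tunnelled first-stage beacon (added example)."""
import hashlib
import re
import struct
from collections import defaultdict

# The page gives the magic as the bytes 52 4F 4F 44.  Read as raw ASCII they
# are "ROOD"; read as a little-endian DWORD they are 0x444F4F52 ("DOOR").
MAGIC_BYTES = bytes.fromhex("52 4F 4F 44")
MAGIC_DWORD = struct.unpack("<I", MAGIC_BYTES)[0]


def magic_as_text(value):
    """Render a DWORD's hex digits as text, so 0x444F4F52 -> 'DOOR'."""
    return value.to_bytes(4, "big").decode("ascii")


def has_magic(packet):
    """ASSUMPTION: the magic DWORD is at offset 0 of an already-decrypted packet."""
    return len(packet) >= 4 and struct.unpack_from("<I", packet, 0)[0] == MAGIC_DWORD


def toy_monthly_dga(year, month, count=5, tld="com"):
    """HYPOTHETICAL DGA, not the real one: the seed is the year and month, so the
    candidate set changes once a month and a defender can pre-compute it."""
    seed = "{:04d}{:02d}".format(year, month).encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 letters
        domains.append("{}.{}".format(label, tld))
    return domains


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")  # assumed format


def parse_dns_log(lines):
    """Return (client, qname) pairs; malformed lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            records.append((m.group("client"), m.group("qname").lower().rstrip(".")))
    return records


def registered_domain(qname):
    """ASSUMPTION: last two labels; a real tool would consult the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def hunt(lines, dga_domains, min_payload=20, min_queries=3):
    """Flag queries to this month's DGA domains, and (client, domain) pairs that
    sent several distinct long purely-alphabetic subdomains, the shape a
    Latin-letter-encoded encrypted beacon takes inside a DNS name."""
    dga_set = set(dga_domains)
    dga_hits = []
    payloads = defaultdict(set)  # (client, domain) -> distinct subdomain payloads
    for client, qname in parse_dns_log(lines):
        domain = registered_domain(qname)
        if domain in dga_set:
            dga_hits.append((client, qname))
        payload = "" if qname == domain else qname[: -len(domain) - 1].replace(".", "")
        if len(payload) >= min_payload and payload.isascii() and payload.isalpha():
            payloads[(client, domain)].add(payload)
    suspects = sorted((c, d, len(p)) for (c, d), p in payloads.items() if len(p) >= min_queries)
    return {"dga_hits": dga_hits, "tunnel_suspects": suspects}


AUG_2017 = toy_monthly_dga(2017, 8)
JUL_2017 = toy_monthly_dga(2017, 7)
_beacon = AUG_2017[0]
SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2017-08-03T10:11:12Z 10.0.0.5 www.example.com",
    "2017-08-03T10:11:13Z 10.0.0.5 qwertyuiopasdfghjklzxcvbnmqwer." + _beacon,
    "2017-08-03T10:11:14Z 10.0.0.5 mnbvcxzlkjhgfdsapoiuytrewqmnbv." + _beacon,
    "2017-08-03T10:11:15Z 10.0.0.5 zaqxswcdevfrbgtnhymjukilopzaqx." + _beacon,
    "2017-08-03T10:12:00Z 10.0.0.7 mail.example.com",
    # a single query to last month's domain: missed by August's list, too few for the heuristic
    "2017-08-03T10:12:30Z 10.0.0.7 abcdefghijklmnopqrstuvwxyzabcd." + JUL_2017[0],
]

if __name__ == "__main__":
    print("magic DWORD 0x{:08X} = {}".format(MAGIC_DWORD, magic_as_text(MAGIC_DWORD)))
    print("August 2017 candidates:", AUG_2017)
    print(hunt(SAMPLE_LOG, AUG_2017))
```

The last sample line is the point of the monthly rotation: a query to July's domain is invisible to a hunt keyed on August's list, so the DGA set has to be regenerated (or the last few months' sets kept) before each sweep. The tunnelling heuristic is deliberately coarse and will also flash on legitimate label-encoded DNS users (anti-virus reputation lookups, some CDNs), so treat its output as a lead to pivot on, not a verdict.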