
Backdoor:Win32/Buhtrap.A!dha


First posted on 05 November 2016.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:Win32/Buhtrap.A!dha.

Explanation:

Arrival and Installation


This backdoor employs a number of social engineering lures, including pretending to be installers or updates to popular applications:

  • chrome_update.exe
  • chrome_plugin_netinstall.exe
  • fp_setup.exe
  • shockwave_setup_winax.exe
  • zerno.eze (fake Adobe Flash Player)


We've observed this backdoor being downloaded from the following domains:
  • onona.ru
  • raw.githubusercontent.com


When executed, this backdoor drops the following file:
  • %APPDATA%\ssl_bapi.exe


Payload


Connects to Command-and-control (C&C) server

This backdoor connects to the following C&C to download a file:

hxxp: // rozhlas . site / news / business / release.bin

The said C&C is inaccessible as of this writing.

Gathers information about infected PC

This backdoor gathers information from your PC and attempts to send it to the same C&C:

hxxp: // rozhlas . site / news / business / release.bin

It checks running processes against a hardcoded list of banking-related process names:

_ClientBank.exe CliBank.exe GPBClient.exe productprototype.exe _ftcgpk.exe CliBankOnlineEn.exe GpbClientSftcws.exe quickpay.exe ADirect.exe CliBankOnlineRu.exe ibconsole.exe rclaunch.exe ant.exe CliBankOnlineUa.exe IbcRemote31.exe rclient.exe arm.exe client.exe icb_c.exe retail.exe arm_mt.exe client2.exe ICLTransportSystem.exe retail32.exe ARMSH95.EXE Client2008.exe IMBLink32.exe RkcLoader.exe asbank_lite.exe Client32.exe intpro.exe rmclient.exe bank.exe client6.exe ip-client.exe Run.exe bank32.exe clientbk.exe iscc.exe saclient.exe BankCl.exe CLMAIN.exe ISClient.exe scardsvr.exe Bankline.EXE clntstr.exe kabinet.exe SGBClient.ex bbclient.exe clntw32.exe kb_cli.exe SGBClient.exe bbms.exe cncclient.exe KLBS.exe srcbclient.exe bc.exe contactng.exe KlientBnk.exe SRCLBClient.exe BC_Loader.exe Core.exe lfcpaymentais.exe SrCLBStart.exe BClient.exe cshell.exe loadmain.exe sx_Doc_ni.exe bk.exe cws.exe lpbos.exe translink.exe BK_KW32.EXE cyberterm.exe mebiusbankxp.exe twawebclient.exe bnk.exe dsstart.exe mmbank.exe unistream.exe CB.exe dtpaydesk.exe MWClient32.exe UpMaster.exe cb193w.exe eelclnt.exe ONCBCLI.exe Upp_4.exe cbank.exe el_cli.exe pcbank.exe uralprom.exe cbmain.ex elbank.exe pinpayr.exe vegaClient.exe CbShell.exe etprops.exe Pionner.exe w32mkde.exe cbsmain.dll eTSrv.exe pkimonitor.exe wclnt.exe CBSMAIN.exe EximClient.exe pmodule.exe wfinist.exe CL_1070002.exe fcclient.exe pn.exe winpost.exe clb.exe FColseOW.exe postmove.exe wupostagent.exe CLBANK.EXE GeminiClientStation.exe prclient.exe Zvit1DF.exe CLBank3.exe

It checks if the following folder patterns exist in %PROFILE%, %APPDATA%, %PROGRAMFILES%, and %SYSTEMDRIVE%:
  • *gpb,inist,mdm,bifit,Aladdin,Amicon,*bss,Signal-COM,iBank2,*\bc.exe,*\*\intpro.exe,*cft,agava,*R-Style,*AKB Perm
  • *ELBA,*ELBRUS
  • *SFT,*Agava,*Clnt,*CLUNION.0QT,*5NT,*BS,*ELBA,*Bank,ICB_C,*sped,*gpb0


It also checks your browsing history in Firefox, Chrome, and Opera for the following string patterns:
  • *ICPortalSSL*
  • *isfront.priovtb.com*
  • *ISAPIgate.dll*
  • *bsi.dll*
  • *PortalSSL*
  • *IIS-Gate.dll*
  • *beta.mcb.ru*
  • *ibank*
  • *ibrs*
  • *iclient*
  • *e-plat.mdmbank.com*
  • *sberweb.zubsb.ru*
  • *ibc*
  • *elbrus*
  • *i-elba*
  • *clbank.minbank.ru*
  • *chelindbank.ru/online/*
  • *uwagb*
  • *wwwbank*
  • *dbo*
  • *ib.*


With this information gathered, it then attempts to send it to the C&C.
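As an added example (not code from the advisory or from Microsoft), a Python triage helper that takes constructed endpoint observations and reports both the infection indicators listed above and the banking artefacts this backdoor's own checks would flag on that host, so infected machines that also hold targeted software can be prioritised. It uses only subsets of the page's process, folder and history lists, and it matches the folder patterns against the leaf folder name, which is an assumption: the advisory does not say how path-style entries such as *\bc.exe are evaluated.

```python
import fnmatch
from pathlib import PureWindowsPath

# Indicators from the advisory above (subsets of its long targeting lists).
DROPPED_FILE = "ssl_bapi.exe"  # written to %APPDATA%\ssl_bapi.exe
LURE_NAMES = {"chrome_update.exe", "chrome_plugin_netinstall.exe", "fp_setup.exe",
              "shockwave_setup_winax.exe", "zerno.eze"}
C2_DOMAINS = {"rozhlas.site", "onona.ru"}
BANK_PROCESSES = {"_clientbank.exe", "clibank.exe", "gpbclient.exe", "ibconsole.exe",
                  "bank.exe", "retail.exe", "rclient.exe", "iscc.exe"}
FOLDER_PATTERNS = ["*gpb", "inist", "bifit", "iBank2", "*ELBA", "*Bank", "ICB_C"]
HISTORY_PATTERNS = ["*ibank*", "*bsi.dll*", "*clbank.minbank.ru*", "*ib.*", "*dbo*"]

def match_any(value, patterns):
    """Case-insensitive glob match ('*' is a wildcard); first matching pattern or None."""
    for pat in patterns:
        if fnmatch.fnmatchcase(value.lower(), pat.lower()):
            return pat
    return None

def triage_host(host):
    """host: endpoint observations as a dict. Returns the infection indicators seen
    and the banking artefacts the backdoor's own checks would have flagged."""
    iocs, targeted = [], []
    for proc in host["processes"]:
        low = proc.lower()
        if low == DROPPED_FILE or low in LURE_NAMES:
            iocs.append("process:" + proc)
        elif low in BANK_PROCESSES:
            targeted.append("process:" + proc)
    iocs += ["file:%APPDATA%\\" + f for f in host["appdata_files"] if f.lower() == DROPPED_FILE]
    iocs += ["dns:" + d for d in host["dns_queries"] if d.lower() in C2_DOMAINS]
    for folder in host["folders"]:  # assumption: patterns apply to the leaf folder name
        pat = match_any(PureWindowsPath(folder).name, FOLDER_PATTERNS)
        if pat:
            targeted.append(f"folder:{folder} ({pat})")
    for url in host["history_urls"]:
        pat = match_any(url, HISTORY_PATTERNS)
        if pat:
            targeted.append(f"history:{url} ({pat})")
    # A host showing IoCs that also holds targeted banking software goes to the top of the queue.
    return {"ioc_hits": iocs, "targeted_software": targeted,
            "priority": "high" if iocs and targeted else "medium" if iocs else "low"}

# Constructed sample observations, not real telemetry.
SAMPLE_HOST = {
    "processes": ["explorer.exe", "ssl_bapi.exe", "CliBank.exe"],
    "appdata_files": ["ssl_bapi.exe", "desktop.ini"],
    "dns_queries": ["update.microsoft.com", "rozhlas.site"],
    "folders": [r"C:\Program Files\iBank2", r"C:\Users\u\AppData\Roaming\Mozilla"],
    "history_urls": ["https://clbank.minbank.ru/login", "https://example.com/"],
}
```

Note how broad some of the history patterns are (for example *ib.* and *dbo*): a match there says the host is of interest to the backdoor, not that it is infected, so only the ioc_hits list should drive an incident.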

As the C&C is inaccessible, we were not able to observe subsequent behavior. However, based on this backdoor's code, when it receives a reply from the C&C, it performs the following:
  • Saves the C&C reply (the payload) as a file and decrypts it
  • Runs the command prompt to wait and then deletes itself
  • Runs the downloaded malware

Last update 05 November 2016
