First posted on 14 August 2018.
There are no other names known for Backdoor:MSIL/Sorcas.A.
We have observed this backdoor being downloaded from hxxp://iqhost[.]us:99/a[.]zip.
It's installed as %Windows%\IME\svchost.exe.
This backdoor is installed as a service named "gpmsvc" using Installutil.exe, an installer tool from .NET Framework Tools.
When run, it connects to the server hxxps://iqhost.us:3389/. It then waits for and executes commands, including but not limited to:
- Download and run files
- Run cmd.exe to execute shell commands
- Stop a process
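The install path, service name and server above are the indicators a defender would hunt for. The following Python is an added example, not code from the write-up: it matches those indicators (with the defanged URLs refanged for comparison) against a small set of constructed telemetry records. The record format (`file_create`, `service_install`, `network_connect` events with the fields shown) is hypothetical, as are the sample records themselves; the one generalisation beyond the page is the check that flags any `svchost.exe` outside the two directories where Windows keeps the genuine one.

```python
"""Indicator matching for Backdoor:MSIL/Sorcas.A over constructed telemetry.

The indicators (install path, service name, host and ports) are the ones
listed in the write-up. The record format and sample records are constructed
for this example and do not come from any real sensor.
"""
import ntpath

# Indicators from the write-up; defanged URLs refanged so they compare cleanly.
SORCAS_INSTALL_PATH = r"%Windows%\IME\svchost.exe"
SORCAS_SERVICE_NAME = "gpmsvc"
SORCAS_C2_HOST = "iqhost.us"
SORCAS_C2_PORTS = {99, 3389}   # 99: download of a.zip, 3389: command channel

# Directories where a genuine svchost.exe lives on a Windows system.
LEGIT_SVCHOST_DIRS = {r"%windows%\system32", r"%windows%\syswow64"}


def normalise(path, windir=r"C:\Windows"):
    """Lower-case a path and fold a concrete Windows directory into %windows%."""
    p = path.strip().lower()
    if p.startswith(windir.lower()):
        p = "%windows%" + p[len(windir):]
    return p


def svchost_outside_system32(path):
    """True when a file named svchost.exe sits anywhere but System32/SysWOW64."""
    head, tail = ntpath.split(normalise(path))
    return tail == "svchost.exe" and head not in LEGIT_SVCHOST_DIRS


def check_record(rec):
    """Return the names of the indicators that one telemetry record matches."""
    hits = []
    event = rec.get("event")
    if event == "file_create":
        if svchost_outside_system32(rec["path"]):
            hits.append("svchost.exe outside System32")
            if normalise(rec["path"]) == SORCAS_INSTALL_PATH.lower():
                hits.append("Sorcas install path")
    elif event == "service_install":
        if rec["service"].lower() == SORCAS_SERVICE_NAME:
            hits.append("Sorcas service name")
        # The write-up says the service is registered with InstallUtil.exe;
        # a .NET installer registering a stray svchost.exe is worth a look.
        installer = ntpath.basename(rec.get("image", "")).lower()
        if installer == "installutil.exe" and svchost_outside_system32(rec.get("binary", "")):
            hits.append("InstallUtil-registered service pointing at svchost.exe outside System32")
    elif event == "network_connect":
        if rec["host"].lower() == SORCAS_C2_HOST:
            hits.append("Sorcas C2 host")
            if rec["port"] in SORCAS_C2_PORTS:
                hits.append("Sorcas C2 port %d" % rec["port"])
    return hits


def scan(records):
    """Return (record id, matched indicators) for every record that matches."""
    findings = []
    for rec in records:
        hits = check_record(rec)
        if hits:
            findings.append((rec["id"], hits))
    return findings


# Constructed sample telemetry: one benign svchost.exe, one in the Sorcas path,
# the InstallUtil-registered service, the C2 connection, and a benign connection.
SAMPLE_TELEMETRY = [
    {"id": 1, "event": "file_create", "path": r"C:\Windows\System32\svchost.exe"},
    {"id": 2, "event": "file_create", "path": r"C:\Windows\IME\svchost.exe"},
    {"id": 3, "event": "service_install", "service": "gpmsvc",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "binary": r"C:\Windows\IME\svchost.exe"},
    {"id": 4, "event": "network_connect", "host": "iqhost.us", "port": 3389},
    {"id": 5, "event": "network_connect", "host": "update.example.com", "port": 443},
]

if __name__ == "__main__":
    for rec_id, hits in scan(SAMPLE_TELEMETRY):
        print("record %d: %s" % (rec_id, "; ".join(hits)))
```

The host match is the strong signal; port 3389 on its own is ordinary RDP traffic, which is why the code only reports the port after the host has matched. The `svchost.exe`-outside-System32 check is a generic rule that would also catch other malware reusing that filename, so it is reported separately from the exact Sorcas install path.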
Analysis by: Jonathan San Jose
Last update 14 August 2018