Backdoor:Win32/Aybo.B
First posted on 23 September 2017.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Aybo.B.
Explanation:
Installation
We have seen this threat dropped by lsass.exe, which is a legitimate Windows process. This may indicate that the threat is being propagated through a vulnerability, such as the SMB vulnerability, although we are unable to confirm this.
The threat adds a copy of itself in any of the following locations:
- %SystemRoot%\registration\regdrv.exe
- %APPDATA%\regdrv.exe
The copy sets the hidden file attribute on itself.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Registry Driver"
With data: the path of the dropped copy, for example "%SystemRoot%\registration\regdrv.exe"
It also creates a scheduled task named "RegUpdate" that runs the threat at every system startup, as in the following example:
- SCHTASKS /Create /TN RegUpdate /SC onstart /TR "C:\WINDOWS\registration\regdrv.exe" /f /RU "SYSTEM"
Initially, it connects to the following site to report a running session:
- hxxp://88.214.207.83/classes/s.php?query=
An example of the encoded string is WXpKV2VtTXliSFppYm5kM1prUm5lRTFVWXowPQ== which, when decoded, is "session|0|8117".
We have also seen the threat send an encoded query to another URL, as in the following example:
- hxxp://reklamamarketing.ru/content/blocks/classes/s.php?query=
The encoded string contains the string "register|AyaBot|" followed by various system information, including:
- Hostname
- Processor
- Operating system installed
This may be an attempt to register the infection with a command and control server.
Payload
Connects to remote server
After reporting a running session, the threat connects to the following URLs:
- hxxp://etobylovjanvare.ru/0942c3aad278ce5ea571a61712b4506a.php
- hxxp://pervogoaprela.ru/0942c3aad278ce5ea571a61712b4506a.php
- hxxp://glorymolly.com/0942c3aad278ce5ea571a61712b4506a.php
- hxxp://nogiledeneli.ru/0942c3aad278ce5ea571a61712b4506a.php
- hxxp://la2deluxe.net/0942c3aad278ce5ea571a61712b4506a.php
These URLs return a string that is base64-encoded thrice.
When the string is decoded, it provides another URL:
- hxxp://93.174.91.3/classes/s.php
It then sends an encoded query to that site, which can contain a number of commands, including "ping" or "session" again.
After this, it sends the "gettask" command (again, as an encoded query) to obtain possible backdoor commands that the threat can use, along with information about the version of the threat that is installed on the machine (for example, gettask|0|AyaBot|2.13|bbd165072cf). It then waits for a reply. The following is an example of this encoded query:
- hxxp://93.174.91.3/classes/s.php?query=V2pKV01HUkhSbnBoTTNkM1prVkdOVmxWU25aa1NIZDVUR3BGZW1aSFNtbGFSRVV5VGxSQk0wMXRUbTA9
Note: these requests are sent with the User-Agent string "DMFR".
At the time of analysis, we saw a reply of "config|id|446247" (base64-encoded three times). The first element, "config", is one of the backdoor's commands; the remaining elements are arguments for that command.
The following is the list of the command strings:
- config
- http
- icmp
- opensite
- openurl
- respond
- runexe
- syn
- tcp
- udp
- update
- wait
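The session and gettask queries quoted above, and the replies the C2 returns, are plain pipe-delimited text wrapped in three layers of base64 and carried in the query parameter. The following Python is an added example, not code from the original Microsoft write-up or from the malware, that unwraps the layers, splits the message into verb and arguments, checks the verb against the verbs and commands listed on this page, and triages constructed proxy-log lines. The log-line format, the client addresses, the timestamps and the benign third line are assumptions; the two encoded strings and the URLs are the ones quoted in the write-up.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Verbs seen in the client's queries and commands returned by the C2, both
# taken from this write-up; anything else is reported as unknown.
CLIENT_VERBS = {"session", "register", "ping", "gettask"}
SERVER_COMMANDS = {"config", "http", "icmp", "opensite", "openurl", "respond",
                   "runexe", "syn", "tcp", "udp", "update", "wait"}

# The two encoded queries quoted in the write-up.
SESSION_BLOB = "WXpKV2VtTXliSFppYm5kM1prUm5lRTFVWXowPQ=="
GETTASK_BLOB = "V2pKV01HUkhSbnBoTTNkM1prVkdOVmxWU25aa1NIZDVUR3BGZW1aSFNtbGFSRVV5VGxSQk0wMXRUbTA9"


def encode_query(message: str, rounds: int = 3) -> str:
    """Wrap a plain-text message in `rounds` layers of base64 (three by default,
    as the backdoor does)."""
    data = message.encode("ascii")
    for _ in range(rounds):
        data = base64.b64encode(data)
    return data.decode("ascii")


def decode_query(blob: str, rounds: int = 3) -> str:
    """Strip `rounds` base64 layers. Raises ValueError unless every layer is
    well-formed base64, so junk never parses as a command."""
    data = blob.encode("ascii")
    for layer in range(1, rounds + 1):
        try:
            data = base64.b64decode(data, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"layer {layer} is not base64: {exc}") from exc
    return data.decode("ascii")


def parse_message(text: str) -> Tuple[str, List[str]]:
    """Split 'verb|arg|arg' into the verb and its arguments."""
    verb, *args = text.split("|")
    return verb, args


def classify(verb: str, direction: str) -> str:
    """'known' if the verb is in the documented set for that direction."""
    known = CLIENT_VERBS if direction == "client" else SERVER_COMMANDS
    return "known" if verb in known else "unknown"


def decode_reply(body: str) -> Tuple[str, List[str], str]:
    """Decode a C2 reply body (also three base64 layers) into
    (command, args, known|unknown)."""
    verb, args = parse_message(decode_query(body))
    return verb, args, classify(verb, "server")


def extract_query_param(url: str) -> Optional[str]:
    """Return the raw `query` parameter. Uses unquote rather than parse_qs
    because '+' is a base64 symbol here, not an encoded space."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "query":
            return unquote(value)
    return None


# Constructed proxy-log lines (timestamp, client, method, URL, user agent).
# Addresses and timestamps are made up; the URLs and encoded strings are from
# the write-up; the third line is benign traffic for contrast.
SAMPLE_LOG = [
    "2017-09-23T10:00:01Z 10.0.0.7 GET http://88.214.207.83/classes/s.php?query="
    + SESSION_BLOB + " DMFR",
    "2017-09-23T10:00:09Z 10.0.0.7 GET http://93.174.91.3/classes/s.php?query="
    + GETTASK_BLOB + " DMFR",
    "2017-09-23T10:00:10Z 10.0.0.9 GET http://intranet.example/search.php?query=hello"
    " Mozilla/5.0",
]


def triage_line(line: str) -> Optional[Dict[str, object]]:
    """Decode one log line's query; None if the line has no `query` parameter."""
    ts, client, _method, url, user_agent = line.split(" ", 4)
    blob = extract_query_param(url)
    if blob is None:
        return None
    record: Dict[str, object] = {
        "ts": ts, "client": client, "host": urlsplit(url).hostname,
        "dmfr_agent": user_agent == "DMFR", "decoded": None,
        "verb": None, "args": [], "status": "undecodable",
    }
    try:
        text = decode_query(blob)
    except ValueError:
        return record
    verb, args = parse_message(text)
    record.update(decoded=text, verb=verb, args=args,
                  status=classify(verb, "client"))
    return record


def triage_log(lines: List[str]) -> List[Dict[str, object]]:
    """Triage every line that carries a `query` parameter."""
    return [r for r in map(triage_line, lines) if r is not None]


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print(rec["client"], rec["host"], rec["status"], rec["decoded"])
```

Because the client queries are unencrypted, the same decoder applied to a proxy log recovers the beacon content (session id, bot version, build string) without any sample in hand; the `dmfr_agent` flag and the `known`/`unknown` status give a cheap first filter before looking at the decoded text.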
Downloads other malware
In some samples, we have seen the threat attempt to download other malware, including Trojan:Win32/Eqtonex.C!dha - although we have not seen this behavior in all samples.
Changes the firewall
The threat adds a firewall rule named "Security Fix" that blocks inbound SMB connections on TCP port 445.
The following is the list of issued commands:
- netsh advfirewall set allprofiles state on
- netsh advfirewall firewall add rule name="Security Fix" protocol=TCP dir=in localport=445 action=block
It also disables the SMBv1 client by issuing the following commands:
- sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
- sc.exe config mrxsmb10 start= disabled
It also deletes the following local user accounts:
- net1 user Adminstrator /del
- net1 user systems /del
- net1 user IISUSER_ACCOUNTXX /del
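The scheduled-task creation under Installation and the firewall, service and account commands above are all ordinary command lines, so they are visible in process-creation telemetry. The following Python is an added example, not code from the original Microsoft write-up, that turns those command lines into detection rules and runs them over constructed process-creation events in a Sysmon-like shape. The host names, parent images and the two benign administrative commands are assumptions; the malicious command lines are the ones quoted on this page, and the severity labels are my own triage convention.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Rules built from the command lines quoted in this write-up. "high" is
# specific to this backdoor; "medium" also fires on legitimate SMB hardening
# or account clean-up and needs the other hits (or the parent) for context.
RULES = [
    ("aybo_schtasks_regupdate", "high",
     re.compile(r'schtasks(\.exe)?\s+/create\b.*?/tn\s+"?regupdate\b', re.I)),
    ("aybo_regdrv_path", "high",
     re.compile(r"\\registration\\regdrv\.exe|\bregdrv\.exe\b", re.I)),
    ("aybo_firewall_security_fix", "high",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\s+name="security fix"', re.I)),
    ("smb_inbound_445_blocked", "medium",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bdir=in\b"
                r".*?\blocalport=445\b.*?\baction=block\b", re.I)),
    ("smb1_client_disabled", "medium",
     re.compile(r"sc(\.exe)?\s+config\s+mrxsmb10\s+start=\s*disabled", re.I)),
    ("local_account_deleted", "medium",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+/del\b", re.I)),
]
SEVERITY = {name: sev for name, sev, _ in RULES}
SEVERITY["aybo_parent_regdrv"] = "high"   # spawned by the dropped copy itself
PARENT_REGDRV = re.compile(r"\\regdrv\.exe$", re.I)

# Constructed process-creation events (hosts and parents are made up; the
# WS01 command lines are from the write-up, WS02 shows benign admin activity).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\WINDOWS\registration\regdrv.exe",
     "cmdline": r'SCHTASKS /Create /TN RegUpdate /SC onstart /TR "C:\WINDOWS\registration\regdrv.exe" /f /RU "SYSTEM"'},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Security Fix" protocol=TCP dir=in localport=445 action=block'},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "sc.exe config mrxsmb10 start= disabled"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net1 user systems /del"},
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /Create /TN "NightlyBackup" /SC daily /TR "C:\Tools\backup.cmd"'},
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Allow RDP" protocol=TCP dir=in localport=3389 action=allow'},
]


def scan_event(event: Dict[str, str]) -> List[str]:
    """Names of every rule the event's command line or parent image matches."""
    cmdline = event.get("cmdline", "")
    hits = [name for name, _, rx in RULES if rx.search(cmdline)]
    if PARENT_REGDRV.search(event.get("parent", "")):
        hits.append("aybo_parent_regdrv")
    return hits


def triage_hosts(events: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Fold per-event hits into a per-host verdict."""
    per_host: Dict[str, set] = defaultdict(set)
    for event in events:
        per_host[event["host"]].update(scan_event(event))
    verdicts: Dict[str, Dict[str, object]] = {}
    for host, names in per_host.items():
        if any(SEVERITY[n] == "high" for n in names):
            verdict = "aybo_indicators"           # backdoor-specific artefact seen
        elif len(names) >= 2:
            verdict = "hardening_cluster_review"  # the post-infection command set, unattributed
        elif names:
            verdict = "single_medium_hit"
        else:
            verdict = "clean"
        verdicts[host] = {"rules": sorted(names), "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for host, result in triage_hosts(SAMPLE_EVENTS).items():
        print(host, result["verdict"], result["rules"])
```

The medium rules are deliberately kept: a host that blocks inbound 445, disables the SMBv1 client and deletes accounts within a short window is worth a look even when the "Security Fix" rule name or the regdrv.exe path has been changed in a later build.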
Additional information
- SHA1: 4b7ec4ee411719d8c4b1681c603042d89bd8e4e0
- SHA1: 3fef790a16d59a55011ef4850458ca02a181370f
Analysis by James Dee
Last update 23 September 2017