1/3/2024
Anydesk software

When a user clicks on the downloaded archive, which pretends to be an Anydesk software application, other files in the bundle get dropped silently.

The above image shows an Allakore Rat client named bthudtaskt.exe, a Babuk downloader called mdnsFULLHD.exe, and one registry file named Anydesk.Reg, which is dropped in the Startup folder without user interaction. A clean Anydesk application is dropped on the desktop, and it gets installed. All the dropped files in the Startup folder are executed through PowerShell and carry out their activity in the background.

The Anydesk.reg file disables User Account Control by setting the value of EnableLUA to 0. It also disables Windows Defender by setting the value of DisableAntiSpyware to 1. The malware also disables real-time protection by setting the corresponding values to 1.

AllaKore Rat is a simple open-source Remote Access Tool written in Delphi and has a very high resemblance to code found on GitHub. The Babuk downloader launches the Allakore Rat, and it makes TCP requests, as shown below.

The ‘mdnsFULLHD.exe’ file is a PE32 executable for MS Windows, and it is Delphi compiled. It is immense (~12 MB) as it has most of the code to impair the defences. It launches the Allakore Rat using the PowerShell cmdlet Set-preference, making TCP requests as shown in the above image.

It adds the below paths in exclusion for the Windows Defender modules through the PowerShell cmdlet Set-MpPreference to hide all the malware components from Windows Defender.

Cmd.exe /c PowerShell -Command Add-MpPreference -ExclusionPath "C:\Users\XXX\Contacts"
Cmd.exe /c PowerShell -Command Add-MpPreference -ExclusionPath "C:\Users\XXX\Links"
etc.

The above paths are excluded by executing cmd.exe. The malware also excludes the below drives.

It has a list of AVs, as shown below, and it checks if any of the antivirus products is installed in the system. If any antivirus processes are running on the system, the below prompt appears, asking the user to intervene and uninstall the product. If the user clicks on the Next button, the Control Panel opens for uninstalling the software, and in the background, the malware checks whether it is uninstalled.

The malware disables Task Manager, and it undermines all the modules of Windows Defender. Further digging into the file revealed that the malware sent an HTTP request to download the bat file and.
“C:\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup” folder.

The malware creates these files and names them according to the user name, and then executes both files silently using PowerShell. E.g., if the username is ABC, the file names are ABC.exe and ABC.bat in the folder mentioned above.

It contains the following setting, which is executed through PowerShell and helps the malware evade detection:
Hide notification of Windows Defender in the systray icon

The downloaded Update.exe file is a Babuk ransomware payload. It is a UPX-packed file, and its size is small, around 25 KB. The malware is compiled in C/C++.

After execution, it launches the vssadmin.exe process to delete all Shadow Copies using the command “vssadmin.exe delete shadows /all /quiet”. It also creates a mutex with the name “DoYouWantToHaveSexWithChuongDong” in the system. The malware closes all the processes in its list, which would otherwise prevent file encryption. It also empties the Recycle Bin by calling the function SHEmptyRecycleBinA(), and it enumerates system folders and drives and creates ransom notes in each folder.

The malware appends the string “choung dong looks like a hot dog!!” at the end of the encrypted content of all the encrypted files. After a successful attack, if the victim does not pay the ransom as demanded, the malware author either publishes the encrypted data or sells it on underground forums.

However, we believe that this type of infection is affecting a wide range of Anydesk users. This use case is not limited to a specific threat actor. Using tools like Anydesk or other administration tools, the malware authors can easily take administrative privileges on the victim’s computer and perform malicious activity in the system.
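As an added example (not code from the post or from any of the tools it describes), the following Python script turns the behaviours described above into detection checks: it flags process command lines that add Defender exclusions or delete shadow copies, .reg lines that set EnableLUA to 0 or DisableAntiSpyware to 1, the payload's mutex name, and the marker string Babuk appends to encrypted files. The sample log and .reg lines are constructed, and the log format is an assumption.

```python
import re

# Indicators taken from the behaviour described in the post above.
BABUK_TRAILER = b"choung dong looks like a hot dog!!"   # appended to each encrypted file
MUTEX_NAME = "DoYouWantToHaveSexWithChuongDong"        # mutex created by the payload

# One regex per defence-impairment step the post describes. The "_reg" rules
# match value lines of a .reg file such as the dropped Anydesk.reg; the others
# match process command lines or mutex events as an EDR/sysmon log would record them.
RULES = {
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "shadow_copies_deleted": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    "uac_disabled_reg": re.compile(r'EnableLUA"?\s*=\s*dword:0+\b', re.I),
    "defender_disabled_reg": re.compile(r'DisableAntiSpyware"?\s*=\s*dword:0*1\b', re.I),
    "babuk_mutex": re.compile(re.escape(MUTEX_NAME)),
}

def classify_line(line: str) -> list[str]:
    """Return the names of every rule that matches one log or .reg line."""
    return [name for name, rx in RULES.items() if rx.search(line)]

def scan_lines(lines) -> dict[str, list[str]]:
    """Map each rule name to the lines that triggered it (rules with no hits are omitted)."""
    hits: dict[str, list[str]] = {}
    for line in lines:
        for name in classify_line(line):
            hits.setdefault(name, []).append(line)
    return hits

def has_babuk_trailer(data: bytes) -> bool:
    """True if a file's content ends with the marker Babuk appends after encryption."""
    return data.endswith(BABUK_TRAILER)

# Constructed sample: two command lines as an EDR would log them, two .reg value
# lines, one mutex-creation event (assumed format) and one benign process line.
SAMPLE_LINES = [
    'cmd.exe /c PowerShell -Command Add-MpPreference -ExclusionPath "C:\\Users\\XXX\\Contacts"',
    "vssadmin.exe delete shadows /all /quiet",
    '"EnableLUA"=dword:00000000',
    '"DisableAntiSpyware"=dword:00000001',
    "CreateMutexA name=DoYouWantToHaveSexWithChuongDong",
    "C:\\Windows\\System32\\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for rule, matched in scan_lines(SAMPLE_LINES).items():
        print(f"{rule}: {len(matched)} hit(s)")
    print("trailer present:", has_babuk_trailer(b"<ciphertext>" + BABUK_TRAILER))
```

Any single hit here is worth an alert on its own; several of them on one host within minutes matches the chain the post describes, from the dropped .reg file through to the payload.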