Custom Backdoor Used in Targeted Attacks with Command and Control Servers Disguised as Antivirus Company Sites
Researchers at Symantec have discovered a new backdoor Trojan being used in attacks against companies mainly located in Taiwan, but also against organizations in Brazil and the United States.
Dubbed Backdoor.Dripion by Symantec, the malware is custom-built and has been created mainly to steal information in a series of targeted attacks, researchers say. Moreover, Symantec discovered that the Trojan’s operators focused on disguising their activities by using domain names masqueraded as websites of antivirus companies for their command and control (C&C) servers.
Dripion is believed to be tied to an organization involved in cyberespionage campaigns, and Symantec researchers associated it with Budminer, an advanced threat group previously known to have used the Taidoor Trojan, Symantec’s Jon DiMaggio explains.
So far, the malware has been used by a single attacker against a small target group, and researchers discovered that it was being deployed using the Blugger Trojan downloader. This malicious application, which has been in use at least since 2011, uses encryption to make its communication with the C&C server more difficult to detect.
However, researchers managed to discover that the downloader requested URLs of publicly available blogs to retrieve Dripion for installation. Most of the blogs were related to news events, yet Symantec is unsure whether they were created by the attackers themselves or if they were compromised to serve malware.
After installation, Dripion provides the attacker with access to the victim’s computer, as it includes the functionally typically found in a backdoor Trojan. After a successful compromise, its operators can upload, download, and steal pre-determined information from the victim (computer’s name and IP address are automatically sent to the C&C server), and can also execute remote commands.
The Trojan supports commands such as sleep for 10 minutes, attempt to delete itself and kill all operations, disconnect from the computer, write data on the victim’s computer or on a remote open file, create a new process, and execute command and redirect result through pipe to .tmp file and Download file.
According to Symantec, the developer of Dripion malware used XOR encoding for both the binary configuration file and network requests with the C&C server. The researchers also discovered multiple variations of the Trojan, as well as version numbers hardcoded within the malware and suggest that attackers can update their code to include new capabilities and make detection more difficult.
Researchers linked the Trojan to the Budminer group because they used the Blugger downloader to distribute the Taidoor Trojan before, and because the downloader was previously used exclusively to distribute that piece of malware. Moreover, they found that one of the Blugger samples associated with Dripion connected to a domain also used in Taidoor-related activity.
In addition to using the same unique downloader as Taidoor, Dripion uses the same blogs for distribution, has a similar target window, and shares the C&C infrastructure at the root domain level with Taidoor. Moreover, their downloader encrypts data using the victim's MAC address as the RC4 key, which further connects the new threat to the Budminer cyberespionage group, although the two malware families do not share code.
Dripion was first used in a campaign in September 2015, but the timestamp on the earliest known sample suggests that the Trojan might have been created in 2013, Symantec says. In fact, Symantec researchers were able to validate known Dripion activity in November 2014, but suggest that previous campaigns possibly happened before that, but went undetected because of the very small target group.
Symantec also says that the group managed to deceive potential targets by creating multiple domains with names similar to that of legitimate companies and websites in the antivirus industry, which are actually C&C domains used in attacks.
The group also relied on typo-squat domains to carry out attacks, a tactic frequently used to trick victims.
The Taidoor malware hasn’t been used in any new campaigns since 2014, mainly because the group decided to change tactics to avoid detection, the security researchers assume.
In 2014, Taidoor-related zero-day exploit attacks were spotted targeting the CVE-2014-1761 vulnerability in Microsoft Word. In November 2015, a remote access Trojan (RAT) called GlassRAT, which managed to stay under the radar for several years, was said to contain code similar to Taidoor.