
BKDR64_BLYPT.B

October 03, 2013
 Analysis by: Adrian Cofreros

 PLATFORM:

Windows XP (64-bit), Windows Vista (64-bit), Windows 7 (64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware, Downloaded from the Internet


This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded from remote sites by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system.

It retrieves specific information from the affected system.

  TECHNICAL DETAILS

File Size:

124,917 bytes

File Type:

DLL

Memory Resident:

Yes

Initial Samples Received Date:

21 Sep 2013

Payload:

Steals information

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from remote site(s) by the following malware:

  • BKDR_BLYPT.A

Installation

This backdoor injects codes into the following process(es):

  • explorer.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
CryptoUpdate = "%SystemRoot%\system32\rundll32.exe "{malware file name and path}",Crypt"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • Updates the dll binary file
  • Receives and executes arbitrary code
  • Updates the C&C configuration stored in the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\5A82739996ED9EBA18F1BBCDCCA62D2C1D670C

Information Theft

This backdoor retrieves the following information from the affected system:

  • Native System Information

NOTES:

Its component initially supplies the list of C&C servers.

It sends installation status reports with the following format to its C&C server:

GET /index.aspx?info={defined status keyword}
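As an added illustration that is not part of this write-up, the following Python script checks a .reg-style registry export and web-proxy log lines for the indicators listed above (the CryptoUpdate RunOnce value invoking rundll32 with the Crypt export, the certificate key that holds the C&C configuration, and the /index.aspx?info= status beacon); the DLL path and status keyword in the sample data are constructed.

```python
import re
from typing import Dict, List

# Indicators taken from the BKDR64_BLYPT.B write-up: the RunOnce value name, the
# rundll32 export it invokes, the key that holds C&C configuration, and the
# path of the installation-status beacon.
RUNONCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
CONFIG_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates"
              r"\5A82739996ED9EBA18F1BBCDCCA62D2C1D670C")
RUNDLL_CRYPT = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+)"?\s*,\s*Crypt\b', re.I)
BEACON = re.compile(r'"GET /index\.aspx\?info=(?P<status>[^ "&]+)')

def scan_reg_export(text: str) -> List[Dict[str, str]]:
    """Walk a .reg-style export ([key] headers, "name"="data" lines) and report the
    CryptoUpdate autostart and the certificate key abused for C&C configuration."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() == CONFIG_KEY.lower():
                findings.append({"type": "c2_config_key", "key": key})
            continue
        m = re.match(r'"(?P<name>[^"]+)"="(?P<data>.*)"$', line)
        if m and key.lower() == RUNONCE_KEY.lower() and m.group("name") == "CryptoUpdate":
            data = re.sub(r'\\(["\\])', r"\1", m.group("data"))  # undo .reg escaping
            r = RUNDLL_CRYPT.search(data)
            if r:
                findings.append({"type": "autostart", "dll": r.group("dll").strip()})
    return findings

def scan_proxy_log(lines: List[str]) -> List[str]:
    """Return the status keywords of requests matching GET /index.aspx?info=...
    The path alone is a weak indicator; correlate it with the registry findings."""
    return [m.group("status") for m in map(BEACON.search, lines) if m]

# Constructed sample data (not captured from a real infection).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"CryptoUpdate"="%SystemRoot%\\system32\\rundll32.exe \"C:\\Users\\Public\\crypt.dll\",Crypt"

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\5A82739996ED9EBA18F1BBCDCCA62D2C1D670C]
"Blob"=hex:03,00,00,00
'''
SAMPLE_PROXY = [
    '10.0.0.5 - - [21/Sep/2013:10:15:02 +0000] "GET /index.aspx?info=installed HTTP/1.1" 200 12',
    '10.0.0.5 - - [21/Sep/2013:10:15:09 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```

Run `scan_reg_export` over `reg export HKCU` output and `scan_proxy_log` over proxy access logs; a host that shows both the autostart entry and the beacon should be isolated for the cleanup steps below.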

  SOLUTION

Minimum Scan Engine:

9.300

FIRST VSAPI PATTERN FILE:

10.290.08

FIRST VSAPI PATTERN DATE:

21 Sep 2013

VSAPI OPR PATTERN File:

10.291.00

VSAPI OPR PATTERN Date:

21 Sep 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must allow full scanning of their computers.

Step 2

Remove the malware/grayware files that dropped or downloaded BKDR64_BLYPT.B.