Analyst: Paul Steven Nadera

Aliases:

Trojan:MSIL/Solorigate.B!dha (Microsoft); Trj/Solorigate.A (Panda)

Platform:

Windows

Overall risk rating:
Damage potential:
Distribution potential:
Reported infection:
Information exposure:

  • Malware type:
    Backdoor

  • Destructive?:
    No

  • Encrypted?:
    Yes

  • In the Wild:
    Yes

Overview

Infection channel: Downloaded from the Internet

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It executes commands from a remote malicious user, effectively compromising the affected system.

Technical Details

File size: 1,028,072 bytes
File type: DLL
Memory resident: Yes
Initial samples received date: 14 Dec 2020
Payload: Connects to URLs/IPs, Steals information

Arrival Details

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

It executes the following commands from a remote malicious user:

  • Delete Registry Value
  • Get Registry Subkey and Value Names
  • Read Registry Value
  • Set Registry Value
  • Delete File
  • Check if File Exists
  • Get File Hash
  • Get File System Entries
  • Write File
  • Get Process By Description
  • Kill Task
  • Run Task
  • Set Time - Set delay time
  • Upload System Description
  • Reboot -> Reboots computer
  • Idle -> no operation
  • Exit -> exits the thread
  • Collect System Description (collects the Domain Name, Hostname, Username, OS Version, total days since execution, System Directory location, and the Network Adapter Configuration, which contains the following):
    • Description
    • Mac Address
    • DHCPEnabled
    • DHCPServer
    • DNSHostName
    • DNSDomainSuffixSearchOrder
    • IPAddress
    • DNSServerSearchOrder
    • IPSubnet
    • DefaultIPGateway

Information Theft

It gathers the following data:

  • Used to generate UserId:
    • Domain Name
    • Network Interfaces
    • MachineGuid
  • For checking against its blocklist:
    • List of all running processes
    • List of drivers
    • List of services

Other Details

It does the following:

  • Uses the following regex to parse the response body:
    • "\"\{[0-9a-f-]{36}\}\"|\"[0-9a-f]{32}\"|\"[0-9a-f]{16}\""
  • Checks the joined domain of the machine for the following patterns (terminates if matched):
    • "(?i)([^a-z]|^)(test)([^a-z]|$)"
    • "(?i)(solarwinds)"
  • Checks the DGA URLs for the following blocks of IP addresses; if found, it enumerates the services listed in the malware configuration, changes the start value of those services, and does not proceed to the C2 connection:
    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16
    • 224.0.0.0/3
    • fc00:: - fe00::
    • fec0:: - ffc0::
    • ff00:: - ff00::
    • 20.140.0.0/15
    • 96.31.172.0/24
    • 131.228.12.0/22
    • 144.86.226.0/24
  • Checks for the following conditions before proceeding to the backdoor routine:
    • Process name hash should be 17291806236368054941 after the hashing function (matches the process name businesslayerhost.exe)
    • Installation date should be 12 days or more ago
    • The ReportWatcherRetry key in the config should not have the value 3 (Truncate)
    • The machine should be joined to a domain
  • Creates the following named pipe to ensure that only one instance is running:
    • 583da945-62af-10e8-4902-a8f205c72b2e
  • Checks the DGA URLs for the following blocks of IP Addresses, and updates the status configuration of the malware:
    • 41.84.159.0/255.255.255.0
    • 71.114.24.0/255.255.248.0
    • 154.118.140.0/255.255.255.0
    • 217.163.7.0/255.255.255.0
  • Checks DGA URLs for the following blocks of IP Addresses, and proceeds to backdoor routine if found:
    • 8.18.144.0/255.255.254.0
    • 18.130.0.0/255.255.0.0
    • 71.152.53.0/255.255.255.0
    • 99.79.0.0/255.255.0.0
    • 87.238.80.0/255.255.248.0
    • 199.201.117.0/255.255.255.0
    • 184.72.0.0/255.254.0.0
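To make the branching described above easier to follow during triage, here is an added Python helper (not Trend Micro's code and not the malware's) that encodes the documented checks: the domain kill patterns, the response-body regex, and which branch each block of resolved addresses leads to. The function names, the branch labels and the constructed sample inputs are this example's own; the patterns and address blocks are the ones listed in this entry.

```python
"""Triage helper mirroring the SUNBURST environment checks listed in this entry.
Added example: not Trend Micro's code and not the malware's own code."""
import ipaddress
import re

# Patterns exactly as given in the entry (response-body parser and domain checks).
RESPONSE_ID_RE = re.compile(r"\"\{[0-9a-f-]{36}\}\"|\"[0-9a-f]{32}\"|\"[0-9a-f]{16}\"")
DOMAIN_KILL_RES = [
    re.compile(r"(?i)([^a-z]|^)(test)([^a-z]|$)"),
    re.compile(r"(?i)(solarwinds)"),
]

# Address blocks from the entry, grouped by the branch the backdoor takes.
# ipaddress accepts both prefix-length and dotted-netmask notation.
ABORT_BLOCKS = [ipaddress.ip_network(n, strict=False) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "20.140.0.0/15", "96.31.172.0/24", "131.228.12.0/22", "144.86.226.0/24",
)]
# The IPv6 entries are given as start/end pairs, so they are kept as ranges.
ABORT_V6_RANGES = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in (
    ("fc00::", "fe00::"), ("fec0::", "ffc0::"), ("ff00::", "ff00::"),
)]
UPDATE_STATUS_BLOCKS = [ipaddress.ip_network(n, strict=False) for n in (
    "41.84.159.0/255.255.255.0", "71.114.24.0/255.255.248.0",
    "154.118.140.0/255.255.255.0", "217.163.7.0/255.255.255.0",
)]
PROCEED_BLOCKS = [ipaddress.ip_network(n, strict=False) for n in (
    "8.18.144.0/255.255.254.0", "18.130.0.0/255.255.0.0",
    "71.152.53.0/255.255.255.0", "99.79.0.0/255.255.0.0",
    "87.238.80.0/255.255.248.0", "199.201.117.0/255.255.255.0",
    "184.72.0.0/255.254.0.0",
)]


def domain_is_blocked(domain: str) -> bool:
    """True if the joined-domain check would make the backdoor terminate."""
    return any(r.search(domain) for r in DOMAIN_KILL_RES)


def parse_response_ids(body: str) -> list:
    """Return the quoted GUID/hex tokens the response-body regex extracts,
    with the surrounding quotes removed."""
    return [m.group(0).strip('"') for m in RESPONSE_ID_RE.finditer(body)]


def classify_resolved_ip(ip: str) -> str:
    """Map a DGA-resolved address to one of the branches in the entry:
    'abort' (no C2, services disabled), 'update_status', 'proceed' or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        if any(lo <= addr <= hi for lo, hi in ABORT_V6_RANGES):
            return "abort"
        return "unknown"
    if any(addr in net for net in ABORT_BLOCKS):
        return "abort"
    if any(addr in net for net in UPDATE_STATUS_BLOCKS):
        return "update_status"
    if any(addr in net for net in PROCEED_BLOCKS):
        return "proceed"
    return "unknown"


# Constructed sample response body (hypothetical, for the regex demonstration only).
SAMPLE_BODY = '{"id":"{3f2504e0-4f89-11d3-9a0c-0305e82c3301}","x":"0123456789abcdef"}'

if __name__ == "__main__":
    for d in ("corp.solarwinds.local", "lab.test.local", "testing.corp"):
        print(f"{d:25s} blocked={domain_is_blocked(d)}")
    for ip in ("10.1.2.3", "fd12::1", "71.114.30.1", "8.18.145.9", "1.1.1.1"):
        print(f"{ip:15s} branch={classify_resolved_ip(ip)}")
    print(parse_response_ids(SAMPLE_BODY))
```

Feeding a sinkhole or passive-DNS observation through classify_resolved_ip tells an analyst which of the documented paths the implant would have taken for that resolution, and domain_is_blocked shows why a domain such as "testing.corp" is not caught by the first pattern (the "test" token must be delimited by a non-letter on both sides) while "lab.test.local" is.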

Solution

Minimum scan engine: 9.800
First VSAPI Pattern File: 16.412.04
First VSAPI Pattern Release Date: 14 Dec 2020
VSAPI OPR Pattern Version: 16.413.00
VSAPI OPR Pattern Release Date: 15 Dec 2020

Step 1

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Identify and terminate files detected as Backdoor.MSIL.SUNBURST.A

  1. For Windows 98 and ME users, Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. Please refer to this link for the complete steps.
  3. If the detected file is displayed in Windows Task Manager or Process Explorer, continue with the following steps.

Step 3

Scan your computer with your Trend Micro product and delete files detected as Backdoor.MSIL.SUNBURST.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.