The 'Scan_CK17.js' is obfuscated.
Once a victim starts JS, it downloads the Chthonic backdoor as text.
Then, the script saves the backdoor as:
%TEMP%\<4 random characters>.exeand executes the backdoor through cmd:
The backdoor is packed using polymorphic encryptor UPolyX and, therefore, has a low detection rate on Virustotal (8/62):
The trojan drops and executes the following file:
%Application Data%\Identities\AgentIdentities.exe (MD5: b9e73cfcef3b10eff211d97c790512bf)Then, the backdoors's code is injected into the 'Explorer.exe' process.
The spyware sends an encrypted check-in request to the C&C server. According to WhoIs, the C&С domain was registered on June 1, 2017.
http://nicoraguanetingfromsallercigar.com/ (126.96.36.199)The resolved IP belongs to Amazon EC2 (WhoIs), which means the attacker runs C&C server in the Amazon Cloud.
Because of using Amazon EC2 to run the virtual C&C instance, it is hard to attribute the attack to some party. However, the domain registered in RU TLD, which the script resolves to download the backdoor, points to the Russia as well as the email written in Russian.
The Chthonic backdoor may have the following capabilities implemented as the separate modules:
- Collecting of system information
- Passwords stealing
- Web injecting and grabbing of web forms
- Remote access (VNC)
- Proxy server
- Video recording from a web camera
- Sniffing network traffic
- Intercepting Windows messages (keylogger)
- Grabbing screenshots
- Getting clipboard data
- Stealing imported certificates (private keys)
Nioguard Analysis Report
You can find the detailed analysis report of the used Chthonic backdoor in Nioguard Analysis System by MD5: 25301c72a08aad8cfcc3490e227842c8.
Existing Zeus/Chthonic Yara and ET rules can be used to detect the running attack.
- ET TROJAN Chthonic CnC Beacon 6
- ET TROJAN Chthonic Check-in
- Yara: TrojanPSWZbot
http://nicoraguanetingfromsallercigar.com/ - C&C
Analyzing the targeted attack with Maltego, Virustotal, and Nioguard Analysis System