Recently, 360 security guard intercepted the remote control Trojan horse spread by potplayer player in the software download station. The Trojan horse cleverly used normal files and encrypted scripts to load malicious code through memory decryption for remote control. By detecting multiple security processes, changing its own operation process, fighting against killing soft killing. The main function is to record the keyboard input, steal the user's account information and download other Trojans remotely, which is highly hidden and widely spread through download stations.
Trojan horse propagation
Trojan files spread through download stations and forums, often attracting users to download with the titles of "streamlining", "optimizing" and "cracking".
Detailed explanation of Trojan behavior
The Trojan uses white plus black technology to avoid killing, and uses multiple script files and multiple encryption. The specific process is as follows:
Trojan script:
- The desktop shortcut released by the Trojan installation package points to a normal program named potplayerminis.exe.
- The program will automatically read the config.ini configuration file under the gamepatch folder in the same directory by default.
- Potplayerminis.exe reads the config.ini configuration file in gamepatch. Run the program suchost.exe (actually NirCmd. Exe) specified by instfile configuration item with the parameter specified by instparam configuration item, so as to copy potplayermis.exe to the path where the configuration file is located, rename it to svhost.exe, and start the program specified by mainexe configuration item.
- Svhost.exe reads the \ gamepatch \ config.ini under the same path in the same way, and executes the program specified in the configuration file in turn.
- Svhost.exe runs the script specified by C: \ potplayer \ gamepatch \ gamepatch \ config.ini through cmd.exe, C: \ potplayer \ gamepatch \ gamepatch \ upgrade.bat.
- C: The file \ potplayer \ gamepatch \ gamepatch \ updete.bat is simply obfuscated. The main function of the script is to prepare related files for the subsequent running of Trojan programs and start the main script qiaoi.bat.
Specific functions include:
Rename potplayer \ gamepatch \ gamepatch \ config.xml to config.ini, and copy the file to the path of potplayer \ gamepatch \. Prepare for the normal player function of potplayer later.
Determine whether there is bug0.txt under% temp% \. If not, create bug0.txt and save the current path of the script to bug0.txt.
Create C: \ htemp0 folder, create% temp% \ qr.tmp to save the string rar file header, and reorganize it into a complete rar compressed package with the file \ gamepatch \ gamepatch \ update.tmp. Copy it to C: \ htemp0 \ path, and rename it to uqdate.dat
Copy gconfig.ini to% appdata%, and rename it to payerss.ini. Copy cfwd.dat to% temp%. Copy updatej.tmp to C: \ htemp0 \. (updatej.tmp is actually the command-line program of winrar.exe)
Call updatej.tmp to decompress qiaoi.bat in C: \ htemp0 \ uqdate.dat to the path of C: \ htemp0 \. (the decompression password is p (lower case))
Finally, run the C: \ htemp0 \ qiao.bat script.
The file bat is also a simple and confusing script. The script functions are complex, including decompressing the configuration file, reorganizing the PE file, judging the running kill soft process, changing the running process according to different kill soft process, etc.
Important features include:
Extract forcelibrary.tmp from DAT, recover MZ flag of the file, and form a complete PE file. The PE file name is random and is temporarily called xx.dll.
At the same time, judge whether the user infects other Trojans and change the running process of subsequent programs.
The script qiaoi.bat will check whether 360tray.exe, qqpctray.exe, ns.exe and kxetray.exe exist in turn. If none of them exist, the script will directly start rundll32 to load C: \ htemp0 \ xx.dll (script random DLL name), and call the export function trapenetry. Trapenentry decompresses bhdll.dat in C: \ htemp0 \ uqdate.dat to% temp%, and then decrypts the file in memory. This file is the parasite of the puppet 1 process.
Executable part
Main functions:
Run xx.dll with random name to start the follow-up running process of remote control Trojan horse. Xx.dll mainly obtains the saving path of remote control Trojan horse resources and decrypts the puppet process data through the configuration file% appdata% \ payerss.ini.
The created puppet process will also connect to the network to download other Trojan resources, and enumerate processes to determine whether there is a sensitive process name in the current process chain, such as aliimsafe.exe, 360netman.exe, hrsword.exe and computer housekeeper. If there is a sensitive process, it will change the loading and running process of the remote control Trojan horse to fight against software killing.
Obtain the configuration information of payerss.ini, mainly the path to save other Trojan resources
Read% appdata% \ winst \ bhdll.dat file, decrypt bhdll.dat, get PE, and create puppet process svchost.exe No.1. The puppet 1 process also decrypts the data and creates the puppet 2 process.
Read bhdll.dat
Use aticdxxfwd.dat and qq333666666 to generate the decryption key.
Use the generated secret key to decrypt the bhdat data, and finally generate the PE file of the puppet process 1:
After copying and checking the PE file format many times, create the puppet process svchost.exe
After the creation, the puppet process 1 will enumerate processes to determine whether there are sensitive processes in the current process chain. Here, I use WinHex process as aliimsafe.exe process to test.
If the aliimsafe.exe process is found in the puppet process 1, it will end the process, delete the aliimsafe.exe file, and then create a folder with the same name in the directory where aliimsafe.exe is located to prevent the process of aliimsafe.exe from re creating.
Folder with the same name created under the path of aliimsafe.exe
The puppet process will also create a puppet process 2. The decrypted file is% appdata% \ winst \ cfwd.txt. This puppet process 2 is the main body of the remote control Trojan.
Puppet process 1 will also access the network information im361.top/4441.txt, and obtain other Trojan resources through bkw888.bokee.com.
Remote control Trojan:
The remote control Trojan belongs to the same type as the remote control Trojan mentioned in the analysis report "deep tracking of camouflage thunder cracking version of online bank account stealing Trojan" (https://www.anquanke.com/post/id/87775), only the name of the exported function is different, but the main function and code of the Trojan are highly similar.
Keyboard recording function code logic:
Process control function code logic:
Antivirus tips
The Trojan horse uses a variety of ways to spread, steal the user's account information, and remotely control the user's computer, which brings serious harm. 360 has killed the Trojan files for the first time. It is suggested that netizens choose a safe website to download files, scan and kill the installation package in time, and avoid using suspicious software from unknown sources.