remote control trojans perform the trick of stealing the sky in vain: uncover the secret of stealing and brushing the undercurrent behind fake cracking tools

Posted by lipsius at 2020-03-19

Nowadays, in order to save money, many people will try all kinds of free ways to get the membership rights of the online disk or video player. There are also many "online disk speed limit artifact" or "player VIP cracking tool" on the Internet. However, these "artifact" are neither reliable nor safe, because they have been targeted by Trojans.

Recently, 360 security center has detected the spread of a group of remote-controlled Trojans disguised as "Xunlei 9.1 noble cracked version" and "Baidu online disk does not speed limit" tools. In order to hide people's eyes, Trojans not only add the shortcut icon of desktop, the registry information of software installation, but also make full use of three layers of Baili to complete the installation. Most subtly, in the white use of one layer, the Trojan horse uses the installation program of BlueSoleil (a Bluetooth software) to directly modify the configuration file (setup. INI) and realize the hijacking of the dialogue program, which makes the installation program of the regular software turn into the hotbed of Trojan horse installation.  

After the remote control Trojan horse invades, it will take advantage of the recruiter's inattention to install the team viewer and other remote tools, and further wait for the opportunity to steal the online bank and game account of the recruiter, so as to realize the operation of transfer, swiping and stealing game equipment. According to 360 monitoring data of the whole network, the Trojan horse has been haunted since the centralized outbreak on July 11, and there have been many small-scale rebounds. In the future, it is not ruled out that the illegal elements with lust for profit will continue to commit crimes.

The following is a brief analysis of "Xunlei 9.1 noble cracked version":

Figure 1

The file dependencies are shown in the following figure:

Figure 2

Installation process:

Greening. Exe: change the name of xlgraphicplu.dll under the program directory to xlgraphicplu.exe and execute:

By comparing the official documents of Xunlei, it is found that there is no such document in the official website bag.


Xlgraphicplu.exe creates the thunderbolt shortcut icon on the desktop and adds the registry information related to thunderbolt installation to hide your eyes. At the same time, it also executes the assistant tools.cmd under the SDK directory.


What's interesting is that assistant tools.cmd is actually the installation program of Bluetooth software BlueSoleil. It will install the software through the configuration of setup.ini. This program is used by Trojans and becomes the installer of Trojans.

Content in setup.ini:


In setup.ini, the lobaby.pif executed is actually NirCmd, which is a full-featured command-line tool used by attackers to execute Trojan horse installation, and the executed instructions are stored in 2345picture.log.

2345picture.log is a batch process:



Head + talk is the complete Trojan PE


Qmdl.exe is a normal program used by Trojans. It will take the initiative to load the qmcommon.dll file in the same directory. The DLL file is actually a Trojan program with malicious code.

Figure 10



Qmcommon.dll uses zc.inf file to write startup items:

A section of inf similar to installation driver (mainly used to add qmdl.exe to startup item) will be written to C: windowstempzc.inf, rundll32.exe will be renamed zc.exe, and zc.lnk will be created to point to:


Create zc.inf:


The contents written to zc.inf file are as follows:


Qmcommon.dll: decryption gif.txt memory execution will also be loaded


So far, the Trojan has been installed.


After loading and decrypting gif.txt memory, a remote control program is executed. Its CC server is:

During the test, it is connected to an ADSL IP of Shunde District, Foshan, Guangdong:




We will look back at the installation of the so-called Xunlei noble cracking version, which does not achieve any functional cracking, and it still needs to be recharged to use the membership function.


By the way, I also saw the download list before being packed with thunderbolt, full of shell adding tools!


Back to this remote control, hackers can install remote tools such as Teamviewer remotely when the user leaves the machine. They can log in to Taobao and Alipay for the purchase of gift cards or transfer accounts when they are completely unaware of the password.


According to 360's observation, the Trojan started to break out intensively on July 11 and reached 3500 times of propagation on July 14. Later, in early August, there was a small rebound, and then the propagation gradually declined.

The corresponding domain name access trend is similar:


*Author: 360 security guard, reprinted from