
New backdoor for Windows has geographical restrictions

February 18, 2016

Virus makers keep contriving numerous malicious programs whose purpose is to download other malware on the infected machine and execute cybercriminals’ commands. Thus, yet another backdoor Trojan was detected by Doctor Web security researchers in February. Due to some key features it possesses, this Trojan stands out from its counterparts.

This malicious program named BackDoor.Andromeda.1407 is spread by Trojan.Sathurbot.1, a downloader Trojan, which is also known as “Hydra”. BackDoor.Andromeda.1407 is mainly designed to execute cybercriminals’ instructions, including downloading and installation of malware applications.

Once launched, it checks its command line for the “/test” switch. If the switch is present, it prints a message containing the text “\n Test - OK” to the console and terminates itself after 3 seconds. This function was probably intended for testing program packers. The Trojan then scans the system for running virtual machines, applications that monitor processes or registry access, and other debugging tools. If it finds any program that poses a threat to it, the backdoor goes into an infinite sleep.

After that, BackDoor.Andromeda.1407 obtains the system volume ID, which is used when generating the names of various named objects—in particular, environment variables and the messages sent to the server. It then attempts to inject its code into another process and terminate the original one. If successful, it gathers information about the infected computer, including the operating system’s bitness and version, the current user’s privileges, and the installed keyboard layouts. If the backdoor detects that Windows has a Russian, Ukrainian, Belorussian or Kazakh keyboard layout, it terminates and deletes itself from the system.

BackDoor.Andromeda.1407 then tries to obtain the exact time from servers such as europe.pool.ntp.org, north-america.pool.ntp.org, south-america.pool.ntp.org, asia.pool.ntp.org, oceania.pool.ntp.org, africa.pool.ntp.org, and pool.ntp.org. If these servers do not return the required information, the backdoor falls back to the system time. The time value is used heavily by the Trojan’s plug-ins. The Trojan then disables the display of Windows system notifications and, depending on the operating system version, some system services.
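The fan-out across six regional NTP pools in quick succession is unusual for an ordinary Windows client, which normally syncs with a single configured time source, so it is a usable hunting signal in DNS telemetry. The following Python script is an added example, not Doctor Web’s code or a Dr.Web signature; it parses a constructed, simplified `<epoch> <client_ip> <queried_name>` log format (a real source such as Zeek `dns.log` or Sysmon event 22 needs its own `parse_line`), and the thresholds `min_distinct` and `window_s` are assumptions to tune per environment.

```python
"""Hunt for the regional NTP-pool fan-out in DNS query logs.

Added example (not part of the original write-up). The log format here is a
constructed "<epoch> <client_ip> <queried_name>" line; replace parse_line()
for real resolver or Sysmon logs.
"""
from collections import defaultdict

# Regional pool hostnames named in the write-up, plus the generic pool.
NTP_POOLS = {
    "europe.pool.ntp.org", "north-america.pool.ntp.org",
    "south-america.pool.ntp.org", "asia.pool.ntp.org",
    "oceania.pool.ntp.org", "africa.pool.ntp.org", "pool.ntp.org",
}

# Constructed sample: 10.0.0.5 walks the regional pools within a few seconds
# (the backdoor's pattern); 10.0.0.7 is a normal client syncing with
# time.windows.com; 10.0.0.9 asks a single pool once.
SAMPLE_LOG = """\
1455800000 10.0.0.5 europe.pool.ntp.org
1455800001 10.0.0.5 north-america.pool.ntp.org
1455800002 10.0.0.5 south-america.pool.ntp.org
1455800003 10.0.0.5 asia.pool.ntp.org
1455800004 10.0.0.5 oceania.pool.ntp.org
1455800005 10.0.0.5 africa.pool.ntp.org
1455800006 10.0.0.5 pool.ntp.org
1455800010 10.0.0.7 time.windows.com
1455803600 10.0.0.7 time.windows.com
1455810000 10.0.0.9 europe.pool.ntp.org
"""


def parse_line(line):
    """Split one constructed log line into (epoch, client, normalised name)."""
    ts, client, name = line.split()
    return int(ts), client, name.lower().rstrip(".")


def ntp_fanout_hosts(log_text, min_distinct=3, window_s=60):
    """Return {client: sorted pool names} for every client that queried at
    least `min_distinct` different NTP pool names within `window_s` seconds."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, name = parse_line(line)
        if name in NTP_POOLS:
            by_client[client].append((ts, name))

    hits = {}
    for client, events in by_client.items():
        events.sort()
        # Slide a window starting at each query; flag on the first window
        # that contains enough distinct pool names.
        for i, (t0, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - t0 <= window_s}
            if len(names) >= min_distinct:
                hits[client] = sorted(names)
                break
    return hits


if __name__ == "__main__":
    for client, names in ntp_fanout_hosts(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} NTP pools in one window -> {names}")
```

Only the host that queries several regional pools within the window is reported; a client that uses one pool, or a vendor time server, is not. A pool-based NTP client that is legitimately configured with several regional pools would also match, so treat a hit as a lead to correlate with the other traits described in this article rather than a verdict.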

If the compromised machine runs Microsoft Windows 8 or later, the Trojan continues operating with the current user’s privileges. On Windows 7, BackDoor.Andromeda.1407 tries to elevate its privileges using one of the well-known methods and disables User Account Control (UAC).

However, the installation procedure is not complete at that point. The Trojan disables the display of hidden files in Windows Explorer. It then goes through several system and user profile directories looking for one that is writable. Once such a folder is found, the backdoor copies the dropper into it under an arbitrary name and sets the “hidden” and “system” attributes on the file to conceal it from the user. The file’s creation time is also altered. Finally, BackDoor.Andromeda.1407 modifies the system registry so that the Trojan’s main module is launched automatically.
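The installation traits described above (an autorun entry pointing at an executable carrying both the “hidden” and “system” attributes outside the Windows or Program Files directories, with a creation time that has been pushed back) can be checked together during triage. The Python script below is an added example, not Doctor Web’s code or a Dr.Web detection; the Run-key entries and the file records are constructed, and the attribute bits and timestamps are supplied as plain data so the logic runs on any platform (on a live host they would come from `winreg` and `os.stat(path).st_file_attributes`). The one-year timestomp threshold and the trusted-directory list are assumptions.

```python
"""Triage autorun entries against the on-disk traits described in the write-up.

Added example (not part of the original article). All input data is
constructed; on a Windows host, gather Run entries with winreg and attribute
bits with os.stat(path).st_file_attributes instead.
"""

# Windows file attribute bits (values of FILE_ATTRIBUTE_HIDDEN/SYSTEM/ARCHIVE).
HIDDEN = 0x02
SYSTEM = 0x04
ARCHIVE = 0x20

# Directories in which a hidden+system executable is not by itself unusual.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Run-key entries (value name -> command line).
RUN_ENTRIES = {
    "OneDrive": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    "svchost32": "C:\\ProgramData\\Local\\Temp\\kjhgq.exe",  # constructed suspicious entry
    "Updater": "\"C:\\Program Files\\Vendor\\updater.exe\" -silent",
}

# Constructed stat() results: lower-cased path -> (attribute bits, created, modified),
# timestamps as Unix epochs.
FILE_INFO = {
    "c:\\users\\alice\\appdata\\local\\microsoft\\onedrive\\onedrive.exe": (ARCHIVE, 1450000000, 1450000000),
    "c:\\programdata\\local\\temp\\kjhgq.exe": (HIDDEN | SYSTEM, 1262304000, 1455800000),
    "c:\\program files\\vendor\\updater.exe": (HIDDEN | SYSTEM, 1440000000, 1440000000),
}

YEAR = 365 * 86400


def executable_from_command(cmd):
    """Return the executable path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted: cut at the first " /" or " -" argument separator, if any.
    for sep in (" /", " -"):
        cmd = cmd.split(sep, 1)[0]
    return cmd


def triage_run_entries(run_entries, file_info, trusted_prefixes=TRUSTED_PREFIXES):
    """Return {entry name: [reasons]} for autorun targets that show the
    write-up's installation traits. Entries whose target was not collected
    are skipped rather than reported."""
    findings = {}
    for name, cmd in run_entries.items():
        path = executable_from_command(cmd).lower()
        info = file_info.get(path)
        if info is None:
            continue
        attrs, ctime, mtime = info
        reasons = []
        if attrs & HIDDEN and attrs & SYSTEM and not path.startswith(trusted_prefixes):
            reasons.append("hidden+system executable outside trusted directories")
        if mtime - ctime > YEAR:
            reasons.append("creation time more than a year before last write (possible timestomp)")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_run_entries(RUN_ENTRIES, FILE_INFO).items():
        print(f"{entry}: " + "; ".join(reasons))
```

Each trait alone is weak (vendor installers also set hidden and system attributes, and a file copied with preserved timestamps can legitimately carry an old creation time), which is why the script reports reasons rather than a single verdict: an autorun entry that collects more than one reason, as the constructed `svchost32` entry does, is the one worth pulling for analysis.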

The backdoor establishes a connection to the C&C server with the help of a special encrypted key that is then converted into a text message. The servers’ IP addresses are also encrypted and hard-coded in the Trojan’s body. To determine the external IP address of the compromised computer, BackDoor.Andromeda.1407 contacts servers such as microsoft.com, update.microsoft.com, bing.com, google.com, and yahoo.com. The information is encrypted and transmitted in JSON (JavaScript Object Notation). In return, the backdoor receives instructions from the cybercriminals, which can include downloading additional plug-ins, downloading and running executable files, updating itself, removing all plug-ins, or deleting the Trojan from the infected system.

Doctor Web security researchers discovered that BackDoor.Andromeda.1407 can download and install the Trojan.Encoder.3905 ransomware Trojan, the Trojan.PWS.Panda.2401 banking Trojan, Trojan.Click3.15886, BackDoor.Siggen.60436, Trojan.DownLoader19.26835, and many others. Dr.Web successfully detects and removes BackDoor.Andromeda.1407.
