Attack by a dangerous Trojan on defense-related enterprises was prevented

Doctor Web security researchers have examined a new malicious program that can execute commands received from cybercriminals and steal information from infected devices. Notably, the Trojan was distributed through a targeted attack on one of the largest groups of enterprises in the Russian Federation, most of them connected with defense.

The backdoor, which Doctor Web assigned the name BackDoor.Hser.1, was distributed through mass mailings to the private and corporate email addresses of employees of more than ten enterprises belonging to one of the largest Russian groups of companies. All of these companies take part in defense-related projects and form part of the military-industrial complex. The message was presumably sent from the account of an employee at the group's headquarters and bore the subject «Дополнение к срочному поручению от 30.03.15 № ВТ-103» ("Supplement to urgent assignment No. VT-103 of 30.03.15"). The message supposedly contained a list of equipment; the attachment was a Microsoft Excel file named Копия оборудование 2015.xls (Copy equipment 2015.xls).

The attached file contains an exploit for CVE-2012-0158, a vulnerability in the MSCOMCTL.OCX Windows Common Controls component that shipped with several versions of Microsoft Office, Excel included. When the file is opened on the target computer, the exploit runs inside the excel.exe process and loads into it the module that installs the Trojan.

The module then extracts the BackDoor.Hser.1 backdoor, writes it to the C:\Windows\Tasks\ folder under the name npkim.dll, registers this library in the Windows autostart settings and launches the cmd.exe command interpreter to delete the file in which the backdoor was originally embedded.

As soon as it runs on an infected computer, BackDoor.Hser.1 decrypts the command-and-control server address embedded in its code and connects to that server. The Trojan sends the criminals information about the infected computer (its IP address, computer name, operating system version and whether a proxy server is present on the network) and then waits for further commands. Depending on the commands received, the malicious program can send the attackers a list of processes running on the infected PC, download and launch another malicious application, and open a command shell whose input and output are redirected to the attackers' server, giving them full control over the infected computer.

BackDoor.Hser.1 has been added to the Dr.Web virus database, so this malicious program poses no threat to computers protected by Dr.Web.

In presenting this case we also want to remind our readers how important it is to install up-to-date antivirus software and keep its virus databases current. Just as important is applying vendor patches: the vulnerability used here had been fixed by Microsoft in April 2012 (bulletin MS12-027), so an Office installation that was up to date with security updates would not have been exploitable by this attachment.

source: Doctor Web


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.