Feb 1, 7:29 am (UTC-7) | by Romeo Dela Cruz (Threat Response Engineer)
Expecting an online booking or package delivery confirmation? Just make sure to avoid these fake email messages serving BKDR_KULUOZ.PFG.
This backdoor was first seen in the wild around April to June of 2012 and is part of a well-known botnet. However, we have recently been noticing several spam variants carrying this malware, like the one below:

Figure 1. Sample FedEx spammed message
BKDR_KULUOZ arrives as an attachment (usually archived) in spammed messages. These email messages typically spoof well-known corporations. So far, the spam variants we’ve seen recently include fake email notifications from courier services like FedEx and UPS (postal-themed) and from airline companies. Like most malware arriving via email, BKDR_KULUOZ is disguised as an ordinary office file, such as a .PDF (Adobe) or .DOC (Microsoft Word document) file, to make it appear legitimate.
Once the user downloads and executes the file, it drops and opens a .TXT file as a ploy to trick unsuspecting users into thinking that no harm is being done to the system.

Figure 2. Screenshot of the dropped .TXT file
It then creates an svchost.exe process and injects another PE file into it, a .DLL with an export named “work.” Malware typically injects its code into normal processes so that it is harder to terminate on the infected system. In addition, this backdoor executes its code using the following native APIs to slow down or hinder debugging:
- “ZwCreateSection”
- “ZwReadVirtualMemory”
- “ZwMapViewOfSection”
- “ZwUnmapViewOfSection”
- “ZwResumeThread”
Accordingly, this coding technique is also seen in threats like DUQU and Andromeda. This downloader malware also communicates with its command-and-control (C&C) server to send and receive information and commands. As a result, the infected system is susceptible to further attacks and is effectively under a remote user’s control.
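The injection host described above (a fresh svchost.exe started by the malware) leaves a process-genealogy trace a defender can hunt for. The following script is an added example, not code from the original post or from Trend Micro: it parses constructed process-creation records in a Sysmon-like key=value layout (an assumption; the post gives no log format) and flags any svchost.exe that is either not running from the Windows system directory or was not started by services.exe, its expected parent.

```python
import re
import ntpath
from typing import Dict, List, Tuple

# Where a genuine svchost.exe lives and who normally starts it (assumption:
# a baseline for a typical Windows host; tune it to your environment).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_SVCHOST_PARENTS = {"services.exe"}

# Constructed sample records (not real telemetry); EventID=1 is process creation.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe",
    r"EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Users\bob\AppData\Local\Temp\FedEx_Invoice.exe",
    r"EventID=1 Image=C:\Users\bob\AppData\Roaming\svchost.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Users\bob\AppData\Local\Temp\FedEx_Invoice.exe",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line; a value runs until the next ' key=' so it may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def check_svchost_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an svchost.exe creation looks like an injection host."""
    findings: List[str] = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if ntpath.basename(image).lower() != "svchost.exe":
        return findings  # only svchost.exe is in scope for this rule
    if ntpath.dirname(image).lower() not in LEGIT_SVCHOST_DIRS:
        findings.append(f"svchost.exe running from non-system path: {image}")
    if ntpath.basename(parent).lower() not in EXPECTED_SVCHOST_PARENTS:
        findings.append(f"svchost.exe started by unexpected parent: {parent}")
    return findings

def scan_events(lines: List[str]) -> List[Tuple[int, str]]:
    """Apply the rule to every process-creation record; returns (line number, reason) pairs."""
    results: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, 1):
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue
        for reason in check_svchost_event(event):
            results.append((number, reason))
    return results

if __name__ == "__main__":
    for number, reason in scan_events(SAMPLE_EVENTS):
        print(f"record {number}: {reason}")
```

The second record models the post's behaviour (a spam attachment spawning svchost.exe), and the third a copy of svchost.exe dropped outside System32; the first and fourth are benign and produce no finding.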