Recently, however, we received a new LICAT sample (passed along to us via trusted collaborative channels) that communicates with its command-and-control (C&C) server using a pseudo-random domain that was not among those generated by the original algorithm. This discovery prompted us to take a closer look at the acquired sample.
Our analysis revealed that the new sample still had all of the routines we found in the original LICAT sample. For example, it generated the same number of domains on a given day and used the same top-level domains. There is one key difference in the code of the two variants, however: a different XOR key is used. This new variant uses 0xDEADC2DE as its key, where the original used 0xD6D7A4BE.
Not only does this new variant use a different XOR key, it also uses more keys. The original LICAT variant's domain generation algorithm (DGA) used the same XOR key twice: once to generate the domains where its configuration file was located, and again to generate the domains where new or updated variants could be downloaded automatically. In this new variant, however, two different keys are used for these two purposes, and neither of them matches the key from the original variant. This doubles the number of domains that researchers have to monitor and block.
We expect that more LICAT variants with different XOR keys will be spotted in the coming weeks. This newly discovered variant is detected as PE_LICAT.B-O, with the patched files detected as PE_LICAT.B. As we noted earlier, their behavior (except for domain generation) is identical to that exhibited by PE_LICAT.A.
Trend Micro customers are protected by the Trend Micro™ Smart Protection Network™, which detects and blocks this file infector from running. We will continue to monitor for new LICAT variants and the domains they contact, and will block them as necessary.
Special thanks to advanced threat researcher Feike Hacquebord for initially bringing this threat to light.