While looking into recent reports about the Winnti malware family, we discovered another backdoor which was built using similar techniques and has other similarities as well. It is also possible that it is being used in similar targeted attacks.

We found this particular threat via feedback provided by the Smart Protection Network; we detect it as BKDR_TENGO.A. It passes itself off as a legitimate system DLL file, winmm.dll, like most of the Winnti samples. We believe that this was done using a legitimate tool called Aheadlib, which is a legitimate analysis tool. Aheadlib accepts any DLL file and is able to construct C code to hook all the functions provided by the original library. This is very useful in analyzing malware, but can also be abused to help create files that pass themselves off as legitimate system libraries.

We suspect that this was used in a targeted attack. Despite this, however, the file is not encrypted and neither was it particularly hard to analyze. Its main behavior is to steal Microsoft Office, .PDF, and .TIFF files from USB drives inserted into the system. These stolen files are stored in the $NtUninstallKB080515$ under the Windows folder. It also creates a log file named Usblog_DXM.log. The files can be retrieved by the attacker at a later time. Aside from retrieving files, it has several backdoor commands which allow the attacker to take control of the system. (The full list of commands can be seen in its Threat Encyclopedia entry, which we’ve linked to above.)

Two of the commands - Help and MainInfo – will show the name of the backdoor, as well as the C&C servers it is using. The full list of possibly malicious IP addresses and servers we’ve seen it connecting to is:

• 50.93.204.62
• 98.143.145.118
• 100.42.216.249
• 108.62.10.239
• 192.154.102.244
• 199.180.103.42
• 216.70.128.124
• 216.70.255.201
• banana02.myz.info
• songcai89.ddns.info
• thaifruit.myz.info

Two of these IP addresses proved to be of particular interest, namely 50.93.204.62 and 98.143.145.118. They are located in the United States, but multiple Chinese-language domains point to them. All of these have been blocked as command-and-control servers.

This attack highlights how information theft can be performed even with malware that is not particularly advanced or sophisticated. It also shows some of the challenges in attributing attacks of this nature.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.