Last year, the security industry was plagued by a series of APT reports, including the “Nitro Attack”. The backdoor used in that campaign is known as PoisonIvy or BKDR_POISON, and its builder is available online. Security vendors have since taken measures to counter this threat and help customers defend against similar infections. However, the recent discovery of the downloader’s stealth mechanism shows that the fight is not yet over.
At first glance, there seemed to be nothing much to see in the downloader sample: it is a VB-compiled executable that does nothing but perform an HTTP GET request for an HTML page.
When accessed via a browser, it looks like a harmless web page until you decode it.
As pointed out by Microsoft, this downloader turns out to be different from others. Instead of downloading another binary to execute, it executes the code hidden in the harmless-looking file directly in its own context: the malware converts the decoded content into functional code, then runs it via DllFunctionCall.
The executed shellcode is actually a variant of the BKDR_POISON malware family which was used in a number of targeted attacks last year.
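A defender-side check in the spirit of the mechanism described above (an added example, not code from the original post or from the downloader): it pulls the rendered text and comment bodies out of a fetched HTML page and flags long, high-entropy runs of hex or base64-alphabet characters that a browser would never show as content. The sample pages, the hex encoding of the hidden blob and the entropy threshold are all constructed assumptions, since the post does not state the encoding scheme.

```python
import hashlib
import math
import re

# Constructed sample pages, not material from the original post. The first mimics a
# benign page; the second renders identically in a browser but carries a long encoded
# blob in an HTML comment. Hex encoding is an assumption made for this example.
BENIGN_PAGE = """<html><head><title>Welcome</title></head>
<body><p>Our office hours are 9am to 5pm, Monday to Friday.</p></body></html>"""

# Deterministic high-entropy hex stand-in for an encoded payload (256 hex characters).
FAKE_BLOB = "".join(hashlib.sha256(bytes([i])).hexdigest() for i in range(4))
SUSPECT_PAGE = BENIGN_PAGE.replace("</body>", "<!-- %s -->\n</body>" % FAKE_BLOB)

RUN_RE = re.compile(r"[A-Za-z0-9+/=]{64,}")  # unbroken run of hex/base64 alphabet
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(s):
    """Bits per character of the string s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def visible_text(html):
    """Drop tag markup but keep comment bodies, where a payload can sit unrendered."""
    without_comment_markers = re.sub(r"<!--(.*?)-->", r"\1", html, flags=re.DOTALL)
    return re.sub(r"<[^>]+>", " ", without_comment_markers)


def find_encoded_blobs(html, min_entropy=3.0):
    """Return (encoding, length, entropy) for each suspicious run in the page text.

    Ordinary prose does not yield 64+ characters without whitespace or punctuation,
    so any such run with high per-character entropy deserves a closer look.
    """
    hits = []
    for run in RUN_RE.findall(visible_text(html)):
        ent = shannon_entropy(run)
        if ent >= min_entropy:
            kind = "hex" if HEX_RE.match(run) else "base64-like"
            hits.append((kind, len(run), round(ent, 2)))
    return hits


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, find_encoded_blobs(page))
```

The threshold and alphabet are deliberately loose; in a proxy or sandbox pipeline the hits would be a trigger for deeper inspection of the response body, not a verdict on their own.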
A Brief Background on BKDR_POISON
Also known as PoisonIvy, the BKDR_POISON family has been rampant for years. This can be attributed to the fact that its builder is easy to use and freely available for download from its authors’ website. Its auto-start mechanism, as well as the mutex and file names of the malware copy, are configurable via the builder, so generated samples do not necessarily share exactly the same behaviors.
Its backdoor functionalities include keylogging, monitoring audio/video, capturing screenshots, managing processes and services, accessing or uploading files, and many more. In other words, it gives the person on the client side full access to the infected system.