A new bot family was found in the wild around April this year. This family was named “Avzhan.” Avzhan malware, detected by Trend Micro as Mal_Scar-1, mostly affected Asia where most of the affected users resided.
Avzhan bots install themselves onto the Windows system directory using the file name {six random lower-case letters}.exe.
After installation, it deletes its original copy then executes the copy it installed. It registers itself as a service to run at every system startup, as shown by the service named Q MUSCIC below.
This malware tries to connect to the following domains to receive instructions from botnet herders:
- avzhan1.{BLOCKED}2.org
- ei0813.{BLOCKED}2.org
- wanmei8013.{BLOCKED}2.org
- xhsb.{BLOCKED}2.org
These domain names are registered on a well-known China-based dynamic DNS service. The IP addresses also lead to ISPs in China.
As is typical of botnet zombies, Mal_Scar-1 can execute various commands received from its command-and-control (C&C) servers, including downloading and executing potentially malicious files. This also allows complete takeover of users’ systems.
In addition, it also steals certain information about users’ systems. This stolen information is part of the data sent back to the botnet’s servers, which includes the following:
- Computer name
- CPU speed
- Language used
- Memory size
- Windows version
On their own, the behaviors of Azvhan bots do not differ too much from other older, more established malware families. However, its emergence highlights the continuing evolution of malware, as new threats continually present themselves over time.
Though this malware is already proactively being detected by Trend Micro as Mal_Scar-1, some new variants are still being encountered though the number of new infections has significantly decreased.
Hat tip to Arbor Networks for first writing about the discovery of this new bot here.
