SHA1 hash:
- b463f775a28e134615984d58f774c80575f002af (Акт Сверки.pdf.exe)
Description
A trojan downloader written in C++ and designed to run on Microsoft Windows operating systems. It was used in a targeted attack against a Russian engineering company. In one infection scenario, this malware served as the entry point for deploying the Trojan.Updatar.3 backdoor on target systems. The trojan’s code is obfuscated.
Operating routine
When executed, Trojan.Updatar.1 collects general system information, sends it to the C2 server and waits for further commands. Once the threat actors have processed the received data, the next component of the infection chain, Trojan.Updatar.2, is delivered from the server. It is saved to the directory C:\Users\<user_name>\Pictures\, after which Trojan.Updatar.1 attempts to launch it.
Collecting system information
Before collecting system information, Trojan.Updatar.1 checks for Internet connectivity by sending a request to hxxp[:]//www.msftncsi[.]com/ncsi.txt.
It then collects the following data:
Parameter | Contents |
---|---|
Username | User name |
PC_name | Computer name |
OS | Windows version |
Screen | Screen size |
Ram | Amount of RAM, in megabytes |
External ip | External IP address |
Manufacturer | Motherboard manufacturer |
Model | Product name |
Processor Name | Processor name and clock frequency |
Avname | Installed anti-virus product |
BIOS Version | BIOS firmware version |
UUID | Unique BIOS identifier |
BUILD | Simple101, a hardcoded constant |
The trojan obtains this information through WMI queries, except for the external IP address, which it obtains by sending a request to hxxp[:]//api.ipify[.]org/.
Communicating with the C2 server
Trojan.Updatar.1 sends two requests to the C2 server, using the following routes:
- /authorization/
- /stats
The request with the route /authorization/
This request sends the collected data to register (authenticate) the bot with the C2 server. It carries the system information together with a screenshot taken on the infected computer. The request has the following parameters:
Parameter | Value |
---|---|
C2 server address | updatingservices[.]net or adobe-updater[.]net |
Route | /authorization/ |
Port | 80 |
Type | POST |
User-Agent | MyScreenshotApp |
The system information is sent in the format
<key>=<value>&<key>=<value>&...
where <key> is a parameter name and <value> is its contents.
The request with the route /stats
This request has the following parameters:
Parameter | Value |
---|---|
C2 server address | updatingservices[.]net or adobe-updater[.]net |
Route | /stats |
Port | 80 |
Type | GET |
User-Agent | ChromeX\r\n |
Note that the User-Agent value is given with a trailing \r\n; a non-standard header value like this is a convenient detection feature.
In response to this request, the trojan receives either one of the commands below or the payload, i.e., Trojan.Updatar.2.
Commands sent from the C2 server:
- dc — shut down the trojan;
- wait — wait for the specified time, then resend the /stats request.
If the server response contains neither of these commands, its contents are treated as the payload.
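As an added example (not code from the original report or from the malware), the following Python snippet applies the request fingerprints above to constructed proxy records and classifies a /stats response body. The record field names, the sample records and the "wait <delay>" syntax are my assumptions; the C2 hosts, routes, User-Agent strings, the key=value body format and the Simple101 constant come from the report.

```python
# Added example (not code from the original report): flags the two Updatar.1 C2
# requests described above and classifies the /stats response body.
# Assumptions (mine, not the report's): the record field names, the constructed
# sample records, and the "wait <delay>" syntax.

C2_HOSTS = {"updatingservices.net", "adobe-updater.net"}

# (method, route, User-Agent) triples taken from the report. Note the literal
# trailing CRLF in the /stats User-Agent.
FINGERPRINTS = {
    ("POST", "/authorization/", "MyScreenshotApp"): "updatar_authorization",
    ("GET", "/stats", "ChromeX\r\n"): "updatar_stats",
}

# Constructed proxy records with assumed field names.
SAMPLE_REQUESTS = [
    {"host": "updatingservices.net", "method": "POST", "path": "/authorization/",
     "user_agent": "MyScreenshotApp",
     "body": "Username=ivanov&PC_name=WS-017&OS=Windows 10&Avname=&BUILD=Simple101"},
    {"host": "adobe-updater.net", "method": "GET", "path": "/stats",
     "user_agent": "ChromeX\r\n", "body": ""},
    # Benign traffic that shares one feature each with the beacons.
    {"host": "www.msftncsi.com", "method": "GET", "path": "/ncsi.txt",
     "user_agent": "Microsoft NCSI", "body": ""},
    {"host": "example.org", "method": "GET", "path": "/stats",
     "user_agent": "Mozilla/5.0", "body": ""},
]


def parse_body(body: str) -> dict:
    """Parse the <key>=<value>&<key>=<value>&... form used by /authorization/."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def classify_request(rec: dict) -> list:
    """Return the list of Updatar.1 indicators that a proxy record matches."""
    reasons = []
    if rec["host"].lower() in C2_HOSTS:
        reasons.append("known_c2_host")
    tag = FINGERPRINTS.get((rec["method"].upper(), rec["path"], rec["user_agent"]))
    if tag:
        reasons.append(tag)
    if tag == "updatar_authorization":
        fields = parse_body(rec.get("body", ""))
        if fields.get("BUILD") == "Simple101":
            reasons.append("build_constant_Simple101")
    return reasons


def classify_stats_response(raw: bytes) -> tuple:
    """Classify a /stats response: ('dc', None), ('wait', delay_text) or ('payload', raw).

    The report says that anything other than the two commands is the payload
    (Trojan.Updatar.2). The delay syntax after 'wait' is not given in the report
    and is assumed here to be whatever text follows the keyword.
    """
    text = raw.strip()
    if text == b"dc":
        return ("dc", None)
    if text == b"wait" or text.startswith(b"wait "):
        return ("wait", text[4:].strip().decode(errors="replace") or None)
    return ("payload", raw)


def scan(records) -> list:
    """Return (index, reasons) for every record that matches at least one indicator."""
    return [(i, r) for i, rec in enumerate(records) if (r := classify_request(rec))]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_REQUESTS):
        print(f"record {idx}: {', '.join(reasons)}")
    print(classify_stats_response(b"wait 60"))
```

The host match and the (method, route, User-Agent) match are kept as separate reasons on purpose: the domains can be rotated by the operators, while the route and User-Agent strings are baked into the sample, so a hit on the fingerprint alone is still worth an alert.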
Code obfuscation
Code obfuscation in Trojan.Updatar.1 works as follows: the trojan's code repeatedly initializes strings taken from the RockYou.txt wordlist and performs various operations on them that have no effect on the malware's actual functionality. The strings that the program really uses are stored encoded: each byte is XORed with a key and shifted by a small offset. Both the offset and the XOR key are different (random) for each trojan sample.
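The following Python snippet is an added example, not code from the report or from the trojan: a brute-force decoder for strings protected with the XOR-plus-offset scheme described above. Since the report gives the two operations but not their order, the snippet assumes the encoder XORs each byte first and then adds the offset modulo 256; the sample blob is constructed here from the NCSI URL with an arbitrarily chosen key and offset.

```python
# Added example (not code from the original report): a brute-force decoder for
# strings protected with the XOR-plus-small-offset scheme described above.
# Assumption (mine): the encoder XORs each byte with a one-byte key and then adds
# the offset modulo 256; the report gives the two operations but not their order,
# so swap encode()/decode() if a sample turns out to use the reverse order.
import string

# Bytes we accept as "readable" output when scoring candidate keys.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def encode(plain: bytes, key: int, offset: int) -> bytes:
    """Reference encoder for the assumed scheme (used to build test inputs)."""
    return bytes(((b ^ key) + offset) & 0xFF for b in plain)


def decode(blob: bytes, key: int, offset: int) -> bytes:
    """Inverse of encode(): subtract the offset, then XOR with the key."""
    return bytes(((b - offset) & 0xFF) ^ key for b in blob)


def printable_ratio(candidate: bytes) -> float:
    """Fraction of bytes in the candidate that are printable ASCII."""
    if not candidate:
        return 0.0
    return sum(1 for b in candidate if b in PRINTABLE) / len(candidate)


def brute_force(blob: bytes, max_offset: int = 16, min_ratio: float = 1.0,
                crib=None) -> list:
    """Try every (key, offset) pair with offset < max_offset.

    Returns (ratio, key, offset, plaintext) tuples, best first. A crib such as
    b"http" or b".net" prunes the many all-printable false positives that short
    blobs produce.
    """
    hits = []
    for key in range(256):
        for offset in range(max_offset):
            cand = decode(blob, key, offset)
            ratio = printable_ratio(cand)
            if ratio >= min_ratio and (crib is None or crib in cand):
                hits.append((ratio, key, offset, cand))
    hits.sort(key=lambda h: (-h[0], h[1], h[2]))
    return hits


# Constructed sample: the NCSI URL from the report, encoded with an arbitrary key/offset.
SAMPLE_KEY, SAMPLE_OFFSET = 0x5A, 7
SAMPLE_BLOB = encode(b"http://www.msftncsi.com/ncsi.txt", SAMPLE_KEY, SAMPLE_OFFSET)

if __name__ == "__main__":
    for ratio, key, offset, text in brute_force(SAMPLE_BLOB, crib=b"msftncsi")[:3]:
        print(f"key=0x{key:02x} offset={offset} -> {text!r}")
```

With the crib argument set to a fragment known to occur in the sample (a C2 domain, a route such as /stats, or the NCSI URL), a single key/offset pair normally survives; without a crib, short blobs yield many all-printable candidates, so apply the printable-ratio filter alone only to longer strings. Because the key is random per sample, the recovered pair is valid for that binary only and has to be re-derived for each new build.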
Trojan versions
Several versions of the trojan exist, with the following differences:
- different names for the executable files;
- different keys for decoding the strings in the code;
- newer versions include the BUILD field (a constant hardcoded into the malware body), which is sent in the request to the C2 server;
- newer versions have code obfuscation.
More about Trojan.Updatar.2
More about Trojan.Updatar.3
News about the trojan
Indicators of compromise