Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

BackDoor.Skeye.1

Added to the Dr.Web virus database: 2020-09-24

Virus description added:

  • Packer: absent
  • Compilation date: 01.04.2019 15:00:46
  • SHA1 hash: a259db436aa8883cc99af1d59f05f4b1d97c178b

Description

A backdoor written in C and designed to operate in the 64-bit versions of Microsoft Windows operating systems. It is used for targeted attacks on information systems, collecting information about the infected devices and remotely controlling them by launching cmd.exe and redirecting the I/O to the attacker's C&C server. The malicious module’s original name is sk.exe. The backdoor’s code has similarities with the code of Mikroceen and Logtu malware.

Operating routine

It has one exported function DllEntry of the following structure:

#drweb

When running the sample as an EXE file, only the malmain function is run.

#drweb

The backdoor writes the event log to the %TEMP%\\wcrypt32.dll file containing the date and time of the message; but instead of the readable message, the program logs its code. The table below shows the message codes decryption.

code arg msg
40Backdoor launch
5Error codeError upon process launch
10botidA new botid is received from the server
160Proxy settings for the current user are received
170Proxy settings for the current user are not received
180Proxy settings for the active user are received
190Proxy settings for the active user are not received
20Error codeError while receiving SID of the active user
32Attempt numberAttempting to check the availability of the server
65status codeA code other than 200 is received while the command is requested.
66Attempt numberFailed to request a command
67status codeAttempting to check the availability of the server
680The proxy flag is not set in the system settings
70Error codeFailed to connect to the C&C server
71Error codeRequest creation error
72Error codeRequest transmission error
100 + cmdid0Execution command received
153Error codeFailed to obtain the status code for the sent request
256Attempt numberAttempting to request an execution command

The backdoor initializes the list of commands it can execute upon operation.

#drweb

This is followed by the initial check for any debugging processes—the backdoor checks the BeingDebugged flag in the PEB (Process Environment Block). If there is a debugging process, the backdoor closes.

Next, it creates a test0 or test0_cu mutex in case it is not run from NT AUTHORITY/SYSTEM. If the specified mutex already exists, the backdoor terminates.

It then reads the bot ID from the file %TEMP%\\test0.dat. An 8-byte encryption key is initialized based on the bot ID.

#drweb

Next, BackDoor.Skeye.1 begins operation with the C&C server. Before sending requests, it again checks whether the sample debugging process is present. This time, using the NtQueryInformationProcess function it checks ProcessDebugPort, ProcessDebugObjectHandle and ProcessDebugFlags. If the backdoor spots the debugging process, it closes.

The requests use the User-Agent string:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)

When connection to the C&C server, the backdoor first sends a GET request to check the availability of the server; the sample contains two sets (server-port) of the C&C addresses. hxxps://atob.kommesantor.com/?t=%d&&s=%d&&p=%s&&k=%d, where t parameter is the bot ID, s is session number, p is dut6@bV0 string, and k is the result of the GetTickCount() function.

If the response is code 200, it means the server connection has been successfully established, and the backdoor requests an execution command. If the response is code 403, the program tries to repeat the request, while it enters www.mail[.]ru in the Host HTTP header instead of entering the C&C address. If the code 200 still cannot be obtained, the backdoor then checks the second C&C server. In case of repeated failure, it waits for a few seconds and then makes another attempt.

A GET request with the address hxxps://atob.kommesantor.com/?e=%d&&t=%d&&k=%d is used to request the command, where e is null, t is the bot ID, and k is the result of the GetTickCount() function.

If the response is the code 200, the cookie of that response contains the ID of the command to be executed, and the response data is encrypted with an XOR operation with an 8-byte key based on the bot ID.

A POST request with the address hxxps://atob.kommesantor.com/?e=%d&&t=%d&&k=%d is used to send back the results, where e is the command ID, t is the bot ID, and k is the result of the GetTickCount() function; the result of the request is transmitted as data encrypted by an XOR operation with an 8-byte key based on the bot ID.

Commands list

Command id Resulting action
1To set a new botid
16To idle
17To send information about the infected system
18To launch a process
19To launch a process and send its output
20To run the command shell with I/O redirecting to pipes
21To close the command shell
22To send the command shell output
23To launch its file with the stop parameter
24To terminate the backdoor operation
48To run the file manager
64To send the information about disks
65To send the directory listing
66To delete a file
67To move a file
80To send a process list
81To terminate a process
85To send a service list
86To launch a process

During the investigation of the related targeted attack, the following servers were found:

atob[.]kommesantor[.]com
term[.]internnetionfax[.]com
    
rps[.]news-click[.]net

All three domains are resolved to 103.97.124[.]193.

Other modifications of the Skeye backdoor

Another uncovered backdoor sample (0b33a10c0b286c6ffa1d45b261d8a338) has been added to Dr.Web database as BackDoor.Skeye.2.

The key differences of this modification are:

  • Exported functions are absent.
  • The sample runs as a service, installing or deleting itself, depending on the arguments it is running with (install, uninstall, without arguments).

#drweb

The malmain function is also run from ServiceMain;

  • The bot ID is read from the file %TEMP%\Date, but the encryption key is generated in the same manner.
  • The configuration (mutex name, server address, port, proxy) is encrypted with the XOR operation with the key 0xB7. www2.morgoclass[.]com is the C&C address, the port is 443;

    #drweb

  • The protocol of communication with the C&C server is binary. The connection is made via a TCP socket. After connecting to the server, the backdoor sends an 8-byte packet: the first 4 bytes are the bot ID, the second 4 bytes are zeros. Receiving a response from the server is performed in 2 stages: first, a packet with the length of the data (header) is received, then the data itself is received and decrypted. The header structure is the followng:
    struct packet_header
          {
              BYTE marker;
              DWORD cmd_id;
              DWORD size;
          }
          

With that, the marker field must be equal to 0xFF. The data is sent to the server by a single call to send with the same header.

  • This sample does not include all the commands described in the first sample (a259db436aa8883cc99af1d59f05f4b1d97c178b). Commands 80, 81, 85, and 86 are absent
  • There are differences in the event log message codes. Codes 10, 65-68, and 70-72 are absent.

The event log message codes are shown in the table.

The message code Code Description
0argcWritten at the beginning of main
20The backdoor is launched with the install command (installing the service)
30The backdoor is launched with the uninstall command (deleting the service)
90An unhandled exception occurred, the program will restart

#drweb

210Successful connection to the proxy server
220Failed to connect via proxy (no addresses from the registry or SID of the active user were received)
23Error codeError at the proxy server connection
24Error codeFailed to connect to the C&C server without proxy
25Error codeFailed to send a packet to the C&C server
26Error codeNo answer from the C&C server
48command IDA received command. It is written to the log 2 times

#drweb

2570Failed to connect to the C&C server
2580Failed to send an initial packet (bot ID)
cmd_id+100000Command ID + 10000. It is recorded immediately after receiving and decrypting the command

It is worth noting that the two samples use different sets of codes to log the connection to the C&C server. In the first case, these are the codes 70-72, while the connection to the server is made via HTTP. In the second case, these are the codes 24-26, and the connection is made via a socket.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2023

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies