FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Trojan.Updatar.3

Added to the Dr.Web virus database: 2025-04-10

Virus description added:

sha1:

  • 08e2edeea11515c5c83a9d14d723d29939549978 (Microsoft Update Service) — a module for accessing the command line
  • e324c7490dc287168c2de66021f02e7d999d8538 (HVNC_Controller.exe) — a module for remotely controlling a computer
  • 856225319df6fbb1ff3ea2b9e418a83fbec300d9 (FileManager.exe) — a module for downloading files
  • 65ffe173a0f48711531c1cc8155d32c55569facb (Stream.exe) — a screencasting module

Description

A modular backdoor capable of executing attacker-issued commands. Written in C++, it is designed to run on Microsoft Windows operating systems. This malware was used in a targeted attack against a Russian engineering company to collect confidential data from infected systems. The backdoor’s code is obfuscated.

Operating routine

The following backdoor modules were identified:

  • Command-line access module
  • Remote control module (VNC)
  • File download and installation module
  • Screencasting module

All modules communicate with the same C2 server: updating-services[.]com.

Command-line Access Module

This primary module is delivered and installed by the Trojan.Updatar.2 downloader. Upon execution, it collects system information from the infected machine:

Parameter Description
Username Username
PC_name PC name
OS Windows version
Screen Screen size
Ram The amount of RAM, megabyte
External ip An external IP
Manufacturer Motherboard manufacturer
Model Product name
Processor Name Processor’s name and its clock frequency
Hard Disk Hard disk capacity
Avname Installed anti-virus
BIOS Version BIOS software information
Internet Adapter The unique identifier of the network device

The trojan obtains general system details via WMI queries.

It then sends the following requests to the C2 server:

  • tmr
  • src
  • pinger
  • commander
  • commander response

pinger

The first packet sent, it contains system information.

Route: /dashboard/pinger
Method: POST
User-Agent: Vendetta Browser v12.0.1
Request parameter: System information

One possible parameter, Internet Adapter, is essential for victim identification and included in tracking requests.

tmr

Sends a keepalive packet at regular intervals.

Route: /dashboard/tmr
Method: POST
User-Agent: Vendetta Browser v12.0.1
Request parameter: Internet Adapter

src

Sends a screenshot.

Route: /dashboard/src
Method: POST
User-Agent: MyScreenshotApp

commander

Receives a command from the C2 server operator that is to be executed in the Windows cmd shell. Commands are sent interactively, not automatically.

Route: /dashboard/commander
Method: POST
User-Agent: Vendetta Browser v12.0.1
Request parameter: Internet Adapter

commander response

Sends the result of the executed command back to the C2 server.

Route: /dashboard/commander/response
Method: POST
User-Agent: Vendetta Browser v12.0.1
Request parameter: Internet Adapter

Remote Control Module

Implements remote desktop control via VNC (Virtual Network Computing).

The trojan starts two threads:

  • Screen capture thread
  • Keyboard emulation thread

It connects to the C2 server using a WebSocket on the route /ws/.

File Download Module

When this module is launched, the trojan receives three arguments:

  • C2 server name
  • Victim ID
  • Wait time (timeout)

C2 server request endpoints:

  • /dashboard/api/file_manager/upload_file/<id>/
  • /dashboard/api/file_manager/response/<id>/
  • /dashboard/api/file_manager/command/<id>/

The request /dashboard/api/file_manager/command/<id>/

Causes the trojan to receive a command for execution. The response is a JSON object containing the target command.

Possible commands:

Command Target
list_dir Get the directory listing
download Download a file from the infected system
delete Delete a file
create_folder Create a directory
download_from_server Download a file to the infected system
stop_file_manager_client Stop the module’s operation

Command examples: 

{
    "command": {
        "action": "list_dir",
        "path": "C:\\"
    }
}

{
    "command": {
        "action": "stop_file_manager_client",
        "path": "internal"
    }
}

The request /dashboard/api/file_manager/upload_file/<id>/

Executes the download command, which results in a file being uploaded from the victim to the C2 server.

The request /dashboard/api/file_manager/response/<id>/

Sends the result of the executed command or an error message if the command fails.

Screencasting Module

Records the victim’s screen using API Direct3D 11 and the library jpeg62.

To screencast, the trojan connects to the C2 server with the route /ws/ via WebSocket on port 80 and initializes the recording device. The WebSocket is implemented via boost::beast::websocket::stream.

More about Trojan.Updatar.2
News about the trojan
Indicators of compromise

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play