FOR CUSTOMERS

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

BackDoor.Dande.2

Added to the Dr.Web virus database: 2014-04-03

Virus description added:

A multicomponent malicious program designed to steal information stored in applications used by drugstores and pharmaceutical companies to purchase drugs. This version’s main purpose is to steal data from the FM_client.exe application (AIAS INPRO-FarmRynok (“АИАС ИНПРО-ФармРынок”) by Information Technologies (“Информационные Технологии”)). The malware contains several modules.

pexec.dll

A module containing the Trojan’s drivers and the payload. From its body, the module decrypts main components and checks if there is a mutex available (if not, the Trojan creates it).

Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}

After that, he malicious program extracts the encrypted driver from the .cdata section and saves it under the following name:

%SYSTEM32%\drivers\isaPnpPrt.cfg

Then the main module extracts two encrypted files (the backdoor’s driver and module) from the .bdata section, decrypts and unpacks them, and saves the driver under the following name on the disk:

%SYSTEM32%\drivers\isaPnpPrt.sys

The backdoor is saved under the following name:

%SYSTEM32%\isaPnpPrt.inf_x86_neutral_1c30fe3e981e1595

The Trojan saves the parameters necessary for its normal work in the system registry.

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\isaPnpPrt]
"ImagePath"="system32\\drivers\\isaPnpPrt.sys"
"DisplayName"="isaPnpPrt"
"Group"="Boot Bus Extender"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ID"="21d9d915f9671_743bcf967336482db184f3c64db39b12"
"Desc"="C:\\WINDOWS\\system32\\isaPnpPrt.inf"
"DriverPackageIdPkg"="\\??\\C:\\WINDOWS\\system32\\isaPnpPrt.inf_x86_neutral_1c30fe3e981e1595"
"RulesData"=hex:02,00,00,00,a6,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,\ 00,48,00,61,00,72,00,64,00,64,00,69,00,73,00,6b,00,56,00,6f,00,6c,00,75,00,\ 6d,00,65,00,31,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,\ 00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,69,00,73,00,61,00,50,00,\ 6e,00,70,00,50,00,72,00,74,00,2e,00,69,00,6e,00,66,00,5f,00,78,00,38,00,36,\ 00,5f,00,6e,00,65,00,75,00,74,00,72,00,61,00,6c,00,5f,00,31,00,63,00,33,00,\ 30,00,66,00,65,00,33,00,65,00,39,00,38,00,31,00,65,00,31,00,35,00,39,00,35,\ 00,00,00

The driver is run using the NtLoadDriver function.

One of two drivers has the size of about 8 KB and is usually stored in the file with the name rpcssprt.sys or in the file isaPnpPrt.sys. The main purpose of this driver is to load another driver with the same name but with the different extension (.cfg) into the memory of the infected computer. If the driver succeeds in opening the file containing the payload, this file is decrypted, unpacked, and loaded into the memory. Both files have the digital certificate registered in the name of SPВ Group LLC (“SPВ Group OOO”).

screen

The properties of isaPnpPrt.sys claim this file to be an ATAPI driver by Microsoft Corporation.

The main driver creates a new virtual device \\.\{41C4774D-A453-4330-8C6C-FEBEACC85D7E} that can execute the following commands:

  • 0x220008—delete the driver from the disk and the corresponding data from the registry;
  • 0x22000C—get the Trojan’s ID (the ID value is extracted from the registry);
  • 0x220010—get the path to the configuration file;
  • 0x220014—get the path to the Trojan’s main body (“DriverPackageIdPkg”);
  • 0x220018—acquire elevated privileges for the current thread (it is used by the Trojan’s main module before launching the files downloaded from the network);
  • 0x22c004—get and reset the counter of the processes in which the malicious module was incorporated.

In fact, the driver serves only one main purpose—to embed the payload into the explorer.exe and svchost.exe processes.

fmauto.dll, fmauto2.dll

A payload that steals information from online drug ordering systems. This component extracts the file containing purchase information from the online application, generates an archive, creates a password, and forwards the archive to the server. The archive can contain the following data:

info.txt
Аптека-******* г.Ростов-на-Дону.csv
*******-Фарма г.С-Петербург.csv
******-Ростов.csv
***** г.Волгоград.csv
**** г.Краснодар.csv
***** (*****фармация) Ростовский филиал.csv
*** ****** г.Ростов-на-Дону.csv

The info.txt file usually contains the information regarding the infected computer, for example, as follows:

Client Name: ООО "****-Фарм"
Date: 02.04.2014
OS Version: Windows XP
Client Version: 1.5.160.0
Module Version: 4.3
COMPNAME: ***SRV
Date3: 02.04.2014
PC TIME: 02.04.2014 13:11:20

In turn, each CSV file contains the data regarding drug purchases and prices, for example, as follows:

Date: 02.04.2014
Firm: Аптека-******* г.Ростов-на-Дону
Скидки-наценки: Конечные цены!
Код;Цена;Минимальная цена;Остаток;
27484;204,36;9 месяцев Омегамама капс. 0.7г N30;Отечественные лекарства Польша;166,19;9;
29772;1343,3;Авандамет табл. п.п.о. 2мг/500мг N56;GlaxoSmithKline Traiding Испания;1181,91;5;
21385;310,45;Адвантан мазь 0.1% туба 15г;Bayer Consumer Италия;273,1;347;
26518;59,28;Адрианол капли назальн. фл.-кап. 10мл;Actavis Сербия;52,53;93;
15955;26,59;Азитромицин капс. 250мг N6;Вертекс ЗАО Россия;23,8;3530;
33329;112,41;Азитромицин табл. п.п.о 500 мг N3;Березовский фармацевтический з Россия-Македония;99,3;269;

The payload executes the requests that look as follows:

select KPP, FDATE, MAINNAME from ZAKAZ1 where FDATE between ****
select KPP, FIRM, KOL, KOD, CENA from ZAKAZ2 where KPP=***

The requests are used for extracting the information from clients’ databases.

exist.dll

A module designed to troubleshoot any errors in the functioning of the malicious program.

isaPnpPrt.inf_x86_neutral_1c30fe3e981e1595

The backdoor’s main module. Using a special algorithm, it generates a name of the command and control server and then sends this server POST requests containing the data on the module’s current configuration.

a=ZAKAZ_B4DF7611035CBAD4&b=BASE64(RC4(label=rnd&ver=26&t=CFG&d=RC4([common]\r\ndefdll=0F95DA37\r\n)))

Where “a” stands for the generated key, “label” and “ver” stand for the Trojan’s version, “t” stands for the command, and “BASE64” and “RC4” stand for the data encrypted with these algorithms.

If the server successfully receives the data, it sends the status 200 to the Trojan. Then the backdoor considers this server to be a command and control one.

The main module can execute the following commands:

  • mod—install the module;
  • delmod—delete the module;
  • dande—update Win32.Dande, download the file, and, if necessary, decrypt, save, and run it;
  • setopt—set options.

The module can send the following reports to the command and control server:

  • MODSCS—report on the successful module installation. After this report is received, configuration with the installed module at the t=ping command is no longer sent.
  • DANDE_INST_SCS—download and install the module at the dande command.
  • DELMODSCS—delete the module.
  • RESULT—send the work results of the downloaded module.

Module installation

To install the modules, the backdoor requests the configuration from the command and control server.

a=ZAKAZ_B4DF7611035CBAD4&b=BASE64(RC4(label=rnd&ver=26))

In return, it receives the configuration that looks as follows:

BASE64(RC4(t=mod&n=fmauto.dll&f=Routine&p=none&ps=explorer.exe&d=RC4(file)))

where
“file” stands for the module library,
“t=mod” stands for the module installation command,
“n” stands for the module name,
“f” stands for the name of the exported function,
“p” stands for the function parameters,
“d” stands for the encrypted binary data.

Using the received data, the backdoor generates a new configuration file C:\windows\temp\ as follows:

[common]
domnum=1
domsubnum=0
timeHI=30363270
timeLO=-1049525216
[ff.dll]
func=Routine
param=none
path=C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mAAEE.tmp
procs=explorer.exe
[results]
[p1.dll]
func=Routine
param=none
path=C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mD5F3.tmp
procs=explorer.exe
[fm1.dll]
func=Routine
param=none
path=C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mB04B.tmp
procs=explorer.exe
[f1.dll]
func=Routine
param=none
path=C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\m3AC1.tmp
procs=explorer.exe
[executed]
ff.dll=1

The Trojan encrypts the executable file and saves it to the C:\windows\temp\ folder. Then it sends the report on the successful module installation to the command and control server.

a=ZAKAZ_B4DF7611035CBAD4&b=BASE64(RC4(label=rnd&ver=26&t=MODSCS&n=fmauto.dll))

The malware periodically scans the contents of the С:\windows\temp folder and loads the modules into the memory.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies