- 785f12821bd3a0adb94b277271fa81d1cadd0d8b—RTF (exploit)
- 7b5be45e9ca77fb091a5bed34860e66ba706e085—application package (lmpack1.exe)
- 115d4b6b80096b71d50a4f2c64fbe13bef8d04f9—application package (pn_pack1.exe)
A pack of applications designed to provide cybercriminals with unauthorized access to compromised computers. It is distributed with the help of Exploit.CVE2012-0158.121 and in the guise of an RTF document. Once the document is opened, a malicious file is decrypted and saved to the victim's computer. The file has a valid digital signature (like almost any other file from BackDoor.RatPack).
In fact, this downloader (the decrypted file) is an installer in NSIS (Nullsoft Scriptable Install System) format.
Once launched, the installer scans the system for virtual machines, monitoring programs, and debuggers. Then it searches the system for the online banking applications of several Russian financial organizations, using the following patterns:
- *ICPortalSSL
- *sib.taatta.net
- *isfront.priovtb.com
- *ISAPIgate.dll
- *bsi.dll
- *PortalSSL
- *IIS-Gate.dll
- *beta.mcb.ru
- *ibank
- *ibrs
- *iclient
- *e-plat.mdmbank.com
- *sberweb.zubsb.ru
- *ibc
- *elbrus
- *i-elba
- *clbank.minbank.ru
- *chelindbank.ru/online/
- *uwagb
- *wwwbank
- *dbo
- *ib.
If all the checks are successful, the installer connects to a remote server and downloads and runs another installer (install.cab) in NSIS format that contains the following files:
- setup.bin—7z archive
- setup1.bi—7z archive
This second installer extracts executable files from password-protected archives and runs them.
The lmpack.exe file is an installer in NSIS format that contains an installation script and the following files:
- 7za.exe
- FileTouch.exe
- _??
- a32.bin
- a64.bin
- files0.bin
- files1.bin
- files2.bin
- files4.bin
- files5.bin
- h1.bin
- n32.bin
- n64.bin
- p1.bin
- setup1.bin
The pn_pack1.exe file is an installer that contains an installation script and the following files:
- FileTouch.exe
- 7za.exe
- files3.bin
- hh.bin
- files0.bin
- files4.bin
- setup.bin
The installer payload is a modified version of a shareware program called Remote Office Manager; Doctor Web security researchers have detected at least three versions of this program that differ in configuration settings. By intercepting a number of system functions, the malicious program conceals the tool's shortcuts in the Windows taskbar and notification area, preventing the user from noticing that it is running.