Threat behavior
Backdoor:Win32/Ixeshe.B is a backdoor trojan that allows remote access and control and has been observed being installed by a PDF exploit detected as Exploit:Win32/Pdfjsc.DA.
Installation
%TEMP%\updater.exe
When Backdoor:Win32/Ixeshe.B runs, it drops the following files:
%APPDATA%\Adobe\acrotry.exe - copy of Backdoor:Win32/Ixeshe.B
%windir%\tasks\temp.gif - temporary file
The registry is modified to run the dropped copy at each Windows start.
Adds value: "Adobe Assistant"
With data: "%APPDATA%\Adobe\acrotry.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
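A host triage check for the persistence entry and dropped files listed above, added here as an example; it is not from the original write-up. It assumes PowerShell on the affected machine, reads HKCU so it only covers the currently logged-on user, and only reports what it finds without removing anything.

```powershell
# Added triage check for the Backdoor:Win32/Ixeshe.B artifacts described above
# (not part of the original write-up). Read-only: reports matches, removes nothing.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valName = 'Adobe Assistant'
# Dropped/installed file paths from the description, resolved for this user
$dropped = @(
    (Join-Path $env:APPDATA 'Adobe\acrotry.exe'),
    (Join-Path $env:windir  'tasks\temp.gif'),
    (Join-Path $env:TEMP    'updater.exe')
)
$findings = @()

# 1. Persistence: the Run value "Adobe Assistant" (HKCU only; other users'
#    hives must be loaded and checked separately)
$runVal = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue
if ($runVal) {
    $data = $runVal.$valName
    $findings += [pscustomobject]@{
        Type   = 'RegistryRun'
        Item   = "$runKey\$valName"
        Detail = $data
    }
}

# 2. Dropped files: record size and SHA256 for the incident record
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        $f    = Get-Item -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'File'
            Item   = $p
            Detail = "$($f.Length) bytes, SHA256 $hash"
        }
    }
}

# 3. A running copy of the dropped executable
$proc = Get-Process -Name 'acrotry' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += [pscustomobject]@{
        Type   = 'Process'
        Item   = 'acrotry.exe'
        Detail = "PID(s): $($proc.Id -join ', ')"
    }
}

if ($findings.Count -eq 0) { Write-Output 'No Ixeshe.B artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in the context of the user whose profile is suspected; a system-wide sweep needs the same checks against each loaded user hive and profile directory.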
Payload
Allows remote access and control
Backdoor:Win32/Ixeshe.B logs onto Google.com e-mail servers hosted at "mail.google.com" using embedded username and password account credentials. The malware may also use cached credentials to connect. Once the trojan has connected successfully, it attempts to connect to a remote address. Note: the trojan may fail at certain stages because of errors in its code.
Once connected, a remote attacker may perform the following actions using the affected computer:
- Spawn a remote Windows shell that can perform any of several commands:
  - List all services, processes, and drives
  - Terminate a process or service
  - Download and upload files
  - Start a process or service
  - Get username
  - Get machine name and domain name
  - Terminate shell
- Download and execute updates or other arbitrary files
- Pause/sleep a specified number of minutes
Analysis by Rodel Finones
Prevention