Win32/Hikiti

Installation

Win32/Hikiti can be installed by other malware, including Win32/Mdmbot, Win32/Moudoor, Win32/Plugx, Win32/Sensode, and Win32/Derusbi. We have also seen these threats downloaded by the vulnerability described in CVE-2013-3893.

Variants can be downloaded as an .exe file that looks like a image or .jpg file. For example, we have seen it downloaded as img20130829.jpg.

They drop a DLL component in the %APPDATA% folder with a random file name, for example fb968754.dll.

They set the attributes of the file as hidden and read only.

We have also seen Win32/Hikiti install a rootkit component that can be used to hide network traffic in <system folder>\drivers\W7fw.sys.

Variants can modify the following registry entries so that they run each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<file name without extension>", for example "FB968754"
With data: "rundll32.exe"<location and file name of threat>",launch", for example ""rundll32.exe"c:\documents and settings\all users\application data\fb968754.dll",launch""

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<file name without extension>", for example "FB968754"
With data: "rundll32.exe"<location and file name of threat>",launch", for example ""rundll32.exe"c:\documents and settings\all users\application data\fb968754.dll",launch""

Payload

Connects to a remote server

Win32/Hikiti tries to connect to a remote IP and waits for instructions from a remote hacker. We have seen it try to connect to the following IP addresses on TCP port 443:

• 103.17.<removed>.90
• 110.45.<removed>.5
• 180.150.<removed>.102

A malicious hacker can tell the threat to:      

• Run as proxy server.  
• Run files.
• Send system configuration information to the malicious hacker. 
• Upload or download files, including other malware.     

Some variants connect back to the host specified in its configuration file using a random port:

• 10.86.86.51
• 133.95.109.159
• 203.69.42.75
• 210.240.115.63
• 210.240.115.63
• 210.240.115.63
• 211.174.163.103
• 211.174.163.13
• 37.220.128.133
• 59.120.128.85
• 64.71.130.175
• computermx4.suroot.com
• downloads.serveblog.net
• Matrix.bcvziy.com

Analysis by Francis Tan Seng