Backdoor:BAT/Agent.H is a trojan that allows backdoor access and control of an affected computer. In the wild, we have observed the trojan dropping TrojanProxy:JS/Banker.L, which may redirect the user's browser traffic through an attacker-controlled proxy server.
Installation
When Backdoor:BAT/Agent.H is run, it drops the following files:
- %UserProfile%\local settings\temp\y.db
- %UserProfile%\local settings\temp\t<random number>.vbs
- %UserProfile%\local settings\temp\<computer name>.txt - detected as TrojanProxy:JS/Banker.L
Payload
Allows backdoor access and control
Backdoor:BAT/Agent.H attempts to connect to the following URL, passing the current user name and computer name as query parameters:
sivellongrupp.ee/googles.php?a=<user name>&b=<computer name>
An attacker can perform any number of different actions on an affected computer using this backdoor. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Upload files
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
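As an added example (not part of the original analysis), the following Python sweeps web-proxy log lines for the two network indicators this description gives: the beacon URL above, from which the reported user name and computer name can be recovered from the a= and b= parameters, and the firepackets.org proxy hosts listed later on this page. The log lines are constructed for the example and the log format is an assumption; adapt the tokenising regexes to your own proxy's format.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the description on this page.
BEACON_HOST = "sivellongrupp.ee"
BEACON_PATH = "/googles.php"
PROXY_HOSTS = {"me.firepackets.org", "mi.firepackets.org"}

# Any http(s) URL in a log line, and any bare host[:port] token
# (e.g. the target of a CONNECT request).
URL_RE = re.compile(r"https?://[^\s\"']+")
HOSTPORT_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d{1,5}))?\b", re.I)


def classify_line(line: str) -> List[Dict[str, str]]:
    """Return the indicator hits found in one log line."""
    hits: List[Dict[str, str]] = []
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        if (parts.hostname or "").lower() == BEACON_HOST and parts.path == BEACON_PATH:
            query = parse_qs(parts.query)
            hits.append({
                "type": "beacon",
                "user": query.get("a", [""])[0],      # a=<user name>
                "computer": query.get("b", [""])[0],  # b=<computer name>
            })
    for host, port in HOSTPORT_RE.findall(line):
        if host.lower() in PROXY_HOSTS:
            hits.append({"type": "proxy", "host": host.lower(), "port": port})
    return hits


def sweep(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Sweep a log, tagging each hit with its 1-based line number."""
    results: List[Dict[str, str]] = []
    for number, line in enumerate(lines, start=1):
        for hit in classify_line(line):
            hit["line"] = number
            results.append(hit)
    return results


# Constructed sample log (hypothetical client, user and host names).
SAMPLE_LOG = [
    "2010-06-21 09:14:02 10.0.0.7 GET http://www.example.com/index.html 200",
    "2010-06-21 09:14:05 10.0.0.7 GET http://sivellongrupp.ee/googles.php?a=jsilva&b=WKS-0042 200",
    "2010-06-21 09:15:11 10.0.0.7 CONNECT me.firepackets.org:80 200",
    "2010-06-21 09:15:12 10.0.0.7 GET http://mi.firepackets.org:80/ 200",
    "2010-06-21 09:16:00 10.0.0.9 GET http://www.example.org/ 404",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(hit)
```

A beacon hit is worth more than a proxy hit on its own: it names the infected user and computer, which is exactly what you need to locate the host and look for the dropped files listed under Installation.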
The backdoor modifies Mozilla Firefox's settings by writing to the following configuration file in the user's Firefox profile:
prefs.js
This allows the backdoor to intercept communication between the infected computer and certain websites, which may result in the theft of logon credentials or other sensitive information.
Successful execution of these two threats (Backdoor:BAT/Agent.H and TrojanProxy:JS/Banker.L) may result in the following websites being monitored:
- americanexpress.com
- americanexpress.com.br
- bancobrasil.com.br
- bancodobrasil.com.br
- bancoreal.com.br
- bb.com
- bb.com.br
- bradesco.com
- bradesco.com.br
- bradescoprime.com.br
- cetelem.com.br
- citibank.com.br
- credicard.com.br
- gmail.com
- gmail.com.br
- hotmail.com
- hotmail.com.br
- hsbc.com
- hsbc.com.br
- itau.com.br
- itaupersonnalite.com.br
- itauprivatebank.com.br
- itauuniclass.com
- itauuniclass.com.br
- paypal.com
- paypal.com.br
- real.com.br
- santander.com.br
- santanderbanespa.com.br
- santanderempresarial.com.br
- serasa.com.br
- serasaexperian.com.br
- sicredi.com.br
- tam.com.br
If the user visits any of the above domains, the backdoor may route the traffic through one of the following proxy servers to facilitate information theft or redirect web traffic:
- me.firepackets.org:80
- mi.firepackets.org:80
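As an added example (not part of the original analysis), the following Python parses a Firefox prefs.js and reports any proxy configuration it finds, flagging entries that point at the firepackets.org hosts listed above. The page does not say which preference keys the backdoor writes, so the example checks the standard Firefox proxy keys (network.proxy.type, the manual network.proxy.http/ssl/socks host and port pairs, and network.proxy.autoconfig_url); the prefs.js contents below are constructed for the example.

```python
import json
import re
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Proxy hosts named on this page as contacted by the backdoor.
KNOWN_PROXY_HOSTS = {"me.firepackets.org", "mi.firepackets.org"}

# (host pref, port pref) pairs for Firefox's manual proxy settings.
MANUAL_PROXY_PREFS = (
    ("network.proxy.http", "network.proxy.http_port"),
    ("network.proxy.ssl", "network.proxy.ssl_port"),
    ("network.proxy.socks", "network.proxy.socks_port"),
)

# One prefs.js entry: user_pref("name", <JS literal>);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> Dict[str, Any]:
    """Parse prefs.js into a dict; values are strings, ints or bools."""
    prefs: Dict[str, Any] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unexpected
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)  # "str", 123, true/false
        except ValueError:
            prefs[name] = raw              # keep exotic literals verbatim
    return prefs


def audit_proxy_prefs(text: str) -> List[Dict[str, Any]]:
    """Report every proxy endpoint configured in prefs.js.

    'active' says whether network.proxy.type currently enables the entry
    (1 = manual proxy, 2 = proxy auto-config URL); a stale, inactive entry
    is still evidence worth keeping."""
    prefs = parse_prefs(text)
    # Absent means Firefox's built-in default, which is neither manual nor PAC.
    ptype = prefs.get("network.proxy.type", 0)
    findings: List[Dict[str, Any]] = []
    for host_pref, port_pref in MANUAL_PROXY_PREFS:
        host = prefs.get(host_pref)
        if not host:
            continue
        host = str(host).lower()
        findings.append({
            "pref": host_pref, "host": host, "port": prefs.get(port_pref, 0),
            "active": ptype == 1, "known_indicator": host in KNOWN_PROXY_HOSTS,
        })
    pac = prefs.get("network.proxy.autoconfig_url")
    if pac:
        parts = urlsplit(str(pac))
        host = (parts.hostname or "").lower()
        findings.append({
            "pref": "network.proxy.autoconfig_url", "host": host, "port": parts.port or 0,
            "active": ptype == 2, "known_indicator": host in KNOWN_PROXY_HOSTS,
        })
    return findings


# Constructed prefs.js resembling what this backdoor's modification could look like.
SAMPLE_INFECTED = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.example.com/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "me.firepackets.org");
user_pref("network.proxy.http_port", 80);
user_pref("network.proxy.ssl", "mi.firepackets.org");
user_pref("network.proxy.ssl_port", 80);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
"""

# Constructed clean profile with no proxy entries at all.
SAMPLE_CLEAN = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.example.com/");
user_pref("app.update.enabled", true);
"""

if __name__ == "__main__":
    for finding in audit_proxy_prefs(SAMPLE_INFECTED):
        print(finding)
```

On a live system, run this over prefs.js in every profile under the user's Mozilla Firefox profiles directory, and treat any manual or auto-config proxy that the user or the enterprise did not deliberately set as suspicious even when the host is not one of the two indicators above; the proxy servers used by a campaign change more often than the technique.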
Analysis by Hyun Choi