Backdoor:Win32/Hupigon.FN is a backdoor component of Win32/Hupigon. It runs as a service and opens a backdoor server in your computer.
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
Installation
Backdoor:Win32/Hupigon.FN drops a DLL file as "%SystemRoot%\system32\sdna.flasher.dll". This DLL file is also detected as Backdoor:Win32/Hupigon.FN.
It creates the following registry entries so that the DLL file automatically runs every time Windows starts:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%SystemRoot%\system32\sdna.flasher.dll"
Sets value: "ImagePath"
With data: "%SystemRoot%\System32\svchost.exe -k netsvcs"
Payload
Allows backdoor access and control
Backdoor:Win32/Hupigon.FN connects to a remote server to receive instructions from an attacker. It connects to the server at "8.8.ki" via port 53, the port normally used for DNS traffic.
The commands it receives include, but are not limited to:
Controlling Windows services: creating, deleting, starting, and stopping services, and modifying service settings
Configuring Windows Terminal Services: enabling or disabling desktop sharing, modifying the listening port
Opening a Windows console, with the attacker controlling input and output of the console
Logging off, restarting, or shutting down the system
The following system changes may indicate the presence of this malware:
The presence of the following file: %SystemRoot%\system32\sdna.flasher.dll
The presence of the following registry modifications:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%SystemRoot%\system32\sdna.flasher.dll"
Sets value: "ImagePath"
With data: "%SystemRoot%\System32\svchost.exe -k netsvcs"
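The following PowerShell script is an added example, not part of the Microsoft encyclopedia entry, that checks a host for the indicators listed above (the dropped DLL and the hijacked 6to4 service Parameters key) and, as a heuristic, for established TCP connections on port 53 owned by svchost.exe. The function name Test-HupigonFnIndicators and the decision to flag any ServiceDll value that expands to a path ending in sdna.flasher.dll are assumptions made for this example; the paths and registry locations come from the entry itself.

```powershell
# Added hunting script (not from the original page). Run in an elevated
# PowerShell session; registry reads under HKLM\SYSTEM\...\Services may
# otherwise be partially denied.

$indicators = @{
    # File indicator from the page: %SystemRoot%\system32\sdna.flasher.dll
    DllPath  = Join-Path $env:SystemRoot 'system32\sdna.flasher.dll'
    # Registry indicator from the page: the 6to4 service's Parameters key
    ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\6to4\Parameters'
    # The service key itself, where ImagePath normally lives (assumption:
    # check both locations, since the page lists ImagePath under Parameters)
    SvcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\6to4'
}

function Test-HupigonFnIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # Indicator 1: the dropped DLL is present on disk. Hash it so the
    # finding can be matched against your own threat intel.
    if (Test-Path -LiteralPath $indicators.DllPath) {
        $hash = (Get-FileHash -LiteralPath $indicators.DllPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$($indicators.DllPath) present (SHA256 $hash)"
        }
    }

    # Indicator 2: the 6to4 service's ServiceDll points at the malicious DLL.
    # svchost.exe loads whatever ServiceDll says, so this value is the
    # persistence mechanism. The -like pattern is an assumption for this
    # example; a stricter check would compare against the known-good DLL.
    foreach ($key in @($indicators.ParamKey, $indicators.SvcKey)) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($props.ServiceDll) {
            $expanded = [Environment]::ExpandEnvironmentVariables($props.ServiceDll)
            if ($expanded -like '*\sdna.flasher.dll') {
                $findings += [pscustomobject]@{
                    Indicator = 'Registry'
                    Detail    = "$key\ServiceDll = $($props.ServiceDll)"
                }
            }
        }
        # ImagePath = svchost.exe -k netsvcs is normal for many services, so
        # report it only as supporting context, never on its own.
        if ($props.ImagePath -and $findings.Count -gt 0) {
            $findings += [pscustomobject]@{
                Indicator = 'Registry (context)'
                Detail    = "$key\ImagePath = $($props.ImagePath)"
            }
        }
    }

    # Indicator 3 (heuristic): the page says the backdoor talks to its server
    # on port 53. Established TCP sessions to port 53 from svchost.exe are
    # unusual (DNS is mostly UDP, and TCP fallbacks are short-lived), so list
    # them for review. Expect occasional false positives.
    $conns = Get-NetTCPConnection -RemotePort 53 -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.ProcessName -ieq 'svchost') {
            $findings += [pscustomobject]@{
                Indicator = 'Network (heuristic)'
                Detail    = "svchost PID $($c.OwningProcess) -> $($c.RemoteAddress):53"
            }
        }
    }

    return $findings
}

$results = Test-HupigonFnIndicators
if ($results) {
    $results | Format-Table -AutoSize
} else {
    'No Backdoor:Win32/Hupigon.FN indicators found.'
}
```

The script reports rather than remediates: a hit on the file or ServiceDll indicator should trigger a full scan with an up-to-date security product, as the entry recommends, and the hash and connection details give the responder something concrete to pivot on.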