Installation
The malware is embedded in a signed DLL file named nssock2.dll, which is part of a legitimate software package.
When the software is installed and loaded, the DLL file is loaded along with it, which in turn launches the backdoor. The DLL file also contains the legitimate functionality the software needs in order to work.
Hence, removing the DLL might impair the software's functionality.
Payload
Queries randomly generated domain names to run malicious modules
When run, the backdoor generates a new domain each month and sends DNS queries for these pseudo-randomly generated domains to public DNS servers.
The response to such a query might contain configuration information for the backdoor, including decryption keys that allow the malware to decrypt and run additional malicious modules.
For example, the domain names generated in 2015, 2016, and 2017 are:
The malware might create the following registry keys to store its configuration data and possibly other binary modules:
- HKLM\Software\[DECIMAL DIGITS]
- HKCU\Software\[DECIMAL DIGITS]
- HKLM\Software\Microsoft\[RANDOM CHARACTERS]
- HKCU\Software\Microsoft\[RANDOM CHARACTERS]
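As an added defender-side example (not code from the original advisory or from Microsoft), the Python below sketches two hunt checks derived from the behaviour described above: a shape heuristic for the monthly .com domains queried through public resolvers, and a match for the `Software\<decimal digits>` registry keys. The resolver addresses, thresholds, sample DNS log lines and sample key paths are constructed assumptions.

```python
import re

# Constructed sample DNS log lines: "<client> <resolver> <queried name>". Not real telemetry.
SAMPLE_DNS_LOG = """\
10.0.0.5 10.0.0.2 www.example.com
10.0.0.7 8.8.8.8 babkrglwhwf.com
10.0.0.7 8.8.8.8 helolupazyjwpmh.com
10.0.0.9 10.0.0.2 mail.example.com
10.0.0.9 10.0.0.2 ribotqtonut.com
"""

# Assumption: these are the organisation's own resolvers; anything else counts as public.
INTERNAL_RESOLVERS = {"10.0.0.2"}

# Constructed sample of registry key paths, as a hunt script might enumerate them.
SAMPLE_REG_KEYS = [
    r"HKLM\Software\Microsoft\Windows",
    r"HKLM\Software\1728394",
    r"HKCU\Software\Classes",
    r"HKCU\Software\00412",
]

VOWELS = set("aeiou")

def looks_generated(qname):
    """Coarse shape test for the domains described above: a single .com label of
    11-15 lowercase letters with few vowels. Thresholds are assumptions; tune them."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) != 2 or parts[1] != "com":
        return False
    label = parts[0]
    if not (11 <= len(label) <= 15) or not label.isalpha():
        return False
    consonants = sum(1 for c in label if c not in VOWELS)
    return consonants / len(label) >= 0.6

def find_dga_queries(log_text):
    """Return (client, resolver, qname, bypassed_internal_dns) for each suspicious query.
    A generated-looking name sent straight to a public resolver is the stronger signal."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, resolver, qname = line.split()
        if looks_generated(qname):
            hits.append((client, resolver, qname, resolver not in INTERNAL_RESOLVERS))
    return hits

# Matches the HKLM/HKCU\Software\[DECIMAL DIGITS] storage locations listed above.
DIGIT_KEY = re.compile(r"^HK(?:LM|CU)\\Software\\\d+$", re.IGNORECASE)

def find_config_keys(key_paths):
    """Flag Software\\<decimal digits> keys; the Microsoft\\<random> variants need an allowlist."""
    return [k for k in key_paths if DIGIT_KEY.match(k)]
```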