Win32/Dipsind

Installation

We have seen threats in this malware family used in targeted attacks.

They can be installed on your PC when you open a malicious Microsoft Word file (.docx) attached to a spam email. We have seen the spam email attachment use the following file name:

• resume.docx

When the attachment is opened it attempts to exploit vulnerability CVE-2015-2545.

If successful, the malware is then installed to a random folder using a random file name. For example we have seen it installed to the following locations:

• %APPDATA%\microsoft\netmeeting\2378-1013-4567\winver32.exe
• %ProgramFiles%\common files\speechengines\microsoft\msofs.exe
• %ProgramFiles%\netmeeting\spool32\jdm32.exe

It also installs a configuration file in the same location, using a variable file name. For example:

• %APPDATA%\cache.ini
• %ProgramFiles%\spoolsv2.dll
• %ProgramFiles%\p2ptuncfg.dll

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "msofsnd"
With data: "%APPDATA%\roaming\microsoft\netmeeting\2378-1013-4567\p2ptun.exe -s"

The malware installs itself as a service using the following registry modification:

In subkey: HKLM\System\CurrentControlSet\Services\p2ptunsvc
Sets value: "windows p2p tunneling service"
With data: "%ProgramFiles%\common files\speechengines\microsoft\msofs.exe -n"

Payload

Connects to a remote host

Once installed successfully the malware contacts its command and control (C&C) server for further instructions. All data is encrypted with AES256 in ECB mode and Base64.

We have seen it connect to the following hosts:

• resonant9<removed>.angelfire.com
• 192.192.<removed>.1

A malicious hacker can then instruct the malware to perform a number of actions, including:

• Uploading and downloading files
• Running files
• Stealing domain credentials
• Spawning a remote command shell
• Running shell commands
• Giving a malicious hacker access to change the malware configuration file remotely