# Rampant Kitten – An Iranian Espionage Campaign
**[research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/](https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/)**
September 18, 2020
September 18, 2020
## Introduction
Check Point Research unraveled an ongoing surveillance operation by Iranian entities that
has been targeting Iranian expats and dissidents for years. While some individual sightings
of this attack were previously reported by other researchers and journalists, our investigation
allowed us to connect the different campaigns and attribute them to the same attackers.
**Among the different attack vectors we found were:**
Four variants of Windows infostealers intended to steal the victim’s personal
documents as well as access to their Telegram Desktop and KeePass account
information
Android backdoor that extracts two-factor authentication codes from SMS messages,
records the phone’s voice surroundings and more
Telegram phishing pages, distributed using fake Telegram service accounts
**The above tools and methods appear to be mainly used against Iranian minorities,**
**anti-regime organizations and resistance movements such as:**
-----
Association of Families of Camp Ashraf and Liberty Residents (AFALR)
Azerbaijan National Resistance Organization
Balochistan people
## Table of Contents
Technical Appendix
## Initial Infection
We first encountered a document with the name `ﺷﻮرﺷﯽ_ﺎیﮐﺎﻧﻮ_ﮔﺴﱰش_از_رژﱘ_وﺣﺸﺖ.docx,`
which roughly translates to `The Regime Fears the Spread of the Revolutionary`
```
Cannons.docx . The title of the document was in fact referring to the ongoing struggle
```
between the Iranian regime and the Revolutionary Cannons, a Mujahedin-e Khalq
movement.
Mujahedin-e Khalq, or The People’s Mujahedin of Iran, is an anti-regime organization whose
aim is to free Iran from its current leadership. In 1986, Mujahedin-e Khalq (MEK) started
building their new headquarters, which later became known as Camp Ashraf, near the Iraqi
town of Khalis. However, years of political tension in Iraq eventually led to the transfer of the
camp’s residents to a new, remote, and unlikely destination: Albania.
The above document leverages the external template technique, allowing it to load a
document template from a remote server, which in this case was `afalr-`
```
sharepoint[.]com .
```
Figure 1: Remote template
Curious by this website, we set out to discover more about it. At first, we found a handful of
tweets from accounts opposing the Iranian regime mentioning a very similar SharePoint site,
which the website in the document was likely impersonating:
-----
Figure 2: Tweets mentioning similar website
Figure 3: AFALR’s official website
## Infection Chain
After the victim opens the document and the remote template is downloaded, the malicious
macro code in the template executes a batch script which tries to download and execute the
next stage payload from `afalr-sharepoint[.]com :`
-----
Figure 4: Infection chain
The payload then checks if Telegram is installed on the infected machine, and if so it
proceeds to extract three additional executables from its resources:
**BOBC3953C59DA7870 – Loader, executed by** `RunDLL, injects the main payload into`
```
explorer.exe
```
**CO9D5A739B85C37C1 – Infostealer payload**
**Updater.exe – Modified Telegram updater**
## Payload Analysis
The main features of the malware include:
**Information Stealer**
Uploads relevant Telegram files from victim’s computer. These files allow the
attackers to make full usage of the victim’s Telegram account
Steals information from KeePass application
Uploads any file it could find which ends with pre-defined extensions
Logs clipboard data and takes desktop screenshots
**Module Downloader**
Downloads and installs several additional modules.
**Unique Persistence**
Implements a persistence mechanism based on Telegram’s internal update
procedure
-----
### Telegram structure basics
First, let us review how Telegram Desktop organizes its files. The following is an ordinary
Telegram file structure which can normally be found at %APPDATA%\Roaming\Telegram
```
Desktop .
```
Figure 5: Telegram Desktop directory structure
As explained above, several files are dropped to the Telegram working directory during the
infection chain. The dropped files are in a directory named `03A4B68E98C17164s, which`
looks like a file at first glance because of a custom `Desktop.ini file, but it is actually a`
directory.
Figure 6: Infected Telegram Desktop directory
### Configuration
One of payload’s resources contains encoded configuration data.
The encoding scheme uses the regular Base64 algorithm but with a custom index table:
```
eBaEFGHOQRS789TUYZdCfPbDIJ+/KLMNwxyzquv0op123VWXghijmnkl45rst6Ac .
```
Decoding that resource gives us the following configuration:
-----
**Key** **Value**
**AES**
**encryption**
**key**
[[email protected]@5!!](https://research.checkpoint.com/cdn-cgi/l/email-protection)
**File suffixes** .txt;.csv;.kdbx;.xls;.xlsx;.ppt;.pptx;
**SOAP**
**username**
**SOAP**
**password**
9BEF4B32-0D40-4A92-9E35-6094B8AA8B58
D5F69342-A3CC-438F-B3B6-5E7BF6B6E327
**Main C&C** hxxps://www.afalr-sharepoint[.]com/B6D9E741-DFE3-4470-9174C95FB2B958AD/TelBService.asmx
**Backup C&C** hxxps://www.afalr-onedrive[.]com/B6D9E741-DFE3-4470-9174C95FB2B958AD/TelBService.asmx
### C&C Communication
The malware uses SOAP for its communication purposes. SOAP is a simple XML-based
data structure for web-service communication. The API in SOAP web-services is public and
can be observed by accessing the website from a browser:
-----
Figure 7: SOAP API in C&C website
The messages (commands) can be divided into the following categories:
**Authentication:**
```
HelloWorld – Authentication message
```
**Module Downloader:**
```
DownloadFileSize – Checks whether a module should be downloaded
DownloadFile – Downloads a module from the remote server
```
**Data Exfiltration:**
```
UploadFileExist – Checks whether a specific victim file has been uploaded
UploadFile – Uploads a specific victim file
```
**Authentication**
The first message for a valid communication tunnel should be `HelloWorld, which`
implements a simple Username/Password authentication. The credentials are hard-coded in
the sample, and the SOAP response for that message contains a session ID which must be
used for the remainder of the session.
**Module Downloader**
The program tries fetching updates for its current modules and also download several
additional modules.
Some of the additional missing modules that could not be fetched:
```
D07C9D5A79B85C331.dll
EO333A57C7C97CDF1
EO3A7C3397CDF57C1
```
**Data Exfiltration**
The core functionality of the malware is to steal as much information as it can from the target
device. The payload targets two main applications: Telegram Desktop and KeePass, the
famous password manager.
Once the relevant Telegram Desktop and KeePass files have been uploaded, the malware
enumerates any relevant file it can find on the victim’s computer which has one of the
following extensions: `.txt;.csv;.kdbx;.xls;.xlsx;.ppt;.pptx; . For each such file,`
the malware then uploads it after encoding the file to base64.
### Persistence
The malware uses a unique persistence method which is tied to the Telegram update
**procedure.**
-----
Periodically, it copies the Telegram main executable into `Telegram Desktop\tupdates,`
which triggers an update procedure for the Telegram application once it starts. The hidden
trick of the malware’s persistence method is changing the default Telegram updater file –
```
Telegram Desktop\Updater.exe, with one of its dropped payloads (more specifically –
CO79B3A985C5C7D30 ). The most notable changed feature of that updater is running the
```
payload again:
Figure 8: Telegram updater runs the main payload
## Infrastructure and Connections
After analyzing the payload we were able to find multiple variants that date back to 2014,
indicating that this attack has been in the making for years.
Malware variants developed by the same attackers often have minor differences between
them, especially if they are used around the same time frame. In this case however, we
noticed that while some of the variants were used simultaneously, they were written in
different programming languages, utilized multiple communication protocols and were not
always stealing the same kind of information.
In the table below, we list the variants we identified and highlight their unique characteristics.
Please refer to the Technical Appendix below, for a deep dive information regarding each
variant.
**Name** **Artifacts** **Dates** **Malicious**
**Activity**
**TelB**
**Variant**
KeePassOnlineCreator.exe
BOBC3953C59DA7870
CO9D5A739B85C37C1
CO79B3A985C5C7D30
D07C9D5A79B85C331.dll
EO333A57C7C97CDF1
EO3A7C3397CDF57C1
June
2020 –
July 2020
Telegramfocused
infostealer
**Properties**
SOAP.
Delphi 64bit
payload.
Persistence
through
Telegram
updater.
-----
**TelAndExt**
**Variant**
**Python**
**Info**
**Stealer**
**HookInjEx**
**Variant**
TelegramUpdater.exe
TelegramUpdater2.exe
TelegramUpdater3.exe
TelegramUpdater.dll Updater.exe
keyboard-EN.exe
speaker-audio.exe
audio-driver.exe
DrvUpdt.exe / ehtmlh.exe
DrvUpdtd.dll / dhtmlh.dll
CapDev.exe / rregg.exe
uflScan.exe
May 2019
–
February
2020
February
2018 –
January
2020
December
2014 –
May 2020
Telegramfocused
infostealer
Focused on
– Telegram,
Chrome,
Firefox,
Edge,
Paltalk NG
Data
Exfiltration
via FTP
Infostealer
(Browsers,
audio,
keylogging
and
clipboard)
FTP .
Delphi 32bit
payload.
Persistence
through
Telegram
updater.
FTP.
Python
(Pyinstaller)
FTP. C++
The related samples also revealed more C&C servers, and looking up their passive DNS
information and additional metadata led us to similar domains that were operated by the
same attackers. As it turns out, some of the domains appeared in malicious Android
applications and phishing pages, exposing more layers of this operation:
Figure 9: Maltego graph of the malicious infrastructure
-----
## Android Backdoor
During our investigation we also uncovered a malicious Android application tied to the same
threat actors. The application masquerades as a service to help Persian speakers in Sweden
get their driver’s license.
We have located two different variants of the same application, one which appears to be
compiled for testing purposes, and the other is the release version, to be deployed on a
target’s device.
Figure 10: Android application’s main interface
This Android backdoor contains the following features:
Steal existing SMS messages
Forward two-factor authentication SMS messages to a phone number provided by the
attacker-controlled C&C server
Retrieve personal information like contacts and accounts details
Initiate a voice recording of the phone’s surroundings
-----
Perform Google account phishing
Retrieve device information such as installed applications and running processes
For a deep dive information regarding this application, please refer to the Technical Appendix
below.
## Telegram Phishing
The backdoors were not the only way in which the attackers tried to steal information about
Telegram accounts. Some of the websites that were related to this malicious activity also
hosted phishing pages impersonating Telegram:
Figure 11: Telegram phishing page
-----
What was surprising is that several Iranian Telegram channels have actually sent out
warnings against those phishing websites, and claimed that the Iranian regime is behind
them.
Figure 12: Translated message warning against phishing attempts
According to the channels, the phishing messages were sent by a Telegram bot. The
messages warned their recipient that they were making an improper use of Telegram’s
services, and that their account will be blocked if they do not enter the phishing link.
Figure 13: Phishing message content
-----
Another Telegram channel provided screenshots of the phishing attempt showing that the
attackers set up an account impersonating the official Telegram one. At first, the attackers
sent a message about the features in a new Telegram update to appear legitimate. The
phishing message was sent only five days later, and pointed to
```
https://telegramreport[.]me/active (same domain as in figure 11 above).
```
Figure 14: Phishing message sent from fake Telegram account
## Payload Delivery
Although in some cases we were unable to determine how the malicious files reached the
victims, we gathered some potential clues about the ways the attackers distributed their
malware. For example, accessing `mailgoogle[.]info shows that it impersonates`
```
ozvdarozv[.]com and promotes a software to increase the number of members in
```
Telegram channels.
-----
Figure 15: `mailgoogle[.]info download page`
But after clicking on “Download”, a password-protected archive called `Ozvdarozv-`
```
Windows.rar is downloaded, containing one of the malware variants.
### Possible Additional Delivery Vectors
```
A removed blog entry from 2018 accused a cyber-security expert of plagiarism when he was
interviewed by AlArabiya news channel to discuss Iranian cyber-attacks.
We believe this page was created as part of a targeted attack against this person or his
associates.
The blog included a link to download a password-protected archive containing evidence of
the plagiarism from `endupload[.]com .`
```
endupload[.]com is connected to both the PC and the Android operations mentioned
```
above via several passive DNS hops, including a direct connection via historic DNS server
information to the domain `mailgoogle[.]info we described above. Not only did we not`
find any instance of it being used in a legitimate context, we also found evidence of the
domain being registered by a Persian speaking hacker. (See “attribution” section below)
-----
Figure 16: Removed blog post with link to `endupload[.]com`
A different blog entry from 2012 discusses a human rights violations report by HRANA, a
news agency affiliated with the Iranian Association of Human Rights Activists. Once again,
this blog refers to a document that can be downloaded from `endupload[.]com :`
-----
Figure 17: Blog post with link to endupload[.]com
Unfortunately, we were unable to get our hands on the files both blog entries were referring
to, and could not confirm that they were indeed malicious. However, it appears that
```
endupload[.]com has been controlled by the attackers for years, as some of the malicious
```
samples related to this attack and dating back to 2014 communicated with this website.
## Attribution
Although we found many files and websites that were used over the years in this attack, they
were not attributed to a specific threat group or entity. Nevertheless, some of the fingerprints
that the threat actors left in the malicious artifacts allowed us to gain a better understanding
of where the attack might be coming from.
### Attack Origin
To begin with, the WHOIS information of some of the malicious websites revealed that they
were supposedly registered by Iranian individuals:
-----
Figure 18: WHOIS information of `endupload[.]com and` `picfile[.]net`
The WHOIS records for `endupload[.]com also mentioned an e-mail address,`
```
[email protected][.]com . Apparently, the website’s registrant was very active online,
```
because looking up the username “nobody.gu3st” led us to many posts in Iranian hacking
forums:
Figure 19: Translated post by nobody.gu3st
### Political Targeting
The list of targets we observed reflects some of the internal struggles in Iran and the motives
behind this attack. The handpicked targets included supporters of Mujahedin-e Khalq and the
Azerbaijan National Resistance Organization, two prominent resistance movements that
advocate the liberation of Iranian people and minorities within Iran.
-----
Figure 20: Mujahedin-e Khalq and Azerbaijan National Resistance Organization logos
The conflict of ideologies between those movements and the Iranian authorities makes them
a natural target for such an attack, as they align with the political targeting of the regime.
In addition, the backdoor’s functionality and the emphasis on stealing sensitive documents
and accessing KeePass and Telegram accounts shows that the attackers were interested in
collecting intelligence about those victims, and learning more about their activities.
## Conclusion
Following the tracks of this attack revealed a large-scale operation that has largely managed
to remain under the radar for at least six years. According to the evidence we gathered, the
threat actors, who appear to be operating from Iran, take advantage of multiple attack
vectors to spy on their victims, attacking victims’ personal computers and mobile devices.
[Since most of the targets we identified are Iranians, it appears that similarly to other attacks](https://research.checkpoint.com/2018/domestic-kitten-an-iranian-surveillance-operation/)
attributed to the Islamic Republic, this might be yet another case in which Iranian threat
actors are collecting intelligence on potential opponents to the regiment.
[SandBlast Mobile provides real-time threat intelligence and visibility into mobile threats,](https://www.checkpoint.com/products/mobile-security/)
protecting from malware, phishing, Man-in-the-Middle attacks, OS exploits, and more.
Check Point’s [anti-phishing solutions include products that address all of the attack vectors](https://www.checkpoint.com/solutions/anti-phishing/)
from which phishing attacks come – email, mobile, endpoint and network.
## Technical Appendix
### PC Backdoor Variants Analysis
-----
**TelB Variant**
“TelB” is the latest variant we encountered, and its analysis shown above. We named it as
such because of the next debug string:
```
D:\Aslan\Delphi\TelB\BMainWork\SynCryptoEN.pas .
```
**TelAndExt Variant**
This variant is probably the older version of “TelB”, and has been active mostly during 2019
and 2020. It shares the following properties and techniques with the newer versions:
Developed in Delphi
Shares a great amount of code with the “TelB” variant
Focuses on the Telegram Desktop application
Similar persistence and update methods
Uses FTP instead of SOAP for data exfiltration
We named this variant “TelAndExt” because of the next debug string:
```
D:\Aslan\Delphi\TelAndExt\TelegramUpdater\SynCryptoEN.pas
```
**Python Info-stealer Variant Analysis**
We discovered several samples which use the following methods:
Two-layer SFX (self-extracted archive) which extract several .bat/.vbs/.nfs/.conf files.
Persistence method by copying the executable (ends with `.nfs ) to`
```
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\audio driver.exe
```
Executable name is `speaker-audio.exe or` `keyboard-EN.exe, depending on the`
sample.
The executable was created with Pyinstaller.
Downloads a second-stage payload under the name of `net-update.exe`
Before being uploaded, the data is encrypted using library `pyAesCrypt with a hard-`
coded password.
**Info stealing**
According to our analysis, the script communicates with an FTP server using hard-coded
credentials, and steals the following data:
Telegram Desktop application related files.
Paltalk NG application related files.
Chrome, Firefox and Edge related data.
Any file which ends with extensions listed in a given configuration. If no configuration is
given, it searches for files with the following extensions:
```
.txt;.docx;.doc;.exe;.jpg;.html;.zip;.pdf
```
-----
**Operation**
During our investigation, we saw several Python info-stealers that communicate with the
same FTP server, but store the stolen information in different pages under different aliases.
We suspect this is how the malware authors operate:
Choose a target, and create a designated folder in the FTP server for them.
Build a sample customized for the target, with a unique AES key and FTP credentials
for information uploading.
Deliver the weaponized executable via one of the infection chain vectors.
**Second-stage Payload – HookInjEx**
One of its core functionalities is fetching a second-stage payload. If the designated FTP
folder contains a file named `net-update.exe, then it downloads and executes it.`
We analyzed few of those `net-update.exe samples and found a complete overlap with`
the “HookInjEx” variant below, making it a targeted advanced payload.
**HookInjEx Variant**
This variant has been in use since 2014, and has 32-bit and 64-bit versions. Over time, the
variant evolved and added some features while also changed the names of the different
components in its infection chain.
**Infection Chain**
We found two main types of infection chains:
1. SFX (self-extracting archive) which contains all the components. It drops all of them
into a folder and then executes the main loader – `DrvUpdt.exe ( ehtmlh.exe in`
older versions).
2. Fake SCR file that is functioning as an executable. In order to look like a legitimate
SCR file, the loader contains a decoy – a JPEG/PPTX/DOC file as a resource
( Resource_1 ), which is loaded upon running.
The SCR file also drops other payloads as its resources, and runs the main loader with the
command line:
```
cmd.exe /C choice /C Y /N /D Y /T 3 &
"%APPDATA%\\Microsoft\\Windows\\Device\\DrvUpdt.exe" -pSDF32fsj8979_)$
```
-----
Figure 21: Malicious SCR opens decoy JPG resource
**Hooking and Injection**
The main loader uses the hooking and injection method called “HookInjEx”. That method
maps a DLL into `explorer.exe, where it subclasses the` `Start button. In our case, the`
loaded DLL is `DrvUpdtd.dll ( dhtmlh.dll in older versions).`
In newer versions, the malware also hooks the `Start button in other languages as well.`
The existence of different languages probably shows that it has victims from countries all
around the world. The different translations are:
-----
```
Start English
başlat - Turkish
```
開始 - Chinese
```
Sākt - Latvian
اﺑﺪأ - Arabic
Iniciar - Spanish
Käynnistä - Finish
התחל - Hebrew
```
スタート - Japanese
```
Štart - Slovakian
Pradėti - Lithuanian
Pokreni - Bosnian
```
เริ่ม - Thai
```
Έναρξη - Greece
Démarrer - French
Старт - Bulgarian
Запустити - Ukrainian
```
시작 - Korean
**Configuration**
The malware receives its configuration from a file named `Devinf.asd (in older versions it`
was named `file2.asd ). The configuration is decrypted and written into a new file named`
```
Drvcnf.asd (in older version it named file3.asd ). The encryption method is:
```
-----
```
def decode(content):
dec_array = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0xe, 0xf, 0x10, 0x11, 0x12, 0x13, 0x14,
0x15, 0x16, 0x17, 0x18, 0x19, 0x1a,0x1b, 0x1c, 0x1d, 0x1e, 0x21, 0x22, 0x23, 0x24,
0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32,
0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40,
0x41, 0x42, 0x43, 0x44]
output_str = ''
known_values = [9, 10, 13, 32]
for j in range(len(content)):
int_cur_content = ord(content[j])
cur_byte = 0
for i in range(62):
if int_cur_content == dec_array[i]:
if i < 26:
cur_byte = i + 0x61
elif 26 <= i < 52:
cur_byte = i + 0x27
elif 52 <= i < 62:
cur_byte = i - 0x4
output_str += (chr(cur_byte))
break
if cur_byte == 0:
if int_cur_content in known_values:
cur_byte = int_cur_content
elif int_cur_content - 0x61 <= 0xe:
cur_byte = int_cur_content - 0x40
elif int_cur_content - 0x70 <= 0x6:
cur_byte = int_cur_content - 0x36
elif int_cur_content - 0x77 <= 0x5:
cur_byte = int_cur_content - 0x1c
elif int_cur_content - 0x53 <= 0x3:
cur_byte = int_cur_content + 0x28
output_str += (chr(cur_byte))
return output_str
```
After the configuration is decrypted, the malware parses the values and puts them in global
variables.
-----
```
Registry key for persistence
- pre value for info files to send
- extensions for info files to send
- log path direcory
- minimum size for file to send
- FTP domain
- FTP User value
- FTP Password value
- version
- Downloads updates URL
- Downloads updates URL
- Directory in ftp connection.
- timer_1
- timer_2
- timer_3
- Downloads updates URL
- value for encryption method to files
- value for encryption method to files
- Fake name
- Value to choose name template for info files to send.
- flag for exeucting again from different place.
- WHOIS first URL
- WHOIS second URL
- WHOIS third URL
- value to download using computer-name and username
- Opera gather data flag
- Firefox gather data flag
- Chrome gather data flag
- WHOIS flag
- tracert flag
- number of tries
- clipboard data flag of CF_HDROP (CLB-f.jpg)
- clipboard data flag of text, unicode, oemtext and locale (clbt.jpg)
- clipboard data flag of bitmap and dib (clb-p.jpg)
```
**Persistence**
The malware sets the registry key which is in the ` value of the configuration file`
(which is almost always the key RunOnce) to the following values – it sets the name to
```
SunJavaHtml or DevNicJava and the value is DrvUpdt.exe 11 . That way the malware
```
knows it was already executed.
In older versions, the malware used to drop a file named either `rreegg.exe or`
```
Capdev.exe, which was added to RunOnce, and in turn executed DrvUpdt.exe 11
```
**Info stealing**
-----
Main feature of the malware is stealing information from the victim s computer and send it to
the C2 using FTP.
The malware steals different types of data:
Opera/Chrome/Firefox login data.
Firefox information: profiles, keys and db files.
The output of `tracert www.google.com`
WHOIS information (based on the ` value).`
Screenshots and title of the foreground window.
Waveform-audio recording for a minute.
Files from removable drivers. The types of files are based on the ` tags in the`
file `Devufl1.tmp ( winufl1.tmp in older versions). In some versions, that logic was`
implemented in a file named `uflscan.exe .`
Interestingly, if driver’s name is one of the following: `A65RT52WE3F,` `09353536557 or`
```
transcend20276, the malware ends the thread. We believe it to be a debug code
```
(Fig. X) that stayed and its purpose is to prevent the malware from gathering files from
the author’s computers.
Files from other drives based on the ` tags in the file` `Devufl2.tmp`
( winufl2.tmp in older versions ).
Keylogging and clipboard data from various formats – drag and drop/ `CF_HDROP,`
```
CF_TEXT, CF_TEXT, CF_UNICODETEXT, virtual key codes, CF_OEMTEXT,
CF_LOCALE, CF_BITMAP and CF_DIB .
```
Capture using webcam ( tcwin.exe in older versions).
Since 2018 – Telegram Desktop data.
Figure 22: Debug code with hardcoded removable drivers
**C2 communication**
-----
This variant uploads files to its C2 domain using the FTP protocol. The FTP domain is placed
in the configuration file inside the ` tag.`
The connection starts with authentication using the password and username from the
configuration file.
The malware then creates a directory according to the ` tag and a subdirectory inside`
it with the user id it generated before. The user id is generated from the network adapter’s
info that was written into the file `Mcdata.dat ( PAdata.dat In older versions).`
After that, the connection continues with `TYPE I and` `PASV commands before storing the`
files with the `STOR command.`
The variant also contacts other domains to update its different components. The domains are
placed in the configuration file inside `,` ` and` ` tags. The files are`
downloaded using `URLDownloadToFileW from the given URLs, the` `user_id is included in`
the URLs.
**String Obfuscation**
In newer versions (since 2018), the strings are encrypted with the following script:
```
buf_1 = 'qweyuip[];lkjhgdszcm,.>