{
	"id": "60e55ab6-1527-431e-ba69-2a3e5e899f7c",
	"created_at": "2026-04-06T00:17:34.148403Z",
	"updated_at": "2026-04-10T13:11:30.322933Z",
	"deleted_at": null,
	"sha1_hash": "608a54a25982f889e864f3556779bfe1ae9171ff",
	"title": "Lethic Botnet Returns, Uses \"Realtek\" Identifier | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 415931,
	"plain_text": "Lethic Botnet Returns, Uses \"Realtek\" Identifier | Zscaler\r\nBy ThreatLabz\r\nPublished: 2010-11-10 · Archived: 2026-04-05 22:40:22 UTC\r\nRemember Stuxnet? Chances are you do: a few months back there was a worm that spread over USB using the 0-day .LNK vulnerability (CVE-2010-2568) and targeted Siemens SCADA systems. Additionally, the rootkit package that it installed was digitally signed using real certificates from real hardware manufacturers: Realtek Semiconductor Corp. (realtek.com.tw) was one of the companies (JMicron was the other; both are Taiwanese companies).\r\nIn recent days, I have seen malware with Realtek Semiconductor Corp. signature information. Specifically, it has been of the Trojan Lethic / Ddox malware family. About a year ago, Jose Nazario detailed his analysis on the Lethic bot being used to spew pharma, replica, etc. spam. About a month after he posted his analysis, M86 reported on the Lethic botnet takedown. Well, it appears that there is a new variant / botnet of this malware family. Here are two recent samples:\r\nMD5: 0460d89f0091d951184a8d77c6641340\r\nFirst seen: 2010-10-31 17:42:29\r\nVirusTotal Report\r\nMD5: ddb7aee9b335f479e0e2ac7aaf223856\r\nFirst seen: 2010-11-07 09:58:39\r\nVirusTotal Report\r\nBoth have Realtek information reported from Microsoft's Sigcheck tool:\r\nHowever, the tool shows no signer / certificate authority verified the signature. Here is a snapshot of the Stuxnet Sigcheck output for comparison:\r\nStuxnet and Lethic are completely different, and I am in no way presuming that one or more authors behind either malware campaign intersect; I did think it was interesting that this one company is being \"picked\" in malware campaigns though.\r\nhttps://www.zscaler.com/blogs/security-research/lethic-botnet-returns-uses-realtek-identifier\r\nPage 1 of 3\r\nThere may be some correlation with the exact Realtek information in the Lethic binary. The information within the Lethic binary does appear to mimic valid Realtek information for their AC97 Audio product. Doing some searches, I've found other malware families have used this exact Realtek information within their malware binaries. Here is a VirusTotal report from an SDBot sample first seen in January 2010 that has the exact same Realtek information used by Lethic. Separate malware authors could have simply selected a legitimate software package and included the exact information; however, this does seem pretty coincidental. Or perhaps it could be the \"signature\" of a common author or group behind these artifacts; perhaps they seek to tarnish the reputation of this Taiwanese company for personal or political motivation. Who knows?\r\nThere are about 91 Lethic samples with the \"Realtek\" signature information that Google shows from VirusTotal. These date from early September to present.\r\nIn the past few days, locations that I've seen the Lethic bot spread from include:\r\n77.79.9.174 over port 17678\r\n85.17.58.165 over port 36182\r\n91.121.175.219 over port 16512\r\nThe port changes over time, and the bot rotates through funky-sounding executable names that appear to be auto-generated from various letter permutations. For example:\r\nbknx.exe\r\nfewfdewwe.exe\r\nfefewwew.exe\r\nrfvmimikwe.exe\r\nvgewfwqwq.exe\r\nvgrwvew.exe\r\nFollowing infection, connection attempts have been seen to:\r\nizuhjsn.com (173.236.56.218) on port 8706\r\nxkihjhx.com (67.159.45.104) on port 2904\r\nThe domains were both registered August 1, 2010 through the registrars BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN and XIN NET TECHNOLOGY CORPORATION.\r\nDomainTools shows 12 other registered domains with the \"voip53\" Yahoo email address and 62 other registered domains with the \"dfghddf\" Hotmail email address within the whois information, presumably other malicious / C&C domains.\r\nIn mid-October, an Anubis report shows a \"Realtek\" Lethic sample looping through a number of SMTP proxies/open relays and sending spam similar to the pharma, replicas, etc. that Jose had reported in the previous 2009 iteration of the botnet. Here is a pcap snapshot of a replica spam message sent from the recent, Fall 2010 iteration of the Lethic bot:\r\nEl Reg recently reported on how prolific the Lethic botnet was and the success of the takedown. Could it be ramping up to make a comeback? Also, can this \"Realtek\" signature info be used to tie the author/group to the malware they have released?\r\nUpdate:\r\nThe Sigcheck tool apparently parses the PE File Version Info data structure and includes this in the output. The above \"Realtek\" information is actually extracted from the PE File Version Info data structure (e.g., here). While this is not a digital signature, it is still identifying info that may be able to tie certain malware samples to the same author / group / binary builder.\r\nSource: https://www.zscaler.com/blogs/security-research/lethic-botnet-returns-uses-realtek-identifier",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/lethic-botnet-returns-uses-realtek-identifier"
	],
	"report_names": [
		"lethic-botnet-returns-uses-realtek-identifier"
	],
	"threat_actors": [],
	"ts_created_at": 1775434654,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/608a54a25982f889e864f3556779bfe1ae9171ff.pdf",
		"text": "https://archive.orkl.eu/608a54a25982f889e864f3556779bfe1ae9171ff.txt",
		"img": "https://archive.orkl.eu/608a54a25982f889e864f3556779bfe1ae9171ff.jpg"
	}
}