{
	"id": "f88d27db-049d-42a8-8bde-3ab98ef942ff",
	"created_at": "2026-04-06T00:15:17.47517Z",
	"updated_at": "2026-04-10T13:11:58.989647Z",
	"deleted_at": null,
	"sha1_hash": "b8f14bf993357ee1cb9f652df3e3cfd3f5dbc6be",
	"title": "Virus Bulletin :: VB2014 paper: The pluginer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 985125,
	"plain_text": "Virus Bulletin :: VB2014 paper: The pluginer\r\nBy Micky Pun (Fortinet, Canada) and Neo Tan (Fortinet, Canada). Editor: Martijn Grooten\r\nArchived: 2026-04-05 16:12:08 UTC\r\n2015-02-27\r\nAbstract\r\nCaphaw, also known as Shylock, has been a quiet, yet persistent player on the botnet scene since 2011. It stands in great contrast to most botnet malware in that it was released with complete functionality rather than being released into the wild while still in the testing phase. The bold nature of the campaign (an easily identifiable entry point code sequence) was backed up by Caphaw’s intricately designed code structure, which made it hard for analysts to create a complete profile of its malicious behaviour with various obfuscation and anti-sandbox techniques. In their VB2014 paper, Micky Pun and Neo Tan discuss the technical aspects of handling the anti-reversing strategies devised by the malware writer and evaluate how Caphaw could become a permanent fixture in the botnet scene in the future.\r\nCopyright © 2015 Virus Bulletin\r\nAbstract\r\nOften identified by its abilities to spread through Skype and inject bank pages, Caphaw, also known as Shylock, has been a quiet, yet persistent player on the botnet scene since 2011. Caphaw is a rare kind of botnet in that it was released with complete functionality. It stands in great contrast to most botnet malware that is released into the wild while still in the testing phase. The bold nature of the campaign (an easily identifiable entry point code sequence) was backed up by Caphaw’s intricately designed code structure, which made it hard for analysts to create a complete profile of its malicious behaviour with various obfuscation and anti-sandbox techniques. 
In this article, we will discuss the technical aspects of handling the anti-reversing strategies devised by the malware writer and evaluate how Caphaw could become a permanent fixture in the botnet scene in the future.\r\nBrief history of Caphaw\r\nOur research team first received a sample of Caphaw in late October 2011. In this version, the Caphaw client was extracted from the .data section of a companion memory injector and written into the memory of explorer.exe. Since every Caphaw sample includes its build version in order to identify itself to different instances through a named pipe, we have been able to build up a decent picture of major developmental milestones (see Figure 1).\r\nFigure 1. Caphaw version timeline.\r\nThe 1.0.x versions of the Caphaw client consisted only of master mode and slave mode. Some of the modules, namely backsocket and dllhook, were bundled together with the Caphaw client in the custom packer. Some other capabilities, such as VNC and archiver, could be downloaded from the Internet later, after the configuration files enabled them. Most of the strings were not encrypted, hence they were visible after unpacking.\r\nhttps://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw\r\nPage 1 of 20\r\nIn the 1.4.1 version, the memory injector was combined into the Caphaw client, hence the malware also needed to handle the situation when the Caphaw DLL client was not invoked by a memory injector. It also added anti-VM and anti-debug mechanisms so that the malicious payload would not trigger if it detected that it was running in a sandbox or debugging environment. Plug-ins were also introduced in this version to remove the limitations of the original ‘modules’ system. The introduction of plug-ins provided a more convenient way to introduce new functionalities and standardize communication with the master between different modules. 
In addition, the malware author created a test mode so that the developer could test the module and plug-in after download without being bothered by the newly added anti-VM and anti-debugging features.\r\nCaphaw showed signs of stability when version 1.7.x was introduced in February 2013. No major structural changes were made at this point. Even later, in version 1.8.x, there were only slight changes to the traffic data pattern and additional code obfuscation. One obvious change in this version was the improvement to the custom encryption method of strings to eliminate wasted space (four zero bytes) in each encrypted string.\r\nOther than modifications to Caphaw which allow it to run more stably on an infected host, some small changes can be seen in its configuration parsing through different versions. Some older features (e.g. /hijackcfg/backconnect, /hijackcfg/oskill) have become obsolete in later versions, while new features (e.g. /hijackcfg/upload_file, /hijackcfg/grabemails/) have been added in newer clients. Detailed information on the available configuration in different versions is listed in Appendix 2.\r\nBasic features\r\nThe Caphaw client is a DLL which can easily be identified by its entry point code, where it checks the fdwReason parameter. The earlier version of Caphaw was packed in a memory injector, so it would only continue to execute the malicious DLL if it recognized itself as being loaded into the virtual memory space by the LoadLibrary API. In the later versions, Caphaw used a more advanced custom packer and integrated the memory injector into the DLL client. The entry point of the DLL client reflects the fact that the malware is also capable of being a standalone memory injecting payload, based on the fdwReason value.\r\nNewer versions of Caphaw have been improving their condition checking so that malicious behaviour is not launched in unintended environments. 
The main idea of the payload starts with setting up named pipes for inter-process communication, paving the way for a multi-threaded system operating the client. The older versions consist only of a master mode and a slave mode, where the master (shown in Figure 2) is responsible for communication with the C\u0026C server while interacting with the slaves to run tasks that are enabled by the configuration file. Later versions also introduced ‘plug-ins’, which have standardized communication with the master, making plug-ins compatible with different versions of the master.\r\nFigure 2. Caphaw overview.\r\nPrior to launching the master, Caphaw will determine whether it has been injected into a specific browser (‘iexplore.exe’ or ‘firefox.exe’). On hooking a recognized browser, it starts individual threads on the master to cover four areas of C\u0026C server communication:\r\n1. Pinging the C\u0026C server\r\n2. Sending back computer information\r\n3. Downloading and parsing the configuration file and carrying out tasks\r\n4. Logging (errors or master, slave, plug-in messages).\r\nInformation sent to the C\u0026C server is encrypted with RC4 using a key (known as ID here) generated based on the host’s environment. Then all of the traffic is encapsulated with the SSL protocol. A few default C\u0026C server domains are included in the code and the malware uses a special generator to create a subdomain name, assuming that the DNS server will respond with an active C\u0026C server IP address. 
When the right condition is reached on the server side, the C\u0026C server will send back a configuration file encrypted with base64 and RC4 using the unique ID mentioned previously as the key.\r\nInformation collection\r\nTo encrypt the data that is sent, the malware author uses a custom algorithm to create a unique identification number. The algorithm can be described as follows:\r\nData = CustomHashingCpuid [8 bytes] + VolumeSerialNumber [4 bytes] + ComputerName [? bytes] + SecurityIdentifier [? bytes]\r\nID = CustomOrderSwapping(MD5sum(Data))\r\nSince executing cpuid with different values stored in EAX yields different results, the malware author devised a wise plan to hash important information into eight bytes – see Listing 1.\r\nFunc CustomHashingCpuid\r\n    For (i = 0 to 1): ; Get vendor ID and processor info and feature bits\r\n        CPUID(i)\r\n        Result[0..3] ^= eax\r\n        If i == 1:\r\n            ebx \u0026= 0xFFFFFFh ; store with processor’s additional feature info\r\n            Result[0..3] ^= ebx\r\n            Result[4..7] ^= ecx\r\n            Result[4..7] ^= edx\r\n    For (i = 0x80000002h to 0x80000004h): ; Processor brand string\r\n        CPUID(i)\r\n        Result[0..3] ^= eax\r\n        Result[0..3] ^= ebx\r\n        Result[4..7] ^= ecx\r\n        Result[4..7] ^= edx\r\n    return Result\r\nListing 1: The malware author devised a wise plan to hash important information into eight bytes.\r\nThe malware uses the unique ID to encrypt the other information sent to the C\u0026C server. 
Table 1 depicts the parameters and their request values (e.g. key=a323e7d52d\u0026id=012F789B3884E1400F7F5D954521F85B\u0026inst=master\u0026net=usa\u0026cmd=cfg\u0026time=2013.05.15+08%3a02%3a29).\r\nParameter | Length (bytes) | Description\r\nkey | 5 | Using a custom algorithm to render a five-byte number from a hard-coded number in the malware binary\r\nid | 32 | Unique ID generated based on the infected host’s information; also used as RC4 key\r\ninst | 5-8 | Installation type, which affects how the client parses and executes the downloaded file: 1. master, 2. slave, 3. pluginer\r\nnet | N/A | Hard-coded botnet name\r\ncmd | 3-4 | Command: 1. log, 2. ping, 3. cfg\r\nw | N/A | Message type: 1. fileupload, 2. cmpinfo, 3. sols, 4. rqt\r\nbt | 23 | Build time (hard-coded)\r\nversion | 11 | Build version (hard-coded)\r\ntime | 23 | Current time\r\njt | N/A | Job time (in seconds): current time minus initial infection time\r\nTable 1. Information sent back to the C\u0026C server.\r\nThe key is generated using the following algorithm:\r\nbyte input[4] = hard-coded_value;\r\ntemp = sprintf(‘%u%u%u%u’, input[0], input[1], input[2], input[3]);\r\ntemp = lldiv(temp, 0x3) // long unsigned division\r\ntemp = sprintf(‘%I64u’, atoi64(temp))\r\ntemp = md5sum(temp)\r\ntemp = md5sum(temp[0..9])\r\nresult = temp[0..4]\r\nThe hard-coded value for generating the key is the build time of the malware.\r\nThe malware will also generate a detailed report on the victim’s computer if the client determines that this is the first time the malware has run on the machine. The report will be encrypted slightly more simply than the other communications and sent back to the server with the command ‘cmd=log\u0026w=cmpinfo’. This contains extended details of the infected host. 
The list is surprisingly thorough; we will list just some of the more interesting parts:\r\nOS version, serial and CDKey\r\nCPU, RAM information\r\nFile system structure and available space\r\nComputer name, user name and privileges\r\nCode pages – Windows character encoding\r\nBrowser version\r\nList of anti-malware products (the relationships between the anti-malware value and the process names are shown in Appendix 1)\r\nWhether it is running in a virtual machine\r\nCertain local executable file information, including: userinit.exe, cftmon.exe, vsdrv.exe, etc.\r\nList of running services\r\nList of running processes\r\nList of installed programs\r\nSnapshots of register values (EAX, EBX, ECX, EDX)\r\nFigure 3 shows an example of the report. As you can see, AntiMalware=VMware here, since the bot considers the sandbox technique to be a kind of anti-virus method. Besides looking for a sandbox environment, it also scans through every current process to find matches of other anti-virus products. A complete list is shown in Appendix 1.\r\nFigure 3. A small fraction of the initial report.\r\nThe purpose of this is obviously to draw a detailed description of the victim for more precise or tailored payloads/plug-ins to attack.\r\nAfter the initial report, it also tries to search for a bitcoin wallet in some known directories and upload it using w=rqt if it finds one. This attack can only affect an unprotected wallet file, since it doesn’t check whether the file is encrypted or not.\r\nAnti-debug/analysis tricks\r\nThe following strategy is employed to obstruct reverse engineering of the malware:\r\n1. Caphaw has demonstrated an effective technique of obstructing static analysis by encrypting strings such as library names and condition constants using a custom encryption routine and encoding API names using their hash values. 
With a low probability of collision on string name hashes, the API call addresses can easily be retrieved by generating the hash of each API name in the import table and retrieving the API call address when a match is found. This method avoids revealing the API name strings. Besides, with all other critical string information encrypted, the analyst can only predict the function of the routines by looking at the numeric values and call flows, thus static analysis is nearly impossible (see Figure 4).\r\nFigure 4. Code snippet showing how the API is resolved by using its hash value.\r\n2. Table 2 depicts the tests the malware uses to detect virtual machine (VM) environments. For example, by iterating the full module name path returned by the ZwQuerySystemInformation API, it can detect a VM environment by matching the known hash of a known VM filename (such as vmscsi.sys) against the hashes of all module names. If a sandbox environment is detected, the malware will delete itself and exit the process.\r\nTargeted virtual environment | Detection method\r\nVMware | Test 1 (system module check): Use the ZwQuerySystemInformation API to obtain a list of system modules. 
Iterate through the list and attempt to match the hash of the system module with the hash of any of the following strings: vmhgfs.sys, vmx_svga.sys, vmxnet.sys, vmmouse.sys, vmscsi.sys, vmdebug.sys\r\nVMware | Test 2 (running process check): Match the hash of a running process with the hash of the following strings: vmwarerray.exe, vmwareuser.exe\r\nVMware | Test 3 (registry value check): Check if any of the following registry entries exist and contain the string ‘VMware’ at ‘SystemProductName’ and ‘SystemManufacturer’: HARDWARE\\DESCRIPTION\\System\\BIOS, SYSTEM\\ControlSet001\\Control\\SystemInformation\r\nVirtualBox | Test 1 (system module check): Use the ZwQuerySystemInformation API to obtain a list of system modules. Iterate through the list and attempt to match the hash of the system module with the hash of any of the following strings: vboxvideo.sys, vbocsf.sys, vboxdisp.dll, vboxmouse.sys, vboxguest.sys\r\nVirtualBox | Test 2 (running process check): Match the hash of a running process with the hash of the following strings: vboxservice.exe, vboxtray.exe\r\nVirtualBox | Test 3 (registry value check): Check if any of the following registry entries exist and contain the string ‘VirtualBox’ at ‘BIOSVersion’ and ‘SystemManufacturer’: SYSTEM\\ControlSet001\\Control\\SystemInformation\r\nVirtual PC | Test 1 (system module check): Match the hash of a running process with the hash of the following strings: vmsrvc.exe, vpcmap.exe\r\nTable 2. Sandbox detection methods.\r\n3. 
Unlike most malware, Caphaw has dedicated a huge amount of code to condition checking to ensure that the payload is deployed under the exact conditions intended. Buried in a massive amount of obfuscated code, recovering all the capabilities of this malware is rather time consuming, and some could easily be missed.\r\nIn the process of reversing the code, we discovered that the author had left a few backdoors open for testing the malware. When executing the malicious routine with these special arguments, it will execute the client in different modes. The malware will first check if the local time is within two hours of the malware build time. If this is the case, it will go further and check whether the ‘-testing’ and ‘-vm’ arguments are provided in the command. If these conditions are met, the malware will not release any payload or trigger the anti-VM detection routine.\r\nFigure 5. The malware compares the difference between the current time and the build time to two hours (7,200 seconds).\r\nCommunication with C\u0026C Server\r\nThe initial list of C\u0026C server domains is encrypted in the binary. However, Caphaw uses a special technique to hide the active server IPs. The life of the domains is usually very short – it usually ranges from a couple of hours to one or two days – and on the client side, it generates the full server domains and request URLs by using the hard-coded ones in the following format: [random generated prefix].[hard-coded domain]?r=[random number]. 
All of the communication traffic goes through C\u0026C server port 443 using the SSL protocol.\r\nThe pseudocode of the subdomain name generation is as follows:\r\nCHAR_TABLE = {abcdefghijklmnopqrstuvwxyz0123456789};\r\nwhile (char_count != 0)\r\n{\r\n    generated_sname += CHAR_TABLE[calcRandom(0x24)];\r\n    char_count--;\r\n}\r\nint calcRandom(int char_count_max) // generates a random number under char_count_max\r\n{\r\n    v1 = randomDGASeed;\r\n    if (!randomDGASeed)\r\n        v1 = gettickcount();\r\n    randomDGASeed = 214013 * v1 + 2531011;\r\n    return ((randomDGASeed \u003e\u003e 16) \u0026 32767) / 32767.0 * char_count_max;\r\n}\r\nThe char_count is also generated randomly using the calcRandom() function, with char_count_max obtained from the following function with fixed arguments a1 = 0xC and a2 = 0x32. Therefore, char_count_max is constrained between 0xC and 0x12.\r\nint generateCharCount(int a1, int a2)\r\n{\r\n    return calcRandom(2 * a2 * a1 / 100) + a1 * (100 - a2) / 100;\r\n}\r\nThe thread responsible for communicating keeps generating domain names and querying them until it gets a response (see Figure 6).\r\nFigure 6. Retrying generated URLs.\r\nThen it sends the message to the response IP address in SSL protocol. A sample message in plaintext is as follows:\r\nkey=a323e7d52d\u0026id=012F789B3884E1400F7F5D954521F85B\u0026inst=master\u0026net=usa\u0026cmd=cfg\u0026time=2013.05.15+08%3a02%3a29.42\r\nIt is then encrypted using the RC4 algorithm with the key being the domain it was querying appended to the fixed string ‘ca5f2abe’ (e.g. ‘bzdfv2bjw791h.e-protections.suca5f2abe’). However, in the current version, the initial report is encrypted using a different RC4 key generated by a simpler format which appends a hard-coded string to the C\u0026C IP address (e.g. ‘189.127.48.11bzdfv2bjw791h’). 
Then it is encoded with base64, and posted to the server with ‘z=’ in front of the encoded message. If the ‘cmd’ variable is equal to ‘cfg’, the C\u0026C server will send back the base64 result of the configuration message, subsequently encrypted by the RC4 algorithm with a different key. The key is the string of the ‘id’ value generated on the victim’s environment. After decryption, the configuration is in XML format. Listing 2 shows a sample configuration.\r\nListing 2: A sample configuration.\r\nAs you can see, the root level tag ‘hijackcfg’ suggests that this configuration is mainly for the hijacking process. With different install modes, the bot parses different parts of the configuration.\r\nTag | Inst = Master | Inst = Slaver | Inst = Pluginer\r\nBotnet | ✔ | ✔ | ✔\r\nTimer_cfg | ✔ | ✔ | ✔\r\nTimer_log | ✔ | ✔ | ✔\r\nTimer_ping | ✔ | ✔ | ✔\r\nUrl_server | ✔ | ✔ | ✔\r\nArchiver | ✔ | | \r\nUrl_update | ✔ | | \r\nVnc | ✔ | ✔ | \r\nHttpinject | ✔ | ✔ | ✔\r\nGrabemails | ✔ | | \r\nPlugin | | | ✔\r\nTable 3. Comparison of parsing tags in different modes.\r\nThe XML configuration is then parsed and saved into the named pipe. In this example, the ‘botnet’ tag shows the name of the botnet. The ‘timer’ tags are the retry timeout settings. The ‘url_server’ tag stores the latest C\u0026C server URLs. The ‘archiver’ tag contains a download address of a legitimate packer tool named ‘RAR 3.00’, which is used to pack the botnet client into a size of around 500KB with the command line options ‘a -r -dh -ep2 -v500k’. The ‘url_update’ tag contains the address of the update file of this bot. Therefore, the bot has two ways of updating its C\u0026C server list: one from the url_server tag, and one from the update of the bot’s binary. 
This makes tracking solely the downloading of the cfg file meaningless, because someone could just recompile the bot with a new C\u0026C server list to get rid of the tracker.\r\nThen there are the download modules. These modules can be either installed or uninstalled according to whether the ‘value’ is ‘on’ or ‘off’. The ‘vnc’ tag contains the download address of the VNC module. The ‘httpinject’ tag contains the download address of the script file which is to be injected into the web pages. And the ‘grabemails’ tag may contain the download address of the module which can harvest users’ email address books.\r\nThe MD5 is for pre-download comparison – if a module already exists in the system, it will not be downloaded again. The ‘plugin’ tags contain the download addresses of the DLLs to be loaded into the injected process. To be distinct from the executable modules, the DLLs are always loaded via their exported functions in order, ‘Init’ then ‘Start’. And the ‘cmd’ values are fed as the command line options of the DLL.\r\nNotice that most of the ‘URLs’ in this configuration are missing domain names. The bot generates domains using the same algorithm as described previously, appends ‘r=[random]’ to the end of the URL, and sends a GET message to try to download the file (e.g. https://bzdfv2bjw791h.netprotections.cc/files/010-update-2ds5b9dp3db5/msg.gsm?r=1312723419). In the most recent version of the malware (at the time of writing), the message is changed to POST with an empty z= value.\r\nFor keeping track of the updated C\u0026C servers, the parsed url_server and the httpinject information is also saved into a local file in %AppData% with a random name (e.g. 1937592302.dat) and encrypted using the RC4 algorithm with the id (as seen in Table 1). 
The following is a sample of the content of the decrypted .dat file:\r\nbotnet=usa\r\ninjects=/files/010-update-9gdrdhb30/hidden7770777.jpg\r\nserver1=https://ehistats.su/ping.html\r\nserver2=https://sysinfo.cc/ping.html\r\nserver3=https://netprotections.cc/ping.html\r\nserver4=https://sysinfonet.cc/ping.html\r\nserver5=https://iestats.cc/ping.html\r\nserver6=https://ieguards.su/ping.html\r\nInline hooking and anti-hooking\r\nThe malware injects itself into other active processes. If it finds out that the host process is either iexplore.exe or firefox.exe, it will inline hook the communication APIs used by the browser processes, then contact the C\u0026C server with the ‘cmd’ value set to ‘cfg’ in order to get the latest configuration. Otherwise, if the host process is not explorer.exe, userinit.exe or rundll32.exe, it will start to contact the C\u0026C server with the ‘cmd’ value set to ‘ping’ in the message.\r\nThe APIs it is targeting in iexplore.exe are the following:\r\nws2_32.dll:\r\nsend\r\nwininet.dll:\r\nHttpOpenRequestA\r\nHttpOpenRequestW\r\nHttpSendRequestA\r\nHttpSendRequestW\r\nHttpSendRequestExA\r\nHttpSendRequestExW\r\nInternetReadFile\r\nInternetReadFileExA\r\nInternetReadFileExW\r\nInternetCloseHandle\r\nInternetQueryDataAvailable\r\nInternetSetStatusCallback\r\nThe screenshot in Figure 7 shows that the HttpSendRequestW API in iexplore.exe is inline-hooked.\r\nFigure 7. The beginning of the HttpSendRequestW API is hooked.\r\nThe APIs it targets in firefox.exe are the following:\r\nnspr4.dll:\r\nPR_Read\r\nPR_Write\r\nPR_Close\r\nnss3.dll:\r\nCERT_VerifyCertName\r\nCERT_VerifyCertNow\r\nThe functions hooking these APIs can disable security warnings and manipulate the sending and receiving of the web pages. This is the core feature that enables Caphaw’s man-in-the-browser abilities. 
And because the bot uses some of these APIs for communication with the C\u0026C servers as well, it creates a backdoor table to store the first couple of instructions of each API call, followed by a push-retn jump back to the original routine. When contacting the C\u0026C server, it calls these addresses directly to bypass the inline hooks, which were made by itself.\r\nFigure 8. Pre-defined location used to store dummy code, now stores the initial instructions (in red) and a jump to the API.\r\nModules and plug-ins\r\nThe following is a list of modules and plug-ins that have been downloaded by Caphaw over the years:\r\n1. Browser cookie stealer (using archiver to archive and upload)\r\n2. Flash cookies (SOLS) stealer\r\n3. VNC server\r\n4. Video capture and uploader (using archiver to archive and upload)\r\n5. Message Spreader (via Skype)\r\n6. Disk Spreader (worm)\r\n7. Backsocks (modifies the source code of 3proxy – 3APA3A’s simplest proxy server, socks.c precisely).\r\nThe cookie stealer has the ability to steal or delete HTML and Flash cookies to facilitate the HTTP inject. The VNC server can enable the attacker to gain remote access to the victim’s computer. The video capture and uploader can be used to monitor the victim’s interaction with the computer, therefore drawing an even more complete picture of the target. The last three plug-ins are the recently active ones. Message Spreader can send spam messages via Skype to spread itself or other malware. Disk Spreader can spread the bot via removable drives. Backsocks can tunnel the attacker’s traffic through the victim’s machine into its internal networks, which opens up a new area of resources for the attacker to gain access to – and because it uses the back SOCKS protocol, it can also work in a NAT network.\r\nAll of these plug-ins can easily be installed/uninstalled. 
We believe the actual list of downloadable plug-ins will be larger than this. By knowing the user’s information, the bot master can also tailor the list of plug-ins to be installed on the victim’s machine.\r\nBotnet operations\r\nCaphaw is known for its ability to steal banking information and is most active in North America and western European countries. Figure 9 shows the distribution of active Caphaw C\u0026C server locations during May 2014. In 31 days we discovered in total 28 active servers, which were mainly located in North America and western European countries. Note that North America alone has 12 C\u0026C servers, which are evenly distributed between the east and west coasts.\r\nFigure 9. Location of active Caphaw C\u0026C servers in May 2014.\r\nConclusion\r\nAfter two years of development, Caphaw has become a dangerous piece of malware. Unlike other botnets, Caphaw is meticulous about its targets and extremely cautious in not launching any malicious activities if the environment is not deemed ‘safe’. In addition to generating profit through man-in-the-browser attacks and occasional bitcoin mining, Caphaw has also shown great interest in infiltrating internal networks with its arsenal of tools (Backsocks, Disk Spreader, video capturing and VNC server), which seems far beyond the requirements of simply making money quickly.\r\nHaving two ways of updating its C\u0026C server list and utilizing advanced code obfuscation techniques have benefited Caphaw in its ability to remain undiscovered in a host for a long time. All of these signs indicate that Caphaw is a competent APT candidate which is capable of hosting a reliable botnet. However, taking the time to reverse engineer Caphaw has proven fruitful, as we have uncovered its core module’s code structure, anti-analysis tricks and communication protocol. 
This gives us great leverage in terms of tracking and fighting this threat.\r\nAppendix 1: Detected anti-virus vendors and targeted process\r\nAnti-malware value | Process name\r\nAgava firewall | Fwservice.exe\r\nAtGuard firewall | iamapp.exe\r\nAuthentium | vseamps.exe\r\nAuthentium | vsedsps.exe\r\nAvast | ashServ.exe\r\nAvast | AvastSvc.exe\r\nAvast | aswUpdSv.exe\r\nAvast | ashDisp.exe\r\nAvira | avgnt.exe\r\nAvira | avguard.exe\r\nAvira | sched.exe\r\nAVG | avgwdsvc.exe\r\nAVG | avgfws.exe\r\nAVG | avgemcx.exe\r\nAVG | avgrsx.exe\r\nAVG | avgchsvx.exe\r\nAVG | avgcc.exe\r\nAVG | avgemc.exe\r\nAVG | avgupsvc.exe\r\nAVG | avgw.exe\r\nAVG | guard.exe\r\nAVG | avgamsvr.exe\r\nBitDefender | vsserv.exe\r\nBullGuard | BullGuard.exe\r\nBullGuard | BullGuardBhvScanner.exe\r\nCA | caamsvc.exe\r\nCA | isafe.exe\r\nCA | casc.exe\r\nCA | ccEvtMgr.exe\r\nCA | ccprovsp.exe\r\nCA | ccschedulersvc.exe\r\nComodo firewall | cfp.exe\r\nComodo firewall | cssurf.exe\r\nComodo firewall | cmdagent.exe\r\nComcast Spyware Scan | ComcastAntiSpyService.exe\r\nComcast Spyware Scan | ComcastAntispy.exe\r\nDeepFreeze | deepfreeze.exe\r\nDoctor Web | dwengine.exe\r\nDoctor Web | drweb32w.exe\r\nDoctor Web | frwl_svc.exe\r\nEmsisoft | a2service.exe\r\niS3 | SZServer.exe\r\nKaspersky | avp.exe\r\nKERIO | winroute.exe\r\nMalwarebytes | mbamservice.exe\r\nMalwarebytes | mbam.exe\r\nMSEssentials | msseces.exe\r\nNod32 | egui.exe\r\nNod32 | ekrn.exe\r\nNod32 | nod32krn.exe\r\nNod32 | nod32kui.exe\r\nNeT firewall | Firewall.msc\r\nNorton360 | ccSvcHst.exe\r\nNorton | navapw32.exe\r\nNorton | navapsvc.exe\r\nMcAfee | SSScheduler.exe\r\nMcAfee | EngineServer.exe\r\nMcAfee | Mcshield.exe\r\nMcAfee | mfeann.exe\r\nMcAfee | mcagent.exe\r\nMcAfee | VsTskMgr.exe\r\nMcAfee | myAgtSvc.exe\r\nMcAfee | McSACore.exe\r\nMS Firewall Client | 
FwcAgent.exe\r\nMS Firewall Client | FwcMgmt.exe\r\nLavasoft Ad-Aware | AAWService.exe\r\nLavasoft Ad-Aware | AAWWSC.exe\r\nLavasoft Ad-Aware | AAWTray.exe\r\nOnlineArmor firewall | oasrv.exe\r\nOutpost firewall | op_mon.exe\r\nPanda | avengine.exe\r\nPanda | PavFnSvr.exe\r\nPanda | PavPrSvr.exe\r\nPanda | psksvc.exe\r\nPanda firewall | pshost.exe\r\nPanda firewall | ppfw.exe\r\nRapport | rapportservice.exe\r\nRapport | rapportmgmtservice.exe\r\nPC Cleaner | PCCleaners.exe\r\nPrevx | prevx.exe\r\nPC Tools | SSDMonitor.exe\r\nSophos | ALsvc.exe\r\nSophos | almon.exe\r\nSophos | ManagementAgentNT.exe\r\nSophos | RouterNT.exe\r\nSophos | SAVAdminService.exe\r\nSophos | SavService.exe\r\nSophos | swi_service.exe\r\nSoftPerfect Personal Firewall | fw.exe\r\nSpyware Doctor | FGuard.exe\r\nSpyware Doctor | pctsGui.exe\r\nSpybotSD | TeaTimer.exe\r\nSUPERAntiSpyware | SUPERAntiSpyware.exe\r\nSymantec | ccApp.exe\r\nSymantec | ccSvcHst.exe\r\nSymantec | Rtvscan.exe\r\nSymantec | DefWatch.exe\r\nSymantec | ccEvtMgr.exe\r\nSymantec | ccSetMgr.exe\r\nSymantec | DoScan.exe\r\nSymantec | SPBBCSvc.exe\r\nSymantec | SmcGui.exe\r\nTrend Micro | coreFrameworkHost.exe\r\nTrend Micro | PccNTMon.exe\r\nQuickHeal | onlinent.exe\r\nQuickHeal | SCANMSG.exe\r\nWebroot | WRConsumerService.exe\r\nWindows Defender | MSASCui.exe\r\nWindows Defender | MsMpEng.exe\r\nVirgin Media | Fws.exe\r\nVirgin Media | RpsSecurityAwareR.exe\r\nVirgin Media | ServicepointService.exe\r\nVirgin Media | ServiceManager.exe\r\nVirgin Media | AVGIDSAgent.exe\r\nZoneAlarm | vsmon.exe\r\nZoneAlarm | IswSvc.exe\r\nAppendix 2: Recognized XML tag for configuration file\r\nTag | 1.2 | 1.4 | 1.6 | 1.9\r\n/hijackcfg/vnc | ✔ | ✔ | ✔ | \r\n/hijackcfg/urls_server/url_server | ✔ | ✔ | ✔ | ✔\r\n/hijackcfg/url_update | ✔ | ✔ | ✔ | ✔\r\n/hijackcfg/upload_file | | ✔ | ✔ | 
✔\r\n/hijackcfg/uninstall ✔ ✔ ✔ ✔\r\n/hijackcfg/timer_ping ✔ ✔ ✔ ✔\r\n/hijackcfg/timer_inj_log ✔      \r\nhttps://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw\r\nPage 19 of 20\n\n1.2 1.4 1.6 1.9\r\n/hijackcfg/timer_err_log ✔      \r\n/hijackcfg/timer_log   ✔ ✔ ✔\r\n/hijackcfg/timer_dll_cfg ✔      \r\n/hijackcfg/timer_cfg   ✔ ✔ ✔\r\n/hijackcfg/solfiles value=%s ✔ ✔    \r\n/hijackcfg/solfiles ✔ ✔ ✔ ✔\r\n/hijackcfg/oskill ✔      \r\n/hijackcfg/plugins/plugin   ✔ ✔ ✔\r\n/hijackcfg/modules   ✔ ✔ ✔\r\n/hijackcfg/httpinject ✔ ✔ ✔ ✔\r\n/hijackcfg/grabemails       ✔\r\n/hijackcfg/execute ✔ ✔ ✔ ✔\r\n/hijackcfg/dll_load/dll ✔ ✔ ✔ ✔\r\n/hijackcfg/cookies value=%s ✔ ✔    \r\n/hijackcfg/cookies ✔ ✔ ✔ ✔\r\n/hijackcfg/certfiles ✔ ✔ ✔  \r\n/hijackcfg/botnet ✔ ✔ ✔ ✔\r\n/hijackcfg/backconnect ✔ ✔    \r\n/hijackcfg/archiver ✔ ✔ ✔ ✔\r\n/unit ✔ ✔ ✔ ✔\r\n/inject ✔ ✔ ✔ ✔\r\n/end ✔ ✔ ✔ ✔\r\n/data ✔ ✔ ✔ ✔\r\n/begin ✔ ✔ ✔ ✔\r\nSource: https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw\r\nhttps://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw\r\nPage 20 of 20\n\nZoneAlarm Appendix 2: Recognized XML tag for configuration IswSvc.exe file  \n 1.2 1.4 1.6 1.9\n/hijackcfg/vnc ✔ ✔ ✔ \n/hijackcfg/urls_server/url_server ✔ ✔ ✔ ✔\n/hijackcfg/url_update ✔ ✔ ✔ ✔\n/hijackcfg/upload_file  ✔ ✔ ✔\n/hijackcfg/uninstall ✔ ✔ ✔ ✔\n/hijackcfg/timer_ping ✔ ✔ ✔ ✔\n/hijackcfg/timer_inj_log ✔  \n Page 19 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw"
	],
	"report_names": [
		"paper-pluginer-caphaw"
	],
	"threat_actors": [
		{
			"id": "132e1e0f-8725-42cb-8c2d-d2f3ebb1f005",
			"created_at": "2023-12-08T02:00:05.758552Z",
			"updated_at": "2026-04-10T02:00:03.495698Z",
			"deleted_at": null,
			"main_name": "UAC-0118",
			"aliases": [
				"FRwL",
				"FromRussiaWithLove"
			],
			"source_name": "MISPGALAXY:UAC-0118",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434517,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8f14bf993357ee1cb9f652df3e3cfd3f5dbc6be.pdf",
		"text": "https://archive.orkl.eu/b8f14bf993357ee1cb9f652df3e3cfd3f5dbc6be.txt",
		"img": "https://archive.orkl.eu/b8f14bf993357ee1cb9f652df3e3cfd3f5dbc6be.jpg"
	}
}