# Study of an APT attack on a telecommunications company in Kazakhstan


-----

**© Doctor Web, Ltd., 2022. All rights reserved.**

This document is the property of Doctor Web, Ltd. (hereinafter - Doctor Web). No part of this
document may be reproduced, published or transmitted in any form or by any means for any
purpose without proper attribution.

Doctor Web develops and distributes Dr.Web information security solutions which provide
efficient protection from malicious software and spam.

Doctor Web customers can be found among home users from all over the world and in
government enterprises, small companies and nationwide corporations.

Dr.Web antivirus solutions are well known since 1992 for continuing excellence in malware
detection and compliance with international information security standards. State certificates and
awards received by the Dr.Web solutions, as well as the globally widespread use of our products
are the best evidence of exceptional trust to the company products.

**Study of an APT attack on a telecommunications company in Kazakhstan**
**3/23/2022**

Doctor Web Head Office
2-12A, 3rd str. Yamskogo polya
Moscow, Russia
125040

Website: www.drweb.com
Phone: +7 (495) 789-45-87

Refer to the official website for regional and international office information.


-----

## Table of Contents

###### Introduction 4

 Remote Rover 5

 Conclusion 7

 Operating Routine of Discovered Malware Samples 8

**BackDoor.PlugX.93** **8**

**BackDoor.Siggen2.3622** **18**

**BackDoor.Whitebird.30** **21**

**Trojan.DownLoader43.44599** **27**

**Trojan.Loader.891** **37**

**Trojan.Loader.896** **45**

**Trojan.Uacbypass.21** **54**

###### Appendix. Indicators of Compromise 59


-----

### Introduction

In October 2021, one of Kazakhstan’s telecommunication companies contacted Doctor Web,
with suspicion of malware in the corporate network. During the first look, we found backdoors
that were previously only used in targeted attacks. During the investigation, we also found out
that the company’s internal servers had been compromised since 2019. For several years,
Backdoor.PlugX.93 and BackDoor.Whitebird.30, the Fast Reverse Proxy (FRP) utilities, and
RemCom have been the main attackers' tools.

Because of the hackers' mistake, we got a unique opportunity to study the lists of victims and
find out what backdoor management tools were used. Based on the acquired information, we
concluded that the hacker group specialized in compromising the Asian companies’ mail servers
with Microsoft Exchange software installed. That said, we also found victims from other
countries, including:

 - Egyptian government agency

  - Italian airport

 - USA marketing company

 - Canadian transport and woodworking companies

The logs collected along with the command and control server included victims infected from
August 2021 to early November of the same year. Yet, in some cases, BackDoor.Whitebird.30
was installed not only on the server running Microsoft Exchange, but on domain controllers, too.

Based on the tools, methods, and infrastructure used, we conclude that the Calypso APT hacker
group is behind the attack.


-----

### Remote Rover


Command and control server for BackDoor.Whitebird.30 calls Remote Rover. It allows hackers
to remotely launch applications, update the backdoor configuration, download and upload files.
Besides that, you can use a command shell via Remote Rover. This is what the control server
interface looks like:

Remote Rover came with a configuration file CFG\default.ini with the following content:
```
 E:\  \   \2021\RR\  \telecom.cfg
 OneClock.exe

```
If you translate the content from Chinese into English, you can get this path:
```
 E:\personal use\Independent research and development
 remote\2021\RR\Configuration backup\telecom.cfg

```
For a detailed description of the malware used and how it works, see the Dr.Web Virus Library.

 - BackDoor.Siggen2.3622

 - BackDoor.PlugX.93

 - BackDoor.Whitebird.30

 - Trojan.Loader.891


-----

- Trojan.Loader.896

- Trojan.Uacbypass.21

- Trojan.DownLoader43.44599


-----

### Conclusion

During the investigation of the targeted attack, Doctor Web virus analysts found and described
several backdoors and trojans. It’s worth noting that the attackers managed to remain
undetected for as long as other targeted attack incidents. A hacker group compromised a
telecommunications company's network more than two years ago.

Doctor Web specialists recommend regularly checking network resources’ efficiency and timely
fixing failures that may indicate the presence of malware on the network. Data compromise is
one of targeted attacks’ main dangers, but the long-term presence of intruders is also a cause
for concern. Such development allows them to control the organization’s work for many years
and gain access to especially sensitive information at the proper time. If you suspect malicious
activity in the corporate network, the best option is to contact the Doctor Web virus laboratory
for qualified help. Dr.Web FixIt! helps you detect malware on servers and workstations. Taking
adequate measures timely will minimize the damage and prevent the serious consequences of
targeted attacks.


-----

### Operating Routine of Discovered Malware Samples


#### BackDoor.PlugX.93

**Added to the Dr.Web virus database: 2021-10-22**

**Virus description added: 2021-10-30**

**Packer: absent**

**Compilation date: 2020-08-13**

**SHA1 hash: a8bff99e1ea76d3de660ffdbd78ad04f81a8c659**

##### Description

The PlugX backdoor module is written in C. It’s designed to decrypt the shellcode from the
registry that loads the main backdoor into memory.

##### Operating principle

First, the backdoor receives the address of the VirtualProtect() function by hash. It then
uses this address to change access rights to PAGE_EXECUTE_READWRITE, starting from the
function at 0x10001000 and ending with the entire .text section:

Getting the function’s address by the hash passed as a parameter:


-----

Script to get a function by hash:


-----

Changing the permissions to PAGE_EXECUTE_READWRITE was necessary to decrypt the code
using the XOR operation:


-----

One version of the backdoor has dynamic XOR encryption. It has decryption at the beginning of
the function:

And with encryption at the end of the function:


-----

Facilitating the script’s work for IDAPython:
```
 import idaapi
 def xor_dec(address, count, key):
   for i in xrange(count):
     idaapi.patch_dword(address, idaapi.get_dword(address) ^ key) 
     key += idaapi.get_dword(address)
     address += 4

```
Before performing malicious actions, the backdoor, as in the case of VirtualProtect(),
receives functions’ addresses that it needs to work


-----

Received features:

|Function name|Hash|
|---|---|
|CloseHandle|0x528796C6|
|CreateFileA|0x4FDAF6DA|
|DeleteFileA|0x13DD2ED7|
|ExitProcess|0x56A2B5F0|
|GetAdaptersInfo|0x62C9E1BD|
|GetModuleFileNameA|0xFE61445D|
|GetSystemDirectoryA|0x60BCDE05|
|LoadLibraryA|0x726774C|
|ReadFile|0xBB5F9EAD|


-----

|Function name|Hash|
|---|---|
|RegCloseKey|0x81C2AC44|
|RegDeleteValueA|0x3846A3A8|
|RegEnumValueA|0x2EC95AA4|
|RegOpenKeyExA|0x3E9E3F88|
|RegQueryValueExA|0x8FF0E305|
|VirtualAlloc|0xE553A458|
|VirtualFree|0x300F2F0B|
|VirtualProtect|0xC38AE110|
|WinExec|0x876F8B31|
|WriteFile|0x5BAE572D|


In addition, the backdoor checks if it is executed in a sandbox:


-----

After receiving the function addresses and checking for execution in the sandbox,
BackDoor.PlugX.93 removes the updatecfgSetup task from the task scheduler:

The key for shellcode encryption is MD5 from the following registry key values:


-----

The shellcode is stored in the following registry keys:


-----

Before running the shellcode, it’ll be decrypted in 2 steps: first, using the RC4 algorithm:

then, with XOR:


-----

#### BackDoor.Siggen2.3622

**Added to the Dr.Web virus database: 2021-11-03**

**Virus description added: 2021-xx-xx**

**Packer: UPX**

**SHA1 hash: be4d8344669f73e9620b9060fd87bc519a05617a**

##### Description

A backdoor written in Go. It’s packed by UPX. Investigated backdoor version V2.5.5 z 2021.7.19.

##### Operating principle

In the beginning, the malicious code checks if another backdoor copy is running. The trojan
checks for the c:\windows\inf\mdmslbv.inf file. If it exists, the trojan starts reading. You
can use the following script to decrypt:
```
 import sys
 with open(sys.argv[1], 'rb') as f:
   d = f.read()
 s = bytearray()
 for i in range(len(d)):
   s.append(d[i])
 for i in range(len(s)-2, 0, -1):
   s[i] = (((s[i + 1] * s[i + 1]) ^ s[i]) & 0xff)
 with open(sys.argv[1] + '.dec', 'wb') as f:
   f.write(s)

```
Encrypted file’s length

The packet’s structure:


-----

 - random string from 10 to 19 characters long

 - between the <a>...</a> tags contains the backdoor process’s PID

 - between the <b>...</b> tags is the process’s name

 - random string from 10 to 19 characters long

The trojan checks for the existence of a process with the specified parameters. If it finds it, the
trojan terminates its work.

If it doesn’t find a process with the specified parameters or the mdmslbv.inf file itself, the
trojan generates data as shown above. Then, it encrypts and writes to the c:
```
\windows\inf\mdmslbv.inf.

```
Communication with the command and control server

The trojan has command and control server: blog[.]globnewsline[.]com.

The trojan sends a GET request to the following URL:
```
hxxps://blog.globnewsline.com:443/db/db.asp using User-Agent "Mozilla/5.0 (X11;

```
Windows x86_64; rv:70.0) Gecko/20100101 Firefox/70.0". If the server response contains the
substring Website under construction, then the trojan considers that the control server is
available. If the server is unavailable, the malicious code checks for the presence of a proxy
configuration file c:\windows\inf\bksotw.inf. If that’s present, the trojan reads the
parameters written in the file.

The backdoor uses MAC addresses as the network interface bot ID. For heartbeat requests, the
following POST requests are used:
```
 https://blog.globnewsline.com:443/db/db.asp?m=w&n=~A<macaddr>.t

```
where <macaddr> is the MAC address string, converted to uppercase with colons removed.

Next, a GET request is sent to get a list of commands:
```
 https://blog.globnewsline.com:443/db/A<macaddr>.c

```
The server response is encrypted in the same way as the file with the backdoor process’s PID.

The following commands can be executed:

 - up

 - down

 - bg

 - bgd

 - getinfo


-----

The command’s result is encrypted the same way as the command itself was encrypted. Then, it’s
sent in the POST request’s body to the following URL:


-----

#### BackDoor.Whitebird.30

**Added to the Dr.Web virus database: 2021-10-21**

**Virus description added: 2021-xx-xx**

**Packer: absent**

**Compilation date: 2021-29-03**

**SHA1 hash: abfd737b14413a7c6a21c8757aeb6e151701626a**

##### Description

A multi-functional backdoor trojan for 64-bit and 32-bit Microsoft Windows operating system
family. It’s designed to establish an encrypted connection with the command and control server
and unauthorized control of an infected computer. It has a file manager and Remote Shell’s
functions.

##### Preparing procedures

At the beginning of the work, the backdoor decrypts the overlay provided by the shellcode. The
first encryption layer is removed by the following algorithm:
```
 k = 0x37
 s = bytearray()
 for i in range(len(d)):
   c = d[i] ^ k
   s.append(c)
   k = (k + c) & 0xff

```
The second layer is the XOR operation with the key 0xCC.

This overlay contains:

  - configuration of trojan

 - module for bypassing UAC

Configuration looks as follows:


-----

The flags field displays which autoload methods the trojan should use, and what launch
features are:


-----

If the launch is specified via the task scheduler (INSTALL_AS_MSTASK), then the configuration
```
flags creates a mutex after decrypting. That prevents restart:

```
Next, it checks if the trojan has enough rights to launch in the way that was previously specified
in the configuration. If not, it restarts itself to bypass UAC.

Trojan checks for the presence of a file in the path
```
C:Users\Public\Downloads\clockinstall.tmp, and if it exists, it deletes
clockinstall.tmp.

```
If the clockinstall.tmp file is missing, it checks if the install file exists in the folder from
which the trojan was launched. If it exists, it removes it.

Then, it installs itself into the system in accordance with the type specified in the configuration.
The backdoor will also try to hide its activity from the user.

If the trojan runs on a 32-bit OS, then the same mechanism for hiding a service from running
[ones is valid, as in BackDoor.PlugX.28, deleting that structure from the list of](https://vms.drweb.ru/virus/?i=21507745)
```
ServiceDatabase structures. That corresponds to the trojan service.

```
If the configuration specifies that the trojan should be injected into a process, then it’ll be
injected into the target process. If the RUN_AS_USER flag is specified in the configuration, then
the trojan will wait until at least one authorized user appears. After that, it’ll create its own
process, but on behalf of the user.


-----

Regardless of the trojan's autorun type, only one process can communicate with the command
and control server. This creates a mutex:

Before attempting to establish a connection with the command and control server, trojan
determines the proxy server settings. For this purpose:

 - The presence of the <process_name>.ini file in the folder from which the trojan process
was launched is checked. Example of the configuration:
```
 [AntiVir]
 Cloud=0A0804D2242000000000000000000000000000000000000000000000000000000000
 0000000000000000000000000000299CC1003C9CC10098F11900DCF1190062F21900000000
 00E02AC300CC004501D8F11900000000000000000000000000000000000000000000000000
 00000000000000000000000000000000000000000000000000000000000001

```
 - Reads a file named <loader_name>.tmp in the trojan folder, where <loader_name> is
the value from the configuration

 - Reads proxy settings from registry
```
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,

```
keys ProxyEnable and ProxyServer

 - Reads proxy settings from Mozilla Firefox settings - %APPDATA%
```
  \Mozilla\Firefox\<profile>\prefs.js

```
 - Checks for stored login:password from the proxy server in Mozilla Firefox and Internet
Explorer

##### Control server protocol

Establishing a connection to the server mimics the creation of a TLS1.0 connection between the
client and the server. Trojan body contains two buffers:

1. Contains the TLS1.0 Client Hello package:

2. Contains TLS 1.0 Client Key Exchange packets with key length 0x100 bytes, Change Cipher
Spec, Client Handshake Finished:


-----

When sending a Client Hello packet, the trojan encrypts all bytes of the Client Random field,
starting from the 4th one, using the XOR method with random bytes. It also records the current
time in the first 4. The server's response to this message is accepted, but the data is ignored.

When sending the second packet, the backdoor also encrypts the Client Key Exchange packet’s
public key field using the XOR method with random bytes, and writes its 28-byte key into the
data of the Client Handshake Finished packet. That’ll be used to encrypt and decrypt packets
sent or received from the server. The backdoor encrypts the last 4 bytes of the Client Handshake
Finished packet with random bytes. Then, it sends it to the command and control server. In
response, the server sends its own key. That key is used to initialize the key shared with the client.

After that, the backdoor enters the command processing cycle from the control server. The
traffic between the client and the server is encrypted using the RC4 algorithm.

The list of commands:

|opcode|Command|
|---|---|
|0x01|Gathering information regarding the infected device|
|0x02|Remote shell|
|0x03|File manager (see below for commands ending in 3)|
|0x100|Keep-Alive|
|0x103|Open file for writing|


-----

|0x203|Download a file|
|---|---|
|0x303|Data to be written|
|0x400|Reconnect to server|
|0x403|Obtain information about disk or directory listing;|
|0x500|To finish work|
|0x503|Move a file|
|0x600|Delete proxy configuration ini file|
|0x603|Delete a file|
|0x703|Run a process|
|0x700|Execute a command during ShellExecute|
|0x800|Renew configuration|


-----

#### Trojan.DownLoader43.44599

**Added to the Dr.Web virus database: 2021-10-15**

**Virus description added: 2021-10-20**

**Packer: absent**

**Compilation date: 2020-07-13**

**SHA1 hash: 1a4b8232237651881750911853cf22d570eada9e**

##### Description

The trojan is written in C++. It’s used for unauthorized control of an infected computer.

##### Operating principle

In the beginning, the trojan decrypts the C&C server’s IP addresses and ports using the XOR
operation:
```
 import idaapi
 address = 0x416200
 for i in xrange(0x7c):
   idaapi.patch_byte(address + i, idaapi.get_byte(address + i) ^ 0xEF)

```
Decryption result:


-----

C&C server—159.65.157.100:443

Communication with it occurs using sockets:


-----

Depending on the time, the connection to the required C&C server will be selected:


-----

The trojan creates file tmp.0 in folder %tmp%, that it use as log.


-----

Collect information about the system:


-----

-----

-----

Trojan.DownLoader43.44599 pushes each value onto a stack before encrypting and sending the
collected data. The transferred data looks as follows:
```
 struct computer_info {
   string computer_name;
   string user_name;
   uint32_t major_version;
   uint32_t minor_version;
   uint32_t build_number;
   uint32_t computer_bitness;
   string March01;
   uint32_t code_page_id;
   uint32_t oem_code_page_id;
 };

```
To encrypt the information collected about the system, the AES128 algorithm is used in CBC
mode.

The key and initialization vector are embedded inside:


-----

The decryption method looks as follows:
```
 from Crypto.Cipher import AES
 key = '\x95\x2B\x2D\xBF\x09\xC5\x2F\x80\xB4\xBC\x47\x27\x29\xB3\x28\x09'
 iv = '\x63\x5F\x72\x2A\xBB\xE3\xE8\x95\xF8\xF9\x32\x87\x53\x6A\x77\xFB'
 enc = ...
 decipher = AES.new(key, AES.MODE_CBC, iv)
 open('dec', 'wb').write(decipher.decrypt(enc))

```
The command execution cycle received from the C&C server:


-----

Table of commands compiled from the results of this cycle:

|Command ID|Command|
|---|---|
|0x51|Creating cmd.exe process|
|0x52|Execution command exit in cmd.exe|
|0x54|Execute commands in the cmd.exe console;|
|0x60|Creating the flow that reads, writes, and encrypts files.|


-----

#### Trojan.Loader.891

**Added to the Dr.Web virus database: 2021-10-15**

**Virus description added: 2021-xx-xx**

**Packer: absent**

**Compilation date: 2021-09-03 12:04:44**

**SHA1 hash: 595b5a7f25834df7a4af757a6f1c2838eea09f7b**

##### Description

This trojan is written in C. The program contains several files, and the trojan uses each file
sequentially. The trojan’s main task is to decrypt the shellcode and execute it. The decrypted
shellcode contains BackDoor.Whitebird.30, a module for bypassing UAC and backdoor
configuration.

##### Operating principle

The trojan folder contains the following files:

  - mcupdui.exe — the executable file into which the malicious library is loaded using
Hijacking DLL has a valid McAfee signature:
```
  4F638B91E12390598F037E533C0AEA529AD1A371: CN=McAfee, Inc., OU=IIS,
  OU=Digital ID Class 3 - Microsoft Software Validation v2,
  O=McAfee, Inc., L=Santa Clara, S=California, C=US

```
 - McUiCfg.dll — downloader

 - mscuicfg.dat — encrypted shellcode

 - mcupdui.ini — configuration of trojan

To move to the main malicious functionality, the trojan modifies the process memory:

The instruction following the malicious library’s download library is modified:


-----

Trojan.Loader.891 finds all the functions it needs by hashes using the PEB (Process Environment
Block) structure.

At the same time, the names of libraries and functions are hashed differently: library names are
hashed as Unicode strings converted to upper case. Function names are hashed as ASCII strings
without changing the case. The resulting two hashes are added together and then compared
with the desired one.


-----

Trojan’s main functions are encrypted. When the function is called, it decrypts its code, and when
it exits, it encrypts it back.

Main function:

Trojan.Loader.891 obtains the MAC addresses of all network interfaces on the computer. The
trojan then reads data from the mscuicfg.dat file. If the last 6 bytes are zero, then it writes the
first MAC address from the list into them and encrypts this file with the RC4 algorithm. In this


-----

case, the key is equal to the MAC address written to the file, so the encrypted data is saved to
the file mscuicfg.dat.

After that, in any way, the trojan reads the file again, sorting through each of the received MAC
addresses until it finds the right one. The decryption’s correctness is checked by matching the
last 6 decrypted bytes with the encryption key. Upon successful decryption, the trojan cuts them
off and decrypts the file again using the RC4 algorithm, but takes the string mscuicfg.dat as
the key. The received data is a shellcode with a configuration and a payload.

##### Shellcode

The shellcode is obfuscated with a lot of JMP instructions and each value is computed with a lot
of SUB, ADD, and XOR operations:

The shellcode’s principle is to decrypt the payload and load it into memory for execution.

The last DWORD of the shellcode contains the OFFSET before the start of the payload.

Encrypted data at this stage:


-----

-----

For decryption, XOR with a dynamic key is used:
```
 k = 0x37
 s = bytearray()
 for i in range(len(d)):
   c = d[i] ^ k
   s.append(c)
   k = (k + c) & 0xff

```
The decrypted data contains an MZPE file with signatures replaced:


-----

The decoded module is BackDoor.Whitebird.30. In addition, the module overlay contains an
encrypted configuration and a module for bypassing UAC:


-----

-----

#### Trojan.Loader.896

**Added to the Dr.Web virus database: 2021-11-03**

**Virus description added: 2021-11-17**

**Packer: absent**

**Compilation date: 2020-14-10**

**SHA1 hash: ff82dcadb969307f93d73bbed1b1f46233da762f**

##### Description

The backdoors downloader, PlugX, is written in C.

##### Operating principle

After loading from the main module (msrers.exe) using the LoadLibraryW function, the
trojan loads the kernel32.dll library using the LoadLibraryA. Then, it gets the address of
the exported function GetModuleFileNameA:

It then obtains the name of the main module using the previously obtained function
```
GetModuleFileNameA. It checks if the name contains the substring "ers." (msrers.exe):

```

-----

From the hash, 0xEF64A41E gets the function VirtualProtect to change the memory
access rights to PAGE_EXECUTE_READWRITE at 0x416362 (msrers.exe):

The following fragment will modify the code at 0x416362 (msrers.exe):


-----

Place in the main module to be modified:

Next, a function is called that receives the base kernel32.dll, and the addresses of the
functions by hashes.

Script to get a function by hash:


-----

Received features:

|Function name|Hash|
|---|---|
|VirtualProtect|0xEF64A41E|
|GetLastError|0x12F461BB|
|CloseHandle|0xFF0D6657|


-----

|Function name|Hash|
|---|---|
|ReadFile|0x130F36B2|
|VirtualAlloc|0x1EDE5967|
|GetFileSize|0xAC0A138E|
|CreateFileA|0x94E43293|
|lstrcat|0x3E8F97C3|
|GetModuleFileNameA|0xB4FFAFED|


In the following, the below structure is used to call these functions:
```
 struct api_addr {
   DWORD (__stdcall *GetModuleFileNameA)(HMODULE, LPSTR, DWORD);
   LPSTR (__stdcall *lstrcat)(LPSTR, LPCSTR);
   HANDLE (__stdcall *CreateFileA)(LPCSTR, DWORD, DWORD,
 LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
   DWORD (__stdcall *GetFileSize)(HANDLE, LPDWORD);
   LPVOID (__stdcall *VirtualAlloc)(LPVOID, SIZE_T, DWORD, DWORD);
   BOOL  (__stdcall *ReadFile)(HANDLE, LPVOID, DWORD, LPDWORD,
 LPOVERLAPPED);
   BOOL  (__stdcall *CloseHandle)(HANDLE);
   DWORD (__stdcall *GetLastError)();
 };

```
Trojan takes the name dll (TmDbgLog.dll) and adds the ".TSC" extension to it. Next, it
opens the file TmDbgLog.dll.TSC for reading and decrypts its contents, which turns out to be
a shellcode.

After decrypting the shellcode (TmDbgLog.dll), the trojan starts executing it:


-----

The below is how the script for decrypting the shellcode looks like:
```
 enc = bytearray(open('TmDbgLog.dll.TSC', 'rb').read())
 dec = bytearray()
 for i in xrange(len(enc)):
   dec.append(((enc[i] ^ 0xbb) - 1) & 0xff)
 open('TmDbgLog.dll.TSC.dec', 'wb').write(dec)

```
Before decrypting and running the payload, the shellcode assembles the following structure:
```
 struct st_mw {
  DWORD magic;
  DWORD *shell_base;
  DWORD shell_size;
  DWORD *enc_payload;
  DWORD enc_payload_size;
  DWORD *enc_config;
  DWORD enc_config_size;
  DWORD *payload_entry;
 };

```
This is what the encrypted config looks like:


-----

The config’s decryption will be done directly in the payload:
```
 import struct
 enc = open('enc_cfg', 'rb').read()
 key, = struct.unpack('I', enc[0:4])
 key1 = key
 key2 = key
 key3 = key
 dec = bytearray()
 for i in xrange(len(enc)):
   key = (key + (key >> 3) - 0x11111111) & 0xFFFFFFFF
   key1 = (key1 + (key1 >> 5) - 0x22222222) & 0xFFFFFFFF
   key2 = (key2 + 0x33333333 - (key2 << 7)) & 0xFFFFFFFF
   key3 = (key3 + 0x44444444 - (key3 << 9)) & 0xFFFFFFFF
   dec.append(ord(enc[i]) ^ (key + key1 + key2 + key3) & 0xFF)
 open('dec_cfg', 'wb').write(dec)

```
And it’ll look like this:


-----

Encrypted payload:

Script to decrypt the payload:


-----

After decrypting the payload, the shellcode transfers control to the trojan, with the previously
assembled structure st_mw acting as one of the parameters:

[Further, the trojan works in the same way as the backdoor BackDoor.PlugX.28.](https://vms.drweb.com/virus/?lng=en&i=21507745)


-----

#### Trojan.Uacbypass.21

**Added to the Dr.Web virus database: 2021-10-22**

**Virus description added: 2021-10-22**

**Packer: absent**

**Compilation date: 2019-09-29**

**SHA1 hash: 7412b13e27433db64b610f40232eb4f0bf2c8487**

##### Description

This trojan is written in C. It elevates backdoor privileges. It also disguises itself as a legitimate
process and uses a COM object to bypass User Account Control (UAC). In this way, it elevates
the executable process’s privileges.

##### Operating principle

The trojan disguises as a legitimate process C:\Windows\explorer.exe via PEB (Process
Environment Block). That’s how it fools the IFileOperation COM object into thinking it’s
being called from a Windows Explorer shell.


-----

-----

The trojan obtains a COM object to implement UAC bypass via privilege elevation
(https://github.com/cnsimo/BypassUAC/blob/master/BypassUAC_Dll/dllmain
```
.cpp):

```
It allows Trojan.Uacbypass.21 to run the file that was passed to it as an argument as a legitimate
Windows process:


-----

-----

-----

### Appendix. Indicators of Compromise


##### SHA1 hashes

**Trojan.Loader.889**

f783fc5d3fc3f923c2b99ef3a15a38a015e2735a: McUiCfg.dll

**Trojan.Loader.890**

65f64cc7aaff29d4e62520afa83b621465a79823: SRVCON.OCX

8b9e60735344f91146627213bd13c967c975a783: CLNTCON.OCX

84d5f015d8b095d24738e45d2e541989e6221786: sti.dll

3d8a3fcfa2584c8b598836efb08e0c749d4c4aab: iviewers.dll

**Trojan.Loader.891**

595b5a7f25834df7a4af757a6f1c2838eea09f7b: McUiCfg.dll

**Trojan.Loader.893**

46e999d88b76cae484455e568c2d39ad7c99e79f: McUiCfg.dll

**Trojan.Loader.894**

b1041acbe71d46891381f3834c387049cbbb0806: iviewers.dll

**Trojan.Loader.895**

635e3cf8fc165a3595bb9e25030875f94affe40f: McUiCfg.dll

**Trojan.Loader.896**

ff82dcadb969307f93d73bbed1b1f46233da762f: TmDbgLog.dll

**Trojan.Loader.898**

429357f91dfa514380f06ca014d3801e3175894d: CLNTCON.OCX


-----

**Trojan.Loader.899**

cc5bce8c91331f198bb080d364aed1d3301bfb0c: LDVPTASK.OCX

**BackDoor.PlugX.93**

a8bff99e1ea76d3de660ffdbd78ad04f81a8c659: CLNTCON.OCX

**BackDoor.PlugX.94**

5a171b55b644188d81218d3f469cf0500f966bac

**BackDoor.PlugX.95**

b3ecb0ac5bebc87a3e31adc82fb6b8cc4fb66d63: netcfg.dll

**BackDoor.PlugX.96**

a3347d3dc5e7c3502d3832ce3a7dd0fc72e6ea49

**BackDoor.PlugX.97**

36624dc9cd88540c67826d10b34bf09f46809da7

**BackDoor.PlugX.100**

16728655e5e91a46b16c3fe126d4d18054a570a1

**BackDoor.Whitebird.30**

abfd737b14413a7c6a21c8757aeb6e151701626a

a5829ed81f59bebf35ffde10928c4bc54cadc93b

**Trojan.Siggen12.35113**

4f0ea31a363cfe0d2bbb4a0b4c5d558a87d8683e: rapi.dll

**Trojan.Uacbypass.21**

20ad53e4bc4826dadb0da7d6fb86dd38f1d13255


-----

**Program.RemoteAdmin.877**

23873bf2670cf64c2440058130548d4e4da412dd: AkavMiqo.exe

**Tool.Frp**

a6e9f5d8295d67ff0a5608bb45b8ba45a671d84c: firefox.exe

39c5459c920e7c0a325e053116713bfd8bc5ddaf: firefox.exe

##### Network indicators

**Domains**

webmail.surfanny.com

www.sultris.com

mail.sultris.com

pop3.wordmoss.com

zmail.wordmoss.com

youtubemail.club

clark.l8t.net

blog.globnewsline.com

mail.globnewsline.com

**IPs**

45.144.242.216

45.147.228.131

46.105.227.110

5.183.178.181

5.188.228.53

103.30.17.44

103.93.252.150

103.230.15.41

103.251.94.93

104.233.163.136

159.65.157.100

180.149.241.88

185.105.1.226


-----

192.236.177.250

209.250.241.35


-----