Analysis Report on the "Shadow Stealing" Remote Control Trojan

Source: Internet
Author: User


I. Overview

Multiple users have reported the same scheme. A scammer, claiming to want to trade in-game equipment, sends a compressed archive and urges the victim to open the "image" inside it. During the supposed transaction the victim suddenly loses control of the mouse and keyboard; the scammer is in fact operating the computer remotely and transfers the victim's in-game property away, causing real financial loss.

According to the harbork analysis system, this is a backdoor-class Trojan that uses a game trade as its pretext and whose real purpose is to take control of the victim's computer. The file named "image" that appears in the archive is actually a shortcut (.lnk). Double-clicking it launches a Trojan executable hidden in the same directory, which then implants a backdoor on the computer.

The remote control core of this Trojan is a modified version of the earlier Gh0st remote control Trojan and is highly stealthy. Once a computer is taken over, the attacker can steal files, monitor the screen, and operate the mouse and keyboard, which makes it extremely harmful. Although similar cases have been reported before, the recent rapid spread of this family poses a serious security risk across the whole network.


II. Detailed Analysis

After extracting the archive they received, the victim sees a file named "image" in the directory. Windows never displays the .lnk extension of a shortcut, even when "hide extensions for known file types" is turned off, which is what makes this disguise work.


It is in fact a shortcut. Viewing the shortcut's properties shows that what actually runs is a file named image.com.


After enabling the option to show hidden files, three hidden files become visible. image.com is actually an executable; Windows still treats the .com extension as a program, so double-clicking it runs it.
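A shortcut can be triaged without double-clicking it by reading its string fields directly. The following is an added example, not code from the original report: a minimal parser for the shortcut (.lnk) layout described in the MS-SHLLINK specification, plus a builder that produces a constructed sample shortcut pointing at .\image.com with an image icon, as this Trojan's shortcut is described. The icon location and the ShowCommand value used in the sample are assumptions for illustration.

```python
"""Read the string fields of a Windows shortcut (.lnk) without running it.
Added example; the sample shortcut is constructed here, not the real one."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
EXEC_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")


def _read_string(buf, pos, unicode):
    """One StringData item: CountCharacters (uint16) followed by the characters."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(buf):
    """Return ShowCommand and the StringData fields of a shell link."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if buf[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", buf, 20)[0]
    show_cmd = struct.unpack_from("<I", buf, 0x3C)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the IDList (not decoded here)
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (not decoded here)
        pos += struct.unpack_from("<I", buf, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {"show_command": show_cmd}
    # StringData items appear in this fixed order when their flag is set.
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            out[key], pos = _read_string(buf, pos, unicode)
    return out


def looks_malicious(info):
    """Heuristic for this lure: a 'picture' whose target is an executable."""
    return info.get("relative_path", "").lower().endswith(EXEC_SUFFIXES)


def build_lnk(relative_path, working_dir, arguments="", icon_location="", show_cmd=7):
    """Build a minimal shortcut (no IDList, no LinkInfo) for testing the parser.
    show_cmd=7 is SW_SHOWMINNOACTIVE, a value attackers pick to keep the window out of sight."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    if icon_location:
        flags |= HAS_ICON_LOCATION
    hdr = struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0)   # HeaderSize, CLSID, LinkFlags, FileAttributes
    hdr += b"\x00" * 24                                              # Creation/Access/Write time
    hdr += struct.pack("<IIIHHII", 0, 0, show_cmd, 0, 0, 0, 0)       # FileSize, IconIndex, ShowCommand, HotKey, Reserved
    body = b""
    for s, bit in ((relative_path, HAS_RELATIVE_PATH), (working_dir, HAS_WORKING_DIR),
                   (arguments, HAS_ARGUMENTS), (icon_location, HAS_ICON_LOCATION)):
        if flags & bit:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return hdr + body


# Constructed sample: a shortcut that runs image.com in its own directory (assumed icon path).
SAMPLE_LNK = build_lnk(".\\image.com", ".", icon_location=".\\image.jpg")

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info, "SUSPICIOUS" if looks_malicious(info) else "ok")
```

Real shortcuts usually carry the absolute target inside the IDList, which this parser only skips; the relative path and arguments it does read are what matter for this lure, and a full IDList decoder is the natural next step.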


When image.com runs, it first opens the prepared picture so that the user believes an ordinary image was received and lowers their guard:


It then copies itself and Release.dll to the system folder. Opening Release.dll in a hex editor shows a PE file whose MZ header has been removed, so that on disk it does not look like an executable to simple file-type checks.


Next, the .com file runs its copy in the system folder. This new process restores the MZ header of Release.dll so that it becomes a complete PE file again, then loads and executes it. The main remote control code lives in this DLL.
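A file stored this way still betrays itself: e_lfanew at offset 0x3C still points at the "PE\0\0" signature even though the "MZ" magic is gone. The following is an added example, not the report's own tooling, that recognises such a headerless image, restores the two magic bytes, and, for the harder case where the whole DOS header was zeroed, scans for the PE signature instead. The sample image is constructed and is not the real Release.dll.

```python
"""Detect and repair a PE image whose MZ header was blanked on disk.
Added example; the sample image below is constructed."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C4, 0xAA64}   # x86, x64, ARM, ARM64


def pe_signature_offset(buf):
    """e_lfanew lives at 0x3C in the DOS header regardless of the MZ bytes."""
    if len(buf) < 0x40:
        return None
    off = struct.unpack_from("<I", buf, 0x3C)[0]
    if off < 0x40 or off + 4 > len(buf):
        return None
    return off


def is_headerless_pe(buf):
    """True when the MZ magic is missing but e_lfanew still points at 'PE\\0\\0'."""
    off = pe_signature_offset(buf)
    return off is not None and buf[:2] != MZ and buf[off:off + 4] == PE_SIG


def restore_mz(buf):
    """Put the two magic bytes back; the rest of the DOS header is untouched."""
    if not is_headerless_pe(buf):
        raise ValueError("not a headerless PE image")
    return MZ + buf[2:]


def find_pe_signature(buf, limit=4096):
    """Fallback when e_lfanew was zeroed too: look for 'PE\\0\\0' followed by a
    plausible COFF Machine value within the first `limit` bytes."""
    pos = buf.find(PE_SIG, 0, limit)
    while pos != -1:
        if pos + 6 <= len(buf):
            machine = struct.unpack_from("<H", buf, pos + 4)[0]
            if machine in KNOWN_MACHINES:
                return pos
        pos = buf.find(PE_SIG, pos + 1, limit)
    return None


def build_minimal_pe(machine=0x8664):
    """Constructed image: DOS header with e_lfanew=0x80, then signature + COFF header."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x80)
    pad = b"\0" * (0x80 - len(dos))
    # COFF FileHeader: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | executable image)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x2022)
    return bytes(dos) + pad + PE_SIG + coff


if __name__ == "__main__":
    good = build_minimal_pe()
    stripped = b"\0\0" + good[2:]          # what Release.dll looks like on disk
    print("stripped image recognised:", is_headerless_pe(stripped))
    print("repaired == original:", restore_mz(stripped) == good)
```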

During execution the Trojan constructs its malicious code dynamically in memory and redirects execution into it. Once running, it attempts to connect to its control IP address.


The Trojan also checks for anti-virus software while it runs. If it finds certain anti-virus products installed, it resorts to a grafting trick: it copies process-structure fields from a legitimate system process over the corresponding fields of its own process, so that it appears to be a whitelisted process and slips past the anti-virus software.

The Trojan first walks the system process list looking for the specified anti-virus processes.


Once such a product is found, it reads the process information of a system process such as csrss.exe and overwrites the key fields of its own process structure with those values, in order to fool the anti-virus software.
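The defensive lesson is that a process's own, user-mode-writable description cannot be trusted; the kernel's view of the process object must be compared against it. The following is an added example, not part of the report, that encodes that comparison as detection logic over a constructed process snapshot. It assumes that the fields the Trojan copies are the image path and name held in the process's user-mode structures (the usual way this trick is done) and that, on a real host, the "PEB" values would be read with NtQueryInformationProcess plus ReadProcessMemory while the "kernel" values would come from QueryFullProcessImageName and the process tree; the expected-parent table is an illustrative assumption.

```python
"""Flag processes that claim to be a core system process but whose
kernel-side facts disagree. Added example with a constructed snapshot."""
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"
# Illustrative expected parents for commonly impersonated processes (assumption).
EXPECTED_PARENT = {
    "csrss.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


@dataclass
class ProcSnapshot:
    pid: int
    peb_image_path: str      # what the process says about itself (user-mode, writable)
    kernel_image_path: str   # what the kernel reports for the process object
    parent_name: str         # "" when the parent has already exited (normal for csrss.exe)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check(proc):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    claimed = basename(proc.peb_image_path)
    actual = basename(proc.kernel_image_path)
    if claimed != actual:
        findings.append(f"pid {proc.pid}: PEB claims {claimed} but kernel image is "
                        f"{proc.kernel_image_path}")
    if claimed in EXPECTED_PARENT:
        if not proc.kernel_image_path.lower().startswith(SYSTEM32 + "\\"):
            findings.append(f"pid {proc.pid}: {claimed} running outside System32")
        want = EXPECTED_PARENT[claimed]
        if proc.parent_name and proc.parent_name.lower() != want:
            findings.append(f"pid {proc.pid}: {claimed} parented by {proc.parent_name}, "
                            f"expected {want}")
    return findings


def scan(snapshot):
    """Run check() over every process and map pid -> findings for the suspicious ones."""
    return {p.pid: f for p in snapshot if (f := check(p))}


# Constructed snapshot: a genuine csrss.exe, a benign user program, and a Trojan
# whose PEB fields were grafted from csrss.exe (paths are illustrative).
SAMPLE_SNAPSHOT = [
    ProcSnapshot(512, r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\csrss.exe", ""),
    ProcSnapshot(4000, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
    ProcSnapshot(5120, r"C:\Windows\System32\csrss.exe", r"C:\Users\victim\Downloads\image.com", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_SNAPSHOT).items():
        print(pid, findings)
```

Note the empty parent for the genuine csrss.exe: the smss.exe instance that starts it exits afterwards, so a missing parent is normal there and must not be flagged on its own.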


After connecting to the control server, the Trojan collects basic information about the victim's computer, such as the CPU and operating system.


It then receives commands from the controller and performs operations such as file management, keyboard and mouse control, and screen monitoring. The handling of these control commands follows the design of the gh0st Trojan that was widespread some years ago.
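Because the command handling is inherited from gh0st, its packet framing is the first thing to look for on the wire. The following is an added example, not from the report, that builds and parses packets in the classic gh0st 3.6 framing: a 5-byte flag "Gh0st", a little-endian uint32 total packet length (header included), a uint32 uncompressed length, and a zlib-compressed body whose first byte is the command token. This is an assumption about the variant analysed here, which as a modified build may use a different flag string or token numbers; the flag is therefore a parameter, and the token values below are as I recall them from the public gh0st source and should be verified against the sample. The system-information string is constructed.

```python
"""Build, parse and spot gh0st-style command packets. Added example; the
framing is the classic gh0st layout and the sample payload is constructed."""
import struct
import zlib

FLAG = b"Gh0st"
HEADER = struct.Struct("<5sII")        # flag, total_len, original_len

# Token values as recalled from the public gh0st 3.6 source (verify against the sample).
COMMAND_DELETE_FILE = 9
COMMAND_SCREEN_SPY = 16
COMMAND_SCREEN_CONTROL = 20
TOKEN_LOGIN = 102


def build_packet(token, payload=b"", flag=FLAG):
    body = bytes([token]) + payload
    comp = zlib.compress(body)
    return HEADER.pack(flag, HEADER.size + len(comp), len(body)) + comp


def parse_packet(data, flag=FLAG):
    """Return (token, payload, remaining_bytes) for the first complete packet in data,
    or None if there is not yet a full packet."""
    if len(data) < HEADER.size:
        return None
    f, total, orig = HEADER.unpack_from(data, 0)
    if f != flag or total < HEADER.size:
        raise ValueError("not a gh0st packet")
    if total > len(data):
        return None                     # wait for more bytes
    body = zlib.decompress(data[HEADER.size:total])
    if len(body) != orig or not body:
        raise ValueError("length field does not match decompressed body")
    return body[0], body[1:], data[total:]


def iter_packets(stream, flag=FLAG):
    """Split a captured TCP stream into (token, payload) pairs."""
    while True:
        parsed = parse_packet(stream, flag)
        if parsed is None:
            return
        token, payload, stream = parsed
        yield token, payload


def looks_like_gh0st(data, flag=FLAG):
    """Network triage without decompressing: known flag, sane lengths, and a
    zlib header (CM=8, FCHECK valid) immediately after the 13-byte header."""
    if len(data) < HEADER.size + 2 or not data.startswith(flag):
        return False
    _, total, orig = HEADER.unpack_from(data, 0)
    if total < HEADER.size + 2 or orig == 0:
        return False
    cmf, flg = data[HEADER.size], data[HEADER.size + 1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


# Constructed login payload standing in for the real CPU/OS report.
SAMPLE_SYSINFO = b"Windows 7 Ultimate|Intel(R) Core(TM) i5|4096 MB\0"

if __name__ == "__main__":
    pkt = build_packet(TOKEN_LOGIN, SAMPLE_SYSINFO)
    print(pkt[:HEADER.size + 2].hex())
    for token, payload in iter_packets(pkt + build_packet(COMMAND_DELETE_FILE, b"C:\\doc.txt\0")):
        print(token, payload)
```

Parsing one packet at a time and returning the remainder matters in practice: the controller pipelines several commands on one TCP connection, and a capture split at a packet boundary is the normal case, not the exception.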

The following code snippet shows how the Trojan monitors the screen by copying the contents of the screen.


For file management, the Trojan can enumerate directories on the victim's machine, read and upload specified files, and delete specified files. The following snippet shows the deletion routine that runs after the Trojan receives a delete-file command from the controller.


The following covers remote control of the victim's keyboard and mouse. With that control, the attacker can sell and buy game equipment from the victim's own computer, causing financial loss to the victim.


After receiving the control command, the Trojan calls the function sub_A091C0, which performs the mouse and keyboard operations.


III. Suggestions


We recommend not opening files downloaded from the Internet or sent by others without care, and scanning them with an anti-virus product before opening. A "picture" that turns out to be a shortcut, or that sits next to hidden files, should be treated as malicious; the shortcut's real target can be checked in its Properties dialog before anything is double-clicked.
