"PDF File" Trojan Also Uses Cloud Technology
Recently we found a simple malicious downloader (a trojan) that fetches a "PDF" file. Unlike other malicious loaders, this malware does not carry the PE loader inside its own binary.
The bot comes online
Once executed, the loader collects system information about the local user, builds a URL from it, and connects to a server.
In the example above, `AVA*****5` (the first masked part) is the victim's computer name, and the `51-SP` that follows is the system version.
Analysis of the fake PDF
Although the file downloaded by the loader carries a PDF extension, its content is very different from that of a real PDF file.
The loader uses the hardcoded value 0x74E7E1C8 to decrypt the content hidden in this fake PDF file. After decryption, if the decrypted length matches the length of the entire fake PDF, the loader checks the DWORD value at offset 0x12. If it equals the hardcoded signature 0x2E0F1567, a second DWORD value located at offset 4 is then checked.
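To turn the container checks described above into a triage test that can be run over downloaded ".pdf" files, here is an added Python example (not code from the original analysis). The page does not name the decryption algorithm, so a repeating 4-byte XOR with the key 0x74E7E1C8 is assumed as a stand-in, and the sample input is constructed.

```python
import struct

# Values taken from the analysis above (hardcoded in the sample).
DECRYPT_KEY = 0x74E7E1C8      # 32-bit value the loader uses to decrypt the fake PDF
CONTAINER_SIG = 0x2E0F1567    # expected DWORD at offset 0x12 after decryption
SIG_OFFSET = 0x12
SECOND_DWORD_OFFSET = 0x4     # second DWORD the loader inspects; its meaning is not stated


def decrypt(buf: bytes, key: int = DECRYPT_KEY) -> bytes:
    """ASSUMPTION: the analysis does not name the cipher; a repeating 4-byte
    XOR (little-endian key) stands in for it so the structural check can run."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(buf))


def inspect_fake_pdf(buf: bytes) -> dict:
    """Triage a downloaded '.pdf': real PDFs start with %PDF-; the fake
    container decrypts to CONTAINER_SIG at offset 0x12."""
    result = {"real_pdf": buf.startswith(b"%PDF-"),
              "fake_container": False, "second_dword": None}
    if len(buf) < SIG_OFFSET + 4:
        return result
    plain = decrypt(buf)          # decryption spans the whole file, as in the sample
    sig = struct.unpack_from("<I", plain, SIG_OFFSET)[0]
    if sig == CONTAINER_SIG:
        result["fake_container"] = True
        result["second_dword"] = struct.unpack_from("<I", plain, SECOND_DWORD_OFFSET)[0]
    return result


def build_sample_container(second_dword: int, payload: bytes) -> bytes:
    """Constructed test input (not a real capture): a header carrying the second
    DWORD at offset 4 and the signature at 0x12, then a payload, then 'encrypted'."""
    hdr = bytearray(SIG_OFFSET + 4)
    struct.pack_into("<I", hdr, SECOND_DWORD_OFFSET, second_dword)
    struct.pack_into("<I", hdr, SIG_OFFSET, CONTAINER_SIG)
    return decrypt(bytes(hdr) + payload)   # XOR is symmetric, so decrypt == encrypt


if __name__ == "__main__":
    sample = build_sample_container(0x1234, b"MZ" + b"\x00" * 64)
    print(inspect_fake_pdf(sample))
    print(inspect_fake_pdf(b"%PDF-1.4\n"))
```

In the real sample the decrypted blob is still LZNT1-compressed and only shows the MZ header after RtlDecompressBuffer, so this check covers the container stage only.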
The loader's bootstrap code calls the cloud loader
In the code above, `esi` holds the starting offset of the "PDF file", and `call eax` is what actually executes the cloud loader.
We can see that offset 0x1134 holds the address of the RtlDecompressBuffer API. After that API is called, the malicious PE file appears, and the cloud loader uses a small trick to detect the MZ header signature.
During our analysis, we found that this malware was downloading other malware, such as W32/Battdil.I!tr and W32/Kryptik.CWIM!tr.
Summary
Why does this malware remove the loader from its binary? We believe the aim is to make the malware a smaller target for detection, and the cloud loader also makes it easier for the malware authors to add more features in the future.