Research

More on Backdoor.Win32.Breplibot.b

We’ve been analysing the backdoor program which uses the Sony rootkit technology.

Trend Micro has told us that the backdoor was mass mailed using spamming technologies. The message sent was as follows:

Message subject:

Requesting Photo Approval

Attachment name:

article_december_3621.exe

Message body:

Hello,

Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.

Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************
The Professional Development Institute
**********************************************

Breplibot.b is 10240 bytes in size, and packed using UPX.

When launching, the backdoor copies itself to the Windows system directory as $SYS$DRV.EXE. Using this name makes it possible for the rootkit technology used by Sony to hide the activity of the malicious program. Of course, the backdoor’s activity will only be hidden if the ‘Sony rootkit’ has been installed on your computer.

Once launched, the backdoor creates the following system registry key:

[HKEY_LOCAL_MACHINE] “WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj”=”$SYS$DRV.EXE”

More on Backdoor.Win32.Breplibot.b

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2022

This is our latest summary of advanced persistent threat (APT) activities, focusing on events that we observed during Q3 2022.

APT10: Tracking down LODEINFO 2022, part I

The first part of this report will provide technical analysis of the new infection methods such as SFX files and DOWNIISSA, a new downloader shellcode used to deploy the LODEINFO backdoor.

Subscribe to our weekly e-mails

The hottest research right in your inbox