Virus techniques being used in Trojans

We found some unusual backdoors in the past few weeks. They seem like standard variants of Agobot, Rbot and other bots controlled via IRC. However, they contain files that work like EPO viruses.

Entry point obscuring viruses (EPOs)
There is a small group of parasitic viruses, including both appending and inserting viruses, which do not modify the entry point address in the headers of EXE files. Instead, EPO viruses write an instruction that passes control to the virus body into the middle of the infected file. The virus code is then executed only when the host routine containing that redirection is called. If this routine is rarely used (e.g. a rarely triggered error notification), an EPO virus can remain dormant for a long time.
Virus writers need to choose the entry point carefully: a badly chosen entry point can either corrupt the host file or cause the virus to remain dormant long enough for the infected file to be deleted.
Virus writers use different methods to find useful entry points:
- searching for frames and overwriting them with infected starting points;
- disassembling the host file code;
- or changing the addresses of imported functions.

Unlike typical viruses, these backdoors do not infect files. Somebody builds these files by hand and appends a backdoor. For instance, winrar.exe is a genuine file from the RAR archiver, but in this case it contains an extra section with a backdoor.

Such Trojans are difficult to detect, since the backdoor code is not executed at the moment the file is launched. The technique is also dangerous because it lets virus writers recycle old Trojans: the resulting files will not match the existing virus definitions of most antivirus vendors.
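A triage check for the hand-built case described above, added here as an example and not part of the original post: it parses the PE section table of a file and flags any executable section that does not contain the entry point, which is exactly where an appended backdoor section (as in the winrar.exe case) ends up. The sample images, the section names (`.bdoor`) and the function names are constructed for this example.

```python
import struct

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data):
    """Return (entry_rva, [(name, va, size, characteristics), ...]) from a PE32 buffer."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> PE signature
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), chars))
    return entry, sections

def find_suspicious_sections(data):
    """Flag executable sections other than the one holding the entry point (where an appended backdoor lands)."""
    entry, sections = parse_pe(data)
    entry_sec = next((s for s in sections if s[1] <= entry < s[1] + s[2]), None)
    findings = []
    for sec in sections:
        if sec is entry_sec or not sec[3] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            continue
        reason = "executable section outside the entry-point section"
        if sec[3] & IMAGE_SCN_MEM_WRITE:
            reason += ", also writable"            # RWX code sections are a strong indicator on their own
        findings.append((sec[0], reason))
    return findings

def build_pe(sections, entry_rva):
    """Constructed minimal PE32 (headers only, no real code) used as sample input for this example."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), sz, va, sz, 0, 0, 0, 0, 0, ch)
                    for n, va, sz, ch in sections)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + opt + hdrs

# Constructed samples: a normal three-section layout, and the same layout with an extra RWX section appended
BASE = [(".text", 0x1000, 0x20000, 0x60000020), (".rdata", 0x21000, 0x5000, 0x40000040), (".data", 0x26000, 0x3000, 0xC0000040)]
CLEAN_SAMPLE = build_pe(BASE, 0x1234)
TROJANIZED_SAMPLE = build_pe(BASE + [(".bdoor", 0x29000, 0x4000, 0xE0000020)], 0x1234)
```

On real files a second executable section is not proof of tampering (packers and some linkers produce them), so the finding is a triage signal to compare against a known-good copy or the vendor's signed release.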
