

Last fall, APT malware intrusions targeting high-profile companies in Central Asia caught our attention. A few months later, we began working together with fellow malware analysts from ESET to analyze samples used by the group to spy on a telecommunications company, a gas company, and a governmental institution in Central Asia. An APT group, which we believe could possibly be from China, planted backdoors to gain long-term access to corporate networks. Based on our analysis, we suspect the group was also behind attacks active in Mongolia, Russia, and Belarus.

The group behind the attack frequently recompiled their custom tools to avoid AV detection; in addition to the backdoors, these tools included Mimikatz and Gh0st RAT. This has led to a large number of samples, with binaries often protected by VMProtect, making analysis more difficult. The backdoors gave the actors the ability to manipulate and delete files, take screenshots, manipulate processes and services, execute console commands, remove themselves, and more. Further, some commands may have instructed the backdoors to exfiltrate data to a C&C server. Infected devices could also be commanded by a C&C server to act as a proxy or to listen on a specific port on every network interface.

The group also used tools such as Gh0st RAT and Windows Management Instrumentation to move laterally within infiltrated networks. Avast's and ESET's antivirus engines blocked the samples used by the APT group before the group attracted our attention, as our antivirus engines' detections are automated.

Timeline

Figure 1: Timeline of events related to the tracking of Microcin, and Avast notifying the targeted company

The samples we analyzed contain links to malware samples and campaigns, such as Microcin, BYEBY, and Vicious Panda, previously described by Kaspersky, Palo Alto Networks, and Check Point, respectively. The backdoors we found are custom tools that, as far as we know, have not previously been analyzed. The majority of the C&C servers are registered to Choopa, LLC, a hosting platform that has been used by cybercriminals in the past. Servers registered through GoDaddy were also seen early in the campaign, but these were removed early on.

We suspect the APT group behind these attacks is from China. Gh0st RAT, one of the tools used, has been known to be used by Chinese APT groups in the past. Similarities between the code we analyzed and the code used in the Vicious Panda campaign (TTPs, especially the use of the RTF Weaponizer in the infection vector), which is also thought to have come from China, also lead us to believe the group might be from China. The targeted companies and institutions, as well as the professional coding, point to an APT group.

Throughout our analysis, we stumbled upon the following backdoors. Details on these backdoors are provided below the complete list of backdoors.

Pcaudit.bat is a batch file that is used to invoke svchost.exe in order to load the DLL file for a given service specified in the registry. This batch file is responsible for the backdoor's persistence. The contents of the pcaudit.bat script can be found below:

Figure 2: The batch file that is responsible for the backdoor's persistence

Technical details (sqllauncher.dll, logon.dll)

Both DLLs, sqllauncher.dll and logon.dll, are primarily used as backdoors. They are installed as services by the aforementioned batch file. Both create a log file under the path %COMMON_DOCUMENT%\WZ9JuN00.tmp that aggregates errors during the backdoor's runtime. Each entry contains an error code, an error message, and a timestamp, formatted as " %error code% %message%".
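The persistence and logging artifacts described above (a svchost-hosted service whose DLL is registered in the registry, and an error log written to a fixed path under the common documents folder) can be hunted for on a suspect host. The following PowerShell script is an added example written for this page; it is not part of the Avast or ESET analysis and does not reproduce pcaudit.bat. It assumes that "%COMMON_DOCUMENT%" refers to the shared Public Documents folder (CSIDL_COMMON_DOCUMENTS), that the backdoor DLLs are registered the usual way for svchost-hosted services, under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll, and that the service name itself is unknown (it is in Figure 2, which is not reproduced here), so matching is by the DLL file names the write-up gives and by DLL location outside the Windows directory.

```powershell
# Added hunting script, not part of the original write-up. Read-only; run in an
# elevated PowerShell on the host under investigation.
# Assumptions (not stated in the report):
#  - "%COMMON_DOCUMENT%" means the shared Public Documents folder (CSIDL_COMMON_DOCUMENTS).
#  - The backdoor services are svchost-hosted and register their DLL under
#    HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll.
#  - The service name is unknown here, so we match on the DLL names from the report
#    (sqllauncher.dll, logon.dll) and on DLLs living outside the Windows directory.

$ErrorActionPreference = 'SilentlyContinue'

# 1. Runtime artifact: the error log both DLLs write.
$logPath = Join-Path ([Environment]::GetFolderPath('CommonDocuments')) 'WZ9JuN00.tmp'
if (Test-Path -LiteralPath $logPath) {
    $item = Get-Item -LiteralPath $logPath
    Write-Output ("[!] backdoor log present: {0} ({1} bytes, modified {2})" -f `
        $item.FullName, $item.Length, $item.LastWriteTime)
    # Entries are "<error code> <message>" plus a timestamp; show the tail for triage.
    Get-Content -LiteralPath $logPath -Tail 5 | ForEach-Object { "    $_" }
} else {
    Write-Output "[ ] no $logPath"
}

# 2. Persistence artifact: services whose ServiceDll matches a reported name or
#    lives outside %SystemRoot%.
$iocNames = @('sqllauncher.dll', 'logon.dll')
$windir   = [Environment]::GetFolderPath('Windows')
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$findings = foreach ($params in Get-ChildItem "$svcRoot\*\Parameters") {
    $dll = (Get-ItemProperty -Path $params.PSPath -Name ServiceDll).ServiceDll
    if (-not $dll) { continue }                       # not a svchost-hosted service
    $svcName  = $params.PSParentPath.Split('\')[-1]
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    $leaf     = [IO.Path]::GetFileName($expanded)
    $nameHit  = $iocNames -contains $leaf
    $pathHit  = -not $expanded.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
    if (-not ($nameHit -or $pathHit)) { continue }

    $svc    = Get-ItemProperty -Path (Join-Path $svcRoot $svcName)
    $reason = if ($nameHit) { 'IOC file name' } else { 'DLL outside Windows dir' }
    [pscustomobject]@{
        Service    = $svcName
        ServiceDll = $expanded
        ImagePath  = $svc.ImagePath      # expected to be an svchost.exe -k <group> line
        Start      = $svc.Start          # 2 = automatic start
        OnDisk     = Test-Path -LiteralPath $expanded
        Reason     = $reason
    }
}

if ($findings) {
    Write-Output "[!] suspicious ServiceDll registrations:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "[ ] no suspicious ServiceDll entries"
}
```

The "DLL outside Windows dir" rule is a triage heuristic, not a verdict: third-party software legitimately hosts service DLLs under Program Files, so review those rows against the installed software inventory. A hit on one of the two file names from the report, an ImagePath invoking svchost.exe, and the presence of WZ9JuN00.tmp together match what the write-up describes; compute hashes of any DLL found on disk before submitting it for analysis.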
