Quasar, Sobaken and Vermin: details of an ongoing cyber espionage campaign

    Using the Quasar, Sobaken and Vermin remote access tools, attackers spy on Ukrainian government institutions and steal data from their systems. The group was first mentioned in a public report in January 2018, drew ESET's attention in mid-2017, and continues to develop its tools today.

    In this report we reveal the details of the ongoing campaign, provide information about the malware, and describe the methods the attackers use for distribution, targeting and detection evasion.


    Attacker profile


    The group does not appear to have outstanding technical skills or access to zero-day vulnerabilities. Nevertheless, it has used social engineering successfully to spread its malware and has operated covertly for a long time.

    We were able to trace its activity back to October 2015, but it is possible that the group began operating much earlier.

    The attackers use three strains of .NET malware: Quasar RAT (Remote Administration Tool), Sobaken (derived from Quasar RAT) and the custom RAT Vermin. The tools have been used simultaneously against the same targets; they partly share infrastructure and connect to the same C&C servers. A possible explanation for the use of three parallel strains is that each was developed independently.

    Victims


    The malware is used in attacks on Ukrainian government institutions. According to ESET telemetry, there are hundreds of victims in various organizations and several hundred executables related to this campaign.

    Chronology


    Figure 1 shows the main campaign events in chronological order.


    Figure 1. Campaign Timeline

    Distribution


    According to our telemetry, the attackers use e-mail as the primary distribution channel for all three RATs, relying on social engineering to convince victims to download and run the malware.

    In most cases the file names are written in Ukrainian and relate to the victims' work. The original report gives the Ukrainian names; in English they translate to:

    • "Order on ensuring the security of the servicemen of the Armed Forces of Ukraine and members of their families"
    • "New draft order, assignment of a seizure inspection"
    • "Supply Department of Don OVK. Increasing the credit limit"

    In addition to basic social engineering (luring the victim into opening the attachment), the attackers use three technical methods, probably to further increase the effectiveness of the campaigns.

    Method #1: e-mail attachments use the Unicode right-to-left override character (RLO, U+202E), which reverses the display order of the characters that follow it and so hides the real extension. The attachments are in fact executables that carry Word, Excel, PowerPoint or Acrobat Reader icons to avoid suspicion.

    Example file name: as shown in Figure 2, a file whose name means "Transporting solid fuel (firewood) for heating" and ends in "<RLO>xcod.scr" is displayed as ending in "rcs.docx", so an inattentive user sees a .DOCX document while the real extension is .SCR, a Windows screen-saver executable.


    Figure 2. Executable file masquerading as a Word document
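    The following triage helper is an added example (not code from the original report or from the attackers' tooling): it shows how the RLO trick above looks to a user versus to the OS, and flags attachment names that carry bidi control characters or end in an executable extension. The sample file name is constructed to follow the campaign's pattern and is not a real attachment name; the executable-extension list is an illustrative subset.

```python
import unicodedata

# Unicode bidirectional control characters that can change how a file name is
# displayed. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in the campaign above.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")

# Extensions Windows treats as directly executable; an illustrative subset, not a complete list.
EXECUTABLE_EXTENSIONS = frozenset({"exe", "scr", "com", "pif", "bat", "cmd", "hta", "js", "vbs", "lnk"})


def rendered_name(name: str) -> str:
    """Approximate how a file manager displays NAME: everything after the first
    U+202E is drawn right-to-left, i.e. reversed. This simplification ignores the
    rest of the Unicode bidi algorithm but is enough to expose the extension trick."""
    i = name.find("\u202e")
    if i < 0:
        return name
    return name[:i] + name[i + 1:][::-1]


def real_extension(name: str) -> str:
    """The extension the OS dispatches on: the text after the last dot in the raw name."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_filename(name: str) -> dict:
    """Return what the user sees versus what the OS will actually run."""
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    shown = rendered_name(name)
    displayed_ext = real_extension(shown)
    actual_ext = real_extension(name)
    return {
        "bidi_controls": controls,
        "displayed_as": shown,
        "displayed_extension": displayed_ext,
        "real_extension": actual_ext,
        # Flag when a bidi control is present and the visible and real extensions disagree,
        # or when the real extension is executable regardless of what is displayed.
        "suspicious": (bool(controls) and displayed_ext != actual_ext)
                      or actual_ext in EXECUTABLE_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed sample modelled on the campaign's naming pattern; not a real attachment name.
    sample = "Transporting_solid_fuel_(firewood)_\u202excod.scr"
    for key, value in triage_filename(sample).items():
        print(f"{key}: {value}")
```

    A mail gateway rule that rejects or quarantines attachment names containing any character in BIDI_CONTROLS removes this trick entirely; legitimate file names almost never need bidi overrides.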

    Method #2: e-mail attachments disguised as RAR self-extracting archives.

    Example: an e-mail with the attachment "Mandate_MO_Dodatki_to_Ionstruktsii_440_startor" ("Order of the Ministry of Defense, Appendices to Instruction No. 440"), as shown in Figure 3. Inside the RAR archive is an executable file with a matching name, disguised as a self-extracting archive.

    Presumably the victims run this file expecting it to unpack the contents of a self-extracting archive, but in doing so they unwittingly launch a malicious executable.

    Method #3: Word document + CVE-2017-0199 exploit. The vulnerability is triggered when the victim opens a specially crafted Word document: the Word process issues an HTTP request for an HTA file containing a malicious script hosted on a remote server, and the script is then executed by mshta.exe. The vulnerability became public in April 2017, and Microsoft fixed it with a security update for all versions of Windows and Office.

    According to ESET telemetry, these attackers began using this method in May 2017. They used hxxp://chip-tuning.lg[.]ua/ to deliver both the HTA files and the final payload.


    Figure 3. File disguised as a self-extracting RAR archive. The version and copyright data suggest that this is a fake
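    The documents used for method #3 contain a linked OLE object whose target is a remote URL, which is what makes Word fetch the HTA on open. The scanner below is an added example (not from the original report) that opens an OOXML package offline and lists every OLE-object relationship marked External; the sample package it builds is constructed and inert, and the hostname in it is a reserved documentation name, not an indicator from this campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return the Target of every OLE-object relationship whose TargetMode is External.
    A linked (external) OLE object is what makes Word fetch a remote resource on open,
    which is how the CVE-2017-0199 documents described above reach their HTA stage."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target"))
    return hits


def build_sample_docx(ole_target=None) -> bytes:
    """Construct a minimal, inert OOXML package for testing; not a weaponised document."""
    rels = [f'<Relationships xmlns="{REL_NS}">',
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if ole_target:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{ole_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}"/>')
        pkg.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        pkg.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, external_ole_targets(fh.read()) or "no external OLE links")
```

    Run it as "python scan.py suspect.docx". Note that many CVE-2017-0199 lures are RTF files rather than OOXML packages; for those, look for an \objdata block combined with \objupdate, which forces the link to refresh on open.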

    Installation and Persistence


    The installation procedure is the same for all three malware strains used by this group. The dropper writes the payload (Vermin, Quasar or Sobaken) into a subfolder of %APPDATA% named after a legitimate company (usually Adobe, Intel or Microsoft). Then, as shown in Figure 4, it creates a scheduled task that runs the component every 10 minutes to maintain persistence. Some versions also hide their folders from Windows Explorer by appending the CLSID of the Control Panel "All Tasks" view to the folder name: such a folder does not open when clicked in Explorer; instead the Control Panel "All Tasks" page opens.


    Figure 4. Task that launches a malicious component every 10 minutes

    Examples:

    C:\Users\Admin\AppData\Roaming\Microsoft\Proof\Settings.{ED7BA470-8E54-465E-825C-99712043E01C}\TransactionBroker32.exe
    C:\Users\Admin\AppData\Roaming\Adobe\SLStore\Setting.{ED7BA470-8E54-465E-825C-99712043E01C}\AdobeSLService.exe
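    The persistence pattern above (a task repeating every 10 minutes, launching an executable under %APPDATA% from a folder carrying the Control Panel CLSID) can be hunted across exported task definitions. The script below is an added example, not code from the report: it parses Task Scheduler XML and scores each task against that pattern. The two task definitions embedded in it are constructed for the test and modelled on Figure 4 and the example paths; the 10-minute threshold is a heuristic.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
CONTROL_PANEL_CLSID = "{ED7BA470-8E54-465E-825C-99712043E01C}"   # the "All Tasks" CLSID seen in the paths above
SHORT_INTERVAL_MINUTES = 10                                        # heuristic threshold, matches the campaign


def iso_duration_minutes(interval: str) -> float:
    """Parse the ISO 8601 duration subset Task Scheduler writes (PT10M, PT1H30M, P1D, ...)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval or "")
    if not m:
        return float("inf")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def assess_task(task_xml: str) -> dict:
    """Score one exported task definition against the persistence pattern described above."""
    root = ET.fromstring(task_xml)
    ns = {"t": TASK_NS}
    intervals = [e.text for e in root.findall(".//t:Repetition/t:Interval", ns)]
    commands = [(e.text or "").strip() for e in root.findall(".//t:Exec/t:Command", ns)]
    shortest = min((iso_duration_minutes(i) for i in intervals), default=float("inf"))
    reasons = []
    for cmd in commands:
        low = cmd.lower()
        if "\\appdata\\roaming\\" in low:
            reasons.append("executable under %APPDATA%")
        if CONTROL_PANEL_CLSID.lower() in low:
            reasons.append("path contains Control Panel CLSID folder")
    if shortest <= SHORT_INTERVAL_MINUTES:
        reasons.append(f"repeats every {shortest:g} min")
    # Two independent indicators together are treated as suspicious; one alone is common in benign software.
    return {"commands": commands, "interval_minutes": shortest,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed task definitions for testing; modelled on Figure 4 and the example paths above.
SUSPICIOUS_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT10M</Interval></Repetition>
    <StartBoundary>2017-05-01T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\SLStore\\Setting.{CONTROL_PANEL_CLSID}\\AdobeSLService.exe</Command>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><CalendarTrigger><StartBoundary>2017-05-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Vendor\\Updater.exe</Command><Arguments>/check</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, assess_task(xml))
```

    Task definitions can be exported with "schtasks /query /xml /tn <name>" or read directly from C:\Windows\System32\Tasks (those files are UTF-16 XML; decode them before passing the text in).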


    Targeting


    The attackers use a number of techniques to ensure the malware runs only on targeted machines; in particular they take care to avoid automated analysis systems and sandboxes.

    Method #1: keyboard layout check
    The malware checks whether a Russian or Ukrainian keyboard layout is installed. If neither is, it terminates immediately.

    Method #2: IP address check
    The malware obtains the public IP address of the infected computer by querying the legitimate service ipinfo.io/json. It terminates if the address is not geolocated to Ukraine or Russia, or if it is registered to one of a list of cloud service providers or anti-virus vendors. The code that performs these checks is shown in the disassembly in Figures 5 and 6.


    Figure 5. The code that performs the geolocation check of the IP address of the infected machine


    Figure 6. The code that checks the IP address with a list of cloud service providers and anti-virus vendors

    Method #3: network emulation check
    Automated analysis systems often use tools such as FakeNet-NG, in which every DNS or HTTP request succeeds and returns some result. The malware authors try to detect such systems by generating a random site name/URL and verifying that connecting to it fails (Figure 7), as it would on a real system.


    Figure 7. Code that generates a random URL and starts loading

    Method #4: username check
    The malware does not run under an account whose username is typical of automated malware analysis systems, as shown in Figure 8.


    Figure 8. Comparison of the current username with a list of names known from malware analysis systems
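    For an analyst who needs to know which property of a sandbox makes a sample bail out, the four checks above can be reimplemented and run against a description of the environment. The code below is an added example written from the descriptions in this section, not code taken from the samples. The report does not list the cloud providers, anti-virus vendors or usernames the malware compares against, so those lists are illustrative placeholders; the keyboard layout identifiers are the Windows LANGIDs for Russian and Ukrainian, and the network fetch function is injected so that the check runs offline.

```python
import random
import string

TARGET_COUNTRIES = {"UA", "RU"}     # from the report (ISO country codes as returned by ipinfo.io)
TARGET_LAYOUTS = {0x0419, 0x0422}   # Windows LANGIDs: Russian, Ukrainian
# The report does not list the providers, vendors or usernames the malware checks for;
# the entries below are illustrative placeholders only.
BLOCKED_ORG_KEYWORDS = ("amazon", "google", "digitalocean", "eset", "kaspersky")
ANALYSIS_USERNAMES = {"sandbox", "malware", "virus", "analyst", "test"}


def ip_check(ipinfo: dict):
    """Method #2, reimplemented from the description: gate on country, then on the org field."""
    if ipinfo.get("country") not in TARGET_COUNTRIES:
        return False, "country outside target set"
    org = ipinfo.get("org", "").lower()
    for kw in BLOCKED_ORG_KEYWORDS:
        if kw in org:
            return False, f"org matches blocked keyword {kw!r}"
    return True, "ok"


def layout_check(installed_layouts):
    """Method #1: at least one Russian or Ukrainian keyboard layout must be installed."""
    ok = bool(TARGET_LAYOUTS & set(installed_layouts))
    return ok, "ok" if ok else "no RU/UA keyboard layout"


def username_check(username: str):
    """Method #4: bail out on usernames typical of analysis systems."""
    ok = username.lower() not in ANALYSIS_USERNAMES
    return ok, "ok" if ok else "analysis-system username"


def network_emulation_check(fetch, seed=0):
    """Method #3: a random hostname must NOT respond on a real network. FETCH is injected
    (urllib.request.urlopen in a live tool) so the check runs offline; it must raise on failure."""
    rng = random.Random(seed)
    host = "".join(rng.choices(string.ascii_lowercase, k=12)) + ".com"
    try:
        fetch("http://" + host + "/")
    except Exception:
        return True, "ok"
    return False, f"random host {host} answered (emulated network)"


def should_run(ipinfo, layouts, username, fetch) -> dict:
    """Combine all four checks; 'failed' names the environment properties that stopped the sample."""
    checks = {
        "ip": ip_check(ipinfo),
        "layout": layout_check(layouts),
        "username": username_check(username),
        "network": network_emulation_check(fetch),
    }
    return {"run": all(ok for ok, _ in checks.values()),
            "failed": {name: why for name, (ok, why) in checks.items() if not ok}}


def _real_network(url):   # constructed stand-in: a real network does not answer random hosts
    raise ConnectionError(url)


def _fakenet(url):        # constructed stand-in for FakeNet-NG style emulation
    return b"HTTP/1.1 200 OK"
```

    The practical consequence for a sandbox operator is that all four properties have to be satisfied at once: a Ukrainian or Russian IP and a non-cloud ASN, a RU/UA keyboard layout, an ordinary username, and a network emulator that fails unknown hosts instead of answering everything.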

    Use of steganography


    Since mid-2017 the attackers have used steganography, hiding malicious components in images hosted on the free image hosting sites saveshot.net and ibb.co.

    Steganography is the practice of hiding data "in plain sight" inside other, innocuous-looking information. In this case the malicious EXE was encrypted and hidden in a JPEG file, as in Figure 9. The malware downloads and decodes the JPEG, extracts the hidden data, decrypts the EXE from it and runs it.


    Figure 9. Example of a JPEG image used to conceal a malicious component being delivered (size changed and component deleted)

    The decryption process is rather involved and can be summarized as follows:

    1. Download a JPEG file from a URL hard-coded in the binary.

    2. Brute-force an eight-digit password by hashing each candidate and comparing the result with a hash hard-coded in the downloader binary. This step is CPU-intensive and takes more than 10 minutes on an ordinary computer; most likely it is yet another measure against automated malware analysis systems, whose analysis time per sample is limited.

    3. Parse the JPEG file and extract the data hidden in it, as seen in the disassembled code in Figures 10 and 11. The algorithm the malware uses is very similar to JSteg, one of the oldest and simplest steganography algorithms for JPEG files: it hides the data in the least significant bits (LSB) of the JPEG's quantized discrete cosine transform (DCT) coefficients. Such hidden data usually does not alter the image in a way visible to the naked eye, but specialized tools detect its presence easily. The algorithm is, however, very easy to implement, which was probably the reason the malware authors chose it.

    4. Gunzip the extracted data.

    5. Decrypt the unpacked data with AES, using the password obtained in step 2.

    6. Base64-decode the decrypted data.

    7. Write the resulting EXE file to disk and execute it.

    Eventually the authors of this threat abandoned steganography and began using hxxp://chip-tuning.lg[.]ua to deliver unencrypted executables.


    Figure 10. Steganography code inside a JPEG decoder


    Figure 11. Steganography code inside a JPEG decoder
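    The example below is added here to make steps 2 to 4 of the procedure concrete; it is not the malware's code. It implements JSteg-style embedding and extraction over a list of integers standing in for quantized DCT coefficients (a real implementation would read the coefficients from the JPEG's entropy-coded segments; here they are constructed, and their distribution is not that of a real image), gunzips the recovered payload, and shows the eight-digit brute force of step 2. The report does not name the hash function used for the password check, so SHA-256 is assumed; the AES and Base64 steps that follow are standard and are not repeated here.

```python
import gzip
import hashlib
import random
import struct


def _carries_bit(c: int) -> bool:
    # JSteg leaves coefficients equal to 0 or 1 untouched (changing them would disturb
    # the run-length coding) and overwrites the least significant bit of every other one.
    return c not in (0, 1)


def jsteg_embed(coeffs: list, payload: bytes) -> list:
    """Hide a 32-bit length prefix plus PAYLOAD in the LSBs of quantized DCT coefficients."""
    data = struct.pack(">I", len(payload)) + payload
    bits = ((byte >> shift) & 1 for byte in data for shift in range(7, -1, -1))
    out = list(coeffs)
    for i, c in enumerate(out):
        if not _carries_bit(c):
            continue
        bit = next(bits, None)
        if bit is None:
            return out
        out[i] = (c & ~1) | bit   # also correct for negative coefficients (two's complement)
    raise ValueError("cover has too few usable coefficients for this payload")


def jsteg_extract(coeffs: list) -> bytes:
    """Inverse of jsteg_embed: read LSBs of usable coefficients and honour the length prefix."""
    bits = [c & 1 for c in coeffs if _carries_bit(c)]

    def read(start: int, nbytes: int) -> bytes:
        chunk = bits[start:start + 8 * nbytes]
        if len(chunk) < 8 * nbytes:
            raise ValueError("not enough hidden data")
        return bytes(int("".join(map(str, chunk[k:k + 8])), 2) for k in range(0, 8 * nbytes, 8))

    (length,) = struct.unpack(">I", read(0, 4))
    return read(32, length)


def password_hash(password: str) -> str:
    """Hash used for the step-2 comparison. SHA-256 is an assumption; the report does not say."""
    return hashlib.sha256(password.encode()).hexdigest()


def bruteforce_8_digit(target_hex: str, stop: int = 10 ** 8):
    """Step 2: try every eight-digit string against the stored hash. A full search is
    10^8 hashes, which is why this step costs minutes of CPU on an ordinary machine."""
    for n in range(stop):
        candidate = f"{n:08d}"
        if password_hash(candidate) == target_hex:
            return candidate
    return None


def demo_roundtrip():
    """Steps 3-4 end to end on constructed data: gzip a fake payload, hide it, recover it."""
    rng = random.Random(1)
    cover = [rng.randint(-40, 40) for _ in range(6000)]   # constructed stand-in for DCT coefficients
    fake_exe = b"MZ" + bytes(range(60)) * 3                   # constructed; not a real PE
    stego = jsteg_embed(cover, gzip.compress(fake_exe))
    changed = sum(a != b for a, b in zip(cover, stego))
    recovered = gzip.decompress(jsteg_extract(stego))
    return recovered == fake_exe, changed


if __name__ == "__main__":
    ok, changed = demo_roundtrip()
    print("round trip ok:", ok, "- coefficients modified:", changed)
    print("recovered password:", bruteforce_8_digit(password_hash("00004242")))
```

    Because embedding only touches the LSB of non-0/1 coefficients in scan order, a detector can count how many of the first N usable coefficients have their LSB distribution flattened towards 50/50 compared with the rest of the image, which is the statistical weakness that makes JSteg easy to detect.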

    Malware strains


    The attackers use three malware strains in their attacks. Below we give a brief overview of each, concentrating on their distinguishing features.

    Quasar


    Quasar is an open-source RAT available on GitHub. We have seen several campaigns in which this group used Quasar RAT binaries. The first known campaign lasted from October 2015 to April 2016; the next was in February 2017. Compilation artifacts show the PDB path:
    n:\projects\Viral\baybak_files_only\QRClient\QuasarRAT-master\Library\obj\Release\Library.pdb

    Another campaign using Quasar RAT and these attackers' C&C servers (mailukr.net) ran from July to September 2017. The attackers used an old version of Quasar RAT called "xRAT 2.0 RELEASE3". Compilation artifacts in the dropper show the PDB path:
    N:\shtorm\WinRARArchive\obj\Release\WinRAR.pdb

    Sobaken


    Sobaken is a heavily modified version of Quasar RAT. Comparing the program structure of Quasar and Sobaken shows a lot in common; see Figure 12.

    The authors of Sobaken reduced the malware's functionality, so the executable became smaller and easier to hide. They also added the sandbox-evasion and other techniques described above.


    Figure 12. The evolution of Sobaken. Left: Quasar RAT v1.3; middle and right: two versions of Sobaken

    Vermin


    Vermin is a custom backdoor used only by this group. It was first documented in the January 2018 report by Palo Alto Networks. The backdoor appeared in mid-2016 and is still in use. Like Quasar and Sobaken, it is written in .NET. To hinder analysis, the code is protected with the commercial .NET Reactor protector or the open-source ConfuserEx protector.

    In addition, like Sobaken, it uses Vitevic Assembly Embedder, free software from the Visual Studio Marketplace that embeds the required DLLs in the main executable.

    Functionality


    Vermin is a full-featured backdoor with several optional components. The latest version known at the time of writing (Vermin 2.0) supports the following commands, whose purpose is clear from their names:
    - StartCaptureScreen
    - StopCaptureScreen
    - ReadDirectory
    - UploadFile
    - DownloadFile
    - CancelUploadFile
    - CancelDownloadFile
    - GetMonitors
    - DeleteFiles
    - ShellExec
    - GetProcesses
    - KillProcess
    - CheckIfProcessIsRunning
    - CheckIfTaskIsRunning
    - RunKeyLogger
    - CreateFolder
    - RenameFolder
    - DeleteFolder
    - UpdateBot
    - RenameFile
    - ArchiveAndSplit
    - StartAudioCapture
    - StopAudioCapture
    - SetMicVolume

    Most commands are implemented in the main payload; only a few commands and additional functions are provided by optional components that the attackers download to the victim's machine. The optional components include:
    - Audio recording
    - Keylogger
    - Password theft
    - USB file stealing (USB file stealer)

    Audio Recording Tool (AudioManager)


    A full-featured Vermin component that records sound from the victim's microphone. It accepts three Vermin commands: StartAudioCapture, StopAudioCapture and SetMicVolume. The recorded data is compressed with the Speex codec and uploaded in SOAP format to Vermin's C&C servers.

    Keylogger (KeyboardHookLib)


    The Vermin keylogger is a simple standalone executable that intercepts all keystrokes and writes them to a file in encrypted form. It also records clipboard contents and the titles of active windows. The keylogger cannot communicate with Vermin's C&C servers itself; the main backdoor transfers the collected information.

    The PDB path in the keylogger confirms the link to the Vermin malware:
    Z:\Projects\Vermin\KeyboardHookLib\obj\Release\AdobePrintLib.pdb

    Password Theft Tool (PwdFetcher)


    A separate Vermin component for stealing passwords extracts saved passwords from browsers (Chrome, Opera). Most of the code appears to be copied from an article on Habr. Some samples also contain code for extracting data from Firefox, but it does not seem to be used. As shown in Figure 13, this component also contains PDB paths similar to those of the keylogger component, which confirms its link to Vermin.


    Figure 13. Compilation artifacts linking the password theft component to Vermin

    USB File Theft Tool (UsbGuard)


    UsbGuard.exe is an optional component used by both Sobaken and Vermin. It is a small standalone program that monitors USB drives connected to the computer and copies every file that matches a filter configured by the attackers. The stolen files are then transferred by the main backdoor module. Several different PDB paths were found in samples of this component, explicitly linking it to Vermin.

    Since April 2018 the file-stealing component has been used as a standalone tool: it copies the files and immediately uploads them to the attackers' server.

    In the analyzed samples the attackers searched for files with the following extensions:
    - doc
    - docx
    - xls
    - xlsx
    - zip
    - rar
    - 7z
    - docm
    - txt
    - rtf
    - xlsm
    - pdf
    - jpg
    - jpeg
    - tif
    - odt
    - ods

    Conclusion


    Among the many malware attacks aimed at high-value targets in Ukraine, this campaign has not received much attention, perhaps because of its use of open-source code. However, the group has since moved on to developing its own toolset.

    The use of several malware families and infection mechanisms, including social engineering and steganography, over the past three years may mean that the attackers are experimenting with techniques, or that several groups are at work.

    The success of trivial techniques (for example, sending RAR and EXE files by e-mail) underlines the importance of defending against the human factor.

    Indicators of Compromise (IOCs)


    C&C servers


    Sobaken C&C


    akamaicdn.ru
    akamainet021.info
    cdnakamai.ru
    windowsupdate.kiev.ua
    akamainet022.info
    akamainet066.info
    akamainet067.info
    notifymail.ru
    mailukr.net
    188.227.16.73
    212.116.121.46
    206.54.179.160


    Quasar C&C


    188.227.75.189
    mailukr.net
    cdnakamai.ru
    notifymail.ru


    Vermin C&C


    185.158.153.222
    188.227.17.68
    195.78.105.23
    tech-adobe.dyndns.biz
    notifymail.ru
    akamainet023.info
    mailukr.net
    185.125.46.24
    akamainet024.info
    206.54.179.196


    Component delivery and data exfiltration


    chip-tuning.lg.ua
    www.chip-tuning.lg.ua
    olx.website
    news24ua.info
    rst.website
    1ua.eu
    novaposhta.website


    SHA1


    Vermin


    028EBDBEBAC7239B41A1F4CE8D2CC61B1E09983B
    07E1AF6D3F7B42D2E26DF12A217DEBACEDB8B1B9
    09457ACB28C754AA419AB6A7E8B1940201EF3FFE
    0EEE92EC2723ED9623F84082DAD962778F4CF776
    10128AB8770FBDECD81B8894208A760A3C266D78
    131F99A2E18A358B60F09FD61EE312E74B02C07C
    14F69C7BFAF1DF16E755CCF754017089238B0E7B
    1509F85DE302BE83A47D5AFAD9BEE2542BA317FC
    170CEE6523B6620124F52201D943D7D9CA7B95E5
    191159F855A0E580290871C945245E3597A5F25C
    1F12C32A41D82E978DE333CD4E93FDAA1396BE94
    22B17966B597568DB46B94B253CD37CBCF561321
    2C7332D8247376842BD1B1BD5298844307649C99
    2E08BA5DF30C0718C1733A7836B5F4D98D84905E
    2EDF808F8252A4CBCB92F47A0AEDC1AAAE79A777
    360F54B33AC960EE29CA0557A28F6BB8417EF409
    431FCE6A47D0A48A57F699AA084C9FF175A9D15F
    45438834FDC5C690DA3BC1F60722BE86B871280D
    4A8A8188E3A7A137651B24780DF37CB6F610CC19
    4C1E4E136B7922F9E28D1B38E9760E28929E4F0B
    5B6EA57FFC09593C3B65D903368EA5F7FAA2EB68
    61D366939FE36861B2FECB38A4DFF6D86C925A00
    6A72366D8AE09F72F0466FB59E8ED372F8B460D7
    6FECA622B0FB282064F7DE42BA472A8EC908D0D6
    70A772485C5ED330C6876FA901BA722CD44CA05E
    70D97367A3DBD5D45482B6AF8C78C58B64D3F3B3
    7803FD9753930522705F2B6B4E73622887892C28
    7B11A84B18DC4B5F1F2826E7925F0B2DC1B936AE
    889FD0BEB3197DDD6C88F5C40D6B8E4D74A892CE
    9B6FBABFA2A77FA633F7A2EB352979D5C68CEBC6
    A451291F17489E3A59F440A1B693D691B053C531
    A53D77E55A06CF131D670339BACEC5AC0F0C6D66
    A925D0AFB5D4F5FAC65543C993BE4172F1DBF329
    B5F81C804E47B76C74C38DF03A5CBE8A4FE69A9A
    B99DE55043099E9506B304660B8E1374787AB195
    C00C104FC3E9F5977D11C67EF0C8C671D4DFC412
    CA0296FA9F48E83EA3F26988401B3F4C4E655F7A
    D4C6540E789BD3839D65E7EDA5CCA8832493649E
    D5EDE1BBB9A12757E24BE283AFC8D746ADC4A0D4
    DEFBFD98C74BEFF839EEB189F0F6C385AD6BA19B
    ECF152EB6417A069573F2C7D9A35B9CC31EC8F56
    EE2D40825C77C8DFEF67999F0C521919E6672A10
    EF09AC6BA08A116F2C4080CBEE8CEF9523E21265
    F414C49CF502D1B6CC46E08F3AC97D7846B30732


    Sobaken


    087F77998004207BCCFFBF3030B6789648930FA5
    0A4A2BCB3EF4E19973D5C4BE4E141B665CC0BFE0
    1CEEF0813C0F096E6DA5461DC4B3BF901C500C56
    293DBFF0230DAB3C4C21428F90C8EF06E9F35608
    37E2947BFB5FC0839087C5BCE194EC193F824C85
    39525CBCA591F2A10946BA62A56E4C3382CD4FC0
    3CE0A18E9A8A2B95827008DBFF16364B6FEDF361
    3E869038080DAE006FF6B20DF9B0CD9CB3A5E1A1
    400830AB6DD46789B00D081ADF0F82623472FB13
    43F382A330A454FF83F4F35FB571ECF587A4694A
    4449FBE2B28A81B760B284880ADBED43462C2030
    4712AF28168FD728A13EFD520E0665FFD076B6FB
    4F504D7B35660943B206D6034752C686365EA58D
    53239A62E09BB0B4E49B7954D533258FEF3342C4
    540292753FA0CC4ACB49E5F11FEDEA4B7DEF11D8
    5589E8018DC7F934A8FDAB62670C9140AF31CAB6
    57BBA7D8786D3B0C5F93BC20AB505DF3F69C72D4
    630FE59D60F6882A0B9E35ED606BF06AD4BA048C
    63EA7C844D86882F491812813AAAD746738A6BE9
    64121FA2FD2E38AC85A911A9F7ADD8CA1E1A9820
    64DBA711FDD52FECF534CAC0C6FE8848FE36F196
    650AB5E674FEF431EBC8CF98141506DDC80C5E64
    6EF13E9D5B0B6FCB5EB2A7439AAD7B21EA7FB7AC
    7177F64362A504F3DF8AA815CEF7136D5A819C04
    9B91EC03A09C4CF6DBEC637B3551BDCA11F04A9B
    A26764AFB1DAC34CAA2123F7BF3543D385147024
    A55319D3DBD7B9A587F5156CF201C327C803FBC9
    A841FF1EE379269F00261337A043448D3D72E6FD
    AAB5BAAAE8A2577E1036769F0D349F553E4D129B
    ACB989B3401780999474C5B1D7F9198ECA11549A
    B65372E41E7761A68AEF87001BBB698D8D8D5EC6
    BDB5E0B6CA0AA03E0BECA23B46A8420473091DFF
    C4421084C19423D311A94D7BB6CB0169C44CBECD
    C7E76993BB419DC755BD0C04255AB88E6C77B294
    CF5238C467EBE2704528EED18AB4259BFDC604E3
    D2334E161A1720E2DF048E4366150729B9395144
    D35FB6E031720876482E728A40532703EF02A305
    D82DF2903AA4BC5FD4274B5D1BFAF9E081771628
    E4B3CBCA9A53B7B93177A270C2A76F981D157C34
    E585AA2C5BFB9D42D2E58DB3833330D056713B9A
    F4A485696FC871307C22906701CBBB3FA522499B
    F5C75450108440D0BC9E7B210F072EF25A196D20


    Quasar


    0A4915B81D9A9ACF4E19181DEEEBBE244430C16B
    323160C88A254127D9ADB2848AE044AFFF376A4D
    395166835495B418773C9690227779D592F94F71
    3EE410DD50FC64F39DFF0C4EE8CC676F0F7D5A74
    5B665152F6596D4412267F9C490878455BA235F9
    5FE8558EB8A3C244BE2DA8BE750221B9A9EE8539
    61CB5E535F0AC90A1F904EC9937298F50E2B4974
    6A1CD05F07B1024287CEA400237E1EA9D2FE1678
    7676AFF05A3550E5BBFF78CF4D10C9E094447D72
    86165F464EC1912A43445D80559D65C165E2CF76
    AB3CD05BE6B0BA8567B84D10EDE28ABF87E115AC
    BFD7158E1C2F6BA525E24F85ED8CCF8EF40FD370
    CFEBEFC92DCDF1687FD0BC1B50457EBDEA8672A2
    D21B8514990B0CEAC5EAE687DEAA60B447139B9D


    Steganography


    04DA3E81684E4963ABEC4C0F6D56DF9F00D2EF26
    3C618A0C4BF4D3D24C9F2A84D191FC296ED22FA4
    746155881D5AB2635566399ACC89E43F6F3DA91A
    CADBC40A4EFB10F4E9BD8F4EC3742FA8C37F4231
    E22CE72406B14EF32A469569FBE77839B56F2D69


    HTA files


    39F5B17471FD839CC6108266826A4AD8F6ECD6A3
    751FBD034D63A5E0A3CA64F55045AE24E575384A
    76433D1D13DF60EC0461ED6D8007A95C7A163FF9
    89DF6A7551B00969E22DC1CAE7147447ACA10988
    D6D148050F03F5B14681A1BBF457572B9401B664


    Audio recording tool


    1F49946CA2CE51DC51615000BAA63F6C5A9961F1
    98F62C2E6045D5A15D33C8383ADACF9232E5FBE3
    E7C4A69EBD7B41A6AF914DD3D3F64E1AA1ABE9B4
    F233A0F2997BB554D4F1A4B7AC77DAE4180850FA


    Keylogger


    21921864D2F1AB2761C36031A2E1D2C00C9B304A
    3C2D0615BEF6F88FED6E308D4F45B6133080C74F
    91E8346910E0E6783ACFC4F2B9A745C81BD7573A


    Password theft tool


    2A5C9D4DAE5E53B2962FBE2B7FA8798A127BC9A6
    9B1586766AF9885EF960F05F8606D1230B36AC15
    A2F0D5AF81D93752CFF1CF1E8BB9E6CAEE6D1B5E
    CE18467B33161E39C36FC6C5B52F68D49ABCFC2A


    USB File Theft Tool


    050EB7D20EE8EF1E1DAEE2F421E5BF648FB645DF
    069A919B3BC8070BB2D71D3E1AD9F7642D8ECF0F
    0D265E0BDA9DF83815759ABCA64938EC0FF65733
    0D7DF910D0FB7B100F084BFB8DFA0A9F2371171A
    2FF3F5DA2960BE95E50B751680F450896AD1ED67
    3200ECC7503F184F72AB9DA1DC3E1F8D43DDFD48
    46D256EF277328E803D2B15CA7C188267059949D
    524EE1B7269D02F725E55254A015200BB472463A
    53A0EFD3D448DA8E32CFDDA5848312D3CF802B06
    6FC150A9CAFA75813E7473C687935E7E4A5DCE24
    70559245303F99630A27CB47B328C20C9666F0BB
    7D8044A5CBEFE3B016F2132A5750C30BB647E599
    8FD919D531A7A80615517E1AC13C2D0F050AF20D
    9D22421DA9696B535C708178C72323F64D31FC80
    BFD2DFA3D6AF31DF4B9CC2F6B31B239ADF1CECA1
    C08A6222B59A187F3CF27A7BAE4CACFACC97DDEE
    C2F6A65E14605828880927B9BA3C386507BD8161
    C562006D2FA53B15052A4B80C94B86355CCA7427
    CB43058D9EBB517832DF7058641AEDF6B303E736
    CC8A9C28E884FDA0E1B3F6CEAB12805FEA17D3C1
    D3CC27CA772E30C6260C5A3B6309D27F08A295CD
    E7A2DE3776BA7D939711E620C7D6AB25946C9881
    EE6EFA7A6A85A1B2FA6351787A1612F060086320
    EF0ABB3A0CD1E65B33C0F109DD18F156FC0F0CDE
    F63BE193C8A0FBB430F3B88CC8194D755BAD9CD1


    Detection by ESET products


    Most of the files were automatically detected by ESET through their similarity to known malware. The following detections apply directly to most of the files in the campaign:
    MSIL/Agent.AWB
    MSIL/Agent.AZG
    MSIL/Agent.AZJ
    MSIL/Agent.AZX
    MSIL/Agent.BCH
    MSIL/Agent.BCV
    MSIL/Agent.BCY
    MSIL/Agent.BFT
    MSIL/Agent.BGB
    MSIL/Agent.BGC
    MSIL/Agent.BGE
    MSIL/Agent.BGM
    MSIL/Agent.BJU
    MSIL/Agent.SCM
    MSIL/Spy.Agent.BBB
    MSIL/Spy.Agent.BIF
    MSIL/TrojanDownloader.Agent.DYV
    MSIL/TrojanDownloader.Small.BBM
    MSIL/TrojanDropper.Agent.DBE
    MSIL/TrojanDropper.Agent.DJQ
    MSIL/TrojanDropper.Agent.DJR
