Thanks to Peter Coogan for his assistance with this research.
Earlier this week Mandiant released a blog which talked about a new advanced persistent threat (APT) they found while investigating a potential compromise. Symantec detects the APT in question as Backdoor.Hikit, a Trojan that enables an attacker to gain control of compromised servers from a remote location.
Samples related to Backdoor.Hikit were first observed by Symantec in October 2011 when detection was added for a component of the threat as Trojan.Ascesso. Our investigation of this threat has since identified further samples of Backdoor.Hikit in the wild. Based on the timestamp information from the PE headers of Backdoor.Hikit samples, we can present a probable timeline to indicate when different components of this threat were compiled:
Figure 1. Backdoor.Hikit timeline
The preceding figure identifies several Hikit kernel driver components that originate as far back as April 2011. A newer driver component can also be seen compiled in October 2011 (six months after the first generation) showing an evolution of the threat.
Backdoor.Hikit is compromised of four components:
- Unknown dropper that compromises a system and installs a malicious dynamic-link library (DLL) file
- DLL that implements back door functionality and installs a kernel driver
- Kernel driver that monitors network traffic for connections from an attacker
- Client tool that attackers use to connect to the back door
The following diagram shows how different components are connected and the order in which they are installed on a compromised computer. The unknown dropper installs the Oci.dll back door file onto the compromised computer, which in turn installs the W7fw.sys driver component responsible for network monitoring:
Figure 2. Backdoor.Hikit overview
Kernel driver installation on newer versions of the Windows operating system requires the drivers to be digitally signed. Interestingly, the DLL component (Oci.dll) comes with two certificates used as catalogs to sign 32 and 64-bit drivers. One certificate is self-signed:
Figure 3. Generated certificate
Another certificate is associated with other attacks that originate around the same time. This certificate is stolen and is no longer valid (expired November 28, 2011):
Figure 4. Stolen certificate
Interestingly, Backdoor.Hikit does not contact a command-and-control (C&C) server or an attacker after installation. Instead the kernel driver will monitor incoming network traffic and wait for the specific attacker’s pattern (HTTP GET request for a specific location) that opens the back door communication channel. Since the compromised computer does not contact the attacker its operational capability is significantly reduced. In most environments, the internal network is located behind a router and firewall making it difficult for the attacker to reach the internal network hosting the compromised computer and effectively leaving the attacker outside:
Figure 5. In most environments, attacker cannot reach internal network from Internet
However, according to the Mandiant analysis the preceding scenario is not a problem for the attackers as Backdoor.Hikit actually compromises computers located in the Internet-facing DMZ. DMZ exposes services over the Internet and typically has less restrictive firewall rules (eg. allows HTTP/HTTPS traffic over ports 80 and 443), which will allow the attacker to contact and communicate with compromised computers.
The following diagram shows how the Backdoor.Hikit attack scenario works:
Figure 6. Backdoor.Hikit compromises DMZ
Symantec is continuing to investigate this threat and will provide more information when available. As always, we recommend that you use the latest Symantec technologies and virus definitions to ensure you have the best protection against threats.
Leave a reply