Recently we found several malicious executables with similar characteristics. These files were found on the following six domains:
The malicious files kept changing, with different signatures. Their behavior, however, was always the same and was identified as a botnet. When executed, the botnet hides itself in the Recycle bin and infects other running processes. It connects to over 50 IP addresses over UDP/16471 and TCP/16471. These IPs keep changing with each file and each execution.
The botnet always connects to xlotxdxtorwfmvuzfuvtspel.com through HTTP, but the domain answers with an empty response. You’ll notice that the malware uses HTTP/1.0 with a Host header (not RFC compliant), often a good sign of malicious HTTP activity.
|HTTP request to C&C|
We found the malicious samples through Behavior Analysis, then used our log correlation to find the source of the malicious executables.
Leave a reply