Expecting an online booking or package delivery confirmation? Just make sure to avoid these fake email messages serving BKDR_KULUOZ.PFG.
This backdoor was first seen in the wild around April to June of 2012 and a part of a well-known botnet. However, we have recently been noticing several spam variants carrying this malware, like the one below:
Figure 1. Sample FedEx spammed message
BKDR_KULUOZ arrives in the form of attachments (usually archived) in spammed messages. These email messages typically spoof well-known corporations. So far, the spam variants we’ve seen recently included fake email notifications from courier services like FedEx, UPS (postal-themed), and airline companies. Like most malware arriving via email, BKDR_KULUOZ are disguised as your average office files like .PDF (Adobe) or .DOC (Microsoft document) files, to make them appear legitimate.
Once user downloads and executes the file, it drops and opens a .TXT file as a ploy to trick unsuspecting users into thinking that there’s no harm being done on the system.
Figure 2. Screenshot of the dropped.TXT file
It then creates svchost.exe process and injects another .PE file, which is a .DLL File with export named “work.” Typically, a malware injects its code into to normal processes so that it will be harder to terminate on the infected system. In addition, this backdoor also executes its code using the following native APIs to slowdown/hinder debugging:
- “ZwCreateSection”
- “ZwReadVirtualMemory”
- “ZwMapViewOfSection”
- “ZwUnmapViewOfSection”
- “ZwResumeThread”
Accordingly, this technique of coding malware is also seen in threats like DUQU and Andromeda. This downloader malware also communicates to its command-and-control (C&C) server to send and receive information and commands. In turn, the infected system is susceptible to further attacks and is effectively under a remote user’s control.
Unfortunately, BKDR_KULUOZ does not stop there. The backdoor is capable of downloading and executing other malware variants onto the infected machine, which may include variants of SIREFEF, known for its rootkit technology and FAKEAV. In one particular incident, my colleague Rhena Inocencio found a BKDR_KULUOZ variant that downloads the FAKEAV variant TROJ_FAKESYS.BH.
Figure 3. Screenshot of the FAKEAV page
The backdoor is also capable of updating itself, a common technique among malware to prevent from being detected by antivirus (AV) software.
In our 2013 security predictions, we are expecting cybercriminals to fine-tune existing tools instead of coming up with threats from scratch. As the year unfolds, we are already seeing significant manifestations of this prediction. Just recently, we posted about possible new variants of the CARBERP banking malware found in the wild and equipped with new plugins and improvements. CARBERP and now, KULUOZ only show that change is constant in the world of cybercrime – but oftentimes, it may come in a very familiar form.
We encourage users to delete such messages if found in their inboxes. Users must always be cautious when opening their email messages as recent spam campaigns (like those related to the Blackhole exploit kit) are quite good in imitating legitimate email notifications.
Trend Micro protect users from this threat via Smart Protection Network, which detects and deletes BKDR_KULUOZ.PFG if found on the system. It also effectively blocks all related spammed messages via its Email reputation service.
Leave a reply
