Iron Cybercrime Group  - VMP7J1528283789 - Iron Cybercrime Group Distributing new Backdoor with Evasion Techniques

Newly discovered powerful previously unknown using HackingTeam’s leaked Remote Control System (RCS) code to infect the thousands victim.

This backdoor is created by who is behind the ransomware that infected various countries victims in past year.

Also, Iron Cybercrime Group actively developing and infecting victims with various type of cyber threats such as backdoors, crypto-miners, and ransomware for  Windows, and platforms.

Further analysis revealed that this backdoor contains a source code of HackingTeam’s Remote Control System hacking tool also they used  IronStealer and Iron ransomware is a function with this backdoor.

Iron Cybercrime Group Backdoor working Function

This powerful backdoor employing the various advance technique to evade the detection and maintain its persistence within the infected system.

Initially, it drops malicious chrome extension in %appdata% folder and extracts the malicious code to schedule the task to execute its malicious VBS  script.

Later it Drops backdoor dll to %localappdata%Temp\<random>.dat and check the OS version for further infection.

- flow - Iron Cybercrime Group Distributing new Backdoor with Evasion Techniques

As we already saw that this backdoor using two other malware functions that developed by the HackingTeam cyber criminals and this backdoor also employing the such as Anti-VM.

Also, it can able to detect the Cuckoo Sandbox, VMWare product & Oracle’s VirtualBox and using its Anti-VM function to evade the detection.

- Untitled - Iron Cybercrime Group Distributing new Backdoor with Evasion Techniques

Iron Backdoor using dynamically call external library function by obfuscated the function name that gives more pain for an analyst to perform static analysis.

According to intezer, A patched version of the popular Adblock Plus chrome extension is used to inject both the in-browser crypto-mining module (based on CryptoNoter) and the in-browser payment hijacking module.

also, it checks the anti-virus software  360 SafeGuard or 360 Internet Security by reading the registry key. if it found the AV software then it using hardcoded root CA certificate on the victim’s workstation to install the rogue malware.

This Fake CA certificate signed the binary that makes backdoor look legitimate. researchers suspect that the Team behind this backdoor operates it from China because Searches for wallet file names in Chinese on victims’ workstations and it Won’t install persistence if Qhioo360(popular Chinese AV) is found.

Source link


Please enter your comment!
Please enter your name here