Have you heard of, or worse – experienced, the T5000 backdoor that was detected in 2013 and 2014? If you are a human rights activist, a government clerk or an employee of the automotive industry in the Asia Pacific region, chances are you were infected by the sophisticated T5000 malware.
Unfortunately, recent research by Palo Alto Networks, the security company that first analyzed the T5000 malware family (also known as Plat1), indicates that the backdoor has a new version.
Meet T9000 – the Backdoor that Aims at Skype Users
As mentioned, the T9000 malware appears to be a new version of T5000. It has been spotted being distributed via spear-phishing emails within the US. Although certain organizations are currently being targeted, the piece is adaptable enough to be reused in various campaigns against various targets.
Not only is T9000 capable of flying under the radar and evading detection, two features present in most advanced backdoors, it can also capture encrypted data, take screenshots and specifically target Skype users. The installation process goes through four stages, and a lot of effort has gone into avoiding detection and frustrating any ongoing security analysis.
In addition, the malware can identify 24 anti-malware products that may be running on the targeted system. Each detected product is represented by a binary flag, and the flags of all products found are combined (bitwise OR) into a single value. As explained by the Palo Alto researchers, the following numbers represent each respective security product:
0x08000000 : Sophos
0x02000000 : INCAInternet
0x04000000 : DoctorWeb
0x00200000 : Baidu
0x00100000 : Comodo
0x00080000 : TrustPortAntivirus
0x00040000 : GData
0x00020000 : AVG
0x00010000 : BitDefender
0x00008000 : VirusChaser
0x00002000 : McAfee
0x00001000 : Panda
0x00000800 : Trend Micro
0x00000400 : Kingsoft
0x00000200 : Norton
0x00000100 : Micropoint
0x00000080 : Filseclab
0x00000040 : AhnLab
0x00000020 : JiangMin
0x00000010 : Tencent
0x00000004 : Avira
0x00000008 : Kaspersky
0x00000002 : Rising
0x00000001 : 360
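As an added example (not code from the Palo Alto report), the following Python helper reproduces the combination rule, OR'ing the flag of each detected product, and decodes a recovered value back into product names, reporting any bits that are not in the published table (a hint that a version with a different table is in play):

```python
# Encoder/decoder for the T9000 anti-malware detection bitmask (table from the
# Palo Alto Networks analysis; the helper functions are an added example).
AV_FLAGS = {
    0x08000000: "Sophos",
    0x02000000: "INCAInternet",
    0x04000000: "DoctorWeb",
    0x00200000: "Baidu",
    0x00100000: "Comodo",
    0x00080000: "TrustPortAntivirus",
    0x00040000: "GData",
    0x00020000: "AVG",
    0x00010000: "BitDefender",
    0x00008000: "VirusChaser",
    0x00002000: "McAfee",
    0x00001000: "Panda",
    0x00000800: "Trend Micro",
    0x00000400: "Kingsoft",
    0x00000200: "Norton",
    0x00000100: "Micropoint",
    0x00000080: "Filseclab",
    0x00000040: "AhnLab",
    0x00000020: "JiangMin",
    0x00000010: "Tencent",
    0x00000004: "Avira",
    0x00000008: "Kaspersky",
    0x00000002: "Rising",
    0x00000001: "360",
}

def encode_products(names):
    """OR together the flags of the named products, as the malware does."""
    by_name = {name: flag for flag, name in AV_FLAGS.items()}
    value = 0
    for name in names:
        value |= by_name[name]      # KeyError for a name not in the table
    return value

def decode_mask(value):
    """Split a recovered mask into (known product names, leftover unknown bits).

    Names come out highest flag first; any bit not in the table is left in
    the second element so an analyst can see it was not accounted for.
    """
    names = []
    for flag in sorted(AV_FLAGS, reverse=True):
        if value & flag:
            names.append(AV_FLAGS[flag])
            value &= ~flag          # clear the bit so leftovers stand out
    return names, value
```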
For example, if both Trend Micro and Sophos are found on a victim machine, the resulting value will be 0x08000800. The value is then written to the following file:
The infection process is started by malicious RTF files. Two particular vulnerabilities are exploited:
- The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka “MSCOMCTL.OCX RCE Vulnerability.”
- Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 allow remote attackers to execute arbitrary code via a crafted RTF document, aka “Microsoft Office Memory Corruption Vulnerability.”
If everything goes as planned, once installed, T9000 collects information about the system, sends it to its command and control server, and marks the targeted system so that it can be distinguished from the others.
Once the infected machines are recorded and the information that can be stolen is identified, the command and control server sends specific modules to every target.
One of these modules, or plugins, has been found to be particularly interesting:
tyeu.dat: sent to spy on Skype activities; once the module is installed and running, the next time Skype is started, a message will appear saying that “explorer.exe wants to use Skype”.
tyeu.dat can also:
- Capture full desktop screenshots
- Capture window screenshots of targeted processes
- Capture Skype audio, video, and chat messages
T9000: In Conclusion
The evolution of the T9000 backdoor is excellent proof of how determined and well-funded malicious attackers are. The authors of T9000 have done their best to avoid detection by AV vendors and to evade investigation by reverse engineers. Luckily, the researchers at Palo Alto have publicly shared their extensive analysis, which is available online. Have a look at the whole Palo Alto Networks report.
In addition, we would like to remind every organization out there how important incident response is:
- Preparation. Enterprises should educate their employees and IT personnel about the importance of up-to-date security measures and train them to respond to computer and network security incidents swiftly and adequately.
- Identification. The response team is alerted whenever a possible breach takes place, and should decide whether it is a security incident or something else. The team is often advised to contact the CERT Coordination Center, which tracks and records Internet security activities and collects the most recent information on viruses and worms.
- Containment. The response team determines the severity and scope of the issue. All affected systems and devices are disconnected to prevent further damage.
- Eradication. The response team proceeds with the investigation to determine the origin of the attack. The root cause of the problem and all malicious code leftovers are eradicated.
- Recovery. Data and software are restored from clean backups, making sure that no vulnerabilities are left. Systems are monitored for any sign of remaining weakness.
- Lessons learned. The response team analyzes the attack and the way it was handled, and prepares recommendations for better future response and for the sake of incident prevention.