Announcement Announcement Module
Collapse
No announcement yet.
Virus Alert:: Hikiti malware Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Virus Alert:: Hikiti malware


    Virus Type: Backdoor/Rootkit

    It has been reported that the variants of a new malware family having backdoor functionalities, dubbed as “Hikit “are spreading.
    The malware
    mainly targets the machines running Windows operating system.
    Initially ,
    the target system is compromised as a consequence of drive by download attack or exploiting the Internet Explorer Memory corruption vulnerability(CVE-2013-3893) or downloaded by other malwares including Win32/Mdmbot, Win32/Moudoor,Win32/Plugx, Win32/Sensode, and Win32/Derusbi.

    The malware performs nefarious actions not limited to the below:


    • Download other variants in the form of .jpg files.
    • Collects various information such as CPU information, computer name,operating system version, memory status etc.
    • Makes network connections and sends exfiltrated data to the remote C2 server.
    • Communicates with remote command and control server to send/receive commands.
    • Modify various files attributes to make then hidden and read only.
    • Uses SSL certificate for communication establishment and thereafter performs encrypted communication.

    The variants of the malware can be categorized as generation 1(Gen1) and generation 2(Gen 2) malware depending upon the mode of network communication to the remote C2 server.
    The Gen 1 variants of the malware
    act as a server and uses externally exposed network interface for remote access whereas the Gen 2 variants uses the traditional client model and
    beacons out to an attacker’s C2 server.
    Aliases: BKDR_HIKIT.A(Trendmicro), Backdoor.HIKIT!gen1(Symantec), Win32/Hikit.E(ESET), Troj/Hikit-B(Sophos), Backdoor:Win32/Hikiti.E (Microsoft), TR/Symmi.20726 (Avira),

    Installation:
    File System Changes:
    The malware arrives on the system in the form of an “.exe” file pretending to be an image files.
    On execution, it makes the following file
    system changes:
    C:\Users\<user name>\AppData\Roamingfb968754.dll
    C:\Windows\System32\drivers\W7fw.sys. (To hide network traffic) %temp%\¬https.sys (14848 B)

    Note: Files system changes vary with respect to the variants of the malware.

    Registry Entries:
    For Persistence mechanism, the malware makes an entry in RUN registry key, so as to start its execution on every next reboot of the system.
    It is
    shown as follows:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Sets value: "<file name without extension>", for example "FB968754"
    With data: "rundll32.exe"<location and file name of threat>",launch",
    For example""rundll32.exe"c:\documents and settings\all users\application data\fb968754.dll",launch"

    Network Communication:
    The malware makes a network connection to the various command and control
    servers. Some of these servers are mentioned below:
    • 103.17.<removed>.90
    • 110.45.<removed>.5
    • 180.150.<removed>.102

    The various commands received and executed by the attacker on the victim machines are:
    • Shell- Establishes a remote command shell on the victim machine
    • File - File management
    • Connect - Establishes a tunnel connection (e.g. port forwarding) through another Hikit sample
    • Socks5 -Establishes a forwarding proxy (retired in Gen 1.2)
    • Proxy - Establishes a forwarding proxy
    • Information- Returns the configuration for the Hikit infection
    • Exit -Terminates a channel

    Countermeasures:
    • Install the patch for the Internet Explorer Vulnerability

    CVE-2013-3893
    https://technet.microsoft.com/library/security/ms13-080
    http://blogs.technet.com/b/srd/archi...available.aspx

    • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
    • Locking out accounts after N number of incorrect login attempts
    • Configure browsers to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
    • Not allowing administrative access to systems, with the exception of special administrative accounts for administrators
    • Limiting or eliminating the use of shared or group accounts
    • Disable Auto run/Auto play.
    • Do not visit untrusted websites.
    • Enable firewall at gateway or desktop level.
    • Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
    • Install and scan anti malware engines and keep them up-to-date.

    References:
    http://blogs.technet.com/b/mmpc/arch...er-2014-hikiti.aspx
    http://www.novetta.com/files/9914/14...ysis-Final.pdf
    http://www.virusradar.com/en/Win32_Hikit.E/description
    https://www.mandiant.com/blog/hikit-...ques-part-1-2/
    https://www.mandiant.com/blog/hikit-...niques-part-2/
    http://www.microsoft.com/security/po...2/Hikiti#tab=2
Working...
X