[Document] Unpacking the “Unitrix” malware
The “Unitrix” exploit abuses several Unicode features designed for right-to-left languages to disguise malicious executables as harmless text or video files. Here is a short list of the main options.
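The disguise described above relies on Unicode bidirectional formatting characters, most notably RIGHT-TO-LEFT OVERRIDE (U+202E), which makes a file manager render the tail of a filename reversed, so that the real `.exe` extension reads as something like `.mp4`. The following triage script is an added example, not code from the original post or from the analysts who wrote it: it scans filenames for bidi control characters, approximates how the name is displayed, and flags the case where the displayed extension differs from the one Windows would actually execute. The sample filenames are constructed for the demonstration, and the list of executable extensions is an assumption chosen for illustration.

```python
import unicodedata

# Unicode bidirectional formatting characters: marks, embeddings, overrides, isolates.
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Assumed set of extensions Windows executes; a disguised file really ends in one of these.
EXECUTABLE_EXTENSIONS = frozenset({"exe", "scr", "com", "pif", "bat", "cmd", "dll", "js", "vbs", "hta"})


def rendered_name(name):
    """Approximate what a bidi-aware file manager displays.

    After a RIGHT-TO-LEFT OVERRIDE (U+202E) the characters are shown reversed
    until a POP DIRECTIONAL FORMATTING (U+202C) or the end of the string; the
    other formatting characters are simply invisible. This is a simplification
    of the full Unicode bidi algorithm, but it covers the filename trick.
    """
    shown = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            shown.extend(reversed(name[i + 1:j]))
            i = j + 1  # skip the PDF, or run past the end of the string
        elif ch in BIDI_CONTROLS:
            i += 1  # invisible formatting character
        else:
            shown.append(ch)
            i += 1
    return "".join(shown)


def extension(name):
    """Lower-cased text after the last dot, with formatting characters removed."""
    if "." not in name:
        return ""
    ext = name.rsplit(".", 1)[1]
    return "".join(c for c in ext if c not in BIDI_CONTROLS).lower()


def analyse_filename(name):
    """Return a triage record for one filename."""
    controls = [(i, unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real_ext = extension(name)
    shown = rendered_name(name)
    shown_ext = extension(shown)
    return {
        "name": name,
        "displayed_as": shown,
        "bidi_controls": controls,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        # Flag only when all three hold: a bidi control is present, the file is
        # actually executable, and the extension the user sees is a different one.
        "disguised_executable": bool(controls)
        and real_ext in EXECUTABLE_EXTENSIONS
        and shown_ext != real_ext,
    }


def find_disguised(names):
    """Records for every filename that hides an executable extension."""
    return [r for r in map(analyse_filename, names) if r["disguised_executable"]]


# Constructed sample filenames for the demonstration (not from the original post).
SAMPLE_NAMES = [
    "holiday_video\u202e4pm.exe",   # displayed as holiday_videoexe.mp4, runs as .exe
    "notes\u202etxt.scr",           # displayed as notesrcs.txt, runs as .scr
    "readme.txt",                   # harmless
    "\u05d3\u05d5\u05d7.pdf",       # genuine Hebrew filename, no control characters
    "report\u200e.docx",            # a mark is present, but the extension is not executable
]

if __name__ == "__main__":
    for rec in map(analyse_filename, SAMPLE_NAMES):
        flag = "DISGUISED" if rec["disguised_executable"] else "ok"
        print(f"{flag:10} shown={rec['displayed_as']!r:32} real_ext={rec['real_extension']!r}")
```

The check deliberately does not alert on every bidi character: legitimate right-to-left filenames contain none of the override characters, and a stray mark in a document name is noise. What matters is the mismatch between the extension a user sees and the one the loader honours, which is exactly the gap the disguise exploits.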
But this is just the start of the detective work. Analysis of this exploit shows that the hackers do not directly take over the infected computers. Instead, they run a “pay per installation” network that provides outsourced infection and malware distribution services for other cybergangs – apparently based in Russia and Ukraine – after giving each infected computer its own identification number. And this gang can change the final payload at will thanks to its downloader: a rootkit today, something else tomorrow.
We’ve titled this malware W32:Fivfrom. It’s a malware downloader that, after activation, connects to several distribution centers to download and install malware on the infected computer. We analyzed over fifty separate files, all of which initially looked quite different. But when we looked inside, we found similar patterns. All files were packed with UPX, and underneath was a polymorphic loader that generated the final exe file. This means the malware carried two layers of protection: UPX as the first layer and the polymorphic loader as the second.