New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT

June 29, 2012  |  Jaime Blasco

A couple of hours ago, Kaspersky reported a new variant of the MaControl backdoor targeting Uyghur users.

It seems to be a newer version of the MacControl RAT we found some months ago being dropped using Java and Office for Mac exploits.

The attackers send the victims an email carrying a zip file that contains the backdoor and an image. We have spotted similar emails carrying a RAT that connects to the same IP address as the Kaspersky variant, but this one targets Windows users. The email reads as follows:

And the image inside the zip file:

Attached within the zip there is a WinRAR self-extracting (SFX) file:

The WinRAR SFX file extracts the following binary:

The binary copies itself to Documents and Settings\USER\Local Settings\Temp\kbdmgr.exe

The WinRAR SFX stub is then deleted from the system:

C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0.exe

The file kbdmgr.exe also drops the following DLL:

Documents and Settings\USER\Local Settings\Temp\kbdmgr.dll

A mutex is created on the system so the malware can recognise an existing infection:

\BaseNamedObjects\WuSh B- Is Running!

Finally the DLL is loaded and injected into explorer.exe.

Once injected, the backdoor establishes communication with the C&C server:

The code executed belongs to a version of the infamous Gh0st RAT.
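The post does not show this sample's traffic, but Gh0st's C&C framing is well documented: a 5-byte tag (originally "Gh0st"), a little-endian total packet length, the uncompressed body length, then a zlib-compressed body. As an added example (not AlienVault's code), the following builds and parses such packets and includes a tag-agnostic heuristic, since variants routinely replace the 5-byte tag. Whether the kbdmgr.exe variant keeps this framing unchanged is an assumption.

```python
"""Frame and parse Gh0st RAT-style C&C packets. Added example; the framing is the
publicly documented Gh0st 3.6 format (5-byte tag, total length, uncompressed
length, zlib body). Whether the kbdmgr.exe variant keeps it unchanged is an
assumption, and many variants swap the tag."""
import struct
import zlib

HEADER_FMT = "<5sII"                     # tag, total packet length, uncompressed body length
HEADER_LEN = struct.calcsize(HEADER_FMT) # 13 bytes


def build_packet(body, tag=b"Gh0st"):
    """Compress body and prepend the Gh0st header."""
    if len(tag) != 5:
        raise ValueError("tag must be 5 bytes")
    comp = zlib.compress(body)
    return struct.pack(HEADER_FMT, tag, HEADER_LEN + len(comp), len(body)) + comp


def parse_packet(data, expected_tag=None):
    """Return (tag, body) or None if data is not a well-formed packet.
    Both declared lengths are checked against what is actually present and
    what actually inflates, so truncated frames and oversized bodies are
    rejected instead of trusted."""
    if len(data) < HEADER_LEN:
        return None
    tag, total, orig_len = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if expected_tag is not None and tag != expected_tag:
        return None
    if total != len(data):
        return None
    try:
        d = zlib.decompressobj()
        body = d.decompress(data[HEADER_LEN:], orig_len + 1)   # cap inflation
    except zlib.error:
        return None
    if len(body) != orig_len or d.unconsumed_tail:
        return None
    return tag, body


def looks_like_gh0st(data):
    """Tag-agnostic heuristic for the first bytes of a flow: a printable 5-byte
    tag, a total length that matches the data, a sane body length, and a zlib
    stream (CMF byte 0x78) that inflates to exactly the declared size."""
    if len(data) < HEADER_LEN + 2:
        return False
    tag, total, orig_len = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if not all(32 <= b < 127 for b in tag):
        return False
    if total != len(data) or orig_len > 64 * 1024 * 1024:
        return False
    if data[HEADER_LEN] != 0x78:
        return False
    return parse_packet(data) is not None


if __name__ == "__main__":
    pkt = build_packet(b"\x01\x02hello world")
    print(pkt[:HEADER_LEN].hex(), parse_packet(pkt))
    print(looks_like_gh0st(pkt), looks_like_gh0st(b"GET / HTTP/1.1\r\n"))
```

For network detection, key on the structural checks in looks_like_gh0st rather than on the literal "Gh0st" string: the length fields and the zlib stream survive a tag change, the tag does not.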
