A couple of hours ago, Kaspersky reported a new variant of the MaControl backdoor targeting Uyghur users.
It seems to be a newer version of the MacControl RAT we found some months ago being dropped using Java and Office for Mac exploits.
The attackers send mails to the victims with a zip file that contains the backdoor and an image. We have spotted similar mails that contains a a RAT that connects to the same IP address as the Kaspersky variant but it affects Windows users. The mail has the following content:
And the image on the zip file:
Attached within the zip there is a Winrar file:
The Winrar file extracts the following binary:
The binary copies itself on Documents and SettingsUSERLocal SettingsTempkbdmgr.exe
And then the Winrar file is deleted from the system:
C:WINDOWSsystem32cmd.exe /c del C:DOCUME~1ADMINI~1LOCALS~1TempRarSFX0.exe
The file kkbdmgr.exe also drops the following dll:
Documents and SettingsUSERLocal SettingsTempkbdmgr.dll
A mutex is created on the system to identify the infection:
BaseNamedObjectsWuSh B- Is Running!
Finally the dll is loaded and injected into explorer.exe
Once injected, the backdoor establish the communication with the C&C server:
The code executed belongs to a version of the infamous Gh0st RAT