Threat Spotlight: Opening Hacker’s Door

Introduction

During a recent compromise assessment, Cylance incident responders and threat researchers uncovered a surreptitious and sophisticated remote access trojan (RAT) that had been planted and operated by the suspected threat actor. Upon further inspection, the RAT appeared to share many similarities with an old Chinese backdoor known as “Hacker’s Door”, first released publicly in 2004 and updated in 2005.

Hacker’s Door is now sold privately by its original author (yyt_hac), with updates that support newer operating systems and architectures. The analyzed samples were most likely built with this private version, since they are designed to run on modern 64-bit systems, although they could also have been built from sold, leaked or stolen source code.

Impact

The RAT comprises a backdoor and a rootkit component and, once active, supports a typical set of remote commands, including:

  • Gathering system information
  • Grabbing screenshots and files
  • Downloading additional files
  • Running other processes and commands
  • Listing and killing processes
  • Opening Telnet and RDP servers
  • Extracting Windows credentials from the current session

The sample of “Hacker’s Door” analyzed by Cylance was signed with a stolen certificate, known to be used by the Winnti APT group. Its discovery within an environment is a clear indication of a broader compromise.

Technical Analysis

Components

The malware consists of a dropper that carries an embedded DLL in its resource section. The DLL is the main backdoor payload; it in turn drops an additional rootkit driver that is used for covert communications.

All dropped files are time-stomped: their MAC (modified, accessed, created) timestamps are copied from %WINDIR%\hh.exe, so that the new files blend in with legitimate system files.

Dropper

The dropper extracts the backdoor DLL from a resource named BIN/100 and writes it to %windir%\system32\pifngr.dll. Next it copies itself to %windir%\system32\pifmgr.exe and creates a service that will run it on each boot. When run with the “/o” parameter, the malware (Read more...)
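The time-stomping described above (every dropped file carries the exact MAC triple of %WINDIR%\hh.exe) is also the thing that gives the implant away: three independent timestamps agreeing to the nanosecond with an unrelated system file does not happen by accident. The following hunt script is an added example written for this article, not Cylance's tooling; it works on a {path: (mtime_ns, atime_ns, ctime_ns)} listing so it can be fed from a live filesystem or from a saved inventory, and the inventory embedded below is constructed for illustration. The artifact names pifngr.dll and pifmgr.exe are the ones the post gives; everything else (timestamp values, the explorer.exe and kernel32.dll entries) is made up for the example.

```python
"""Hunt for time-stomped files, i.e. files whose whole MAC timestamp triple
was copied from a reference file such as %WINDIR%\\hh.exe.

Added example, not code from the original post. Operates on a
{path: (mtime_ns, atime_ns, ctime_ns)} listing that can come from
load_listing() on a live host or from any saved inventory.
"""
import ntpath
import os
import sys
from collections import defaultdict

# File names the post associates with this sample. Assumption: no legitimate
# file on the examined host carries these names.
KNOWN_ARTIFACTS = {"pifngr.dll", "pifmgr.exe"}


def load_listing(root):
    """Walk `root` and return {path: (mtime_ns, atime_ns, ctime_ns)}.

    On Windows the third field is the creation time (what a stomper copies).
    On POSIX it is the inode change time, which SetFileTime-style stomping
    cannot set, so an exact three-way match there is even more telling.
    """
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable, or vanished between walk and stat
            birth = getattr(st, "st_birthtime_ns", None)
            listing[path] = (st.st_mtime_ns, st.st_atime_ns,
                             birth if birth is not None else st.st_ctime_ns)
    return listing


def find_stomped(listing, reference):
    """Paths (other than `reference`) whose MAC triple equals the reference's.

    A file that shares only one or two of the three values is not returned:
    coincidental mtime matches from installer batches are common, a full
    triple match with hh.exe is not.
    """
    ref = listing[reference]
    return sorted(p for p, mac in listing.items() if p != reference and mac == ref)


def timestamp_clusters(listing, min_size=2):
    """Group files that share an identical MAC triple, reference unknown.

    Useful when you do not yet know which file the actor copied from: the
    dropped DLL, EXE and driver all end up in one cluster together with the
    donor file. Large clusters are usually servicing batches; triage the small
    ones and clusters that mix directories (a %WINDIR% file with System32 files).
    """
    groups = defaultdict(list)
    for path, mac in listing.items():
        groups[mac].append(path)
    return {mac: sorted(paths) for mac, paths in groups.items()
            if len(paths) >= min_size}


def known_artifacts(listing):
    """Paths whose file name matches one the post attributes to this sample."""
    return sorted(p for p in listing
                  if ntpath.basename(p).lower() in KNOWN_ARTIFACTS)


# Constructed inventory standing in for a real walk of %WINDIR%. The
# nanosecond epochs are arbitrary values chosen for the example.
HH_EXE = r"C:\Windows\hh.exe"
STOMPED_TRIPLE = (1_436_000_000_000_000_000,   # mtime
                  1_436_000_100_000_000_000,   # atime
                  1_436_000_000_000_000_000)   # ctime / creation
SAMPLE_LISTING = {
    HH_EXE: STOMPED_TRIPLE,
    # Same mtime and ctime as hh.exe but a live atime: a partial match,
    # which find_stomped deliberately ignores.
    r"C:\Windows\explorer.exe": (STOMPED_TRIPLE[0], 1_500_000_000_123_000_000,
                                 STOMPED_TRIPLE[2]),
    r"C:\Windows\System32\kernel32.dll": (1_490_000_000_000_000_000,
                                          1_500_000_000_000_000_000,
                                          1_490_000_000_000_000_000),
    r"C:\Windows\System32\pifngr.dll": STOMPED_TRIPLE,
    r"C:\Windows\System32\pifmgr.exe": STOMPED_TRIPLE,
}


if __name__ == "__main__":
    # Usage: python hunt.py [ROOT REFERENCE]; with no arguments the
    # constructed inventory is used so the script runs offline.
    if len(sys.argv) == 3:
        listing, reference = load_listing(sys.argv[1]), sys.argv[2]
    else:
        listing, reference = SAMPLE_LISTING, HH_EXE
    print("exact MAC match with", reference, "->", find_stomped(listing, reference))
    print("known artifact names ->", known_artifacts(listing))
    for mac, paths in timestamp_clusters(listing).items():
        print("cluster", mac, "->", paths)
```

Two caveats when running this on a real image. os.stat (and SetFileTime, which the stomper most likely used) only sees the $STANDARD_INFORMATION timestamps; NTFS also keeps a second set in the $FILE_NAME attribute that the user-mode API does not update, and comparing the two sets from a parsed $MFT is the stronger test, but it needs a forensic parser rather than a directory walk. Second, Python's st_ctime on Windows is the creation time only through the fallback above; on 3.12 and later st_birthtime_ns is used directly, which is why the code prefers it.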

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog