The state command sets a global variable containing a series of Boolean values represented as ASCII values ‘0’ or ‘1’ and also adds itself to the configuration file.
These commands are also executed when the loadconfig command is issued.
This file can be likened to a startup script for the backdoor.
Other than the state command, all commands in the configuration file are identified by their hash’s decimal value instead of their plain text name.
Certain commands, when executed, add themselves to the configuration so they will persist across (or be part of) reboots.
Most of these data-stealing capabilities were present in the oldest CARBANAK variants that we have seen, and some were added over time.
The backdoor may optionally start one or more threads that perform continuous monitoring for various purposes, as described in Table 1. A message starts with a host ID composed by concatenating a hash value generated from the computer’s hostname and MAC address to a string likely used as a campaign code. Once the message has been formatted, it is sandwiched between an additional two fields of randomly generated strings of upper- and lower-case alphabet characters.

This article reveals details about the initial distribution vector that was used during the Disk Coder. The Cyberpolice Department of Ukraine’s National Police stated, on its Facebook account, as did ESET and other information security companies, that the legitimate Ukrainian accounting software M. The PE compilation stamps of analyzed files suggest that these files were compiled on the same date as the update or the day before.

The malicious code writes the information collected into the Windows registry under the value names. The only difference from a legitimate request is that the backdoored code sends the collected information in cookies. And, of course, the attackers added the ability to control the infected machine. The result is an XML file that could contain several commands at once. method is called periodically in order to check whether a new update is available.

M.E.Doc is accounting software commonly used in Ukraine, the EDRPOU values could be expected to be found in application data on machines using this software. So if these values exist on a computer, it is highly likely that the backdoored module did, in fact, run on that computer. We recommend changing passwords for proxies, and for email accounts for all users of M.

The backdoored module does not use any external servers as C&Cs: it uses the M.E.Doc software’s regular update check requests to the official M. This remote control feature makes the backdoor a fully-featured cyberespionage and cybersabotage platform at the same time. The M.E.Doc installation is about 1.5GB, and we have no way at this time to verify that there are no other injected backdoors.

Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution.