This month we added three new families to the Microsoft Malicious Software Removal Tool (MSRT) to help protect our customers: Win32/Escad, Win32/Jinupd and Win32/NukeSped.
While this blog focuses on Escad and NukeSped, we want to note that Jinupd is point-of-sale malware that steals sensitive data, such as credit card information and sends it to a malicious hacker.
The Escad and NukeSped malware families have backdoor capabilities that have been used as part of targeted attacks.
It is clear from the binaries that we've analyzed that Escad has varying functionalities. It can perform a number of routines on a compromised machine that can be used to gather sensitive files and information, including:
- Acting as a proxy server.
- Copying files and sending them to a remote IP address.
- Downloading files remotely into the infected system.
- Enumerating files in any folder.
- Gathering machine information, such as PC name, TCP connections and network adapter information.
- Modifying firewall settings.
- Modifying IP settings.
All of these routines are components of an information-stealing payload that leaves the infected system open to other remote attacks – including the downloading and running of other malware.
It drops files to install itself as a service in order to run at system startup. We’ve seen it drop and use the following files for this purpose:
- ansi.nls
- dayipmr.tbl
- netmonsvc.dll
- pmsconfig.msi
- pmslog.msi
- rdmgr.dll
- remoteevtmanager.dll
- tmscompg.msi
Accordingly, the presence of any of these files could indicate an Escad infection.
Figures 1 and 2 show the prevalence and distribution of Escad malware in recent months.
Figure 1: Escad detections since December
Figure 2: Location of machine infected with Escad
We have recently seen NukeSped variants installed during targeted attacks against machines compromised by Escad. NukeSped can arrive on the system with one of the following file names:
- comon32.exe
- diskpartmg16.exe
- dpnsvr16.exe
- expandmn32.exe
- hwrcompsvc64.exe
- mobsynclm64.exe
- rdpshellex32.exe
- recdiscm32.exe
- taskchg16.exe
- taskhosts64.exe
The dropper that we detect as Trojan:Win32/NukeSped.A!dha installs itself as a service named WinsSchMgmt. It also drops a text file that contains a list of potentially compromised IP addresses. Part of NukeSped’s functionality is to connect to a malicious hacker from an infected machine with the ability to do any of the following:
- Check for an Internet connection.
- Download and run files (including updates or other malware).
- Enable/disable full access to these folders in compromised machine:
- Systemroot (root directory)
- Syswow64
- System32
- Report a new infection to its author.
- Receive configuration data.
- Receive instructions from a malicious hacker.
- Search for your PC location.
- Upload information taken from your PC.
It also drops other files such as igfxtrayex.exe, which we detect as Trojan:Win32/NukeSped.B!dha. This variant is also registered as a service named brmgmtsvc. It drops copies of this file in the current directory with the file name taskhostxx.exe - where xx can be any letter. It checks the architecture of the infected system and can drop either a 32-bit or 64-bit third-party driver to %Temp%\usbdrv3.sys. This legitimate file is used by the malware for modifying sectors of the master boot record that prevents the machine from booting.
It also disables the following services in the infected system:
- MSExchangeIS
- MSDEPSVC
- SSIS
- SSRS
- Termservice
- W3SVC
- WMServer
Trojan:Win32/NukeSped.B!dha also drops the file iissvr.exe in the default windows directory. We detect this file as Trojan:Win32/NukeSped.C!dha. This variant has an embedded image/sound file that is launched as an HTML page with a message that scrolls to notify the user that files on the system have been compromised by a group of hackers.
Figure 3: Page launched by Trojan:Win32/NukeSped.C!dha
Microsoft security products, such as Microsoft Security Essentials, include detection for Escad, Jinupd and NukeSped. To help stay protected you should keep your security software up-to date and regularly run a full scan of your PC.
Joining the Microsoft Active Protection Service Community (MAPS) can also help your Microsoft security product take full advantage of Microsoft's cloud protection service.
You should also make sure you back up your files regularly to help prevent data loss that could result from a malware infection.
Marianne Mallen
MMPC