A strain of malware called Backdoor.LV that uses a custom protocol over port 80 to communicate with its command and control server has been consistently increasing its reach since May, according to a report from FireEye.
The security firm observed Backdoor.LV determining its host’s NetBIOS name, user, date, locale, and Windows OS name and relaying that information to its command and control server via a customized protocol on port 80. It also identifies itself, letting the C&C server know which particular version of Backdoor.LV it is.
FireEye researchers captured a TCP stream between Backdoor.LV and its C&C and used it to determine what the malware was up to. In addition, FireEye highlighted three other fields, two coded in base64 and the third a string called ‘no.’
FireEye decoded the first base64 parameter and uncovered a string in Arabic that translates to ‘mining the personal,’ the second base64 parameter seems to be communicating the foreground window on an infected machine to its C&C.
The third field, which they are calling the ‘no’-string, plays an intriguing role in Backdoor.LV. According to FireEye, the malware checks if the compromised machine has a camera attached to it, if it does, it sends a ‘Yes’ if it doesn’t, it sends this ‘no.’
Furthermore, FireEye claims that, upon execution, Backdoor.LV opens a dialogue box that asks users to run an executable, conspicuously named, ‘trojan.exe.’ The researchers seem to believe that the obviously malicious executable is being targeted at non-native English speakers, to whom, ‘trojan.exe’ might not be so obviously malicious.
Backdoor.LV is distributing itself with malicious executables hidden on a number of websites with IP addresses emanating primarily from countries in North Africa, the Arabian Peninsula, and the Middle East. Saudi Arabia and Algeria play host to the largest number of Backdoor.LV’s domains, accounting for 18 percent each. Morocco, Egypt, Tunisia, Iraq, Jordan, the Netherlands, Palestine, the U.S., Syria, and Kuwait are also hosting a significant number of these domains, as are various other Asian and Middle Eastern nations.
