Monday, July 6, 23:09 p.m.
Home security Hackers have been using backdoor since 2017 to hide malware

Hackers have been using backdoor since 2017 to hide malware

A cyber-espionage team, operating since at least 2012, used a legitimate tool to protect the backdoor from analytics efforts to avoid detection. In their attempt, the hackers also used a fake header.

The backdoor is referred to by the names Spark and EnigmaSpark and was developed in a recent phishing campaign that appears to be the work of the low budget Gaza Cybergang MoleRATs. He is in charge of the SneakyPastes feature, which is detailed by Kaspersky, which is based on malware hosted on free sharing services such as GitHub and Pastebin.

There is strong evidence that the team has been using this backdoor since March 2017, deploying dozens of variants that contacted at least 15 command and control domains.

Multiple cyber security researchers monitored this threat organization's campaigns and analyzed the malicious programs, tactics and infrastructure used in the attacks.

Prevention tactics

The perpetrator attempted to hide the compromise using Enigma Protector software - a legitimate tool to "protect executable files from illegal copying, hacking, modification and analysis ”.

Based on the stated objectives and the subject of the bait documents, this looks like a political attack directed at Arab speakers who are interested in the possible acceptance of the Palestinian peace plan.

The infection chain that led to the installation of the backdoor EnigmaSpark began with the delivery of a malicious Microsoft Word document. The file is written in Arabic and urges the recipient to allow editing to view it. content.

The researchers found that the document obtained from a Google Drive link a malicious Word embedded with a macro to deliver the final payload "runawy.exe".

To protect the feature, hackers added some protection capabilities, such as password protection macros and application of a base64 encoding system in the backdoor, which was also stored in Google Drive.

In addition, the binary malware program was "packed" with Enigma Protector which adds some resistance to hacking and cracking efforts.

Another precaution for hackers is the use of a fake header in the HTTP POST request that provides information about the victim on the command and control (C2) server, which was nysura. [Com. 'However, the header indicates' cnet] [com' as a destination.

Common denominator

An X-Force investigation (IRIS) revealed that the attacker used this technique with other binary files. After unpacking 'runawy.exe', they noticed that file The result was the same as 'blaster.exe', a binary file delivered by an executable by Themida, another legitimate tool that adds protection to inspect or modify an edited application.

Multiple files were discovered because they had the unique string "S4.4P" and the signature "tg1678A4" cryptographic certificate: Wordeditor.exe, Blaster.exe (the unpacked version of runawy.exe and soundcloud.exe), HelpPane.exe , and taskmanager.exe.

In the case of Blaster, the same trick was used with the fake host header, as in the case of 'runawy', but the actual destination server was different ('webtutorialz [.] Com').

Previous research

The binary file "runawy.exe", its C2 server and unique string have been previously documented by researchers at other security companies in cyberspace.

Cybereason's Nocturnus team, on February 12, released a technical analysis of the Backdoor backdoor, which describes the malware's capabilities:

  • Collect information about the host victim
  • Encrypt the data collected and send it to the intruders via the HTTP protocol
  • Download other payloads
  • Entering keys Record audio using the system's built-in microphone
  • Execute commands on the infected machine

At the beginning of the month, Palo Alto Networks detailed the same payload surrounded by Enigma delivered with the help of a Word document on October 31 and November 2, 2019.

The backdoor backdoor was originally documented by researchers at Beijing-based Qi An Xin Cyber ​​Security, with the English version of the research published on February 14, 2019.

Researchers from all of these companies attribute the backdoor Spark to the MoleRATs team, known for its use of malware available in a hacker forum. However, they also develop custom tools, such as Spark.


Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehc
Be the limited edition.


Windows 10 2004: Unauthorized settings "block" the upgrade

Users report that they have a problem with Windows 10, since they are excluded from the application of the May 2020 update, when they manually attempt to ...

Lenovo is improving Linux ThinkPads but the problems remain

Last month, when Lenovo announced that it was going to certify the ThinkPad series for use with Linux operating systems, we thought directly ...

Nigerian accused of fraud against US companies

A Nigerian was taken to the federal court in Chicago on Friday, after being accused of coordinating an international cyber fraud system, which affected ...

Home routers display critical errors and run unpatched Linux

The German Fraunhofer Communication Institute (FKIE) conducted a survey that included 127 home routers from seven different brands, in an effort to ...

IPhone 12 release: Will we finally see it by the end of 2021?

New data on the release of the iPhone 12, which we all expect not to happen in September, say that it will only be delayed ...

MySQL: Replaces terms that reinforce racial discrimination

MySQL database developers have announced that they will be replacing terminology such as master, slave, blacklist, and whitelist.

The CEO of a cryptocurrency investment company was cheating

As reported by News24, Willie Breedt, the founder of VaultAge Solutions (cryptocurrency investment company), declared bankruptcy last week and the ...

United Kingdom: Will it exclude Huawei from its 5G networks?

The UK government has received an NCSC report on Huawei, which may change its policy ...

A Yahoo engineer is not in jail after hacking 6.000 accounts

A former Yahoo engineer has been sentenced to five years in prison for hacking into personal accounts ...

PoC exploits released for critical vulnerability on F5 BIG-IP devices

PoC exploits released for critical vulnerability on F5 BIG-IP devices Two days after the release of updates on critical vulnerability on F5 ...