AlienVault R&D Labs Portal. Get the latest news from our research.

New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT

June 29th, 2012 | Posted by jaime.blasco in APT | Attacks | Blog | Malware

A couple of hours ago, Kaspersky reported a new variant of the MaControl backdoor targeting Uyghur users.

It appears to be a newer version of the MacControl RAT we found some months ago being dropped through Java and Office for Mac exploits.

The attackers send the victims mails carrying a zip file that contains the backdoor and an image. We have spotted similar mails carrying a RAT that connects to the same IP address as the Kaspersky variant, but this one targets Windows users. The mail has the following content:

[screenshot of the mail; image not reproduced]

And this is the image shipped in the zip file:

[image from the zip; not reproduced]

Also inside the zip is a WinRAR self-extracting (SFX) archive:

https://www.virustotal.com/file/1f516b10a749c7e1625469d8905393e298f7504be6b56534b195f72640a7638a/analysis/1340973673/

The SFX archive extracts the following binary (as 1.exe in a RarSFX temporary directory) and runs it:

https://www.virustotal.com/file/1e0ae243e5bb091be07a10ebb246f355e50d6627b64ea0ee4845c588ac97bffb/analysis/1340974896/

The binary copies itself to \Documents and Settings\USER\Local Settings\Temp\kbdmgr.exe

and then removes the original copy it was extracted as (1.exe in the SFX temporary directory) by running:

C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\1.exe

kbdmgr.exe then drops the following DLL:

\Documents and Settings\USER\Local Settings\Temp\kbdmgr.dll

https://www.virustotal.com/file/e6012b7c340841b4725ab3c619e3d0b274cc11565526d91b8a639a7ae93bce60/analysis/1340975273/

A mutex is created on the system to identify the infection:

\BaseNamedObjects\WuSh B- Is Running!

Finally the DLL is loaded and injected into explorer.exe.
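The chain above (the cmd.exe cleanup of the RarSFX directory, kbdmgr.exe and kbdmgr.dll dropped under the user's Temp directory, the mutex, and the DLL turning up inside explorer.exe) is easy to turn into a host triage check. The following Python is an added example and not AlienVault's code: it matches the indicators published in this post (the three SHA-256 values from the VirusTotal links, the mutex name and the dropped file names) against a constructed set of endpoint events. The event dictionary format is hypothetical; map your own EDR or sandbox output onto it.

```python
import re

# Indicators taken from the post above (SHA-256 values from the VirusTotal links).
KNOWN_SHA256 = {
    "1f516b10a749c7e1625469d8905393e298f7504be6b56534b195f72640a7638a": "winrar_sfx",
    "1e0ae243e5bb091be07a10ebb246f355e50d6627b64ea0ee4845c588ac97bffb": "dropper_exe",
    "e6012b7c340841b4725ab3c619e3d0b274cc11565526d91b8a639a7ae93bce60": "kbdmgr_dll",
}
MUTEX_NAME = "WuSh B- Is Running!"
DROPPED_NAMES = ("kbdmgr.exe", "kbdmgr.dll")
# "cmd.exe /c del ...\RarSFX<n>\...": a WinRAR SFX temp directory being cleaned up
SFX_CLEANUP = re.compile(r"cmd\.exe\s+/c\s+del\s+\S*\\RarSFX\d+\\", re.IGNORECASE)


def match_indicators(events):
    """Return the set of indicator tags found in an iterable of event dicts.

    The event schema (type/path/sha256/cmdline/name/process/image) is hypothetical.
    """
    tags = set()
    for ev in events:
        kind = ev.get("type")
        if kind == "file_create":
            low = ev.get("path", "").lower()
            name = low.rsplit("\\", 1)[-1]
            if name in DROPPED_NAMES and "\\temp\\" in low:
                tags.add("temp_drop:" + name)
            digest = ev.get("sha256", "").lower()
            if digest in KNOWN_SHA256:
                tags.add("known_hash:" + KNOWN_SHA256[digest])
        elif kind == "process_create":
            if SFX_CLEANUP.search(ev.get("cmdline", "")):
                tags.add("sfx_cleanup")
        elif kind == "mutex_create":
            if ev.get("name", "").endswith(MUTEX_NAME):
                tags.add("mutex")
        elif kind == "image_load":
            if (ev.get("process", "").lower() == "explorer.exe"
                    and ev.get("image", "").lower().endswith("\\temp\\kbdmgr.dll")):
                tags.add("explorer_loads_kbdmgr_dll")
    return tags


def verdict(tags):
    """Hash or mutex hits are definitive; otherwise require two behavioural hits."""
    if any(t.startswith("known_hash:") for t in tags) or "mutex" in tags:
        return "infected"
    behavioural = [t for t in tags if not t.startswith("known_hash:")]
    return "suspicious" if len(behavioural) >= 2 else "clean"


TEMP = r"C:\Documents and Settings\Administrator\Local Settings\Temp"
# Constructed sample events (not real telemetry), modelled on the behaviour described above.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": TEMP + r"\RarSFX0\1.exe",
     "sha256": "1e0ae243e5bb091be07a10ebb246f355e50d6627b64ea0ee4845c588ac97bffb"},
    {"type": "file_create", "path": TEMP + r"\kbdmgr.exe",
     "sha256": "1e0ae243e5bb091be07a10ebb246f355e50d6627b64ea0ee4845c588ac97bffb"},
    {"type": "process_create", "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\1.exe"},
    {"type": "file_create", "path": TEMP + r"\kbdmgr.dll",
     "sha256": "e6012b7c340841b4725ab3c619e3d0b274cc11565526d91b8a639a7ae93bce60"},
    {"type": "mutex_create", "name": r"\BaseNamedObjects\WuSh B- Is Running!"},
    {"type": "image_load", "process": "explorer.exe", "image": TEMP + r"\kbdmgr.dll"},
    # benign noise that must not trigger anything
    {"type": "process_create", "image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "image_load", "process": "explorer.exe", "image": r"C:\WINDOWS\system32\kernel32.dll"},
]

# A clean host, for comparison (also constructed).
BENIGN_EVENTS = [
    {"type": "file_create", "path": TEMP + r"\~tmp1.doc", "sha256": "00" * 32},
    {"type": "process_create", "image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    found = match_indicators(SAMPLE_EVENTS)
    print(sorted(found), verdict(found))
```

Hash and mutex hits are treated as definitive because they are specific to these samples. The behavioural indicators (a cmd.exe /c del of a RarSFX directory, a DLL loaded from Temp into explorer.exe) are weaker on their own, so the rule only escalates when two of them co-occur; that is the tuning that keeps a check like this usable across a fleet.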

 

Once injected, the backdoor establishes communication with the C&C server:

[screenshot of the C&C connection; image not reproduced]

The code executed belongs to a version of the infamous Gh0st RAT:

[screenshot of the Gh0st code; image not reproduced]

This RAT (Remote Access Tool) has turned up in previous incidents and is commonly used in APT campaigns against Tibetans, Uyghurs and other groups in the ASEAN region.
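Gh0st traffic is recognisable on the wire by its framing: a 5-byte tag, a little-endian total length and uncompressed length, and a zlib-compressed body. The post does not show the tag this variant uses, so the default "Gh0st" from the public source is assumed here. The Python below is an added example, not code from the post or from the RAT itself; it frames packets the way the RAT does (to build test traffic), parses them while treating the length fields as untrusted, and walks a constructed TCP stream.

```python
import struct
import zlib

# Framing used by the public Gh0st RAT source: 5-byte tag, total packet length
# (header included) and uncompressed payload length, both little-endian uint32,
# then a zlib-compressed body. The tag of the variant in this post is not shown;
# "Gh0st" is the default and is an assumption here.
MAGIC = b"Gh0st"
HEADER = struct.Struct("<5sII")
MAX_DECOMPRESSED = 1 << 20  # refuse payloads claiming or producing more than 1 MiB


def build_packet(payload: bytes, magic: bytes = MAGIC) -> bytes:
    """Frame a payload as a Gh0st client or server would (used here to build test traffic)."""
    body = zlib.compress(payload)
    return HEADER.pack(magic, HEADER.size + len(body), len(payload)) + body


def parse_packet(data: bytes, magic: bytes = MAGIC):
    """Decode one packet from the front of `data`.

    Returns (payload, rest) on success, or None if the data is not (yet) a complete,
    well-formed packet. Both length fields come from the peer and are not trusted.
    """
    if len(data) < HEADER.size:
        return None
    tag, total, orig = HEADER.unpack_from(data)
    if tag != magic or total < HEADER.size or orig > MAX_DECOMPRESSED:
        return None
    if len(data) < total:
        return None  # truncated: the caller should buffer more bytes
    try:
        # cap the output so a lying `orig` field cannot become a decompression bomb
        payload = zlib.decompressobj().decompress(data[HEADER.size:total], MAX_DECOMPRESSED + 1)
    except zlib.error:
        return None
    if len(payload) != orig:
        return None
    return payload, data[total:]


def extract_payloads(stream: bytes, magic: bytes = MAGIC):
    """Walk a reassembled TCP stream and return every decoded payload in order."""
    payloads = []
    while True:
        parsed = parse_packet(stream, magic)
        if parsed is None:
            break
        payload, stream = parsed
        payloads.append(payload)
    return payloads


# Constructed sample stream (not a real capture): two framed messages followed by
# unrelated bytes. The payload contents are placeholders, not real Gh0st commands.
SAMPLE_STREAM = (
    build_packet(b"\x00constructed-beacon")
    + build_packet(b"\x01constructed-reply")
    + b"GET / HTTP/1.1\r\n"
)

if __name__ == "__main__":
    for p in extract_payloads(SAMPLE_STREAM):
        print(p)
```

When hunting for this family on the network, the parser is run over reassembled streams to a suspect C&C address and a hit means "zlib body whose decompressed size matches the header's claim behind a known tag", which is far more specific than matching on the tag alone; variants that change the tag can be covered by passing a different `magic`.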

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.
