Neutrino Bot Gets Protective Loader

A recently observed variant of the multi-purpose Neutrino Bot is using a protective, obfuscated loader that is an integral part of the full package, Malwarebytes Labs researchers report.

Also known as Kasidet, the Neutrino Bot is different from the Neutrino exploit kit (EK), although it has been distributed by the latter. In January 2017, security researchers detailed a Neutrino Bot campaign where the malicious payload was being distributed via spam emails, and the same variant appears to have got the protective loader.

Not only does the malware feature multiple layers that hide the actual core, but there are also virtual machine detections packed inside it, researchers now explain. The threat was being distributed via a malvertising campaign in the United States leveraging the Neutrino EK. The infection chain includes checks for virtualization, network traffic capture and antivirus software, performed by heavily obfuscated JavaScript code in the pre-landing pages.

After the initial check has been passed, a specially crafted Flash file that contains exploits for Internet Explorer and Flash Player is launched. Finally, an RC4 encoded payload is downloaded and executed via wscript.exe to bypass proxies. The security researchers also observed that the sample deletes itself if it determines it is being deployed in a virtual machine or sandbox.

On the infected machines, the malware adds and modifies registry keys and leverages the Task Scheduler to achieve persistence. It also modifies keys to remain hidden in the system and adds itself into the firewall’s whitelist. Moreover, the path to the malware is added to Windows Defender’s exclusions list.

However, the malicious core isn’t loaded until the full installation process was successful, researchers say. After completing the process, the malware sends a request to the command and control (C&C) server, which responds with commands to be executed. All requests and responses are base64 encoded.

“The loader code shows that it is an integral part of the full Neutrino Bot package – not yet another layer added by an independent crypter. Both, the payload and the loader are written in C++, use similar functions and contain overlapping strings. They both also have very close compilation timestamps: payload: 2017-02-16 17:15:43, loader: 2017-02-16 17:15:52,” Malwarebytes Labs reports.

To ensure it isn’t executed more than once, the loader creates a mutex with a name that is hardcoded in the binary: 1ViUVZZXQxx. While the main purpose of the loader is to prevent the malware from being executed in a controlled environment, it does this differently than other malware: it deploys a thread that runs the checks in a never ending loop.

This means that the malware continuously checks if blacklisted processes are being deployed, and it immediately terminates execution if that happens. The loader enumerates through the list of the running processes, searches blacklisted modules within the current process, checks if the process is under the debugger, uses time measurement to detect single-stepping, checks blacklisted devices to detect virtual machines, and also searches and hides blacklisted windows by their classes.

The operations related to bot installation (such as adding a task to the Windows Scheduler, adding exclusions to the firewall, and more) are performed in a different thread, researchers say. In the end, the loader unpacks the final payload and runs it with the help of the Run PE method, but not before creating another instance of its own.

“Neutrino Bot has been on the market for a few years. It is rich in features but its internal structure was never impressive. This time also, the malware authors did not make any significant improvements to the main bot’s structure. However, they added one more protection layer which is very scrupulous in its task of fingerprinting the environment and not allowing the bot to be discovered,” the researchers conclude.


Leave a Reply