Parite.BKR: A Backdoor Uses an Image File to Avoid Detection
The Dell SonicWALL Threats Research team observed reports of a new malware family, detected as GAV: Parite.BKR, actively spreading in the wild. This time the attacker uses an encrypted JPG image file to avoid detection by anti-virus programs.
![](http://software.sonicwall.com/gav/Parite.BKR_files/image001.png)
Infection Cycle:
The malware uses the following icon:
![](http://software.sonicwall.com/gav/Parite.BKR_files/image002.png)
MD5:
- a168e4773236bf97e9920a3c2e280e4c
The malware adds the following files to the system:
- Malware.exe
- %Userprofile%\Local Settings\Temp\llg3AC.tmp [Detected as GAV: Parite.BKR (Trojan)]
- %Userprofile%\Local Settings\Temporary Internet Files\Content.IE5\YGPZUUH8\4[1].jpg [Encrypted JPG]
- C:\Program Files\AppPatch\4.dll [Encrypted JPG]
- C:\Program Files\Microsoft Gvumyz\Pbvwlsu.exe [Decrypted EXE]
The malware adds the following value to the Windows registry to ensure persistence upon reboot:
- Key and value name: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wsiswy woogmoag
- Value data: C:\Program Files\Microsoft Gvumyz\Pbvwlsu.exe
Once the computer is compromised, the malware copies its own executable file to the Program Files folder.
![](http://software.sonicwall.com/gav/Parite.BKR_files/image003.png)
The file Pbvwlsu.exe is dropped after the malware launches on the target system; the malware then tries to download the encrypted JPG file from its own C&C server at the following domain:
![](http://software.sonicwall.com/gav/Parite.BKR_files/image004.png)
Here is an example of the encrypted JPG file:
![](http://software.sonicwall.com/gav/Parite.BKR_files/image005.png)
The malware injects into Explorer.exe to infect executable files on the local file system and on network shares. Here is an example of the injection:
![](http://software.sonicwall.com/gav/Parite.BKR_files/image006.png)
![](http://software.sonicwall.com/gav/Parite.BKR_files/image007.png)
Once injected into Explorer.exe, the malware opens a backdoor on the target machine on UDP port 30167; here is an example:
![](http://software.sonicwall.com/gav/Parite.BKR_files/image009.png)
Command and Control (C&C) Traffic
Parite.BKR performs C&C communication over port 80. The malware retrieves files from its own C&C server using the following request format; here are some examples:
![](http://software.sonicwall.com/gav/Parite.BKR_files/image010.png)
![](http://software.sonicwall.com/gav/Parite.BKR_files/image011.png)
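As a defender-side triage aid, here is an added Python example (not from the original advisory or from SonicWALL) that checks three of the indicators described above: a Run-key value launching one of the dropped file names, a UDP socket bound to port 30167 in netstat -ano style output, and whether a downloaded ".jpg" actually carries a JPEG header. The registry values, netstat rows and file bytes are constructed samples, not captured from an infected host.

```python
import ntpath

# All sample data below is constructed to mirror the advisory's indicators; none of it comes from a real host.
JPEG_SOI = b"\xff\xd8\xff"          # every genuine JPEG starts with the Start-Of-Image marker
BACKDOOR_UDP_PORT = 30167           # port the advisory says the injected Explorer.exe listens on
KNOWN_BAD_NAMES = {"pbvwlsu.exe", "llg3ac.tmp", "4.dll"}   # dropped-file names from the advisory

SAMPLE_RUN_VALUES = [               # (value name, data) pairs under HKLM\...\CurrentVersion\Run
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Wsiswy woogmoag", r"C:\Program Files\Microsoft Gvumyz\Pbvwlsu.exe"),
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  UDP    0.0.0.0:30167          *:*                                    1588
  UDP    127.0.0.1:1900         *:*                                    2212
"""
SAMPLE_JPG_DOWNLOAD = b"\x8a\x13\x77\xd9\x02\x00" + bytes(58)   # fake "4[1].jpg" body: no JPEG header

def is_real_jpeg(data: bytes) -> bool:
    """True only if the bytes carry a JPEG SOI marker; the 'encrypted JPG' payload fails this check."""
    return data[:3] == JPEG_SOI

def suspicious_run_entries(run_values):
    """Return Run-key entries whose target executable matches a dropped-file name from the advisory."""
    hits = []
    for name, data in run_values:
        target = ntpath.basename(data.strip('"')).lower()   # drop quoting, keep only the file name
        if target in KNOWN_BAD_NAMES:
            hits.append((name, data))
    return hits

def udp_listener_pids(netstat_text: str, port: int):
    """Return PIDs of UDP sockets bound to `port` in netstat -ano output (UDP rows have no State column)."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "UDP" and parts[1].endswith(f":{port}"):
            pids.append(int(parts[3]))
    return pids

def triage(run_values, netstat_text, downloaded_jpg):
    """Combine the three checks into one findings dict a responder can act on."""
    return {
        "persistence": suspicious_run_entries(run_values),
        "backdoor_pids": udp_listener_pids(netstat_text, BACKDOOR_UDP_PORT),
        "fake_jpeg": not is_real_jpeg(downloaded_jpg),
    }
```

On a live host the same functions can be fed real `netstat -ano` output, the Run key enumerated from the registry, and the bytes of any cached .jpg in Temporary Internet Files.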
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
![](http://software.sonicwall.com/gav/Parite.BKR_files/image012.png)
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Parite.BKR (Trojan)