A new strain of malware called Backdoor.LV uses a custom protocol over port 80 to communicate with its command and control (C&C) server and has been growing in prevalence since May.
Backdoor.LV was first observed determining its host’s NetBIOS name, user, date, locale, and Windows OS name and relaying that information to its command and control server via a customized protocol on port 80, said researchers at FireEye. It also identifies itself, letting the C&C server know which version of Backdoor.LV it is.
FireEye researchers captured a TCP stream between Backdoor.LV and its C&C and used it to determine what the malware was up to. In addition, FireEye highlighted three other fields: two encoded in base64 and a third that is the string “no.”
FireEye decoded the first base64 parameter and uncovered a string in Arabic that translates to ‘mining the personal.’ The second base64 parameter appears to report the foreground window on the infected machine to the C&C.
The third field, which the researchers are calling the “no” string, plays an intriguing role in Backdoor.LV. FireEye researchers said the malware checks whether the compromised machine has a camera attached; if it does, it sends “Yes,” and if it doesn’t, it sends this “no.”
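To show how a defender might triage port-80 traffic for the beacon shape FireEye describes (plaintext host details, two base64 fields, a literal “Yes”/“no” camera marker), here is an added example that is not code from the article or from FireEye. The `|` delimiter, the field order, and the sample values are assumptions constructed for the example; the real wire format is not reproduced in the article.

```python
import base64
import binascii

# Constructed sample beacon laid out the way the write-up describes the fields
# (NetBIOS name, user, date, locale, OS name, malware version, two base64 fields,
# camera flag). The "|" delimiter and the field order are assumptions for this
# example, not the actual Backdoor.LV wire format.
SAMPLE_BEACON = b"|".join([
    b"WORKSTATION-7", b"jdoe", b"2012-06-01", b"en-US", b"Windows XP", b"v1.2",
    base64.b64encode(b"campaign-tag"),          # stand-in for the Arabic string
    base64.b64encode(b"Untitled - Notepad"),    # foreground window title
    b"no",                                      # no camera attached
])

HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ", b"HTTP/")


def looks_like_http(payload: bytes) -> bool:
    """Port-80 traffic that does not start like an HTTP message is worth a look."""
    return payload.startswith(HTTP_STARTS)


def decode_if_base64(field: bytes):
    """Return decoded text if the field is well-formed base64 of printable ASCII."""
    if len(field) < 8 or len(field) % 4:
        return None
    try:
        raw = base64.b64decode(field, validate=True)
    except binascii.Error:
        return None
    if not raw.isascii() or not raw.decode("ascii").isprintable():
        return None
    return raw.decode("ascii")


def triage_port80_payload(payload: bytes, delimiter: bytes = b"|") -> dict:
    """Classify one captured port-80 payload as http, suspicious, or unknown."""
    if looks_like_http(payload):
        return {"verdict": "http", "decoded": {}, "camera_flag": None}
    fields = payload.split(delimiter)
    decoded = {i: t for i, f in enumerate(fields) if (t := decode_if_base64(f))}
    # The camera indicator is the literal "Yes"/"no" the malware appends.
    camera = fields[-1].decode("ascii", "replace")
    camera_flag = camera if camera in ("Yes", "no") else None
    # Two base64 fields plus the camera marker match the described beacon shape.
    verdict = "suspicious" if len(decoded) >= 2 and camera_flag else "unknown"
    return {"verdict": verdict, "decoded": decoded, "camera_flag": camera_flag}
```

The decoded fields are returned so an analyst can see the window title and campaign string directly rather than only a verdict.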
FireEye also said that upon execution, Backdoor.LV opens a dialog box that asks users to run an executable named “trojan.exe.” The researchers said the malicious executable seems targeted at non-native English speakers, to whom “trojan.exe” might not be so obviously malicious.
Backdoor.LV is being distributed as malicious executables hidden on a number of websites whose IP addresses are located primarily in North Africa, the Arabian Peninsula, and the Middle East. Saudi Arabia and Algeria host the largest number of Backdoor.LV’s domains, accounting for 18 percent each. Morocco, Egypt, Tunisia, Iraq, Jordan, the Netherlands, Palestine, the U.S., Syria, and Kuwait also host a significant number of these domains, as do various other Asian and Middle Eastern nations.