Friday, March 29, 2024

Chinese PUPs distributing Backdoored Drivers which affect Windows operating system

PUP(potentially unwanted program) packages that install’s along with Chinese software’s consist of backdoors targeting English speakers. The backdoor was uncovered by Malware bytes research team by analyzing a China-developed WiFi hotspot application.

Distribution of Backdoor

These backdoors are being dropped by one of the major PUP bundler networks and then the bundler runs the installation hidden with argument /silent.

Installer SHA-256 Hash : B89017C2627CA80C68292453440CFCAE07A12798422737915F80F0720879C3D4

Installer will drop a set of 7zip files, in the middle of those files there are two driver files with same functionality one for 32-bit windows and other for 64-bit Windows.

SHA-256 for Windows 32bit:E6427DF5D439EE854485C1C1BC8747487B5F0848D5EBA98838BD8F377F9E8DBESHA-256 for Windows 64bit: E5BC7CC800866C749FC588F5FC2F31D8B3202DD9EE3F40D450528AC08B08F311

Malicious backdoor Targets

According to Malware bytes at the entry point, drivers will check for the operating system types, if that dosen’t fall in it’s compatibility list then the driver will not load.

Targetted Windows Versions

Windows 2000
Windows XP
Windows XP x64
Windows Vista /
Windows 7
Windows 8
Windows 8.1
Windows 10 v1507, v1511, v1607
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016

This driver will not load if your windows version v1607.

Application packed with backdoor

Clearly, some Chinese developer really didn’t want their backdoor to be discovered, said by Zammis Clark.

Searching on VirusTotal enabled me to find several Chinese applications with similar drivers including the very same backdoor Zammis Clark.

A Chinese Android rooting toolkit
A Chinese WiFi hotspot application
A Chinese USB drive helper utility
A Chinese calendar application (latest version doesn’t include the backdoored driver)
A Chinese driver updater (the English version of this app doesn’t include the backdoored driver)
Chinese PUPs distributing Backdoored Drivers which affect Windows operating system
Malware Bytes

The latest version of the mentioned Chinese calendar application no longer has the driver.

Proof of concept

POC for this HelpDetectWz functionality to load an unsigned driver is available. It includes binaries for both X86 and X64 systems which will bug check the system when loaded.

Chinese PUPs distributing Backdoored Drivers which affect Windows operating system

Also Read:

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles