Categories: Malware

Chinese PUPs distributing Backdoored Drivers which affect Windows operating system

PUP(potentially unwanted program) packages that install’s along with Chinese software’s consist of backdoors targeting English speakers. The backdoor was uncovered by Malware bytes research team by analyzing a China-developed WiFi hotspot application.

Distribution of Backdoor

These backdoors are being dropped by one of the major PUP bundler networks and then the bundler runs the installation hidden with argument /silent.

Installer SHA-256 Hash : B89017C2627CA80C68292453440CFCAE07A12798422737915F80F0720879C3D4

Installer will drop a set of 7zip files, in the middle of those files there are two driver files with same functionality one for 32-bit windows and other for 64-bit Windows.

SHA-256 for Windows 32bit:E6427DF5D439EE854485C1C1BC8747487B5F0848D5EBA98838BD8F377F9E8DBE SHA-256 for Windows 64bit: E5BC7CC800866C749FC588F5FC2F31D8B3202DD9EE3F40D450528AC08B08F311

Malicious backdoor Targets

According to Malware bytes at the entry point, drivers will check for the operating system types, if that dosen’t fall in it’s compatibility list then the driver will not load.

Targetted Windows Versions

Windows 2000
Windows XP
Windows XP x64
Windows Vista /
Windows 7
Windows 8
Windows 8.1
Windows 10 v1507, v1511, v1607
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016

This driver will not load if your windows version v1607.

Application packed with backdoor

Clearly, some Chinese developer really didn’t want their backdoor to be discovered, said by Zammis Clark.

Searching on VirusTotal enabled me to find several Chinese applications with similar drivers including the very same backdoor Zammis Clark.

A Chinese Android rooting toolkit
A Chinese WiFi hotspot application
A Chinese USB drive helper utility
A Chinese calendar application (latest version doesn’t include the backdoored driver)
A Chinese driver updater (the English version of this app doesn’t include the backdoored driver)
Malware Bytes

The latest version of the mentioned Chinese calendar application no longer has the driver.

Proof of concept

POC for this HelpDetectWz functionality to load an unsigned driver is available. It includes binaries for both X86 and X64 systems which will bug check the system when loaded.

Also Read:

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Leave a Comment
Share
Published by
Gurubaran
Tags: BackdoorChinese applicationsMalwareWindows
8 years ago

Recent Posts

CISA Alerts on Active Exploitation of Cisco Small Business Router Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning on March 3,…

38 minutes ago

Threat Actors Exploiting AES Encryption for Stealthy Payload Protection

Cybersecurity researchers have uncovered a surge in the use of Advanced Encryption Standard (AES) encryption…

12 hours ago

33.3 Million Cyber Attacks Targeted Mobile Devices in 2024 as Threats Surge

Kaspersky's latest report on mobile malware evolution in 2024 reveals a significant increase in cyber…

12 hours ago

Routers Under Attack as Scanning Attacks on IoT and Networks Surge to Record Highs

In a concerning trend, the frequency of scanning attacks targeting Internet of Things (IoT) devices…

12 hours ago

Google Launches Shielded Email to Keep Your Address Hidden from Apps

Google is rolling out a new privacy-focused feature called Shielded Email, designed to prevent apps and…

17 hours ago

Hackers Using PowerShell and Microsoft Legitimate Apps to Deploy Malware

Cybersecurity experts are warning of an increasing trend in fileless attacks, where hackers leverage PowerShell…

18 hours ago