Categories: Malware

Chinese PUPs distributing Backdoored Drivers which affect Windows operating system

PUP(potentially unwanted program) packages that install’s along with Chinese software’s consist of backdoors targeting English speakers. The backdoor was uncovered by Malware bytes research team by analyzing a China-developed WiFi hotspot application.

Distribution of Backdoor

These backdoors are being dropped by one of the major PUP bundler networks and then the bundler runs the installation hidden with argument /silent.

Installer SHA-256 Hash : B89017C2627CA80C68292453440CFCAE07A12798422737915F80F0720879C3D4

Installer will drop a set of 7zip files, in the middle of those files there are two driver files with same functionality one for 32-bit windows and other for 64-bit Windows.

SHA-256 for Windows 32bit:E6427DF5D439EE854485C1C1BC8747487B5F0848D5EBA98838BD8F377F9E8DBE SHA-256 for Windows 64bit: E5BC7CC800866C749FC588F5FC2F31D8B3202DD9EE3F40D450528AC08B08F311

Malicious backdoor Targets

According to Malware bytes at the entry point, drivers will check for the operating system types, if that dosen’t fall in it’s compatibility list then the driver will not load.

Targetted Windows Versions

Windows 2000
Windows XP
Windows XP x64
Windows Vista /
Windows 7
Windows 8
Windows 8.1
Windows 10 v1507, v1511, v1607
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016

This driver will not load if your windows version v1607.

Application packed with backdoor

Clearly, some Chinese developer really didn’t want their backdoor to be discovered, said by Zammis Clark.

Searching on VirusTotal enabled me to find several Chinese applications with similar drivers including the very same backdoor Zammis Clark.

A Chinese Android rooting toolkit
A Chinese WiFi hotspot application
A Chinese USB drive helper utility
A Chinese calendar application (latest version doesn’t include the backdoored driver)
A Chinese driver updater (the English version of this app doesn’t include the backdoored driver)
Malware Bytes

The latest version of the mentioned Chinese calendar application no longer has the driver.

Proof of concept

POC for this HelpDetectWz functionality to load an unsigned driver is available. It includes binaries for both X86 and X64 systems which will bug check the system when loaded.

Also Read:

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Leave a Comment
Share
Published by
Gurubaran
Tags: BackdoorChinese applicationsMalwareWindows
8 years ago

Recent Posts

Phobos Ransomware Admin as Part of International Hacking Operation

The U.S. Department of Justice unsealed criminal charges today against Evgenii Ptitsyn, a 42-year-old Russian national…

17 hours ago

Maxar Space Data Leak, Threat Actors Gain Unauthorized Access to the System

Maxar Space Systems, a leader in space technology and Earth intelligence solutions, has recently confirmed…

21 hours ago

Apache Kafka Vulnerability Let Attackers Escalate Privileges

A newly identified vulnerability tracked as CVE-2024-31141, has been discovered in Apache Kafka Clients that could allow attackers…

21 hours ago

Zohocorp ManageEngine ADAudit Plus SQL Injection Vulnerability

Zohocorp, the company behind ManageEngine, has released a security update addressing a critical SQL injection…

2 days ago

Citrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild

A critical new vulnerability has been discovered in Citrix’s Virtual Apps and Desktops solution, which…

2 days ago

Sonatype Nexus Repository Manager Hit by RCE & XSS Vulnerability

Sonatype, the company behind the popular Nexus Repository Manager, has issued security advisories addressing two…

2 days ago