Arbor Networks has published a report on the Etumbot APT Backdoor, a backdoor used in targeted cyber attacks.
Etumbot was first seen in March 2011.
The Arbor Networks report provides insight into the capabilities and techniques used by the Etumbot APT Backdoor.
The authors of the Arbor Networks report explain that the variety of names attached to Etumbot can cause confusion, for the reason quoted below:
The variety of names for this malware could lead to some confusion about the actual threat. ASERT has associated Etumbot with IXESHE, and therefore Numbered Panda, based on similar system and network artifacts that are common between the malware families.
Both malware families use the same log files:
The Etumbot APT report explains that both families have used the same command and control servers, and that those servers are used against specific victim populations with the same malware attack methodologies.
Primary components in the Etumbot APT backdoor malware
- Distraction file
The Arbor Networks researchers explain that the Etumbot APT backdoor works in several stages:
Stage one has been seen to leverage the Unicode Right to Left Override trick combined with convincing icons for various types of PDFs or Microsoft Office documents to convince the user to click and therefore execute the malware, which then runs the backdoor and displays the distraction file. As with the IXESHE malware, Etumbot has been observed dropping documents of interest to a Taiwanese and Japanese target population.
The second stage is the Distraction stage
The Etumbot APT Backdoor uses GET requests to check whether the Command and Control server is available; this request pattern appeared 39 times in 61 million HTTP requests.
The beacon takes the form of a GET request to /home/index.asp?typeid=N where N is a randomly selected odd number between 1 and 13. If the C&C is online, the decoded response payload will contain the RC4 key that is used to encrypt subsequent communication. If the C&C does not send a valid response, the bot will re-send the initial request every 45 seconds.
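As an added example (not code from the Arbor report or from this post), the following Python matches the beacon shape quoted above against proxy log lines and flags clients that repeat it at the 45-second retry interval; the log format, the client addresses and the sample traffic are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Beacon shape from the ASERT report: GET /home/index.asp?typeid=N with N an odd
# number between 1 and 13, re-sent every 45 seconds while the C&C stays silent.
BEACON_PATH = "/home/index.asp"
BEACON_TYPEIDS = {1, 3, 5, 7, 9, 11, 13}
RETRY_SECONDS = 45

# Hypothetical proxy log format, constructed for this example:
# "<ISO timestamp> <client ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def is_beacon(method, url):
    """True when one request matches the Etumbot C&C availability check."""
    parts = urlsplit(url)
    if method != "GET" or parts.path != BEACON_PATH:
        return False
    values = parse_qs(parts.query).get("typeid", [])
    # exactly one typeid, numeric, and one of the odd values the bot chooses
    return len(values) == 1 and values[0].isdigit() and int(values[0]) in BEACON_TYPEIDS

def find_beaconing_hosts(log_lines, min_hits=3, tolerance=5):
    """Map client ip -> beacon count for clients whose beacons recur at ~45 s."""
    per_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and is_beacon(m.group(3), m.group(4)):
            per_client[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = sum(1 for g in gaps if abs(g - RETRY_SECONDS) <= tolerance)
        if periodic + 1 >= min_hits:  # min_hits beacons spaced at the retry interval
            flagged[client] = len(times)
    return flagged

# Constructed sample traffic: 10.0.0.5 retries the beacon every 45 s; 10.0.0.9
# hits the same path but with an even typeid and then a POST, so it is not flagged.
SAMPLE_LOG = [
    "2014-06-10T09:00:00 10.0.0.5 GET http://203.0.113.7/home/index.asp?typeid=7",
    "2014-06-10T09:00:45 10.0.0.5 GET http://203.0.113.7/home/index.asp?typeid=3",
    "2014-06-10T09:01:30 10.0.0.5 GET http://203.0.113.7/home/index.asp?typeid=11",
    "2014-06-10T09:02:15 10.0.0.5 GET http://203.0.113.7/home/index.asp?typeid=1",
    "2014-06-10T09:00:10 10.0.0.9 GET http://intranet.example/home/index.asp?typeid=4",
    "2014-06-10T09:00:12 10.0.0.9 POST http://intranet.example/home/index.asp?typeid=5",
]
```

Running find_beaconing_hosts(SAMPLE_LOG) returns {'10.0.0.5': 4}; a single matching request on its own is not enough to flag a client, which keeps the false-positive rate low on a path name this generic.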
MD5 hashes from the Etumbot APT Backdoor