A little while ago I caught this RDP backdoor in my honeypot that I thought was kinda interesting, so I figured I would do a write-up on it. The author of this malware took minimal measures to hide its functionality.
I searched for the MD5 hash on VirusTotal and someone had already uploaded it here.
CFF Explorer output:
Aside from some function calls being stored as character arrays, there was hardly any obfuscation in this malware. It was packed with UPX, so unpacking was trivial.
I searched the source IP in Shodan and got this:
From Thor APT Scanner:
Within the binary I found a reference to a script called "jingtisanmenxiachuanxiao.vbs", which is referenced in this whitepaper about Operation PZCHAO written by Bitdefender.
After some static analysis I discovered that this creates a new user and enables RDP.
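As an added defender-side check that is not part of this write-up or the malware's code, the following PowerShell script looks for the two artefacts described above on a Windows host: RDP switched on and a freshly created local account. The lookback window, the group names queried and the use of Security event 4720 are my assumptions; the event only appears if account-management auditing is enabled.

```powershell
# Added example: audit a host for the behaviour described in the post
# (new local user + RDP enabled). Run from an elevated PowerShell prompt.
$LookbackDays = 7   # assumption: how far back to search for account creation

# 1. Is RDP enabled?  fDenyTSConnections = 0 means incoming RDP is allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    Write-Warning "RDP is enabled (fDenyTSConnections = 0)"
} else {
    Write-Output "RDP is disabled or the value is not set"
}

# 2. Which accounts can actually log on over RDP?  A backdoor account is
#    typically dropped into one of these two groups.
foreach ($group in 'Remote Desktop Users', 'Administrators') {
    Write-Output "`nMembers of '$group':"
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Select-Object Name, PrincipalSource, ObjectClass
}

# 3. Local accounts created recently (Security log, event ID 4720).
#    Requires "Audit User Account Management" to be on; otherwise no events.
$since  = (Get-Date).AddDays(-$LookbackDays)
$filter = @{ LogName = 'Security'; Id = 4720; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
Write-Output "`nAccounts created in the last $LookbackDays day(s):"
foreach ($e in $events) {
    # Pull the named fields out of the event's XML payload.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Created   = $e.TimeCreated
        NewUser   = $d['TargetUserName']
        CreatedBy = $d['SubjectUserName']
        Domain    = $d['SubjectDomainName']
    }
}
```

Compare the group membership and 4720 output against the accounts you expect on the box; an unknown user in "Remote Desktop Users" created by SYSTEM or by a service account is the pattern to chase.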
**POST IN PROGRESS**