The AlienVault Blogs
Taking On Today’s Threats
June 29, 2012

New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT

A couple of hours ago, Kaspersky reported a new variant of the MaControl backdoor targeting Uyghur users.

It seems to be a newer version of the MacControl RAT we found some months ago being dropped using Java and Office for Mac exploits.

The attackers send mails to the victims with a zip file that contains the backdoor and an image. We have spotted similar mails that contains a a RAT that connects to the same IP address as the Kaspersky variant but it affects Windows users. The mail has the following content:

And the image on the zip file:

Attached within the zip there is a Winrar file:

The Winrar file extracts the following binary:

The binary copies itself on \Documents and Settings\USER\Local Settings\Temp\kbdmgr.exe

And then the Winrar file is deleted from the system:

C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\1.exe

The file kkbdmgr.exe also drops the following dll:

\Documents and Settings\USER\Local Settings\Temp\kbdmgr.dll

A mutex is created on the system to identify the infection:

\BaseNamedObjects\WuSh B- Is Running!

Finally the dll is loaded and injected into explorer.exe

Once injected, the backdoor establish the communication with the C&C server:

The code executed belongs to a version of the infamous Gh0st RAT



Get the latest
security news in
your inbox.

Subscribe via Email

Labs Research
Security Essentials
All Blogs

Gartner MQ

Featured Content