A couple of hours ago, Kaspersky reported a new variant of the MaControl backdoor targeting Uyghur users.
It seems to be a newer version of the MacControl RAT that we found some months ago being dropped using Java and Office for Mac exploits.
The attackers send mails to the victims with a zip file that contains the backdoor and an image. We have spotted similar mails that contain a RAT that connects to the same IP address as the Kaspersky variant, but this one affects Windows users. The mail has the following content:
And the image in the zip file:
The binary copies itself to \Documents and Settings\USER\Local Settings\Temp\kbdmgr.exe
The WinRAR SFX file is then deleted from the system:
C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\1.exe
It also drops a DLL alongside the executable:
\Documents and Settings\USER\Local Settings\Temp\kbdmgr.dll
A mutex is created on the system to identify the infection:
\BaseNamedObjects\WuSh B- Is Running!
Finally, the DLL is loaded and injected into explorer.exe.
Once injected, the backdoor establishes communication with the C&C server:
The code executed belongs to a version of the infamous Gh0st RAT.
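The infection chain above (SFX drop of kbdmgr.exe and kbdmgr.dll into the user's Temp folder, self-deletion of the SFX stub via cmd.exe, the "WuSh B- Is Running!" mutex, and the DLL load inside explorer.exe) maps directly onto host telemetry. The following is an added detection example, not code from the original post or from any vendor; it runs the post's indicators over a few constructed log lines in a simple pipe-separated "event|process|detail" format (an assumed format, not real Sysmon or EDR output) and reports which stage of the chain each line corresponds to.

```python
import re

# Indicators taken from the write-up above. Paths are compared in lower case
# because Windows file systems are case-insensitive.
MUTEX_NAME = r"\BaseNamedObjects\WuSh B- Is Running!"
DROPPED_EXE = r"\local settings\temp\kbdmgr.exe"
DROPPED_DLL = r"\local settings\temp\kbdmgr.dll"
# cmd.exe /c del <...>\RarSFX<n>\<file>: the SFX stub removing itself.
SFX_CLEANUP = re.compile(r"cmd\.exe\s+/c\s+del\s+.*\\rarsfx\d+\\", re.IGNORECASE)

# Which indicator belongs to which stage of the chain described in the post.
STAGE_OF = {
    "drop_kbdmgr_exe": "drop",
    "drop_kbdmgr_dll": "drop",
    "sfx_self_delete": "cleanup",
    "mutex_wush_b": "mutex",
    "explorer_loads_kbdmgr_dll": "inject",
}

# Constructed sample log (assumed "event|process|detail" format, not real telemetry).
SAMPLE_LOG = r"""
FileCreate|1.exe|C:\Documents and Settings\USER\Local Settings\Temp\kbdmgr.exe
FileCreate|1.exe|C:\Documents and Settings\USER\Local Settings\Temp\kbdmgr.dll
ProcessCreate|1.exe|C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\1.exe
MutexCreate|kbdmgr.exe|\BaseNamedObjects\WuSh B- Is Running!
ImageLoad|explorer.exe|C:\Documents and Settings\USER\Local Settings\Temp\kbdmgr.dll
FileCreate|notepad.exe|C:\Documents and Settings\USER\My Documents\notes.txt
"""


def scan_log(text):
    """Return a list of (indicator, line) pairs for every line matching an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event, process, detail = line.split("|", 2)
        except ValueError:
            continue  # malformed line: skip rather than crash the scan
        low = detail.lower()
        if event == "MutexCreate" and detail == MUTEX_NAME:
            hits.append(("mutex_wush_b", line))
        elif event == "FileCreate" and low.endswith(DROPPED_EXE):
            hits.append(("drop_kbdmgr_exe", line))
        elif event == "FileCreate" and low.endswith(DROPPED_DLL):
            hits.append(("drop_kbdmgr_dll", line))
        elif event == "ProcessCreate" and SFX_CLEANUP.search(detail):
            hits.append(("sfx_self_delete", line))
        elif (event == "ImageLoad" and process.lower() == "explorer.exe"
              and low.endswith(DROPPED_DLL)):
            hits.append(("explorer_loads_kbdmgr_dll", line))
    return hits


def assess(hits):
    """Summarise hits as the set of observed stages plus a verdict.

    A file drop alone is only 'suspicious' (the path could be reused by other
    samples); the mutex or the DLL load inside explorer.exe means the implant
    actually ran, so that is reported as 'infected'.
    """
    stages = {STAGE_OF[name] for name, _ in hits}
    if stages & {"mutex", "inject"}:
        verdict = "infected"
    elif stages:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return stages, verdict


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for name, line in found:
        print(f"[{STAGE_OF[name]:7}] {name}: {line}")
    print("verdict:", assess(found)[1])
```

The file-path indicators are matched by suffix so that the USER portion of the path, which varies per machine, does not matter. On a live Windows host the same mutex name can also be checked directly with the Win32 OpenMutex API, which is the usual way responders confirm the "is running" marker that this family leaves behind.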