Exforel Backdoor Implemented at NDIS Level to Be More Stealthy

Microsoft Malware Protection Center researchers have analyzed the threat

  Functionality diagram of Exforel malware
Security researchers from Microsoft’s Malware Protection Center have identified a variant of the Exforel backdoor malware, VirTool:WinNT/Exforel.A, that’s somewhat different from other malicious elements of this kind.

Security researchers from Microsoft’s Malware Protection Center have identified a variant of the Exforel backdoor malware, VirTool:WinNT/Exforel.A, that’s somewhat different from other malicious elements of this kind.

That’s because the backdoor is implemented at the Network Driver Interface Specification (NDIS) level.

Since Exforel.A implements a private TCP/IP stack and hooks NDIS_OPEN_BLOCK for the TCP/IP protocol, the backdoor TCP traffic is diverted to the private TCP/IP stack and then delivered to the backdoor.

This makes this variant of the malware more low-level and stealthy because there is no connecting or listening port. Furthermore, the backdoor traffic is invisible to user-mode applications.

According to experts, this particular version of Exforel – which can download, upload, and execute files, and rout TCP/IP packets – is used in a targeted attack against a particular organization.

Comments