14 DAY TRIAL // With increasing adoption of 64-bit systems, malware authors started to adapt their code to target these platforms. New variants of Kivars, an older piece of malicious software written for 32-bit, have been discovered to show a preference for the 64-bit machines, too.
Security researchers at TrendMicro have analyzed fresh samples of the malware and found that they had slight differences compared to the regular 32-bit releases.
The functionality remains the same, Kivars being able to download and upload data, execute and manipulate files, uninstall the malware service, grab pictures, enable or disable the built-in logging component, as well as trigger mouse and keyboard input.
After the dropper, identified by TrendMicro as TROJ_FAKEWORD.A, is launched, two executable files and a Microsoft document are downloaded. The document is used as a decoy.
TROJ_FAKEWORD.A relies on the RLO (Right-to-Left Override) feature in Windows and on a Word icon to mask the fact that it is in fact an executable file. The file appears to be harmless at first glance, since the extension seems to be that of a Microsoft Word document.
However, taking a look at the file type column reveals the deceit; unfortunately, very few users verify suspicious files this way.
According to Kervin Alintanahin, a threats analyst at TrendMicro, the loader and the dropped backdoor payload have random file names in the 64-bit version of the malicious software. The loader, just like in the 32-bit version, is installed as a service, named Iprip, Irmon or ias.
The latest variants of the malware rely on a modified version of the RC4 algorithm which integrates an extra byte that is added to the XOR’red output if it is equal or greater than 80h.
Communication with the command and control servers is also different, as the new Kivars delivers a key generated from a random packet that triggers a reply from the remote machine.
Then, it starts sending details about the infected computer, such as the IP address, version of the operating system, hostname, version of the malware, keyboard layout and the recent documents or desktop folder.
TrendMicro security researchers found evidence that the bad actors behind Kivars have also used Poison RAT (remote access Trojan) in their campaigns. They made the connection based on a command and control server that was contacted by both pieces of malware.
With more and more 64-bit systems becoming available, an increase of malicious attacks with software crafted for these machines is to be expected.