Includes RDP, FTP and SOCKS 5 server support

Mar 24, 2015 19:48 GMT

A backdoor Trojan that security researchers have named Yebot has been found to include an impressive list of functions, which allow it to take over the infected machine and use it for whatever purposes the threat actor desires.

It reaches the victim’s computer through other pieces of malware. Once executed, it sets up an FTP server and a proxy server, which can be used to transfer data collected from other infected computers (possibly compromised by a different type of threat), thus giving the cybercriminals a secure communication tunnel.

Long list of capabilities

Security researchers from antivirus vendor Dr.Web say that Yebot’s dropper injects its code into four Windows processes (svchost.exe, csrss.exe, lsass.exe and explorer.exe) and then downloads and decrypts the malware on the infected system. All this activity is carried out in memory.
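A defender-side check suggested by that description, as an added example that is not from the article or from Dr.Web: it correlates constructed, simplified Sysmon-style CreateRemoteThread records and flags any process outside System32 that injects into two or more of the four named targets. The line format, the sample records and the drop.exe path are assumptions made for the example.

```python
"""Flag processes that create remote threads in the four Windows processes
the Dr.Web write-up says Yebot's dropper injects into.  Input is constructed,
simplified Sysmon-style text (Event ID 8, CreateRemoteThread), one record per
line as key=value fields; the field names follow Sysmon, the line format is
an assumption made for this example."""
import re
from collections import defaultdict
from ntpath import basename

YEBOT_TARGETS = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: one benign remote thread from a System32 binary, then
# drop.exe (hypothetical dropper) touching all four targets within seconds.
SAMPLE_LOG = """\
2015-03-24T19:40:01Z EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\explorer.exe
2015-03-24T19:41:10Z EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\drop.exe TargetImage=C:\\Windows\\System32\\svchost.exe
2015-03-24T19:41:11Z EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\drop.exe TargetImage=C:\\Windows\\System32\\csrss.exe
2015-03-24T19:41:12Z EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\drop.exe TargetImage=C:\\Windows\\System32\\lsass.exe
2015-03-24T19:41:13Z EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\drop.exe TargetImage=C:\\Windows\\explorer.exe
2015-03-24T19:45:00Z EventID=1 Image=C:\\Windows\\System32\\notepad.exe
"""

def parse_event(line):
    """Return the key=value fields of a CreateRemoteThread record, else None."""
    fields = dict(FIELD_RE.findall(line))
    return fields if fields.get("EventID") == "8" else None

def find_injectors(log_text, min_targets=2):
    """Return {source image: sorted target names} for every non-System32
    source that injected into at least `min_targets` distinct Yebot target
    processes.  Remote threads from System32 binaries are routine (csrss.exe,
    for instance) and are ignored to keep the noise down."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_event(line)
        if not fields:
            continue
        src = fields.get("SourceImage", "")
        tgt = basename(fields.get("TargetImage", "")).lower()
        if tgt in YEBOT_TARGETS and not src.lower().startswith("c:\\windows\\system32\\"):
            hits[src].add(tgt)
    return {s: sorted(t) for s, t in hits.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for src, targets in find_injectors(SAMPLE_LOG).items():
        print(f"suspect injector {src} -> {', '.join(targets)}")
```

On real Sysmon data the same correlation applies to the Event ID 8 fields; the threshold is what separates a dropper sweeping all four processes from a one-off remote thread.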

Among Yebot’s capabilities, the researchers list running a SOCKS 5 proxy server, gaining remote access to the computer through RDP (Remote Desktop Protocol), capturing keystrokes and screenshots, web injection, intercepting system functions, modifying the code of running processes, and searching for private keys.

In addition, the malware can intercept data that matches PCRE (Perl Compatible Regular Expressions) patterns, which lets it intercept everything associated with web browsing.

Also, it appears that Yebot has support for different plug-ins that can expand its default functionality.

C&C server blacklists IPs with suspicious requests

The researchers have determined that the command and control (C&C) servers run with a “paranoid” parameter, which blacklists an IP address when an incorrect request is received or too many of them come from the same address. This is likely used to protect against malware analysis operations performed by security experts.

The conclusion of Dr. Web’s analysis is that Yebot is suitable for several nefarious activities, including stealing financial information and executing fraudulent transactions. In a blog post published on Monday, they say that “in fact, it is multi-purpose due to a wide range of features and the ability to interact with various additional modules.”