Backdoor.Win64.COBEACON.ZCLG

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

它执行遠(yuǎn)程恶意用(yòng)户的命令，有(yǒu)效地攻击受感染的系统。 它连接到网站，发送和接收信息。 However, as of this writing, the said sites are inaccessible.

新(xīn)病毒详细信息

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

后门例程

它执行遠(yuǎn)程恶意用(yòng)户的下列命令：

• Connect and disconnect to a named pipe
• Escalate privileges
• Execute arbitrary commands
• Impersonate tokens
• Inject code into processes
• Manage directories (Create, Remove, Set Directory)
• Manage files (List, Create, Delete, Modify, Rename, Copy)
• Manage processes (List, Create, Terminate)
• List Drive Information
• Use/purge Kerberos tickets

它连接到下列网站，发送和接收信息：

• http://{BLOCKED}g-f12b.azuer.workers.dev/feedback/js/help/prod/service/lazy.min.js
• http://{BLOCKED}g-f12b.azuer.workers.dev/we/s/h36B915845CCD42D1_App_Scripts/jquery.signalR2.1.1.min.js

However, as of this writing, the said sites are inaccessible.

信息窃取

它收集下列数据:

• Username
• Computer name
• Operating System Version
• Executable used to load the sample

其他(tā)详细信息

它要求下列额外的组件正常运行：

• %windows%\assembly\msco.conf → Detected as Backdoor.Win64.COBEACON.ZCLG.enc

该程序执行以下操作(zuò)：

• This sample needs to be located in the %windows%\assembly directory and have a file name of 'mscorsvc.dll' to execute properly.
• It is loaded by normal file Mscorsvw.exe which is acomponent of Windows, and is otherwise known as the .NET Framework Optimization Service.
• It requires to be executed as a service.