Backdoor.Win64.LEGIRAT.ZKLJ

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

该恶意软件不具(jù)有(yǒu)任何传播例程。

它会从受感染的系统检索特定信息。

新(xīn)病毒详细信息

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

安(ān)装(zhuāng)

它添加下列互斥条目，确保一次只会运行一个副本：

• c88b0910ed61c17a780135d615c43ef6917616749

传播

该恶意软件不具(jù)有(yǒu)任何传播例程。

信息窃取

它会从受感染的系统检索以下信息:

• Hostname
• Locale Info

其他(tā)详细信息

该程序执行以下操作(zuò)：

• It impersonates the logged on user.
• It uses the following URL to use Slack's API for its malicious purposes:
  • https://{BLOCKED}k.com/api/conversations.list?exclude_archived=true → lists all the conversations(channels, direct messages, and group chats) available in the Slack workspace
  • https://{BLOCKED}k.com/api/files.upload?&channels={channel ID} → uploads a file to one or more channels, direct messages in the Slack workspace
  • https://{BLOCKED}k.com/api/conversations.create → creates a new channel (public or private) in the Slack workspace
  • https://{BLOCKED}k.com/api/conversations.update → updates the settings of an existing Slack channel
  • https://{BLOCKED}k.com/api/conversations.delete → delete a Slack channel (public or private)
  • https://{BLOCKED}k.com/api/conversations.postMessage → sends a message to a specific conversation in Slack workspace
  • https://{BLOCKED}k.com/api/conversations.history?limit=200&channel={channel ID} → retrieves the past 200 messages from a specified Slack channel (public or private)
• It retrieves its encrypted component to communicate with Slack workspace using the following URL:
  • https://{BLOCKED}ell.io/notes/58434-3
  • https://{BLOCKED}l.xlog.app/page1
• The Slack communication was established through the use of this hardcoded authentication token:
  • {BLOCKED}19976938784-7094277537125-7090647648246-e3a9e4feeb2fe448f889890be6e1299e → Inaccessible; Token revoked