“Dead blade” hacking Trojan raging, 360 Total Security powerful killing

May 24, 2019kate
Learn more about 360 Total Security

Recently, 360 Total Security intercepted a number of hacking Trojans. The Trojan began to spread Since December 2018. It has maintained a high level of activity in the past six months, and has infected tens of thousands of users.

The “Dead Blade” hacking Trojan disguised as “Xunyou Accelerator”, “MoMo Voice”, “Tencent Free Accelerator”, “Voice changer” and other small programs and spread through the QQ group: Small programs

After infecting the user’s machine, the Trojan will steal the user’s Steam account and password, steal the assembly number game, Chenlong game, 850 game plug-in configuration file, and also record the user’s key record, steal QQkey, etc., the overall virus process as follows:

The overall virus process

 

After the virus runs, create the following threads to execute different virus logic:

After the virus runs, create the following threads to execute different virus logic

Create a thread to set the value of RememberPassword to 0, so that users need to enter the account password each time they log in to the game:

Create a thread to set the value of RememberPassword to 0

Then iterate through the process, end the running steam-related process, and force the user to log in again to perform the hacking logic:

Then iterate through the process

Then continue to traverse the process, when the steam.exe process starts again, the steamHK in the resource is injected into the steam.exe process by means of DLL injection. The relevant injection logic is as follows:

The relevant injection logic

 

steamHk.dll hooks the V_strncpy function of the vstdlib_s.dll dynamic library by means of inline hooks. This function is called by steamUI.dll when the user enters the password. The virus uses the hook function to intercept the user input password and other parameters.

The function to filter the account password

 

The function to filter the account password is as follows:

The function to filter the account password

Finally, save the intercepted account password to A.txt in the Steam installation directory.

 save the intercepted account password to A.txt in the Steam installation directory

Create a thread to send the account password in A.txt, as well as the ssfn authorization file to http[:]//104.143.94.77/nc/n/getfile1.php:

Create a thread to send the account password in A.txt

Create a thread to release the virus file server.exe from the resource to the system directory for execution:

Create a thread to release the virus file server.exe

Server.exe decrypts in memory and loads the dynamic link library flyboy.dll and calls its export function Host() with the following code:

Server.exe decrypts in memory and loads the dynamic link library flyboy.dll

The relevant decryption logic is as follows:

The relevant decryption logic

Flyboy.dll will create a thread to decrypt the C&C server address in the resource and try to connect. The thread function is similar to the old Gh0st remote control. Then copy server.exe to a random directory and register as a self-starting item. Detect Rstray.exe and KSafeTray.exe and other security software processes, and use Vmware’s backdoor command to detect whether the current running environment is a virtual machine. When determining the security of the running environment, a thread is created to download and execute the chess game hacking module. The overall code logic is as follows:

The overall code logic

The downloaded 1.exe will release the work.dll in the resource to the Temp directory, and register to the RemoteAccess service item. Finally, rundll32.exe is executed to execute the XiaoDeBu export function of the virus dynamic library. The code logic is as follows:

The code logic

Work.dll records the user’s keyloggers, first gets the current active window, records the window title and keystrokes, and saves it to the Luck.ley file:

Work.dll records the user's keyloggers

Stealing the assembly game plugin, the Chenlong game plugin and the 850 game plugin configuration file:

Abduction of game information

Take the assembly plugin as an example:

Take the assembly plugin as an example

Finally, the sensitive data recorded in Luck.key will be X0 or 62 and sent to the server controlled by the virus author. The relevant logic is as follows:

The relevant logic

Safety Recommendation

(1) For the program that security software remind risk , do not easily add trust regions or exit Security software operation.

(2) 360 Total Security has been killing the “dead blade” hacking Trojan, affected users can go to www.360totalsecurity.com to download and kill it.

360 Total Security убивает хакерского трояна «мертвый клинок»

 

 

Learn more about 360 Total Security