Later, another variant of Pterodo (deep-sided.fly) was executed and was used to download and execute a new file called deerskin.exe (ad1f796b3590fcee4aeecb321e45481cac5bc022500da2bdc79f768d08081a29). This file is a dropper for a VNC client. When executed, it pings google DNS (8.8.8.8) to test internet connectivity, then proceeds to drop a VNC client and establishes a connection to a remote C&C server controlled by the attackers:
Italian Movie Download Deep Six
The file deerbrook.ppt (b46e872375b3c910fb589ab75bf130f7e276c4bcd913705a140ac76d9d373c9e) VBS file contacts a command-and-control (C&C) server at deep-pitched.enarto.ru. If the C&C server is available, a HTTP POST request is sent to download a payload, which is saved in the %USERPROFILE% folder as deep-sunken.tmp then renamed to deep-sunken.exe and executed. The binary is then deleted.
The dropped file deep-versed.nls (817901df616c77dd1e5694e3d75aebb3a52464c23a06820517108c74edd07fbc) downloads a payload from a C&C server (deep-toned.chehalo.ru) and saves it as deep-green.exe in the following location: 2ff7e9595c
Comments