The ASEC (AhnLab Security Emergency response Center) analysis team has discovered malware being distributed to users running vulnerable versions of Innorix Agent. The collected malware is a backdoor that attempts to connect to a C&C server.

The exploited Innorix Agent is a file transfer solution client. Details of the vulnerability were published by the Korea Internet & Security Agency (KISA) [1], which identified the INNORIX Agent versions requiring the security update as version 9.2.18.450 and the earlier version 9.2.18.418.

The detected backdoor attempts to connect to a C&C server. Its main features are collecting and forwarding information about the user's PC, capturing screenshots, creating files, and executing files.

The backdoor has been seen in two forms. The sample found initially was confirmed to have been developed in C/C++, while the recently detected sample was built with .NET. There are no differences in features between the two forms. Some detection reports show that it attempted to conceal itself by registering with the task scheduler under the name AhnLab.

This backdoor uses the routine shown in Figure 4 to decode data it receives before using it, and the same routine to encode data before sending it. Based on AhnLab's analysis, encoding C&C traffic through this routine to bypass packet-level monitoring is a characteristic of Andardoor. The key value is 74615104773254458995125212023273, the same XOR key value given in the CISA report [2] published in 2016.
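As an added illustration (not code from the original post or from the malware itself), the following helper decodes a captured C&C payload with the key quoted above and applies a simple printable-text heuristic, which is one way an analyst can triage traffic suspected to be Andardoor. It assumes the routine is a plain repeating-key XOR over the key's ASCII bytes; Figure 4 is not reproduced here, so that detail is an assumption, and the sample message is constructed.

```python
import string

# XOR key quoted in the ASEC post (the same value as in the 2016 CISA report).
# Assumption (not stated on the page): the key is applied as its ASCII bytes, repeating.
ANDARDOOR_XOR_KEY = b"74615104773254458995125212023273"

# Bytes considered "text" for the triage heuristic.
_PRINTABLE = set(string.printable.encode())


def xor_repeating(data: bytes, key: bytes = ANDARDOOR_XOR_KEY) -> bytes:
    """XOR each byte of data with the key, cycling through the key.
    XOR is symmetric, so the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(b in _PRINTABLE for b in data) / len(data)


def looks_like_andardoor_payload(blob: bytes, threshold: float = 0.9) -> bool:
    """Triage heuristic: if XOR-ing a captured payload with the known key yields
    mostly printable text, the traffic is worth a closer look. A high ratio is a
    lead for the analyst, not proof of infection."""
    return printable_ratio(xor_repeating(blob)) >= threshold


# Constructed sample: a host-information message as the backdoor might send it,
# encoded with the key so the decoder can be exercised offline.
SAMPLE_PLAINTEXT = b"HOST=WORKSTATION-01;USER=analyst;OS=Windows 10"
SAMPLE_ENCODED = xor_repeating(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("encoded :", SAMPLE_ENCODED.hex())
    print("decoded :", xor_repeating(SAMPLE_ENCODED).decode())
    print("suspect :", looks_like_andardoor_payload(SAMPLE_ENCODED))
```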
Companies and regular users are advised to be particularly cautious, as this malware has recently been distributed by exploiting a software vulnerability. Software still on a vulnerable version must be managed so that it is used only after being updated.
[File Detection]
- Backdoor/Win.Andardoor.R558252
- Backdoor/Win.Andardoor.C5381120
- Backdoor/Win.Andardoor.C5382662
- Backdoor/Win.Andardoor.C5382103
- Backdoor/Win.Andardoor.C5382101
[IOC]
[References]
[1] Security Vulnerability Information Portal (krcert.or.kr)