When the researchers ran the sample through a range of security products, only South Korea's AhnLab and the Czech Zoner Antivirus detected and blocked it.
No other security product flagged anything abnormal in the sample, which is the main reason it caught the researchers' attention.
The virus loads its multiple backdoors through an unusually creative technique, and that loading process evades detection and blocking by security software.
Using multiple vulnerabilities to bypass security detection:
The virus mainly relies on two known vulnerabilities, CVE-2017-0199 and CVE-2017-11882, to load its malware.
The documents carrying the virus are spread mainly by email or the web; when a user downloads and opens one, the exploit is triggered and the virus runs.
The critical malicious modules are delivered as custom-defined content inside OLE embedded object links, a form that RTF parsers often do not recognise.
The RTF parsing engine in WordPad simply ignores control words it does not know. As a result, these custom sequences pass through unchallenged and the vulnerability is used to load the backdoor successfully.
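The parser behaviour described above is also what a defender can key on. The following triage script is an added example, not code from the original report: it walks the OLE object groups in an RTF file, strips the unknown control words and whitespace that a parser would ignore from the hex payload, and flags the `\objupdate` auto-update marker associated with CVE-2017-0199 and the Equation Editor object class targeted by CVE-2017-11882. The RTF sample and the `\zz1` junk control word are constructed for the demonstration.

```python
import re

# Constructed RTF, not a real sample: two embedded OLE objects. The first asks
# Word to refresh a linked object on open (\objupdate); the second declares the
# Equation Editor class that CVE-2017-11882 targets. A junk control word and a
# \par are planted inside the hex to mimic the noise RTF parsers tolerate.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objupdate\objw1\objh1"
    r"{\*\objclass OLE2Link}{\*\objdata 0105000002000000\zz1 0800000000000000}}"
    "\n"
    r"{\object\objemb{\*\objclass Equation.3}{\*\objdata d0cf11e0\par a1b11ae100000000}}}"
)

# An RTF control word: backslash, letters, optional signed number, optional space.
CONTROL_WORD = re.compile(r"\\[a-zA-Z]+-?\d* ?")


def extract_groups(rtf: str, name: str):
    """Yield the full text of every RTF group that opens with \\<name>."""
    i = 0
    while True:
        start = rtf.find("{\\" + name, i)
        if start < 0:
            return
        depth, j = 0, start
        while j < len(rtf):
            c = rtf[j]
            if c == "\\":          # skip escaped braces such as \{ and \}
                j += 2
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield rtf[start:j + 1]
        i = j + 1


def clean_hex(blob: str) -> str:
    """Remove control words and whitespace that the parser silently ignores."""
    return re.sub(r"\s+", "", CONTROL_WORD.sub("", blob))


def triage_rtf(rtf: str):
    """Return one finding per \\object group, with the indicators a defender wants."""
    findings = []
    for grp in extract_groups(rtf, "object"):
        cls = re.search(r"\\objclass\s*([^}]*)", grp)
        data = re.search(r"\\objdata\s*([^}]*)", grp)
        hexdata = clean_hex(data.group(1)) if data else ""
        f = {
            "class": cls.group(1).strip() if cls else "",
            "auto_update": "\\objupdate" in grp,           # CVE-2017-0199 pattern
            "ole2_header": hexdata.lower().startswith("d0cf11e0a1b11ae1"),
            "hex_len": len(hexdata),
        }
        # Equation Editor objects are the CVE-2017-11882 vector.
        f["suspicious"] = f["auto_update"] or "equation" in f["class"].lower()
        findings.append(f)
    return findings
```

Run `triage_rtf(open(path).read())` over a quarantined document; any finding with `suspicious` set warrants detonation or manual review rather than trust in the AV verdict.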
Loading multiple backdoor programs to monitor keyboard input and steal account passwords:
It is worth noting that this virus does not rely on a single backdoor module; instead it splits the monitoring of the victim into separate backdoor modules, one per function.
For example, the keylogger module collects and uploads everything the user types, and the information-stealing module steals account passwords and digital-currency keys.
Finally, a worm is loaded to make the victim's computer a member of the botnet. The three backdoor modules have different functions and a clear division of labour.
Even if anti-virus software removes one of the modules, the attacker can rely on another module to re-implant a fresh backdoor and finish the job.