- Jul 27, 2015
Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware.
How did it Work?
The adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the radar by naming the service "Windows Time Service", like the existing Windows service. The backdoor can upload and execute files or exfiltrate files from the infected system. In our review of this malware, the backdoor contacted the command and control (C2) server via an HTTPS encrypted channel every five seconds to check if there were new commands from the operator.
Due to this backdoor's limited functionality and simple coding style, it is not easy for anti-malware systems to detect it as malware. We found evidence in our telemetry that this software has been used by adversaries since at least 2020.
We found the backdoor via our telemetry, but we didn't know the exact way the malware was installed on the victim system. We still knew the adversaries used a .bat file, similar to the one shown later on, to install the backdoor. The backdoor comes in the form of a service DLL called w64time.dll. The description and filename makes it look like a valid Microsoft DLL. There is a real Microsoft w32time.dll on non-infected Windows systems in the %SYSTEMROOT%\system32 directory, but it doesn't have a w64time.dll brother. The malicious w64time.dll and the original w32time.dll are 64-bit PE files on a 64-bit Microsoft Windows system. Windows contains many applications that come in 32- and 64-bit versions, so it’s not easy to immediately recognize this malicious software by name.