16_UroburosCampaign.txt
The first task of the malware is to install the file credprov.tlb in %APPDATA%\Microsoft\. This file is the main payload of the malware. The dropper then executes the following command in order to install a second file: rundll32.exe %APPDATA%\Microsoft\credprov.tlb,Install %APPDATA%\Microsoft\shdocvw.tlp. The second file is shdocvw.tlp. Both files are Microsoft Windows dynamic libraries.

To be started during the boot process of the infected machine, the malware creates the following registry key: HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 = %APPDATA%\shdocvw.tlp. This registry key associates the library shdocvw.tlp with the object 42aedc87-2188-41fd-b9a3-0c966feabec1, as previously explained in the article about COMpfun. The purpose is to load the library into each and every process executed on the infected system. If the version of the malware is older than 3.26, the dropper creates an additional file called winview.ocx. We noticed that this file name is the same as the one used by Agent.BTZ in the past.

During the startup of the infected machine, the shdocvw.tlp library is loaded into all processes. If the process is explorer.exe, this library loads the other library, credprov.tlb, which is the real payload. Its features are those of a typical Remote Administration Tool (RAT). ComRAT's communication with the command and control server is performed by the browser process rather than by explorer.exe, in order to avoid being blocked by a firewall on the system or any additional security products. The communication between the two processes is performed over a named pipe.
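As an added example (not part of the original write-up), a small Python detection helper that flags the two persistence artifacts described above: a per-user CLSID InprocServer32 value pointing into a user-writable profile directory, and a rundll32 command line loading a non-DLL module from there by export name. The sample entries are constructed; the CLSID is the one quoted in the text, the second CLSID is a made-up benign entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# CLSID quoted in the write-up; any HKCU InprocServer32 value pointing into a
# user profile directory is flagged anyway, a match here only raises severity.
KNOWN_CLSID = "{42aedc87-2188-41fd-b9a3-0c966feabec1}"

INPROC_RE = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32\s*=\s*(.+)$",
    re.IGNORECASE,
)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+),(\w+)", re.IGNORECASE)
USER_DIR_RE = re.compile(r"%APPDATA%|\\AppData\\Roaming\\|\\Users\\", re.IGNORECASE)

@dataclass
class Finding:
    kind: str
    path: str
    severity: str

def check_inprocserver32(line: str) -> Optional[Finding]:
    # Flag per-user COM in-process servers that live in a user-writable directory.
    m = INPROC_RE.match(line.strip())
    if not m:
        return None
    clsid, target = m.group(1), m.group(2).strip()
    if not USER_DIR_RE.search(target):
        return None
    # Genuine in-process servers are .dll files; .tlb/.tlp/.ocx extensions are masquerading.
    high = clsid.lower() == KNOWN_CLSID or not target.lower().endswith(".dll")
    return Finding("hkcu_inprocserver32_userdir", target, "high" if high else "medium")

def check_rundll32(cmdline: str) -> Optional[Finding]:
    # Flag rundll32 loading a non-DLL module from a user profile directory by export name.
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    module = m.group(1)
    if USER_DIR_RE.search(module) and not module.lower().endswith(".dll"):
        return Finding("rundll32_userdir_nondll", module, "high")
    return None

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (check_inprocserver32(l) or check_rundll32(l) for l in lines) if f]

# Constructed sample input: the two artifacts from the write-up plus a benign vendor entry.
SAMPLE = [
    r"HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 = %APPDATA%\shdocvw.tlp",
    r"HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32 = C:\Program Files\Vendor\shell.dll",
    r"rundll32.exe %APPDATA%\Microsoft\credprov.tlb,Install %APPDATA%\Microsoft\shdocvw.tlp",
]
```

Running scan(SAMPLE) yields two high-severity findings (the registry value and the rundll32 command line) and ignores the vendor DLL under Program Files.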