HackDig : Dig high-quality web security articles for hacker

Cycbot Backdoor

2014-09-12 00:00

Cycbot is a malware that spreads using instant messaging and removable drives and contains backdoor functionality that allows unauthorized access to an affected computer.

When Cycbot malware is executed, it drops several malicious files in the Appdata folder of the victim machines, and then it tries to contact a malicious URL in order to download other variants. It then opens a TCP port to listen for inbound connections and may use this port to act as a proxy server. It also modifies the proxy settings of browsers like Internet Explorer to point to the proxy server on that specific port. This malware has capability to monitor activities on social networks, search engines, etc. Thus Cycbot malware can steal user browsing habits and can also act a key logger, thus causing a negative business impact by data loss and loss of confidential business data.


Now lets look in detail to get the facts of Cycbot backdoor. A sample of Cycbot is available at kernelmode.info and was executed on an isolated system. After that, the entire system was scanned for malicious content and a suspicious file C97F4.exe was found. This file, which was suspected to be the main executable, was uploaded for analysis in a Cuckoo Sandbox environment. Sandbox detected the file as Backdoor:Win32/Cycbot, and also several other anomalies were detected. The automated sandbox was able to dig out other malicious files that were dropped in the infected machine. The malicious file was found in the ‘%Appdata%/Roaming/8C8C6′ folder.

Several malicious IPs and C&C servers were tracked down during the automated malware analysis.

After automated malware analysis, a preliminary analysis was carried out in a virtual machine. The malicious executable was analyzed with different packing detection tools and found out that it was packed with a less familiar but sophisticated packer named ‘Private Exe Protector’.

Since the malware was packed, by using debugger it is impossible to view out the strings or functions list from the malware. Then the malware was manually unpacked and we were able to retrieve the functions and strings that were not available in the packed state.

Dynamic analysis was carried out by executing the file in a virtual malware lab, and the malicious executable creates a process with a child process.

This Trojan opens a back door on TCP port 63576 to listen for inbound connections, and it may use this port to act as a proxy server.

Many interesting registry modifications were observed while doing registry analysis. Another malicious file in the “%Appdata%” folder was observed that was dropped by the Cycbot Trojan. This malicious executable adds a custom shell instead of starting in the Explorer shell, thus making it start faster since it has to load fewer libraries. Also this enables the malware to access the device’s administrative function in an unlimited manner. Registry analysis also revealed that the malware also creates a proxy settings on Internet Explorer to the TCP port 62202, thus listening for any inbound connections.

Network sniffers were used to study the malicious traffic generated by the malware and were able to capture traffic to many suspicious URLs.

One of the URLs that we captured using automated sandbox was listed as malicious when checked with multiple vendors.

The malware was then analyzed using a debugger, and it identified a registry key for manipulating DnsCache parameter value. The Cycbot malware changes the DNS cache amount by changing the maxCacheTtl to 1. Thus the browser doesn’t want to query the DNS for each website for a long time. The malware also changes the infected machine name to another one.

The Cycbot malware was then analyzed using a Disassembler, and several functions that were called by the Trojan were retrieved. The Trojan uses a WIN API function named as GetConsoleMode that retrieves the current input mode of a console’s input buffer or the current output mode of a console screen buffer.

Memory malware analysis tools were used and a function that was hooked by the Cycbot was found. It uses a trampoline type to hook the wbemcomn.dll with a push instruction call. Wbemcomm.dll is a component of the Windows Management Instrumentation, and is considered part of the operating system distribution.

The malware has dropped along with a 6EF4.C8C file that contains PARAM_LISTEN_PORT keyword. This file may be used to change the port number in which the malware listens.

Also some malicious files named 29DDO.exe and 5322.C85 are dropped into the “%Appdata%6C855” and these files exhibit the same behavior as that of the Cycbot.


  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available and only allow services you explicitly want to offer to the outside world.
  • Block peer to peer traffic across the organization.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses.
  • Ensure that your Anti-Virus solution is up to date with latest virus definitions.
  • Ensure that your systems are up to date with the latest available patches.
  • Isolate the compromised system immediately if the malware is found to be present.
  • Block traffic to the following domains in your perimeter devices such as Firewalls and IDS/IPS solutions.
    • bigcherrybox.com
    • knowledgesutra.com


  • www.symantec.com

Source: /roodkcab-tobcyc/moc.etutitsnicesofni.secruoser

Read:5477 | Comments:0 | Tags:Malware Analysis feature malware analysis

“Cycbot Backdoor”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud