Dark River. You can't see them, but they're there
Contents
- Introduction
- Initial infection vector
- MataDoor. Description of the backdoor
- 1. Launching and persistence
- 2. High-level architecture
- 3. Plugins
- 4. Asynchronous operations
- 5. Serialization mechanism
- 6. General workflow of the backdoor
- 7. Deferred commands
- 8. Descriptions of plugins
- 9. Network subsystem architecture
- Conclusion
- Applications
Introduction
In October 2022, during an investigation into an incident at a Russian industrial enterprise, samples of previously unseen malware were discovered running on compromised computers of this organization. The names of this malware’s executable files were similar to the names of legitimate software installed on the infected machines, and a number of samples had valid digital signatures. Also, the identified executable files and libraries were processed by the Themida protector to make them more difficult to detect and analyze.
Subsequent analysis of these samples revealed that the identified software is a fairly complex modular backdoor, which we called MataDoor, designed for long-term covert operation in the
Initial infection vector
We …
IoC
SHA256
0085a02b9ba24afd266116df43acbd4f57fc8822af4929e7d17b59f2ceae9418
0b06fb7f53bb7963ec2ff89d832b831763706e44d206a4d0a8c813ebee633e22
2019322c33b648c9d3f7c8a17a990860044c03ed7bd2fc9e82139c22e9bc5635
207f386ebeb29e64e6b7fd10929217e1a664f06e6cc503e8798f57e0af2e5267
2ba653faef17d9ea623be1138f6f420be27c95d8ad7ee1ea0d15ae718895176d
2e068beb40f8901b698d4fc2f5766564c8324d5ba95fb0a0ffa841f5da5c7e72
3c1cfc2b8b7e5c2d713ec5f329aa58a6b56a08240199761ba6da91e719d30705
4f544e8756373520e98ed12b921ea7e05a93cf0152405ef3ac65133f7c8660a1
566835ce413271ddca8d5014c912dda8ba7e5e45573a7da6ba8e20d72541a2ca
660bfbeeaf674e4e95c43bb61d7d0aec88154527e1218e51c1cb75d77c8acdda
748b9e94dc62e1fa364e9daec7d4bbb94a69b304cb81e1a1b6d302be47381a94
84674acffba5101c8ac518019a9afe2a78a675ef3525a44dceddeed8a0092c69
9b632505c27fa8ee58f680599fcc0b1794439af17a8c95df9f413e227e34798c
a1797d212560de7fd187d0771e8948bd8e0e242bed0ca07665f78076f4e23235
b0a4a1998a1be57d5b9b9ce727d473f46dfc849a3369ee8323d834bebf5ca70a
b822db93cde13ee2b2faf41e5a6096782bda7a71ef028641d2ce6ad9db777b67
c8399484d20c0ebed376cc8147e003cf4d930b5130392ae0e14cee0cec42d484
d00073956786fb8a6b7168b243fa2ea8bb3dff345c020913638ce45c44b78dde
ec1205a050693f750dd6a984b68eb2533539a34a5602744127d1b729b22f42fd
ec70414b2295392cf7200b99747922a5648c4d2882140bd04c7661030aabe928
fdf50a01a8837c9f4280f3e7f7e336f3cbf93a30c78b48aa50c05b45a7f2ee5b
SHA1
09413b5d9d404398bc163bfe239e5f8d149ff412
178b11323f921c0216bedefdd575a9c5a055b9fa
3d4c3856f86c1dac1fe644babe87f1e5b6c6636f
3f8016bafb700595490b732b92f8501201f0c9af
4a65848af705b2d2b23af0b0795f0ec8bfdc0c69
4b35d14a2eab2b3a7e0b40b71955cdd36e06b4b9
6251126c3a44d5f8a72f0790ae8aba1b195cb5b2
647497d00704316a7414d357834ed3f7f111a85f
6924b5219448733c43be7f569b1040d468b939f1
6da222a04b4d0ad74f7ab186d235b55a9bcf7a18
73055a139a248cccb2b6f4360f072f7626b4ce7c
73d6694a0339cc4083f66395b6b4b3da324e2113
87e3e59f6653ae1306461bf9683bda92f442d77f
8a3d32cb67bbf600c81577f4c2dd0a5e601c43d4
9320a614916bbfaa31853d785ffe0ed0fc7b54f4
9cc89d708fcc2b114f6589d8077f66395d4b68ba
ae0bf4a92b37da3ca4dbd965bc646a747b7ceaf4
bf8f0b845c8f13b4386b7204add3c5d2e504b4c6
d3d38d113fcaf3ea2e1b8bc5c32182141f918246
e0f4924aeb8befbf6a78411f910d2c148de7c5ff
f463b1cf8d6dd8004edf047b4dea3c4e283f0ffb
MD5
01f3a22bf3e409154e79e067370ed98a
0818cda2299b358e1ddf4ea59249a6c4
1f19f7db272cc5ec22eb08987aaffcab
20ee5ab5724339f16c19be92d0912bb6
317f1027095bc41de8fbcfce2c764ac4
34e3e94f9955c101640b44926bc44393
41dacae2a33ee717abcc8011b705f2cb
4d1e16e2b914243e0c63017676956a73
538505d57722f6f6e747f7f1517f9c7d
610303b58eb5d039c15061e48b743d17
6f736eac915c2b647bfbba9e5dccf0cb
79fc7ed090bc935881e7c242e40071a2
98e94d7be1d59c17f6bcf3ce09661f83
a1fc74b7fb105252aba222f5099fbd04
b52439640b7f0e0273f0d15bb3af6198
bb93392daece237207b6e32fb5fb4f00
c587cdbadc3573149c8b1a78fbbd876f
cc26e5fda0083f750d7748eeaea45350
fcbe52f671d2f20b292c3057320d89a9
fd7de2b8572f35f0f6f58bba6ff2360e
fe93382464347be4361c7e8fb131a668
IP address
192.168.1.166
Domains
fetchbring.com
cameoonion.com
kixthstage.com
fledscuba.com
capetipper.com
cravefool.com
trendparlye.com
merudlement.com
ipodlasso.com
aliveyelp.com
beez.com
bestandgood.com
bettertimator.com
biowitsg.com
cakeduer.com
casgone.com
diemonge.com
e5afaya.com
editngo.com
eimvivb.com
endlessutie.com
flowuboy.com
futureinv-gp.com
ganjabuscoa.com
getmyecoin.com
iemcvv.com
interactive-guides.com
investsportss.com
ismysoulmate.com
justlikeahummer.com
metaversalk.com
mlaycld.com
moveandtry.com
myballmecg.com
nuttyhumid.com
otopitele.com
outsidenursery.com
primventure.com
pursestout.com
reasonsalt.com
searching4soulmate.com
speclaurp.com
sureyuare.com
tarzoose.com
wemobiledauk.com
wharfgold.com
xdinzky.com
zeltactib.com
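The IoC list above mixes SHA256, SHA1 and MD5 file hashes with one IP address and a set of domains, which is how it would be pasted into a hunt. The Python below is an added example for this page, not code from the report or from the MataDoor analysis. It classifies each indicator by type (hex length for hashes, an IP parse, hostname syntax for domains), indexes them, and matches constructed sample telemetry against the list: a DNS query log in an assumed `<timestamp> <host> query <rrtype> <qname>` layout and a `(path, sha256)` file inventory, both made up here. Domain matching is done on label boundaries, so `cdn.fetchbring.com` hits `fetchbring.com` but `notfetchbring.com` does not. It also flags 192.168.1.166 as a private-range (RFC 1918) address: such an indicator identifies a host inside the investigated network only and will produce noise if matched anywhere else.

```python
"""Triage helper for a flat IoC list: classify indicators by type and match
constructed sample telemetry against them. Added example for this page; not
code from the Dark River report."""
import ipaddress
import re
from collections import defaultdict

# A subset of the indicators from the IoC list on this page, one per line.
RAW_IOCS = """
0085a02b9ba24afd266116df43acbd4f57fc8822af4929e7d17b59f2ceae9418
01f3a22bf3e409154e79e067370ed98a
09413b5d9d404398bc163bfe239e5f8d149ff412
192.168.1.166
fetchbring.com
cameoonion.com
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")
# Hostname: dot-separated labels of letters, digits and hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(indicator):
    """Return md5 / sha1 / sha256 / ip / domain / unknown for one indicator."""
    s = indicator.strip().lower()
    if HEX_RE.match(s):
        return HASH_TYPES.get(len(s), "unknown")
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(s) else "unknown"


def build_index(raw_text):
    """Group indicators by type into sets for constant-time lookup."""
    index = defaultdict(set)
    for line in raw_text.splitlines():
        line = line.strip().lower()
        if line:
            index[classify(line)].add(line)
    return index


def match_hash(digest, index):
    """Return the hash type if `digest` (any case) is a listed IoC, else None."""
    d = digest.strip().lower()
    kind = classify(d)
    return kind if kind in HASH_TYPES.values() and d in index[kind] else None


def match_domain(qname, index):
    """Return the IoC domain that `qname` equals or is a subdomain of, else None.
    Walks the name label by label so matching respects label boundaries."""
    labels = qname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index["domain"]:
            return candidate
    return None


def private_ip_iocs(index):
    """IP indicators in private ranges; only meaningful inside the network
    where they were observed (192.168.1.166 on this page is one)."""
    return sorted(ip for ip in index["ip"] if ipaddress.ip_address(ip).is_private)


# Constructed sample telemetry (not from the report). The second inventory
# digest is taken from the page's IoC list; everything else is made up.
SAMPLE_DNS_LOG = [
    "2022-10-03T10:15:01Z host01 query A www.example.com",
    "2022-10-03T10:15:07Z host01 query A cdn.fetchbring.com",
    "2022-10-03T10:16:20Z host02 query A notfetchbring.com",
]
SAMPLE_FILE_INVENTORY = [
    ("C:\\Program Files\\Vendor\\update.exe", "aa" * 32),
    ("C:\\Windows\\Temp\\svc.dll",
     "0085a02b9ba24afd266116df43acbd4f57fc8822af4929e7d17b59f2ceae9418"),
]


def scan_dns(lines, index):
    """(log line, matched IoC domain) for each query that hits the domain list."""
    hits = []
    for line in lines:
        ioc = match_domain(line.split()[-1], index)
        if ioc:
            hits.append((line, ioc))
    return hits


def scan_files(inventory, index):
    """(path, digest, hash type) for each file whose digest is a listed IoC."""
    return [(path, d, match_hash(d, index))
            for path, d in inventory if match_hash(d, index)]


if __name__ == "__main__":
    idx = build_index(RAW_IOCS)
    print({k: len(v) for k, v in idx.items()})
    print("DNS hits:", scan_dns(SAMPLE_DNS_LOG, idx))
    print("File hits:", scan_files(SAMPLE_FILE_INVENTORY, idx))
    print("Private-range IoCs:", private_ip_iocs(idx))
```

Paste the full list into `RAW_IOCS` to use it against real exports; anything that classifies as `unknown` is a line that needs a look before it is fed to a blocklist. Hashes are compared after lowercasing because tool output differs in case, and DNS names are matched after stripping a trailing dot for the same reason.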