W32/DoubleAgent.4310!tr.rkit
Analysis
W32/DoubleAgent.4310!tr.rkit is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as W32/DoubleAgent.4310!tr.rkit may have varying behaviour.
Below is a summary of its behaviours:
- This malware has been analyzed as a modified version of the LoJack rootkit. The rootkit has been known to serve as an anti-theft tool made by Absolute Software Corporation. The tool is capable of locating and locking a device, deleting files and wiping data remotely by calling back to its Command and Control (CC) server. As part of its persistence, this malware has the ability to survive hard drive replacements and Operating System (OS) re-imaging. This malware has been known to be modifiable simply by changing the hard-coded CC URL, which is encoded using a single-byte XOR key. LoJack's double agent "rpcnetp.exe" allows for memory reads and writes, which grant it remote backdoor functionality when coupled with a rogue CC server.
- rpcnetp.exe, also detected as W32/DoubleAgent.4310!tr.rkit:
This small executable, 17408 bytes in size, has the primary purpose of ensuring that the primary agent is running. If not, it will try to connect to Absolute Software's CC server to download and execute it. This part of the malware runs in three stages:
- It initially makes a copy of itself and modifies the PE header so that it becomes a dynamic-link library (DLL).
- After which, this DLL is loaded in memory, and it will spawn a svchost.exe process and inject the DLL there.
- Lastly, it spawns an Internet Explorer iexplore.exe process and again injects its DLL into it, which is used to communicate over the Internet.
- Differences between the genuine ("Genus") agent and the malicious agent "rpcnetp.exe":
- The time intervals between attempted connections to a malicious CC server, instead of the legitimate Absolute Software one, can be modified via configuration settings.
- There is an export function "rpcnetp" in its Win32 body.
- It is 17,408 bytes in size.
- This malware drops a copy of itself in the current path as a ".dll", %CurrentPath%\[OriginalFileName].dll, detected as W32/DoubleAgent.4310!tr.rkit
- This malware may connect to any of the following remote site(s):
- hxxp://rpcnetconnec{Removed}.com/
- hxxp://remotep{Removed}.net/
- hxxp://18{Removed}.86.151.104/
- hxxp://jflync{Removed}.com/
- hxxp://rdsnet{Removed}.com/
- hxxp://8{Removed}.106.131.54/
- hxxp://elax{Removed}.org/
- hxxp://sysanalyticwe{Removed}.com
- hxxp://ikmtrus{Removed}.com/
- hxxp://lxw{Removed}.org/
- hxxp://18{Removed}.86.149.54/
- hxxp://webst{Removed}.com/
- hxxp://18{Removed}.77.129.106/
- hxxp://seca{Removed}.org/
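The analysis above notes that the hard-coded CC URL is encoded with a single-byte XOR key and that the malicious agent is 17,408 bytes with an export named "rpcnetp". The following Python triage helper is an added example, not Fortinet's or Absolute Software's code: it brute-forces all 256 single-byte keys over a file and collects decoded strings that look like URLs (so an analyst can extract the CC domain for blocking and hunting), and reports the two static indicators the page gives. The sample blob, the key 0x5A and the domain "c2-placeholder.example" are constructed placeholders, and the "rpcnetp" check is a plain string search, not an export-table parse.

```python
"""Triage helper for suspected modified-LoJack (rpcnetp.exe) samples.

Added example; not Fortinet's or Absolute Software's code. The sample bytes,
XOR key and domain below are constructed placeholders for demonstration.
"""
import re

# Minimal URL shape: scheme, host, optional path of printable ASCII.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[\x21-\x7e]*)?")

# Page-stated indicators for the malicious agent.
EXPECTED_SIZE = 17408
EXPORT_NAME = b"rpcnetp"


def recover_xor_urls(data: bytes, min_len: int = 10) -> set:
    """Return a set of (key, url) pairs: every URL-looking string that appears
    after XOR-decoding `data` with each single-byte key (key 0 = plaintext)."""
    hits = set()
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        for match in URL_RE.finditer(decoded):
            url = match.group(0).decode("ascii", "replace")
            if len(url) >= min_len:
                hits.add((key, url))
    return hits


def triage(data: bytes) -> dict:
    """Summarise the static indicators from the page plus recovered URLs."""
    return {
        "size_matches": len(data) == EXPECTED_SIZE,
        # Heuristic only: export names live as ASCII in the PE export table,
        # so a substring hit is a cheap first signal, not proof of an export.
        "rpcnetp_string": EXPORT_NAME in data,
        "xor_urls": sorted(recover_xor_urls(data)),
    }


# --- Constructed sample (placeholder, not a real IoC) -----------------------
XOR_KEY = 0x5A
C2_URL = "http://c2-placeholder.example/"
# Encode the null-terminated C string the way the page describes: one-byte XOR.
_encoded_c2 = bytes(b ^ XOR_KEY for b in (C2_URL.encode() + b"\x00"))
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12        # fake DOS header and padding
    + EXPORT_NAME + b"\x00"             # export name as it would sit in the PE
    + _encoded_c2 + b"\x00" * 12        # XOR-encoded CC URL, then padding
)

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

Run it against a real sample by replacing `SAMPLE` with the file's bytes; any (key, url) pair with a non-zero key is a candidate encoded CC address worth adding to a blocklist, and the size and export indicators are useful only alongside the AV signature, since either can change between builds.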
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR
Version Updates
Date | Version | Detail |
---|---|---|
2020-12-21 | 82.71500 | Sig Updated |
2020-11-25 | 82.09300 | Sig Updated |
2020-10-11 | 81.01600 | Sig Updated |
2020-08-11 | 79.55200 | Sig Updated |
2018-10-30 | 63.81200 | Sig Updated |
2018-10-21 | 63.09600 | Sig Updated |
2018-10-16 | 62.96900 | Sig Updated |
2018-10-09 | 62.80100 | Sig Updated |
2018-10-05 | 62.71000 | Sig Updated |