W32/DoubleAgent.4310!tr.rkit

Analysis

W32/DoubleAgent.4310!tr.rkit is a generic detection for a trojan. Since this is a generic detection, malware that is detected as W32/DoubleAgent.4310!tr.rkit may have varying behaviour.
Below is a summary of its behaviours:

  • This malware has been analyzed as a modified version of the LoJack rootkit. The rootkit has been known to serve as an anti-theft tool made by Absolute Software Corporation. The tool is capable of locating and locking a device, deleting files and wiping data remotely by calling back to its Command and Control (CC) server. As part of its persistence, this malware has the ability to survive hard drive replacements and Operating System (OS) re-imaging. This malware has been known to be modifiable simply by changing the hard-coded CC URL, which is encoded using a single-byte XOR key. LoJack's double agent "rpcnetp.exe" allows memory reads and writes, which grant it remote backdoor functionality when coupled with a rogue CC server.

  • rpcnetp.exe, also detected as W32/DoubleAgent.4310!tr.rkit:
    This small executable, 17408 bytes in size, has the primary purpose of ensuring that the primary agent is running. If it is not, it will try to connect to Absolute Software's CC server to download and execute it. This part of the malware operates in three stages:
    • It initially makes a copy of itself and modifies the PE header so that the copy becomes a dynamic-link library (DLL).
    • This DLL is then loaded into memory; it spawns a svchost.exe process and injects the DLL into it.
    • Lastly, it spawns an Internet Explorer (iexplore.exe) process and again injects its DLL into it; this process is used to communicate over the Internet.

  • Differences between "Genus" and the malicious agent "rpcnetp.exe":
    • The time intervals between attempted connections to a malicious CC server, instead of the legitimate Absolute Software one, can be modified via configuration settings.
    • There is an export function "rpcnetp" in its Win32 body.
    • It is 17,408 bytes in size.

  • This malware drops a copy of itself in the current path as a ".dll" file, %CurrentPath%\[OriginalFileName].dll, detected as W32/DoubleAgent.4310!tr.rkit.

  • This malware may connect to any of the following remote site(s):
    • hxxp://rpcnetconnec{Removed}.com/
    • hxxp://remotep{Removed}.net/
    • hxxp://18{Removed}.86.151.104/
    • hxxp://jflync{Removed}.com/
    • hxxp://rdsnet{Removed}.com/
    • hxxp://8{Removed}.106.131.54/
    • hxxp://elax{Removed}.org/
    • hxxp://sysanalyticwe{Removed}.com
    • hxxp://ikmtrus{Removed}.com/
    • hxxp://lxw{Removed}.org/
    • hxxp://18{Removed}.86.149.54/
    • hxxp://webst{Removed}.com/
    • hxxp://18{Removed}.77.129.106/
    • hxxp://seca{Removed}.org/
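The triage script below is an added example written for this page; it is not Fortinet's or Absolute Software's code. It applies the static indicators described above to a file's bytes: a PE header whose IMAGE_FILE_DLL characteristic is set on a file that is named .exe (the copy-and-rewrite-header stage), the 17408-byte file size, and a CC URL hidden with a single-byte XOR key, which it recovers by trying all 255 keys and looking for a URL in the result. The sample file, the URL "http://c2-placeholder.invalid/" and the key 0xB5 are constructed for the example, and the function names (coff_characteristics, is_dll_flagged, find_xor_encoded_urls, triage, build_sample) are the example's own.

```python
import re
import struct

IMAGE_FILE_DLL = 0x2000      # COFF Characteristics bit: image is a DLL
RPCNETP_SIZE = 17408         # size reported above for the malicious rpcnetp.exe
URL_RE = re.compile(rb"https?://[a-z0-9.\-]+\.[a-z]{2,}(?:/[\x21-\x7e]*)?", re.I)


def coff_characteristics(data: bytes):
    """Return the COFF Characteristics WORD of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # The 20-byte COFF header follows the "PE\0\0" signature; Characteristics is its last WORD.
    return struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]


def is_dll_flagged(data: bytes) -> bool:
    """True when the PE header says 'DLL', regardless of the file's extension."""
    chars = coff_characteristics(data)
    return chars is not None and bool(chars & IMAGE_FILE_DLL)


def find_xor_encoded_urls(data: bytes):
    """Try every single-byte XOR key (1..255) and return (key, url) pairs that decode to a URL."""
    hits = []
    for key in range(1, 256):
        table = bytes(i ^ key for i in range(256))   # bytes.translate is a fast per-byte XOR
        decoded = data.translate(table)
        for match in URL_RE.finditer(decoded):
            hits.append((key, match.group(0).decode("ascii", "replace")))
    return hits


def triage(data: bytes, filename: str):
    """Collect the indicators from the analysis above that apply to this file."""
    findings = []
    if filename.lower().endswith(".exe") and is_dll_flagged(data):
        findings.append("PE header carries IMAGE_FILE_DLL although the file is named .exe")
    if len(data) == RPCNETP_SIZE:
        findings.append("file size matches the 17408-byte rpcnetp.exe sample")
    for key, url in find_xor_encoded_urls(data):
        findings.append(f"URL recovered with single-byte XOR key 0x{key:02x}: {url}")
    return findings


def build_sample(url: bytes, key: int, dll_flag: bool) -> bytes:
    """Constructed stand-in for a file: a minimal MZ/PE header followed by an XOR-encoded URL."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE, plus the DLL bit on request
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll_flag else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    body = b"\0" * 64 + bytes(b ^ key for b in url) + b"\0" * 32
    return dos + b"PE\0\0" + coff + body


if __name__ == "__main__":
    sample = build_sample(b"http://c2-placeholder.invalid/", 0xB5, dll_flag=True)
    for line in triage(sample, "rpcnetp.exe"):
        print(line)
```

Running it stand-alone reports the DLL flag on the .exe-named sample and the placeholder URL recovered with key 0xB5. On a real file, read the bytes and pass them with the on-disk name; a long-running scan over a large binary is expected, since the key search decodes the whole buffer 255 times.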


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate
  • FortiClient
  • FortiAPS
  • FortiAPU
  • FortiMail
  • FortiSandbox
  • FortiWeb
  • Web Application Firewall
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date Version Detail
2020-12-21 82.71500 Sig Updated
2020-11-25 82.09300 Sig Updated
2020-10-11 81.01600 Sig Updated
2020-08-11 79.55200 Sig Updated
2018-10-30 63.81200 Sig Updated
2018-10-21 63.09600 Sig Updated
2018-10-16 62.96900 Sig Updated
2018-10-09 62.80100 Sig Updated
2018-10-05 62.71000 Sig Updated