Introducing DevOpt: A Multifunctional Backdoor Arsenal

Zscaler ThreatLabz uncovered a new multifunctional backdoor named DevOpt, built with Free Pascal, capable of keylogging, stealing browser credentials, clipper functionality, and persistence. The campaign shows two development variants, lure infrastructure on a Russian site, and a structured command-and-control protocol used to exfiltrate data. #DevOpt #ThreatLabz

Keypoints

  • DevOpt is a new backdoor built with Free Pascal that can log keystrokes, steal browser credentials, grab local files, record clipboard contents, and persist on the system.
  • Two development variants exist: an older, larger build with a GUI that talks to its C2 over plain HTTP, and a newer, smaller build that replaces plain strings with encoded ones and relies on OpenSSL DLLs for encrypted C2.
  • Persistence is achieved by copying itself into startup locations (Startup folder) and using a configuration file named Winkeyjet.ini to store OS info, Device_ID, Version, OwnVer, and CnC details.
  • Collected data is written to text files named Clipper, Stealer, Keylogger, Grabber, and Dropped before exfiltration: clipboard contents, browser data (Chrome and Yandex), keystrokes, and local documents respectively.
  • Distribution goes through a Russian site that promises rewards; the download URL follows the pattern wdfiles-download.siteme.org/arxiv[digit].exe.
  • C2 traffic carries encoded commands (e.g., DIR, PUT, READ, EXEC, DRLS, PRLS) and a SYNC exchange with the CnC; the move to encoded commands and strings points to continuing work on the malware's evasion features.
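The persistence and configuration artifacts above (a copy of the binary in the Startup folder plus Winkeyjet.ini holding OS info, Device_ID, Version, OwnVer, and CnC details) are what an incident responder would look for first on a suspect host. The script below is an added example, not code from the Zscaler report: it lists launchable files in a Startup folder and parses any Winkeyjet.ini found there. The INI layout (section name, exact key spellings) is an assumption built from the field names the report lists, and the sample folder it creates is constructed for the demo.

```python
"""Host triage for the DevOpt persistence artifacts described above.

Added example, not code from the Zscaler report. Assumes Winkeyjet.ini is an
ordinary INI file; the section name and key spellings are assumptions based on
the fields the report names (OS, Device_ID, Version, OwnVer, CnC). The Startup
folder created by build_sample_startup() is constructed for the demo.
"""
import configparser
import os
import tempfile
from pathlib import Path

# Field names the report says the config file holds (compared case-insensitively).
EXPECTED_FIELDS = ("os", "device_id", "version", "ownver", "cnc")

# Extensions worth flagging when they appear in a Startup folder.
LAUNCHABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Real per-user Startup path on Windows (the location T1547.001 covers);
# pass this to triage_startup() on a live host.
USER_STARTUP = (Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows"
                / "Start Menu" / "Programs" / "Startup")


def parse_winkeyjet_text(text: str) -> dict:
    """Parse INI text into a flat {lower-case key: value} dict.

    A hand-rolled config may lack a [section] header, which configparser
    rejects, so fall back to wrapping the content in a synthetic section.
    """
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string("[root]\n" + text)
    fields = {}
    for section in cp.sections():
        for key, value in cp.items(section):  # ConfigParser lower-cases keys
            fields[key] = value.strip()
    return fields


def parse_winkeyjet(path: Path) -> dict:
    return parse_winkeyjet_text(path.read_text(encoding="utf-8", errors="ignore"))


def triage_startup(startup_dir: Path) -> dict:
    """Flag launchable files in a Startup folder and parse any Winkeyjet.ini there."""
    findings = {"executables": [], "config": None, "missing_fields": []}
    if not startup_dir.is_dir():
        return findings
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix.lower() in LAUNCHABLE:
            findings["executables"].append(entry.name)
        if entry.name.lower() == "winkeyjet.ini":
            cfg = parse_winkeyjet(entry)
            findings["config"] = cfg
            findings["missing_fields"] = [f for f in EXPECTED_FIELDS if f not in cfg]
    return findings


def build_sample_startup(root: Path) -> Path:
    """Create a constructed Startup folder: a dropped copy, a benign file, the config."""
    startup = root / "Startup"
    startup.mkdir(parents=True, exist_ok=True)
    (startup / "arxiv5.exe").write_bytes(b"MZ" + b"\0" * 62)  # placeholder bytes, not the real sample
    (startup / "desktop.ini").write_text("[.ShellClassInfo]\n", encoding="utf-8")  # benign, common
    (startup / "Winkeyjet.ini").write_text(  # constructed; layout is an assumption
        "[Config]\n"
        "OS=Windows 10 Pro\n"
        "Device_ID=EXAMPLE-DEVICE-0001\n"
        "Version=2.0\n"
        "OwnVer=1\n"
        "CnC=mvd-k-tula.siteme.org\n",
        encoding="utf-8",
    )
    return startup


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage_startup(build_sample_startup(Path(tmp)))


if __name__ == "__main__":
    result = run_demo()
    print("launchable files:", result["executables"])
    print("config:", result["config"])
    print("missing fields:", result["missing_fields"])
```

On a real host, run triage_startup(USER_STARTUP) and treat any launchable file in that folder together with a Winkeyjet.ini as a strong signal; the CnC value recovered from the file is the first thing to pivot on in proxy and DNS logs.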

MITRE Techniques

  • [T1547.001] Registry Run Keys / Startup Folder – Persistence by placing a copy in the user's Startup folder so it launches at every logon. “the malware replicated itself in the Startup folder, enabling it to initiate automatically whenever the computer is powered on.”
  • [T1027] Obfuscated Files or Information – The newer variant replaces plain strings with encoded integer-based strings. “newer variant uses encoded integer-based strings for its functionality.”
  • [T1082] System Information Discovery – The config file exposes OS name, Device_ID, Version. “The configuration file Winkeyjet.ini contains information about the compromised system, such as the name of the operating system, a unique Device_ID, and the version number.”
  • [T1057] Process Discovery – The malware can enumerate processes. “Command to collect the Process list of infected systems.”
  • [T1083] File and Directory Discovery – The DIR command collects file information (name, directory, size, modified date). “Command to collect file information of the given directory. It can collect file name, directory name, size and modified date.”
  • [T1115] Clipboard Data – Clipper steals clipboard data. “Clipper malware … record the clipboard data” and “logs all the information copied to the clipboard.”
  • [T1056.001] Keylogging – Keystrokes are captured and logged. “Keylogger malware is specifically designed to capture every keystroke made by a user” and “Kebba.dan … log the keystrokes.”
  • [T1005] Data from Local System – Data exfiltration of credentials and sensitive data. “stealer … pilfer sensitive information” and browser data described in detail.
  • [T1555.003] Credentials from Web Browsers – Chrome/Yandex data stolen (cookies, history, login data). “Chrome browser data collected” and “Ya Passman Data” equivalents are listed.
  • [T1539] Steal Web Session Cookie – Browser session data theft indicated by browser data collection. “Web Browser Data” mentions cookies/history.
  • [T1071.001] Web Protocols – C2 and exfiltration run over HTTP against the CnC domain (encrypted in the newer variant): the session opens with a “create” request that the server acknowledges with an HTTP “200 OK”. “establishing a connection with the Command and Control (CnC) starts with the malware sending a “create” request. … CnC responds with a “200 OK” message.” The “Command and Control domain” is referenced alongside the data exfiltration patterns.

Indicators of Compromise

  • [File Hash] Old Variant – db14d40d780853f80b93e21e92617680, 94df2e4aa0f432ef992893d7b994ce84
  • [File Hash] New Variant – 391c894616dd0e8b372b801cbbc0a790, e42198e7c0647238b999a2b2133daac2
  • [Domain] Command and Control Domain – mvd-k-tula.siteme.org, mvd-k-tula.ru
  • [URL] Malicious Source URL used for distribution – wdfiles-download.siteme.org/arxiv5.exe
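The indicators above are easiest to use as a sweep over proxy/DNS logs and a file-hash inventory. The script below is an added example, not code from the Zscaler report: it matches the published MD5 hashes, the two C2 domains (exact or subdomain match, so look-alike hosts that merely contain the string are not flagged), and the arxiv[digit].exe download pattern. The log lines and the hash inventory are constructed for the demo.

```python
"""IOC sweep for the DevOpt indicators listed above.

Added example, not code from the Zscaler report. The hashes, domains and URL
pattern are the ones the report publishes; the log lines and the file-hash
inventory are constructed for the demo.
"""
import re

DEVOPT_MD5 = {
    "db14d40d780853f80b93e21e92617680", "94df2e4aa0f432ef992893d7b994ce84",  # old variant
    "391c894616dd0e8b372b801cbbc0a790", "e42198e7c0647238b999a2b2133daac2",  # new variant
}
DEVOPT_DOMAINS = ("mvd-k-tula.siteme.org", "mvd-k-tula.ru")

# Report pattern: wdfiles-download.siteme.org/arxiv[digit].exe. \d+ deliberately
# widens the single digit so multi-digit file names are also caught.
DOWNLOAD_RE = re.compile(r"wdfiles-download\.siteme\.org/arxiv\d+\.exe", re.IGNORECASE)

# Crude hostname tokeniser for free-text log lines (also matches IPs; harmless here).
HOST_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w.-])", re.IGNORECASE)


def match_log_line(line: str) -> list:
    """Return the IOC tags one proxy or DNS log line triggers (sorted, de-duplicated)."""
    tags = set()
    if DOWNLOAD_RE.search(line):
        tags.add("url:devopt-download")
    for host in HOST_RE.findall(line):
        host = host.lower()
        for ioc in DEVOPT_DOMAINS:
            # Exact or subdomain match. A plain substring test would also flag
            # look-alikes such as mvd-k-tula.ru.evil-lookalike.test.
            if host == ioc or host.endswith("." + ioc):
                tags.add("domain:" + ioc)
    return sorted(tags)


def sweep_logs(lines) -> list:
    """(line number, tags, line) for every line that hits at least one IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = match_log_line(line)
        if tags:
            hits.append((n, tags, line))
    return hits


def match_hashes(inventory: dict) -> list:
    """inventory maps file path -> MD5 hex; returns the entries that are DevOpt samples."""
    return [(path, md5.lower()) for path, md5 in inventory.items() if md5.lower() in DEVOPT_MD5]


SAMPLE_LOG = [  # constructed log lines, not real telemetry
    "2024-05-02T10:00:00Z host1 GET http://wdfiles-download.siteme.org/arxiv5.exe 200",
    "2024-05-02T10:00:05Z host1 dns query mvd-k-tula.siteme.org A",
    "2024-05-02T10:00:09Z host2 GET http://example.com/index.html 200",
    "2024-05-02T10:01:00Z host3 dns query mvd-k-tula.ru.evil-lookalike.test A",
    "2024-05-02T10:02:00Z host4 POST http://mvd-k-tula.ru/create 200",
]

SAMPLE_INVENTORY = {  # constructed path -> MD5 pairs, not real files
    r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arxiv5.exe":
        "DB14D40D780853F80B93E21E92617680",
    r"C:\Windows\System32\notepad.exe": "00000000000000000000000000000000",
}


if __name__ == "__main__":
    for n, tags, line in sweep_logs(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)} <- {line}")
    for path, md5 in match_hashes(SAMPLE_INVENTORY):
        print(f"hash hit: {md5} {path}")
```

The sweep flags the download, the DNS lookup of the C2 domain and the “create” POST to the second domain, while the look-alike host on line 4 stays silent; MD5 is what the report publishes, so a match is confirmation of a known sample but a non-match says nothing about a recompiled build.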

Read more: https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal