YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus

Zscaler ThreatLabz identified a new backdoor family named YiBackdoor in June 2025 that can collect system information, capture screenshots, execute commands, and load plugins, and shows significant code overlap with IcedID and Latrodectus. The malware includes anti-analysis checks, injects into svchost.exe, persists via Run registry entries using regsvr32.exe, and communicates with C2 servers using dynamic TripleDES keys. #YiBackdoor #IcedID #Latrodectus

Key Points

  • YiBackdoor was first observed in June 2025 and is likely in development or testing based on limited deployments and local C2 entries.
  • The malware can gather system info, take screenshots, execute commands (cmd/PowerShell), and load encrypted plugins that expand functionality.
  • ThreatLabz found notable code overlaps between YiBackdoor, IcedID, and Latrodectus, including similar decryption routines, GUID lists, and hashing/charset usage.
  • YiBackdoor uses anti-analysis techniques targeting virtualized environments: CPUID hypervisor checks, timing-based VM detection, runtime string decryption, and dynamic API resolution via ROR-based hashing.
  • Initialization includes mutex checks, DLL range checks to ensure injection, creating an svchost.exe process and hooking RtlExitUserProcess to transfer execution, then establishing persistence with a Run registry entry using regsvr32.exe and randomized names.
  • Network communication uses a decrypted configuration to build http(s)://C2/bot_id/uri1/uri2, sends Base64-encoded TripleDES-encrypted JSON in the X-tag header, and accepts JSON commands in responses.
  • Plugins are stored encrypted as random .bin files in the temp folder, decrypted with a per-plugin algorithm, and reloaded on each execution; command results are reported back via HTTP POST in JSON.

MITRE Techniques

  • [T1055] Process Injection – YiBackdoor injects into a newly created svchost.exe, allocates memory and copies its code, and hooks RtlExitUserProcess to redirect execution: ‘YiBackdoor creates a new svchost.exe process and injects its code into it… YiBackdoor patches the Windows API function RtlExitUserProcess… the malware’s code executes just as the target process is about to terminate.’
  • [T1547.001] Registry Run Keys / Startup Folder – Establishes persistence by copying the DLL to a random directory and adding a Run registry value using regsvr32.exe with a pseudo-random name: ‘YiBackdoor adds regsvr32.exe malicious_path in the registry value name (derived using a pseudo-random algorithm) and self-deletes.’
  • [T1204.002] User Execution: Malicious File – Uses regsvr32.exe in the Run key to execute the malicious DLL at startup (implied by persistence mechanism described above): ‘YiBackdoor adds regsvr32.exe malicious_path in the registry value name…’
  • [T1027] Obfuscated Files or Information – Decrypts strings at runtime by pushing encrypted strings onto the stack and XOR-ing with a unique 4-byte key for each string: ‘Decrypts strings at runtime by pushing an encrypted string onto the stack, which is then decrypted by performing an XOR operation with a 4-byte key (that is unique for each encrypted string).’
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Uses CPUID with 0x40000000 and timing via rdtsc + CPUID loops to detect hypervisors and VMs, comparing results to known hypervisor values (VMware, Xen, KVM, VirtualBox, Hyper-V, Parallels): ‘YiBackdoor utilizes the CPUID instruction with the parameter 0x40000000 to retrieve hypervisor information… the final calculated value must be greater than 20 to bypass the detection.’
  • [T1005] Data from Local System – Collects system information (Windows version, process list, network info), and executes system commands like whoami, ipconfig, net view to gather host data: ‘Collects the following system information: Windows version. List of process names. Network and miscellaneous system information by executing the system commands… chcp 65001 whoami /all arp -a ipconfig /all net view /all…’
  • [T1113] Screen Capture – Captures screenshots and reports them back to C2 (Base64-encoded): ‘Takes a screenshot of the compromised host’s desktop.’ and ‘Screenshot encoded in Base64 format.’
  • [T1105] Ingress Tool Transfer – Downloads and stores plugins received from C2 as encrypted .bin files in the Temp folder and decrypts them for execution: ‘YiBackdoor stores each plugin that is received locally in the Windows temporary folder using a random filename with the file extension .bin… Each plugin is stored in an encrypted format.’
  • [T1041] Exfiltration Over C2 Channel – Sends command outputs and status to C2 via HTTP POST with JSON, and uses encrypted data in the X-tag HTTP header for communication: ‘The encrypted output is then Base64-encoded and appended to the HTTP header X-tag, and sent in an HTTP GET request.’ and ‘YiBackdoor reports the output of each command to the C2 by sending an HTTP POST request.’
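As an added defender-side example (not code from the Zscaler report), the following Python scores HTTP request records against the check-in shape described in the key points and in the T1041 entry above: a three-segment path (bot_id/uri1/uri2) plus an X-tag header whose Base64 payload decodes to an 8-byte-aligned blob, which is the footprint TripleDES leaves even when the per-session key is unknown. The request-record layout, the sample values and the two-trait threshold are assumptions.

```python
import base64
import binascii
from urllib.parse import urlparse

# Constructed sample request records (not captured traffic). Record 0 mimics
# the YiBackdoor check-in shape described in the report: a three-segment path
# (bot_id/uri1/uri2) and an X-tag header carrying Base64 TripleDES ciphertext.
SAMPLE_REQUESTS = [
    {"url": "http://203.0.113.10:8898/3f9a1c2d/update/check",
     "headers": {"X-tag": "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3"}},  # 24-byte blob
    {"url": "https://www.example.com/index.html",
     "headers": {"X-tag": "aGVsbG8="}},  # decodes to 5 bytes, not block aligned
    {"url": "https://www.example.com/api/v1/items",
     "headers": {"Accept": "application/json"}},  # three segments, no X-tag
]

DES3_BLOCK = 8  # TripleDES ciphertext is always a multiple of the 8-byte block

def decode_xtag(value):
    """Strictly Base64-decode an X-tag value; None if it is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def is_des3_shaped(blob):
    """True when the bytes could be TripleDES output: non-empty and 8-byte aligned."""
    return bool(blob) and len(blob) % DES3_BLOCK == 0

def has_beacon_path(url):
    """True when the URL path has exactly three non-empty segments."""
    return len([s for s in urlparse(url).path.split("/") if s]) == 3

def score_request(req):
    """List the YiBackdoor-like traits present in one request record."""
    reasons = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}  # header names are case-insensitive
    if "x-tag" in headers:
        reasons.append("x-tag header present")
        if is_des3_shaped(decode_xtag(headers["x-tag"])):
            reasons.append("x-tag decodes to 8-byte-aligned blob")
    if has_beacon_path(req["url"]):
        reasons.append("three-segment beacon path")
    return reasons

def find_suspicious(requests, min_traits=2):
    """Indexes of records showing at least min_traits traits (threshold is an assumption)."""
    return [i for i, r in enumerate(requests) if len(score_request(r)) >= min_traits]
```

A single X-tag header or a three-segment path alone is common in benign traffic, so the threshold combines traits; feed it proxy or WAF logs parsed into the same record shape.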

Indicators of Compromise

  • [File Hash] YiBackdoor sample SHA256 – af912f6f4bea757de772d22f01dc853fc4d7ab228dc5f7b7eab2a93f64855fbe
  • [Domain/IP] C2 Server – http://136.243.146[.]46:8898 (YiBackdoor C2)
  • [File Name Pattern] Plugin files – random .bin files stored in Temp (identified by YiBackdoor filename generation algorithm) – example: plugin_name-.bin (and other random .bin names)
  • [Registry] Persistence entry – Run key using regsvr32.exe with a pseudo-random registry value name derived by the malware (no specific name provided)

Read more: https://www.zscaler.com/blogs/security-research/yibackdoor-new-malware-family-links-icedid-and-latrodectus