Evasive Maneuvers: Another BKDR_VERNOT Malware Spotted
Evasion is a constant goal of cybercriminals, and they are not above misusing legitimate sites and services to hide malicious activity. One recent example is BKDR_VERNOT.A, which tried to use Evernote to hide its activities. Another variant of this malware, BKDR_VERNOT.B, was recently spotted; this one uses a Japanese blogging platform as its command-and-control (C&C) server, and in this case the malware was able to log in successfully.
Figure 1. Network activity of BKDR_VERNOT.B
BKDR_VERNOT.B logs in to the blog account and creates a draft whose title is the affected machine’s computer name. It then writes the text “$_$Today is a very important day for me.$”, followed by the date and time the malware was executed, into that draft.
The drafts may serve both as a drop-off point for stolen information and as the C&C channel from which the backdoor retrieves its commands. The stolen information includes the computer’s OS information, time zone, and user name.
After retrieving commands from the blog account, the malware can execute the following backdoor commands:
- Download files
- Execute files
- Rename files
- Extract archive files
For every backdoor command it executes, BKDR_VERNOT.B reports the result back by editing the blog draft and appending one of the following strings:
- file create failed – If file download fails
- download file succeed – If file download succeeds
- Run failed – If file execution fails
- Run succeed – If file execution succeeds
- Exe file not found – If file to be executed is not found
- Unzip failed – If extracting archive file fails
- Unzip succeed – If extracting archive file succeeds
- Unzip file not found – If archive file is not found
- rename file failed – If renaming file fails
- rename file succeed – If renaming file succeeds
- src file not found – If file to be renamed is not found
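The check-in marker, the status strings, and the computer-name title described above are all static, so they make serviceable indicators when sweeping drafts exported from a suspect blog account. The following Python is an added example, not part of the original Trend Micro analysis or the malware itself; the draft records, the host names, and the timestamp format after the marker are constructed for the example.

```python
import re
from dataclasses import dataclass

# Strings taken from the analysis of BKDR_VERNOT.B above.
CHECKIN_MARKER = "$_$Today is a very important day for me.$"
STATUS_STRINGS = (
    "file create failed", "download file succeed",
    "Run failed", "Run succeed", "Exe file not found",
    "Unzip failed", "Unzip succeed", "Unzip file not found",
    "rename file failed", "rename file succeed", "src file not found",
)
# One alternation so a single pass over the body finds every status string, in order.
STATUS_RE = re.compile("|".join(re.escape(s) for s in STATUS_STRINGS))


@dataclass
class Finding:
    title: str            # draft title (the malware uses the victim's computer name)
    checkin: bool         # body contains the check-in marker
    title_is_host: bool   # title matches a known computer name in the environment
    statuses: list        # status strings found in the body, in order of appearance


def scan_drafts(drafts, known_hosts):
    """Return a Finding for every draft showing at least one indicator.

    drafts:      iterable of (title, body) pairs pulled from the blog account.
    known_hosts: computer names in your environment; compared case-insensitively.
    """
    hosts = {h.lower() for h in known_hosts}
    findings = []
    for title, body in drafts:
        checkin = CHECKIN_MARKER in body
        statuses = STATUS_RE.findall(body)
        title_is_host = title.strip().lower() in hosts
        if checkin or statuses or title_is_host:
            findings.append(Finding(title, checkin, title_is_host, statuses))
    return findings


def severity(finding):
    """The check-in marker is specific to this family; a status string such as
    'Run failed' can appear in benign text, so alone it only rates medium."""
    if finding.checkin:
        return "high"
    if finding.statuses and finding.title_is_host:
        return "high"
    if finding.statuses or finding.title_is_host:
        return "medium"
    return "none"


# Constructed sample drafts: one benign, one check-in, one command report,
# and one benign draft that happens to contain a status-like phrase.
SAMPLE_DRAFTS = [
    ("Weekend trip notes", "Run to the station, then the 9:15 train to Kyoto."),
    ("WS-FIN-07", "$_$Today is a very important day for me.$ 2013-04-03 09:12:44"),
    ("WS-FIN-07", "download file succeed\nRun succeed"),
    ("Release checklist", "Unzip failed on the build box, retrying tomorrow."),
]
KNOWN_HOSTS = {"WS-FIN-07", "WS-FIN-08"}  # constructed inventory

if __name__ == "__main__":
    for f in scan_drafts(SAMPLE_DRAFTS, KNOWN_HOSTS):
        print(severity(f), f)
```

In practice the draft export would come from the blog account's API or a takedown request to the provider, and the host inventory from asset management; correlating the title with a real computer name is what turns a generic string hit into a lead on which machine is infected.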
Using legitimate sites like this Japanese blogging platform generates network traffic that blends in with normal web browsing and is not easily flagged as malicious. Evernote, Google Docs, and Sendspace are other examples of legitimate sites that cybercriminals have misused to store information and communicate with remote servers. These examples show that popular sites can become not only targets, but also tools of cybercriminals.